Notes: idpy dev call, 26 January 2021
by hlflanagan@sphericalcowgroup.com
Attendees:
Stephen Schwichtenberg, Ivan, Christos, John P, Heather, Johan, Scott
Regrets:
Roland
Notes:
0 - Agenda bash
1 - Security Vulnerability - review
Looking for feedback on how we handled the announcements.
Ivan set up a private incident-response team to review the patches, but it is not clear how many people actually tested them. eduTeams did some testing after about a week and found a few issues introduced by the new patches. The new code had test cases, but they cannot account for everything. We need better community testing.
We made the CVEs public on Jan 20, created a new release for pySAML2, and sent out an announcement. Also updated Satosa, including a new docker image. We also have a new web page: https://idpy.org/security/.
Feedback
• We announced that the new release would be available before we actually had the release. That put time pressure on things and rushed the testing and development. We underestimated the complexity, so the suggestion is to have the testing done first, before we make an announcement. There were also requests for early access; how do we answer questions like that? Who gets early access, and who doesn't? Giving a heads-up to the ops people is good, but it is better to have the patches ready first.
• The clients who had kept themselves up to date had the fewest issues in handling the update. The ones still on old versions had quite a few more challenges (custom microservices no longer worked, configs had to change, etc.). Standard devops best practice makes responding to this kind of issue much easier.
• In terms of curating a list of early testers, the people who show up and contribute to the community are the ones that should get premium access.
2 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)