Attendees:
Ivan, Johan L., Heather, Christos, Rainer
0. Agenda bash
1. PR status and upcoming code releases
- Satosa (Satosa PRs: https://github.com/IdentityPython/SATOSA)
- Satosa microservices
- pySAML (https://github.com/IdentityPython/pysaml2)
- pyFF (https://github.com/IdentityPython/pyFF)
## satosa
- satosa configuration
https://github.com/IdentityPython/SATOSA/issues/184
A small fix, but it had Ivan looking deeper into how Satosa, pySAML, etc.
are configured. So he did a small rewrite (see
https://github.com/c00kiemon5ter/satosa/tree/refactor-parse-config; no PR
yet). Part of the configuration is how secrets and microservices are
configured. See:
- where do configuration secrets go
https://github.com/IdentityPython/SATOSA/issues/167
See email about the environment variables. Note that the proposed fix
will result in having to restart Satosa when environment variables are
changed or set.
- satosa micro-services as plugins
Planning to write about this to the list, for both front end and back end
modules. This will be done via “entry points”, part of setuptools: Satosa
will define group names, then each plug-in can define its entry point (which
function will run when invoked). This will work for backend (SP), frontend
(IdP), request microservices, and response microservices.
- demo
- Ivan still needs to look into the ordering of micro-services (what order
they need to run in). Expect more info on the list.
- pySAML will likely be handled the same way with the revised
configuration method
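How the entry-point scheme described above could resolve configured micro-services into an ordered chain, as an added example rather than SATOSA's own code; the group name `satosa.microservices`, the module `satosa_demo_plugin`, and the two micro-services are constructed placeholders, and the ordering check reflects the open question noted above.

```python
# Added illustration, not SATOSA code: group/module names are placeholders.
import sys
import types
from importlib.metadata import EntryPoint

MICROSERVICE_GROUP = "satosa.microservices"  # group name the host would define

def stamp_trace(context, data):
    """Request micro-service (constructed): adds a diagnostic attribute."""
    data["attrs"] = dict(data.get("attrs", {}), internal_trace="stamped")
    return data

def drop_internal(context, data):
    """Response micro-service (constructed): strips attributes an SP must not see."""
    data["attrs"] = {k: v for k, v in data.get("attrs", {}).items()
                     if not k.startswith("internal_")}
    return data

# Stand-in for an installed plugin distribution; a real plugin ships these in
# its own package and declares, in setup.cfg [options.entry_points]:
#   satosa.microservices =
#       stamp_trace = satosa_demo_plugin:stamp_trace
plugin = types.ModuleType("satosa_demo_plugin")
plugin.stamp_trace, plugin.drop_internal = stamp_trace, drop_internal
sys.modules["satosa_demo_plugin"] = plugin

# What importlib.metadata.entry_points(group=MICROSERVICE_GROUP) would yield.
INSTALLED = [
    EntryPoint("stamp_trace", "satosa_demo_plugin:stamp_trace", MICROSERVICE_GROUP),
    EntryPoint("drop_internal", "satosa_demo_plugin:drop_internal", MICROSERVICE_GROUP),
]

def load_microservices(enabled, available=INSTALLED):
    """Resolve configured names to callables, in configuration order.
    Entry points carry no ordering, so the config list supplies it; a name no
    installed plugin provides is rejected rather than skipped silently."""
    by_name = {ep.name: ep for ep in available if ep.group == MICROSERVICE_GROUP}
    unknown = [name for name in enabled if name not in by_name]
    if unknown:
        raise LookupError(f"no plugin provides micro-service(s): {unknown}")
    return [by_name[name].load() for name in enabled]

def run_chain(chain, data):
    """Apply the loaded micro-services in order to a copy of the data."""
    context = {}  # per-request state the host would normally pass in
    for step in chain:
        data = step(context, dict(data))
    return data
```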
- an IE11 cookie issue that had been reported by Rainer
https://github.com/IdentityPython/SATOSA/issues/164
https://github.com/IdentityPython/SATOSA/pull/166
These can be merged now. The idea behind the fix is that the state
module produces a satosa state error; it catches the new error and
exposes it so the state module can handle it.
After these changes, Satosa can have a new release. This will help the
security review team have a solid place to start.
## pysaml2
- new cryptography module for pysaml2
https://github.com/IdentityPython/pysaml2/pull/519
https://github.com/IdentityPython/pysaml2/issues/417
A GitHub engineer indicated he was going to send a security warning to
everyone that had downloaded pySAML2. Ivan has come up with a fix, which
should address the changes the engineer asked for. It will use
https://cryptography.io/en/latest/fernet/. Please review (especially if
you have any crypto experience).
- some deprecation warnings that surfaced
https://github.com/IdentityPython/pysaml2/pull/520
From the Python docs: "Changed in version 3.7: DeprecationWarning is once
again shown by default when triggered directly by code in __main__."
One warning still persists if you use the defusedxml library; that is not
being maintained.
- PR 498 (https://github.com/IdentityPython/pysaml2/pull/498): Ivan is also
working on this one.
Ivan will be merging some of these by the end of this week or early next
week; there will be new releases for both pySAML and Satosa next week
(Wednesday or Thursday).
2. AOB
Security review update: Michael has asked a few questions about where to
start looking; Ivan will respond. Ivan will also be reviewing the incident
response guidelines before we make them public.
Next call: 7 August 2018 (HF, Johan, Scott are unavailable); Ivan and
Christos are available. Ivan will make the call as to whether there are
enough items to hold a call.