Stephen Schwichtenberg, Ivan, Christos, John P, Heather, Johan, Scott
0 - Agenda bash
1 - Security Vulnerability - review
looking for feedback on how we handled the announcements.
Ivan made a private incident-response team to review the patches, but not sure that many
people tested. eduTeams did some testing after about a week and found a few issues coming
from the new patches. The new code had test cases, but they can't account for
everything. We need better community testing.
We made the CVEs public on Jan 20, created a new release for pySAML2, and sent out an
announcement. Also updated Satosa, including a new docker image. We also have a new web
• We announced the new release would be available before we actually had the release. That
put some time strain on things that rushed the testing and development. We underestimated
the complexity, so suggest we needed to have the testing done first, before we make an
announcement. There were also requests for early access; how do we answer questions like
that? Who gets early access, and who doesn't? Giving a heads' up to the ops people
is good, but better to have the patches ready first.
• The clients who had been keeping themselves up to date had the least issues in handling
the update. The ones that are still on old versions had quite a few more challenges
(custom microservices no longer worked, configs had to change, etc). Standard devops best
practice makes responding to this kind of issue much easier.
• In terms of curating a list of early testers, the people who show up and contribute to
the community are the ones that should get premium access.
2 - GitHub review
a. OIDC - https://github.com/IdentityPython