- Idpy-board - lists3.sunet.se

by Roland Hedberg

Hi! This situation with EduTEAMs not releasing their satosa-idpy-oidc integration is really hurting IdPy. I think we should give up on EduTEAMs and instead bring in Giuseppe’s implementation. As long as we keep satosa-oidcop on line as the ‘official’ IdPy SATOSA-OIDC package we loose a lot of help in making our own OIDC implementation better. — Roland

1 year, 6 months

3
3
0 0

Notes: idpy Board call, 18 March 2021

by hlflanagan＠sphericalcowgroup.com

Attendees: Leif, Christos, Roland, Ivan, Mike, Heather Regrets: Chris Notes 1. Agenda Bash 2. Board Nominations a. 3 slots, currently filled by Leif, Christos, and Heather, will be open • Note that Heather’s role is also “At-Large Director of Identity Python" • Heather to send a note to REFEDS about the board nominations as well as to idpy-discuss 3. Approving updated policies a. idpy project policy - https://github.com/IdentityPython/Governance/blob/master/idpy-projects.md A. Should we be more specific about how much the tests should cover? Common numbers are 80% coverage. Yes, will add that. B. Add a note about IPR and licensing, saying what's expected and pointing back to the main statutes as the canonical source C. Should we add that we want a direction where all dependencies are maintained within idpy? Where strategic direction is more solidly align? We are still at a stage where we still maintain flexibility. We should be a supportive framework to get the job done than legislate what it means to be a project. D. Add a note about incident handling b. idpy incident response policy - https://github.com/IdentityPython/Governance/blob/master/idpy-incidentrespo… A. Main changes was to explicitly take advantage of GitHubs incident management tools B. See also the new FAQ: https://idpy.org/security/ c. Heather will send the revised policies to idpy-discuss and to Commons Conservancy 4. AOB Thanks! Heather

3 years, 2 months

2
1
0 0

Agenda & Reminder: idpy Board call, 18 March 2021

by hlflanagan＠sphericalcowgroup.com

Date/time: Thursday, 18 March 2021 @ 09:00 PT, 12:00 ET, 16:00 UTC V/C link: https://us02web.zoom.us/j/86881068893?pwd=OUhRV1N3SnhHVk5ramtwdkVjaGx2Zz09 Expected Attendees: Leif, Christos, Chris, Roland, Ivan, Mike, Heather Agenda 1. Agenda Bash 2. Board Nominations a. 3 slots, currently filled by Leif, Christos, and Heather, will be open • Note that Heather’s role is also “At-Large Director of Identity Python" 3. Approving updated policies a. idpy project policy - https://github.com/IdentityPython/Governance/blob/master/idpy-projects.md b. idpy incident response policy - https://github.com/IdentityPython/Governance/blob/master/idpy-incidentrespo… 4. AOB Thanks! Heather

3 years, 2 months

1
0
0 0

Doodle Poll: idpy Board call, March 2021

by hlflanagan＠sphericalcowgroup.com

Hello all! As mentioned in the previous email, I’d like to get a Board call on the calendar. The agenda will include discussing the updates to the Project and Incident Response policies, a review of the security incident early this year, and a review of the Board seats for 2021. https://doodle.com/poll/vbdd4qywd6askvqc Please fill out the poll by Wednesday, 3 March. Thanks! Heather

3 years, 2 months

2
3
0 0

Updating Identity Python governing policies

by hlflanagan＠sphericalcowgroup.com

Hello idpy Board members! Over the last few months, the idpy developers group has discussed what structure idpy projects should commonly follow. This discussion was inspired by the question of whether we should bring in a new project, djangosaml2, under the umbrella of Identity Python. Also over the last few months, we have had the opportunity to exercise the incident response policy. Some items listed in the incident response policy did not take into account the incident handling tools that GitHub natively provides. As a result of all those conversations, Ivan and I (with feedback from the developers) have updated our governance policies. You can see the proposed changes in the Governance repository: https://github.com/IdentityPython/Governance If you click on idpy-incidentresponse.md and idly-projects.md, there is a “History” link that will let you see the PR that included all the proposed changes. Please take a moment to review the proposed changes. We’ll discuss and (if we managed to get everyone on a call) vote in an upcoming Board meeting. I’ll send out a separate doodle poll to set that up. Thanks! Heather

3 years, 2 months

1
0
0 0

Fwd: Press questions regarding the Pysaml2 vulnerability

by ivan.kanak＠gmail.com

On Mon, 25 Jan 2021 at 17:15, Heather Flanagan <hlflanagan at sphericalcowgroup.com> wrote: > > On Jan 25, 2021, 2:36 AM -0800, Leif Johansson <leifj at sunet.se>, wrote: > > Good answers. I don't think we should claim to provide a complete list of all > > software packages but there is no harm in saying that we know of several (list) > > and these were part of the initial notification process to prepare them for > > new relase > > We could also say that this is an open source library available via GitHub; we have no way of knowing all the deployments that use it. And perhaps we can take this as an opportunity to point people to https://idpy.org/security/. > OK, I am planning to send the final email later, today. For the last question I will answer something along the lines of the following (I welcome any other feedback): > - 5. Finally, what other software/packages utilize pysaml2 ? pysaml2 is an open source project and community effort. We have a page dedicated to security on our website here https://idpy.org/security/ and we urge all users of our software to read it and subscribe to the appropriate channels to stay up to date. We do know of projects that use pysaml2 and members of some of those projects are in direct communication with us, regarding issues and features. Towards the wider community we gave a two-week notice that an issue has been reported, asking everyone to prepare for an upgrade. Throughout the project lifetime, a network of trusted community members has grown organically, and those were given access to more information and early patches to test and provide feedback. Projects like SAtoSA, djangosaml2, UniAuth as well as software and services based on pysaml2 managed by educational institutions and research organizations, like eduTEAMS and InAcademia, were updated swiftly and some were already running the patched version even before it was released. Cheers, -- Ivan Kanakarakis

3 years, 3 months

1
0
0 0

Fwd: Press questions regarding the Pysaml2 vulnerability

by hlflanagan＠sphericalcowgroup.com

On Jan 25, 2021, 2:36 AM -0800, Leif Johansson <leifj at sunet.se>, wrote: > On 2021-01-21 11:56, Ivan Kanakarakis wrote: > > Hello, > > > > On Thu, 21 Jan 2021 at 11:17, Leif Johansson <leifj at sunet.se> wrote: > > > > > > On 2021-01-20 21:38, Ivan Kanakarakis wrote: > > > > Hello everyone, > > > > > > > > I just received the following email with questions on the recent > > > > vulnerabilities of pysaml2. > > > > The news site is https://www.bleepingcomputer.com/ > > > > > > > > Should we answer? > > > > and should we answer all questions? > > > > > > I think we should answer but ask to see the writeup so you can help get the > > > details right. > > > > > > > This sounds like a better strategy. Below, I am answering the email > > and questions to kickstart this process. > > I am skeptical if we should answer the last question. > > Good answers. I don't think we should claim to provide a complete list of all > software packages but there is no harm in saying that we know of several (list) > and these were part of the initial notification process to prepare them for > new relase > We could also say that this is an open source library available via GitHub; we have no way of knowing all the deployments that use it. And perhaps we can take this as an opportunity to point people to https://idpy.org/security/. -Heather

3 years, 3 months

1
0
0 0

Fwd: Press questions regarding the Pysaml2 vulnerability

by ivan.kanak＠gmail.com

Hello everyone, I just received the following email with questions on the recent vulnerabilities of pysaml2. The news site is https://www.bleepingcomputer.com/ Should we answer? and should we answer all questions? Cheers, PS: for those of you did not see our new page on the website, have a look at the security section: https://idpy.org/security/ ---------- Forwarded message --------- From: Lawrence Abrams <labrams at bleepingcomputer.com> Date: Wed, 20 Jan 2021 at 22:22 Subject: Press questions regarding the Pysaml2 vulnerability To: <ivan.kanak at gmail.com>, <info at idpy.org> I am a security reporter for the technology news site BleepingComputer. In regards to your pysaml2 security advisory released today for vulnerabilities CVE-2021-21238 and CVE-2021-21239. 1. Is it known if these vulnerabilities have been exploited in the wild? If so, can you share how? 2. For CVE-2021-21238, would this allow an attacker to tamper a signed file as long as the original legitimate signature is the first keyvalue element? 3. For CVE-2021-21239, a signed document would be valid if the same type of key is present in the document? 4. In what ways do you see these vulnerabilities being exploited and are these critical enough that they should be updated immediately? 5. Finally, what other software/packages utilize pysaml2 ? Thank you Lawrence Abrams BleepingComputer.com -- Ivan c00kiemon5ter Kanakarakis >:3

3 years, 3 months

2
3
0 0

Notes: idpy Board call, 13 October 2020

by hlflanagan＠sphericalcowgroup.com

Attendees: Ivan, Roland, Leif, Chris, Heather, Christos Absent: Mike Action items 1. The Dev team needs to come up with a few key points on change management and semantic versioning first, which will apply to projects, and then inform and educate the Board on what that all means 2. After Board agreement on the change management requirements, reach out to the djangosaml2 maintainer and verify they will be willing to adhere to these requirements Update since our last meeting (see https://github.com/IdentityPython/) • Status of volunteer engagement - seeing largely the same people participating. Given we always have the same people, we continued to be constrained in what we can do to improve the projects over on • Where are more resources required? • Until we improve our documentation, we won’t be able to bring new people on to participate. • Documentation is happening at two levels, at the architecture level and at the code level. Ivan is responsible for the architecture level, but it has not been as high a priority as feature enhancement, security issues, etc. We do have volunteers helping with some of the code-level documentation (Hannah Sebuliba). Not every project is in the same place with regards to the available documentation; OIDC libraries are better off than the other projects. • We also need “how to” documentation, on top of documenting the code and documenting the architecture. • An interesting example is the Norwegian federation team where the developers wrote the first pass of the documentation, but the group that did the implementation were required to improve (and probably rewrite) the documentation. • Our documentation needs at every level are very complex; this is powerful software with many options for implementation. It would be best if we had a strategy to use our resources most efficiently, but we’re limited by what volunteers we have and where their skills/experience lay. Proposal for a new project to be brought on board (See https://dracc.commonsconservancy.org/0025/ for a reminder of how we add new projects to idpy.) • https://github.com/knaperek/djangosaml2 (see email to the board from 15 September, subject line: "idpy 2020 board meeting and a new project") • There is a concern about expanding the idpy product catalog without a proper way to manage the whole catalog. Is this production grade? What is the release management process? • The Dev team needs to come up with a few key points on change management and semantic versioning first, which will apply to projects, and then inform and educate the Board on what that all means, then Quality of the project and how we manage our projects overall • We should be asking each idpy project to follow a consistent release management process and a consistent testing process. The tools we use, how we use them and invoke them, as well as the policies around them, whether we use docker images, etc. • We do have templates for issues and PRs, but they are optional. Similarly, people do not always include tests. • Process is no guarantee of quality. If our ultimate goal is quality improvement, then we need to figure out how to get there then determine what policy is need to keep us at that level. We need the culture to evolve to overall improvements, so the team makes its own rules. • Review is how we manage quality. This ties back to the architecture documentation, so that more people can do the review than just Ivan because they understand how it all fits. • Perhaps tag as “future” all items that are not 100% vetted. • IdentityPython is not so much about turnkey solutions as it is about building tool kits. • The different idpy projects are very different in terms of scale - pySAML2 has been around for 16 years and has an enormous following, whereas the OIDC libraries have a group of 5 committers. There is unlikely to be one model that fits all. • Can we at least get to an agreement to use semantic versioning across all projects? Board nominations for 2021-2023 • 3 slots, currently filled by Leif, Christos, and myself, will be open • Note that Heather’s role is also “At-Large Director of Identity Python" Thanks! Heather

3 years, 6 months

2
1
0 0

IdentityPython Board Agenda & Reminder: 13 October 2020

by hlflanagan＠sphericalcowgroup.com

Date/time: 13 October 2020 @ 17:00 UTC Zoom link: https://us02web.zoom.us/j/85021594049?pwd=dWwzTG5vTGpmSXRCZXdzOHFSZXRtUT09 Meeting ID: 850 2159 4049 Passcode: 953486 Agenda 1 - Agenda bash 2 - Update since our last meeting (see https://github.com/IdentityPython/) • Status of volunteer engagement • Where are more resources required 3 - Proposal for a new project to be brought on board (See https://dracc.commonsconservancy.org/0025/ for a reminder of how we add new projects to idpy.) • https://github.com/knaperek/djangosaml2 4 - Board nominations for 2021-2023 • 3 slots, currently filled by Leif, Christos, and myself, will be open 5 - AOB Thanks! Heather

3 years, 7 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

Idpy-board