[Building Sakai] Code Security (was Re: RSF Present and Future)

Aaron Zeckoski aaronz at vt.edu
Sat Feb 6 03:09:00 PST 2010


For Matterhorn we mirror every Java library that is used in it in our
own Maven repository and keep a copy of the compressed JavaScript
libraries in our source code repository (basically we maintain a
binary copy of all the things we depend on). We do not keep copies of
the source code for these (which I think is what John is getting at).
For Sakai, we basically do the same for the core of Sakai (not for
contrib tools).

-AZ


On Sat, Feb 6, 2010 at 10:41 AM, John Norman <john at caret.cam.ac.uk> wrote:
> Just on a trivial point
>
> On 6 Feb 2010, at 04:43, Steven Githens wrote:
>
> [...]
>
>> I'm pretty sure someone already did pull the plug and everything has
>> been moved to fluid repositories.
>
> The project moved to Fluid first. If any plug has been pulled at Cambridge it was by the project owner. As a committed adopter of the Fluid project outputs, the Sakai 3 UX team see this as a natural development.
>
> This is just a detail, but I wanted to make clear that the project was not forced to move to Fluid, it was the preferred home of the project and Cambridge would have continued hosting indefinitely. Of course, indefinitely does not mean forever.
>
> I think there is a general principle here. For example, what should the Sakai UX folk do about jQuery? I imagine there are some libraries we assume will always be there and some that seem more vulnerable. Belt and braces thinking suggests we should seek to have a copy of any code used in a Sakai deployment under our own control, but I have no idea how big a storage burden that would create for us. It also suggests that we should have mirroring on our repositories for greater code security. Where should we draw the line?
>
> John


-- 
Aaron Zeckoski (azeckoski (at) vt.edu)
Senior Research Engineer - CARET - University of Cambridge
https://twitter.com/azeckoski - http://www.linkedin.com/in/azeckoski
http://aaronz-sakai.blogspot.com/ - http://tinyurl.com/azprofile

