[Building Sakai] Code Security (was Re: RSF Present and Future)

[csev]

On Feb 6, 2010, at 4:41 AM, John Norman wrote:

> I think there is a general principle here. For example, what should the Sakai UX folk do about JQuery? I imagine there are some libraries we assume will always be there and some that seem more vulnerable. Belt and braces thinking suggests we should seek to have a copy of any code used in a Sakai deployment under our own control, but I have not idea how big a storage burden that would create for us. It also suggests that we should have mirroring on our repositories for greater code security. Where should we draw the line?

The purist part of me would love to be able to regenerate everything even if the entire internet went away.  But that is silly.

The way I draw the line is on "project vitality" - a project that seems quite vital (and JQuery seems very vital) and has a community that is reasonable large - we can pull in their artifacts.  In a sense, JQuery is bigger than Sakai and used in lots of projects and so it will last plenty long enough for our purposes so we don't have to worry about JQuery going away any time soon.  And if JQuery started to fade away, we would know well in advance so we could grab a copy for our "sock drawer".

I was comfortable with RSF running on its own - particularly to give RSF a chance of wider adoption - even though RSF was small.  Since RSF has an organization behind it, a solid well known lead developer on top of things, and a plan to "take over the world", I was not worried.  Now RSF has none of those things - is it "between organizations" and the new organization is willing to host it but it is not the focus of the new organization, the lead developer's responsibilities are to other software (just calling it RSF does not meant it is Java RSF), and the the "urge to take over the world with Java RSF" has been mothballed.

So part of the "It is OK to take stuff from a vital project" carries a responsibility to detect when that project crosses the line toward obscurity and take reasonable action before it is too late - while we still have access to the expertise and the expert still has things fresh.

I am 100% happy with the notion of grabbing a copy and putting it in contrib somewhere.  Perhaps we should not even put the code in the REPO - but instead an SVN export and ZIP and a bit of readme on how to compile this.  Put it in contrib so we know where it is (The Sakai project sock drawer as it were) - so if in several years RSF is lost track of, we can run to the sock drawer and recover.  It sounds like either a new RSF in contrib with the ZIP and readme or just put it in Stephen's contrib - we can find it in a pinch.  I like the ZIp notion because then no-one is confused where the real trunk is - which should stay with Antranig IMO.

/Chuck