[sakai2-tcc] Anti-Samy and Sakai CLE 2.9.2

Aaron Zeckoski azeckoski at unicon.net
Thu Mar 28 09:31:28 PDT 2013


Quick note: the option to switch AntiSamy into a low security mode
(and thus a high and low security) is in place and I am just adding
the ability to load a policy file now.
-AZ

On Thu, Mar 28, 2013 at 12:19 PM, Sam Ottenhoff <ottenhoff at longsight.com> wrote:
> AntiSamy is the right way forward and a huge security upgrade resolving all
> sorts of XSS attacks that we have conceived of (KNL-1009) and haven't
> conceived of (lots).
>
> My preference:
>
> a) Work on all open tickets regarding easier AntiSamy configuration is
> finished by Tuesday.
>
> b) All regression tests pass QA.
>
> Then make AntiSamy default enabled in 2.9.2.
>
> If A and B are not solved quickly, don't hold up the release, but merge
> AntiSamy in and turn it off by default so 2.9.2 would still use our old
> (bad) FormattedText by default.
>
> Sakai institutions that don't want the security upgrade and want the old
> FormattedText can easily switch AntiSamy off.  Longsight plans on using
> AntiSamy with all of our 2.9 upgrades and installations once we have the
> ability to easily swap out policy files ([a] above).
>
> --Sam
>
>
> On Thu, Mar 28, 2013 at 11:52 AM, Neal Caidin
> <nealcaidin at sakaifoundation.org> wrote:
>>
>> Hi TCC,
>>
>> This is not a proposal, but asking for input on
>>
>> https://jira.sakaiproject.org/browse/KNL-1015 - Replace custom stuff in
>> formattedtext with Antisamy processing
>>
>> CLE team had some discussion this morning. I heard very strong support for
>> this change overall but also a few concerns (which may have been addressed,
>> I did not fully follow).
>>
>> So the questions are, I think (others can correct me if I misspeak):
>>
>> 1) Should KNL-1015 become part of the 2.9.x maintenance release at some
>> point?
>>
>> 2) Assuming the question to #1 is a yes (but good to get that
>> confirmation), what would be the best way to roll it out?  Factors might
>> include, but not be limited to:  quality of release, risk assessment to
>> schools (and consider from viewpoint of schools with average administrative
>> capability), security (KNL-1015 addresses a couple of "blocker" level security
>> issues which have been around since at least 2.9.0 but maybe before), and
>> timing (when schools upgrade to 2.9 are they going to easily be able to take
>> advantage of this change?).
>>
>> Here are some options which were discussed:
>>
>> Options:
>>
>> 1) Release 2.9.2 as-is (with security blockers not yet addressed). No
>> change from current plan.
>> 2) Release with anti-samy but with default off (which means the default
>> will also not be addressing security blockers, but make it easier to add in
>> later). Will likely impact schedule.
>> 3) Release with anti-samy on - (A) set to low OR (B) set to high (either
>> setting solves current security issues). Will likely impact schedule.
>>
>> Variances:
>> ------------------------
>> a)  Delaying the release to find someone who can run it for a little while
>> (for quality purposes). UCT was mentioned as a potential candidate. For U.S.
>> schools timing does not seem ideal to get this change in.
>>
>> b)  release 2.9.2 as-is (option #1) and then make anti-samy the focus for
>> a 2.9.3 release. So instead of a summer time release (which had not yet been
>> decided, but just some discussion), we would base the schedule of 2.9.3 on
>> the needs of the Antisamy fix (what would that schedule look like?). The
>> hope/idea is that we would be able to flip this release out faster, since we
>> would be focused just on that one goal (though may be a challenge to keep
>> other things from creeping in).
>>
>> Thoughts?
>>
>> Cheers,
>>
>>
>> Neal Caidin
>>
>> Sakai CLE Community Coordinator
>> nealcaidin at sakaifoundation.org
>> Skype: nealkdin
>> AIM: ncaidin at aol.com
>>
>> _______________________________________________
>> sakai2-tcc mailing list
>> sakai2-tcc at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/sakai2-tcc
>>
>

-- 
Aaron Zeckoski - Software Architect - http://tinyurl.com/azprofile