[sakai2-tcc] Anti-Samy and Sakai CLE 2.9.2

Aaron Zeckoski azeckoski at unicon.net
Fri Mar 29 05:54:18 PDT 2013


> a) Work on all open tickets regarding easier AntiSamy configuration are
> finished by Tuesday.

Done
-AZ


On Thu, Mar 28, 2013 at 12:31 PM, Aaron Zeckoski <azeckoski at unicon.net> wrote:
>
> Quick note: the option to switch antisamy into a low security mode
> (and thus a high and low security) is in place and I am just adding
> the ability to load a policy file now.
> -AZ
>
> On Thu, Mar 28, 2013 at 12:19 PM, Sam Ottenhoff <ottenhoff at longsight.com> wrote:
> > AntiSamy is the right way forward and a huge security upgrade resolving all
> > sorts of XSS attacks that we have conceived of (KNL-1009) and haven't
> > conceived of (lots).
> >
> > My preference:
> >
> > a) Work on all open tickets regarding easier AntiSamy configuration are
> > finished by Tuesday.
> >
> > b) All regression tests pass QA.
> >
> > Then make AntiSamy default enabled in 2.9.2.
> >
> > If A and B are not solved quickly, don't hold up the release, but merge
> > AntiSamy in and turn it off by default so 2.9.2 would still use our old
> > (bad) FormattedText by default.
> >
> > Sakai institutions that don't want the security upgrade and want the old
> > FormattedText can easily switch AntiSamy off.  Longsight plans on using
> > AntiSamy with all of our 2.9 upgrades and installations once we have the
> > ability to easily swap out policy files ([a] above).
> >
> > --Sam
> >
> >
> > On Thu, Mar 28, 2013 at 11:52 AM, Neal Caidin
> > <nealcaidin at sakaifoundation.org> wrote:
> >>
> >> Hi TCC,
> >>
> >> This is not a proposal, but asking for input on
> >>
> >> https://jira.sakaiproject.org/browse/KNL-1015 - Replace custom stuff in
> >> formattedtext with Antisamy processing
> >>
> >> CLE team had some discussion this morning. I heard very strong support for
> >> this change overall but also a few concerns (which may have been addressed,
> >> I did not fully follow).
> >>
> >> So the questions are, I think (others can correct me if I misspeak):
> >>
> >> 1) Should KNL-1015 become part of the 2.9.x maintenance release at some
> >> point?
> >>
> >> 2) Assuming the question to #1 is a yes (but good to get that
> >> confirmation), what would be the best way to roll it out?  Factors might
> >> include, but not be limited to:  quality of release, risk assessment to
> >> schools (and consider from viewpoint of schools with average administrative
> >> capability), security (KNL-1015 addresses a couple of "blocker" level security
> >> issues which have been around since at least 2.9.0 but maybe before), and
> >> timing (when schools upgrade to 2.9 are they going to easily be able to take
> >> advantage of this change?).
> >>
> >> Here are some options which were discussed:
> >>
> >> Options:
> >>
> >> 1) Release 2.9.2 as-is (with security blockers not yet addressed). No
> >> change from current plan.
> >> 2) Release with anti-samy but with default off (which means the default
> >> will also not be addressing security blockers, but make it easier to add in
> >> later). Will likely impact schedule.
> >> 3) Release with anti-samy on - (A) set to low OR (B) set to high (either
> >> setting solves current security issues). Will likely impact schedule.
> >>
> >> Variances:
> >> ------------------------
> >> a)  Delaying the release to find someone who can run it for a little while
> >> (for quality purposes). UCT was mentioned as a potential candidate. For U.S.
> >> schools timing does not seem ideal to get this change in.
> >>
> >> b)  Release 2.9.2 as-is (option #1) and then make anti-samy the focus for
> >> a 2.9.3 release. So instead of a summer time release (which had not yet been
> >> decided, but just some discussion), we would base the schedule of 2.9.3 on
> >> the needs of the Antisamy fix (what would that schedule look like?). The
> >> hope/idea is that we would be able to flip this release out faster, since we
> >> would be focused just on that one goal (though may be a challenge to keep
> >> other things from creeping in).
> >>
> >> Thoughts?
> >>
> >> Cheers,
> >>
> >>
> >> Neal Caidin
> >>
> >> Sakai CLE Community Coordinator
> >> nealcaidin at sakaifoundation.org
> >> Skype: nealkdin
> >> AIM: ncaidin at aol.com
> >>
> >>
> >> _______________________________________________
> >> sakai2-tcc mailing list
> >> sakai2-tcc at collab.sakaiproject.org
> >> http://collab.sakaiproject.org/mailman/listinfo/sakai2-tcc
> >>
> >
>
>
>
> --
> Aaron Zeckoski - Software Architect - http://tinyurl.com/azprofile




--
Aaron Zeckoski - Software Architect - http://tinyurl.com/azprofile
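The thread above talks about running AntiSamy in a high or low security mode and loading a policy file chosen by configuration. The following Java snippet is an added example of how such a switch can be wired up with the AntiSamy library; it is not Sakai's KNL-1015 code or AntiSamy's own. The property name `antisamy.policy` and the policy file names `antisamy-high.xml` / `antisamy-low.xml` are assumptions for illustration.

```java
// Added example (not Sakai's or AntiSamy's own code): pick an AntiSamy policy
// file from a configuration setting and sanitize untrusted HTML with it.
import java.io.File;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyPolicyDemo {
    // Assumed file names: a deployment would point these at the high- and
    // low-security policy files it ships or customises.
    private static final String HIGH_POLICY = "antisamy-high.xml";
    private static final String LOW_POLICY  = "antisamy-low.xml";

    /**
     * Resolve the policy from a hypothetical "antisamy.policy" setting:
     * an explicit, existing file path wins; otherwise "low" selects the
     * low-security policy and anything else falls back to high security.
     */
    static Policy loadPolicy(String setting) throws PolicyException {
        if (setting != null && new File(setting).isFile()) {
            return Policy.getInstance(new File(setting));
        }
        String path = "low".equalsIgnoreCase(setting) ? LOW_POLICY : HIGH_POLICY;
        return Policy.getInstance(new File(path));
    }

    /**
     * Sanitize untrusted HTML under the given policy. Whatever the policy
     * rejects is reported on stderr so operators can tune the policy file
     * instead of switching the sanitizer off.
     */
    static String sanitize(String untrustedHtml, Policy policy)
            throws ScanException, PolicyException {
        AntiSamy antiSamy = new AntiSamy();
        CleanResults results = antiSamy.scan(untrustedHtml, policy);
        for (String msg : results.getErrorMessages()) {
            System.err.println("AntiSamy removed: " + msg);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        Policy policy = loadPolicy(System.getProperty("antisamy.policy"));
        // Constructed sample input: ordinary formatting that should survive
        // plus an inline event handler and a script element that should not.
        String input = "<p onclick=\"alert(1)\">Hello <b>world</b></p>"
                     + "<script>alert(1)</script>";
        System.out.println(sanitize(input, policy));
    }
}
```

Run it with `-Dantisamy.policy=low`, `-Dantisamy.policy=high`, or `-Dantisamy.policy=/path/to/custom.xml` to see how the same input is cleaned under each policy; the error messages AntiSamy returns are the quickest way to find out which tag or attribute a too-strict policy is dropping from legitimate content.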