[sakai2-tcc] Anti-Samy and Sakai CLE 2.9.2

Earle Nietzel earle.nietzel at gmail.com
Fri Mar 29 07:30:00 PDT 2013


Nice Job!

+1 for option 3A


On Fri, Mar 29, 2013 at 8:54 AM, Aaron Zeckoski <azeckoski at unicon.net> wrote:

> > a) Work on all open tickets regarding easier AntiSamy configuration is
> > finished by Tuesday.
>
> Done
> -AZ
>
>
> On Thu, Mar 28, 2013 at 12:31 PM, Aaron Zeckoski <azeckoski at unicon.net>
> wrote:
> >
> > Quick note: the option to switch antisamy into a low security mode
> > (and thus a high and low security) is in place and I am just adding
> > the ability to load a policy file now.
> > -AZ
> >
> > On Thu, Mar 28, 2013 at 12:19 PM, Sam Ottenhoff <ottenhoff at longsight.com>
> wrote:
> > > AntiSamy is the right way forward and a huge security upgrade resolving all
> > > sorts of XSS attacks that we have conceived of (KNL-1009) and haven't
> > > conceived of (lots).
> > >
> > > My preference:
> > >
> > > a) Work on all open tickets regarding easier AntiSamy configuration is
> > > finished by Tuesday.
> > >
> > > b) All regression tests pass QA.
> > >
> > > Then make AntiSamy default enabled in 2.9.2.
> > >
> > > If A and B are not solved quickly, don't hold up the release, but merge
> > > AntiSamy in and turn it off by default so 2.9.2 would still use our old
> > > (bad) FormattedText by default.
> > >
> > > Sakai institutions that don't want the security upgrade and want the old
> > > FormattedText can easily switch AntiSamy off. Longsight plans on using
> > > AntiSamy with all of our 2.9 upgrades and installations once we have the
> > > ability to easily swap out policy files ([a] above).
> > >
> > > --Sam
> > >
> > >
> > > On Thu, Mar 28, 2013 at 11:52 AM, Neal Caidin
> > > <nealcaidin at sakaifoundation.org> wrote:
> > >>
> > >> Hi TCC,
> > >>
> > >> This is not a proposal, but asking for input on
> > >>
> > >> https://jira.sakaiproject.org/browse/KNL-1015 - Replace custom stuff in
> > >> formattedtext with Antisamy processing
> > >>
> > >> CLE team had some discussion this morning. I heard very strong support for
> > >> this change overall but also a few concerns (which may have been addressed,
> > >> I did not fully follow).
> > >>
> > >> So the questions are, I think (others can correct me if I misspeak):
> > >>
> > >> 1) Should KNL-1015 become part of the 2.9.x maintenance release at some
> > >> point?
> > >>
> > >> 2) Assuming the question to #1 is a yes (but good to get that
> > >> confirmation), what would be the best way to roll it out? Factors might
> > >> include, but not be limited to: quality of release, risk assessment to
> > >> schools (and consider from viewpoint of schools with average administrative
> > >> capability), security (KNL-1015 addresses a couple of "blocker" level security
> > >> issues which have been around since at least 2.9.0 but maybe before), and
> > >> timing (when schools upgrade to 2.9 are they going to easily be able to take
> > >> advantage of this change?).
> > >>
> > >> Here are some options which were discussed:
> > >>
> > >> Options:
> > >>
> > >> 1) Release 2.9.2 as-is (with security blockers not yet addressed). No
> > >> change from current plan.
> > >> 2) Release with anti-samy but with default off (which means the default
> > >> will also not be addressing security blockers, but make it easier to add in
> > >> later). Will likely impact schedule.
> > >> 3) Release with anti-samy on - (A) set to low OR (B) set to high (either
> > >> setting solves current security issues). Will likely impact schedule.
> > >>
> > >> Variances:
> > >> ------------------------
> > >> a) Delaying the release to find someone who can run it for a little while
> > >> (for quality purposes). UCT was mentioned as a potential candidate. For U.S.
> > >> schools timing does not seem ideal to get this change in.
> > >>
> > >> b) Release 2.9.2 as-is (option #1) and then make anti-samy the focus for
> > >> a 2.9.3 release. So instead of a summer time release (which had not yet been
> > >> decided, but just some discussion), we would base the schedule of 2.9.3 on
> > >> the needs of the Antisamy fix (what would that schedule look like?). The
> > >> hope/idea is that we would be able to flip this release out faster, since we
> > >> would be focused just on that one goal (though may be a challenge to keep
> > >> other things from creeping in).
> > >>
> > >> Thoughts?
> > >>
> > >> Cheers,
> > >>
> > >>
> > >> Neal Caidin
> > >>
> > >> Sakai CLE Community Coordinator
> > >> nealcaidin at sakaifoundation.org
> > >> Skype: nealkdin
> > >> AIM: ncaidin at aol.com
> > >>
> > >> _______________________________________________
> > >> sakai2-tcc mailing list
> > >> sakai2-tcc at collab.sakaiproject.org
> > >> http://collab.sakaiproject.org/mailman/listinfo/sakai2-tcc
> > >>
> > >
> >
> >
> >
> > --
> > Aaron Zeckoski - Software Architect - http://tinyurl.com/azprofile
>
>
>
>
> --
> Aaron Zeckoski - Software Architect - http://tinyurl.com/azprofile
>
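The thread above turns on two deployment knobs: whether AntiSamy replaces the old FormattedText cleaning at all, and which policy it enforces (the high or low security mode, or an institution's own policy file). The following is an added example, not Sakai kernel code and not AntiSamy project code, showing how such a switch is commonly wired against the AntiSamy library API. The property names, the policy file names and the tainted input are all assumptions constructed for illustration; substitute the keys and policy files your deployment actually uses.

```java
import java.io.File;
import java.util.Properties;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Added example (not Sakai or AntiSamy project code): pick an AntiSamy policy
 * from deployment properties and run user-supplied HTML through it.
 * Property names and policy file paths are hypothetical placeholders.
 */
public class AntiSamyPolicyDemo {

    // HYPOTHETICAL property keys; the real sakai.properties keys may differ.
    static final String PROP_USE_ANTISAMY = "content.cleaner.use.antisamy";
    static final String PROP_POLICY_LEVEL = "content.cleaner.antisamy.level";  // "high" or "low"
    static final String PROP_POLICY_FILE  = "content.cleaner.antisamy.policy"; // optional override

    /** Resolve the policy file: an institution override wins, else the high/low switch. */
    static File resolvePolicyFile(Properties props) {
        String custom = props.getProperty(PROP_POLICY_FILE);
        if (custom != null && !custom.isEmpty()) {
            return new File(custom); // institution-supplied policy (assumed path)
        }
        String level = props.getProperty(PROP_POLICY_LEVEL, "high");
        // Placeholder file names; use the policy files shipped with your deployment.
        return new File("low".equalsIgnoreCase(level)
                ? "antisamy-low-security-policy.xml"
                : "antisamy-high-security-policy.xml");
    }

    /**
     * Sanitize one fragment. AntiSamy is allowlist-based: anything the policy
     * does not explicitly permit is dropped, and each removal is reported, which
     * is what you review when deciding whether a policy is too loose or too strict.
     */
    static String clean(String taintedHtml, Policy policy) throws ScanException, PolicyException {
        AntiSamy antiSamy = new AntiSamy();
        CleanResults results = antiSamy.scan(taintedHtml, policy);
        for (String msg : results.getErrorMessages()) {
            System.err.println("antisamy removed: " + msg);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        props.setProperty(PROP_USE_ANTISAMY, "true");
        props.setProperty(PROP_POLICY_LEVEL, args.length > 0 ? args[0] : "high");

        // Constructed sample input: benign formatting plus a script tag and an event handler.
        String tainted = "<p>Hello <b>world</b></p>"
                + "<script>alert(1)</script>"
                + "<a href=\"http://example.com\" onclick=\"alert(2)\">link</a>";

        if (!Boolean.parseBoolean(props.getProperty(PROP_USE_ANTISAMY, "false"))) {
            // Option 2 in the thread: AntiSamy merged but off, legacy cleaner still runs.
            System.out.println("AntiSamy disabled; legacy FormattedText path would run here.");
            return;
        }
        Policy policy = Policy.getInstance(resolvePolicyFile(props));
        System.out.println(clean(tainted, policy));
    }
}
```

Run it once with `high` and once with `low` against your two policy files and diff the stderr lists: the set of tags and attributes each policy rejects is the concrete difference between options 3A and 3B, and with a sensible policy the `<script>` element and the `onclick` attribute should be among the removals in both modes.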