2020-07-31 Meeting notes

Date

Attendees

Discussion items

Time | Item | Who | Notes
Housekeeping - email, JIRA, etc.

NO ACTION TAKEN - follow up in 2 weeks.
Email alias/address security@folio.org still not working. Coordinating through Peter Murray  who is working with EBSCO on other address(es).

Jira configuration actions:

  • Can the Security Project be set up so that new issues automatically set the Security Level to FOLIO Security Group?
    • Confirmed how to get this done - need to coordinate changes to permissions scheme and security scheme for the Security project with JIRA admin (some dependencies with other settings/projects).
    • Expect to complete week of July 27 (MDG OOO next week).
  • Some issues appear to show Security Level but others don't. Investigate. Could be issue type (Epic vs Story vs Task vs Bug).
    • Still investigating. It won't show unless it's set. The field has to be configured to appear on the screen that the project uses (not so for UXPROD)
    • Able to set for task, bug and epic.
  • Clarify and/or propose how we set a security level that allows only those who might need to know (i.e. the specific developers who might work on issues).
    • Need to define who is part of the list. Currently an "external core contributors" group that has 178 members. The current Security Role of "Core FOLIO Team" points to this group.
    • Use the "Core FOLIO Team"
    • May not ever need a more restrictive group.
  • NEW ITEM: Figure out a tagging/other system to note which items this team discussed

Review open security issues | Team

Review current list of security items - All items are being addressed.
Action: For next meeting, review the GitHub Security Notifications ("Your Dependabot alerts for the week of ...") and validate they've been addressed and/or JIRAs are created. We discussed reviewing the activity in GitHub - looked at the RAML-MODULE-BUILDER and FOLIO-GRAPHIQL repos. A few notes:

  • Don't need JIRAs to document handling these security notifications when the "fix" was quickly handled (example: https://github.com/folio-org/folio-graphiql/pull/6).
  • Sec Team can create JIRAs if it appears there hasn't been activity on these repos to address the notification.
  • Also discussed the potential need to archive repos that aren't being actively used and/or maintained. Need to poke Tech Council on documenting policies around repos.