I think that’s not a bad way of looking at it. If people do complain,
we can say that the change away was because of a commitment to patron
security and privacy. I would hope that people would find that
difficult to argue against.
If I recall correctly, I think DSpace does it this way. When you
create a new user, I think it sends an email containing a URL with a
token to the user, and then they set their own password from there. It
works pretty well. Surely we could say “everybody else is doing it” as
well.
But I know that there are a lot of libraries using this feature, and
it would be disruptive to their existing workflows for it to go away.
But… that’s also progress for you. So long as people have notice that
it’s going away before the upgrade, they’d have time to change their
workflows and adapt to a safer way of doing things?
David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St
Ultimo, NSW 2007
Australia
Office: 02 9212 0899
Direct: 02 8005 0595
*From:*Chris Cormack [mailto:chr...@catalyst.net.nz]
*Sent:* Wednesday, 20 June 2018 10:12 AM
*To:* koha-devel@lists.koha-community.org; David Cook
<dc...@prosentient.com.au>; 'Liz Rea' <l...@catalyst.net.nz>
*Subject:* Re: [Koha-devel] Why we do not push the ACCTDETAILS email
via message queue?
We could make a list of them. It could be the "libraries who don't
care about their users privacy" list.
I'm only mostly joking
Chris
On June 20, 2018 12:06:52 PM GMT+12:00, David Cook
<dc...@prosentient.com.au <mailto:dc...@prosentient.com.au>> wrote:
I think that would probably be the best way of going about it, but
I’m sure there are a lot of libraries that wouldn’t be happy about
it.
David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St
Ultimo, NSW 2007
Australia
Office: 02 9212 0899
Direct: 02 8005 0595
*From:*koha-devel-boun...@lists.koha-community.org
<mailto:koha-devel-boun...@lists.koha-community.org>
[mailto:koha-devel-boun...@lists.koha-community.org] *On Behalf Of
*Liz Rea
*Sent:* Tuesday, 19 June 2018 12:26 PM
*To:* koha-devel@lists.koha-community.org
<mailto:koha-devel@lists.koha-community.org>
*Subject:* Re: [Koha-devel] Why we do not push the ACCTDETAILS
email via message queue?
I feel like instead of sending people a password, we should send
them to the "forgot password reset page" with a couple of slight
changes for new account holders, so they can set their own passwords.
Seems better than sending the password in the clear in an email.
Cheers,
Liz
On 19/06/18 12:21, David Cook wrote:
Cheers, Jonathan. I had totally forgotten about that. Yikes.
Good call, Chris. While I think many mail servers these days use TLS to
secure the email between the mail servers, an unscrupulous administrator could
still certainly take advantage of people on either end. The best idea probably
is to just not use AutoEmailOpacUser, as Jonathan seems to suggest.
David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St
Ultimo, NSW 2007
Australia
Office: 02 9212 0899
Direct: 02 8005 0595
From: Jonathan Druart [mailto:jonathan.dru...@bugs.koha-community.org]
Sent: Tuesday, 19 June 2018 12:07 AM
To: Christopher Nighswonger<chris.nighswon...@gmail.com>
<mailto:chris.nighswon...@gmail.com>
Cc: David Cook<dc...@prosentient.com.au> <mailto:dc...@prosentient.com.au>;
Koha Devel<koha-devel@lists.koha-community.org>
<mailto:koha-devel@lists.koha-community.org>
Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via
message queue?
It has been reported (by David) on our bug tracker already (20796,
security area, which does no longer make sense at it is public now...)
For information this notice contains the password in clear for... 10
years now (bug 2149) and the behavior is turned off by default
(AutoEmailOpacUser).
On Mon, 18 Jun 2018 at 10:11 Christopher Nighswonger <chris.nighswon...@gmail.com
<mailto:chris.nighswon...@gmail.com> <mailto:chris.nighswon...@gmail.com>
<mailto:chris.nighswon...@gmail.com> > wrote:
Considering that email is plaintext (AKA "postcard") mail, I'm
surprised we would send a user's password in an email in any case.
On Mon, Jun 18, 2018 at 4:14 AM, David Cook <dc...@prosentient.com.au
<mailto:dc...@prosentient.com.au> <mailto:dc...@prosentient.com.au>
<mailto:dc...@prosentient.com.au> > wrote:
Considering that the borrower’s password is typically in the
ACCTDETAILS email, I think using the message_queue for ACCTDETAILS would be a
bad idea and would probably violate the GDPR in Europe.
Just imagine looking through your database and seeing all those plain
text passwords, especially for people who re-use the same password for
everything. I think it would be a security and privacy nightmare.
David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St
Ultimo, NSW 2007
Australia
Office: 02 9212 0899 <tel:02%2092%2012%2008%2099>
Direct: 02 8005 0595 <tel:02%2080%2005%2005%2095>
From:koha-devel-boun...@lists.koha-community.org
<mailto:koha-devel-boun...@lists.koha-community.org>
<mailto:koha-devel-boun...@lists.koha-community.org>
<mailto:koha-devel-boun...@lists.koha-community.org>
[mailto:koha-devel-boun...@lists.koha-community.org
<mailto:koha-devel-boun...@lists.koha-community.org>
<mailto:koha-devel-boun...@lists.koha-community.org> ] On Behalf Of
Sophie Meynieux
Sent: Friday, 15 June 2018 9:33 PM
To:koha-devel@lists.koha-community.org
<mailto:koha-devel@lists.koha-community.org>
<mailto:koha-devel@lists.koha-community.org>
<mailto:koha-devel@lists.koha-community.org>
Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via
message queue?
Maybe because for this message you're expecting it is sent immediately
while message_queue table could be processed more occasionally ?
Best regards
S. Meynieux
_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
<mailto:Koha-devel@lists.koha-community.org>
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website :http://www.koha-community.org/
git :http://git.koha-community.org/
bugs :http://bugs.koha-community.org/
--
--
Liz Rea
Catalyst.Net Limited
Level 6, Catalyst House,
150 Willis Street, Wellington.
P.O Box 11053, Manners Street,
Wellington 6142
04 803 2265
GPG: B149 A443 6B01 7386 C2C7 F481 B6c2 A49D 3726 38B7
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
