Yeah, I keep thinking that people won’t do something more secure if it’s less convenient for them. I suppose that’s their choice in the end though… and we can provide better options for those that do care more.
David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St
Ultimo, NSW 2007
Australia
Office: 02 9212 0899
Direct: 02 8005 0595

From: koha-devel-boun...@lists.koha-community.org [mailto:koha-devel-boun...@lists.koha-community.org] On Behalf Of Tomas Cohen Arazi
Sent: Wednesday, 20 June 2018 11:02 AM
To: koha-devel <koha-devel@lists.koha-community.org>
Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?

The way we do this is having a syspref to choose between both ways, and a big sign ok to of the release notes asking users to switch.

On Tue, 19 Jun 2018, 9:25 p.m., Liz Rea <l...@catalyst.net.nz> wrote:

The easy answer is: leave it alone for existing installs, default it on for new ones.

On 20/06/18 12:19, David Cook wrote:

> I think that's not a bad way of looking at it. If people do complain, we can say that the change away was because of a commitment to patron security and privacy. I would hope that people would find that difficult to argue against.
>
> If I recall correctly, I think DSpace does it this way. When you create a new user, I think it sends an email containing a URL with a token to the user, and then they set their own password from there. It works pretty well. Surely we could say "everybody else is doing it" as well.
>
> But I know that there are a lot of libraries using this feature, and it would be disruptive to their existing workflows for it to go away. But… that's also progress for you. So long as people have notice that it's going away before the upgrade, they'd have time to change their workflows and adapt to a safer way of doing things?
>
> From: Chris Cormack [mailto:chr...@catalyst.net.nz]
> Sent: Wednesday, 20 June 2018 10:12 AM
> To: koha-devel@lists.koha-community.org; David Cook <dc...@prosentient.com.au>; 'Liz Rea' <l...@catalyst.net.nz>
> Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?
>
> We could make a list of them. It could be the "libraries who don't care about their users' privacy" list.
>
> I'm only mostly joking
>
> Chris
>
> On June 20, 2018 12:06:52 PM GMT+12:00, David Cook <dc...@prosentient.com.au> wrote:
>
> I think that would probably be the best way of going about it, but I'm sure there are a lot of libraries that wouldn't be happy about it.
>
> From: koha-devel-boun...@lists.koha-community.org [mailto:koha-devel-boun...@lists.koha-community.org] On Behalf Of Liz Rea
> Sent: Tuesday, 19 June 2018 12:26 PM
> To: koha-devel@lists.koha-community.org
> Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?
>
> I feel like instead of sending people a password, we should send them to the "forgot password reset page" with a couple of slight changes for new account holders, so they can set their own passwords.
>
> Seems better than sending the password in the clear in an email.
>
> Cheers,
> Liz
>
> On 19/06/18 12:21, David Cook wrote:
>
> Cheers, Jonathan. I had totally forgotten about that. Yikes.
>
> Good call, Chris. While I think many mail servers these days use TLS to secure the email between the mail servers, an unscrupulous administrator could still certainly take advantage of people on either end. The best idea probably is to just not use AutoEmailOpacUser, as Jonathan seems to suggest.
>
> From: Jonathan Druart [mailto:jonathan.dru...@bugs.koha-community.org]
> Sent: Tuesday, 19 June 2018 12:07 AM
> To: Christopher Nighswonger <chris.nighswon...@gmail.com>
> Cc: David Cook <dc...@prosentient.com.au>; Koha Devel <koha-devel@lists.koha-community.org>
> Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?
>
> It has been reported (by David) on our bug tracker already (20796, security area, which no longer makes sense as it is public now...)
>
> For information, this notice has contained the password in clear for... 10 years now (bug 2149) and the behavior is turned off by default (AutoEmailOpacUser).
>
> On Mon, 18 Jun 2018 at 10:11 Christopher Nighswonger <chris.nighswon...@gmail.com> wrote:
>
> Considering that email is plaintext (AKA "postcard") mail, I'm surprised we would send a user's password in an email in any case.
>
> On Mon, Jun 18, 2018 at 4:14 AM, David Cook <dc...@prosentient.com.au> wrote:
>
> Considering that the borrower's password is typically in the ACCTDETAILS email, I think using the message_queue for ACCTDETAILS would be a bad idea and would probably violate the GDPR in Europe.
>
> Just imagine looking through your database and seeing all those plain text passwords, especially for people who re-use the same password for everything. I think it would be a security and privacy nightmare.
>
> From: koha-devel-boun...@lists.koha-community.org [mailto:koha-devel-boun...@lists.koha-community.org] On Behalf Of Sophie Meynieux
> Sent: Friday, 15 June 2018 9:33 PM
> To: koha-devel@lists.koha-community.org
> Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?
>
> Maybe because for this message you're expecting it is sent immediately, while the message_queue table could be processed more occasionally?
>
> Best regards
> S. Meynieux
>
> --
> Liz Rea
> Catalyst.Net Limited
> Level 6, Catalyst House,
> 150 Willis Street, Wellington.
> P.O Box 11053, Manners Street,
> Wellington 6142
> 04 803 2265
> GPG: B149 A443 6B01 7386 C2C7 F481 B6c2 A49D 3726 38B7
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

--
Tomás Cohen Arazi
Theke Solutions (https://theke.io)
✆ +54 9351 3513384
GPG: B2F3C15F
_______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
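The flow Liz Rea and David Cook describe above (mail the new patron a tokenised link and let them choose their own password, instead of mailing the password itself) sketched as an added Python example. This is not Koha's code and nothing from the thread; the in-memory patron record, the `/set-password?token=` URL path, the two-hour link lifetime and the PBKDF2 parameters are assumptions of the example. The point it makes for the original question is that, because only a hash of the token is kept, neither the database nor a queued copy of the notice in message_queue holds a usable secret: the link expires, works once, and the password never leaves the patron's browser.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 2 * 60 * 60   # assumption of the example: links die after two hours
PBKDF2_ROUNDS = 600_000           # assumption of the example: PBKDF2-HMAC-SHA256 work factor


@dataclass
class PendingActivation:
    token_hash: bytes      # SHA-256 of the token; the token itself is never stored
    expires_at: float      # unix time after which the link is refused
    used: bool = False     # single-use flag; a replayed link is refused


@dataclass
class Patron:
    borrowernumber: int
    email: str
    salt: Optional[bytes] = None
    password_hash: Optional[bytes] = None
    activation: Optional[PendingActivation] = None


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def issue_activation_link(patron: Patron, base_url: str, now: Optional[float] = None) -> str:
    """Create a fresh random token, store only its hash and expiry, return the link to mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits of CSPRNG output, URL-safe alphabet
    patron.activation = PendingActivation(_hash_token(token), now + TOKEN_TTL_SECONDS)
    return f"{base_url}/set-password?token={token}"   # hypothetical path, not a Koha URL


def build_acctdetails_message(patron: Patron, link: str) -> str:
    """The notice body: carries the link, never a password, so it is safe to queue or log."""
    return (f"To: {patron.email}\nSubject: Your library account\n\n"
            f"Please choose a password for your account here: {link}\n")


def redeem_activation_token(patron: Patron, token: str, new_password: str,
                            now: Optional[float] = None) -> bool:
    """Accept the link once, before expiry, then store a salted PBKDF2 hash of the chosen password."""
    now = time.time() if now is None else now
    pending = patron.activation
    if pending is None or pending.used or now > pending.expires_at:
        return False
    # Constant-time compare of digests: a database read only ever yields the hash.
    if not hmac.compare_digest(pending.token_hash, _hash_token(token)):
        return False
    pending.used = True
    patron.salt = os.urandom(16)
    patron.password_hash = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), patron.salt, PBKDF2_ROUNDS)
    return True


def verify_password(patron: Patron, password: str) -> bool:
    """Login check against the stored hash; plaintext passwords exist nowhere in the record."""
    if patron.password_hash is None or patron.salt is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), patron.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, patron.password_hash)


def demo() -> dict:
    """Constructed walk-through with a fixed clock: issue, redeem, replay, expire, log in."""
    patron = Patron(borrowernumber=1, email="patron@example.org")   # constructed sample record
    t0 = 1_529_000_000.0                                             # constructed fixed clock
    link = issue_activation_link(patron, "https://opac.example.org", now=t0)
    token = link.rsplit("token=", 1)[1]
    mail = build_acctdetails_message(patron, link)
    first = redeem_activation_token(patron, token, "correct horse battery staple", now=t0 + 60)
    replay = redeem_activation_token(patron, token, "attacker-chosen", now=t0 + 120)
    # A second patron whose link is only presented after the lifetime has elapsed.
    late = Patron(borrowernumber=2, email="late@example.org")
    late_token = issue_activation_link(late, "https://opac.example.org", now=t0).rsplit("token=", 1)[1]
    expired = redeem_activation_token(late, late_token, "whatever", now=t0 + TOKEN_TTL_SECONDS + 1)
    return {
        "mail_mentions_password": "correct horse" in mail,
        "first_redeem": first,
        "replay_redeem": replay,
        "expired_redeem": expired,
        "login_ok": verify_password(patron, "correct horse battery staple"),
        "login_wrong": verify_password(patron, "attacker-chosen"),
    }


if __name__ == "__main__":
    print(demo())
```

Whether the notice is sent immediately or through message_queue then becomes a delivery question only, which is Sophie's original point; the privacy objection to queueing goes away once the queued row contains nothing worth reading.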