<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-AU link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>I think that’s not a bad way of looking at it. If people do complain, we can say that the change away was because of a commitment to patron security and privacy. I would hope that people would find that difficult to argue against. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>If I recall correctly, I think DSpace does it this way. When you create a new user, I think it sends an email containing a URL with a token to the user, and then they set their own password from there. It works pretty well. Surely we could say “everybody else is doing it” as well. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>But I know that there are a lot of libraries using this feature, and it would be disruptive to their existing workflows for it to go away. But… that’s also progress for you. So long as people have notice that it’s going away before the upgrade, they’d have time to change their workflows and adapt to a safer way of doing things?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>David Cook<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Systems Librarian<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Prosentient Systems<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>72/330 Wattle St<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Ultimo, NSW 2007<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Australia<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Office: 02 9212 0899<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Direct: 02 8005 0595<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'> Chris Cormack [mailto:chrisc@catalyst.net.nz] <br><b>Sent:</b> Wednesday, 20 June 2018 10:12 AM<br><b>To:</b> koha-devel@lists.koha-community.org; David Cook <dcook@prosentient.com.au>; 'Liz Rea' <liz@catalyst.net.nz><br><b>Subject:</b> Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:windowtext'>We could make a list of them. It could be the "libraries who don't care about their users privacy" list.<br><br>I'm only mostly joking<br><br>Chris <o:p></o:p></span></p><div><p class=MsoNormal><span style='color:windowtext'>On June 20, 2018 12:06:52 PM GMT+12:00, David Cook <<a href="mailto:dcook@prosentient.com.au">dcook@prosentient.com.au</a>> wrote:<o:p></o:p></span></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>I think that would probably be the best way of going about it, but I’m sure there are a lot of libraries that wouldn’t be happy about it. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>David Cook<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Systems Librarian<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Prosentient Systems<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>72/330 Wattle St<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Ultimo, NSW 2007<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Australia<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Office: 02 9212 0899<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Direct: 02 8005 0595<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'> <a href="mailto:koha-devel-bounces@lists.koha-community.org">koha-devel-bounces@lists.koha-community.org</a> [<a href="mailto:koha-devel-bounces@lists.koha-community.org">mailto:koha-devel-bounces@lists.koha-community.org</a>] <b>On Behalf Of </b>Liz Rea<br><b>Sent:</b> Tuesday, 19 June 2018 12:26 PM<br><b>To:</b> <a href="mailto:koha-devel@lists.koha-community.org">koha-devel@lists.koha-community.org</a><br><b>Subject:</b> Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p>I feel like instead of sending people a password, we should send them to the "forgot password reset page" with a couple of slight changes for new account holders, so they can set their own passwords.<o:p></o:p></p><p>Seems better than sending the password in the clear in an email.<o:p></o:p></p><p>Cheers,<br>Liz<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On 19/06/18 12:21, David Cook wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Cheers, Jonathan. I had totally forgotten about that. Yikes.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Good call, Chris. While I think many mail servers these days use TLS to secure the email between the mail servers, an unscrupulous administrator could still certainly take advantage of people on either end. The best idea probably is to just not use AutoEmailOpacUser, as Jonathan seems to suggest. <o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>David Cook<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Systems Librarian<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Prosentient Systems<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>72/330 Wattle St<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Ultimo, NSW 2007<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Australia<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Office: 02 9212 0899<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Direct: 02 8005 0595<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>From: Jonathan Druart [<a href="mailto:jonathan.druart@bugs.koha-community.org">mailto:jonathan.druart@bugs.koha-community.org</a>] <o:p></o:p></pre><pre>Sent: Tuesday, 19 June 2018 12:07 AM<o:p></o:p></pre><pre>To: Christopher Nighswonger <a href="mailto:chris.nighswonger@gmail.com"><chris.nighswonger@gmail.com></a><o:p></o:p></pre><pre>Cc: David Cook <a href="mailto:dcook@prosentient.com.au"><dcook@prosentient.com.au></a>; Koha Devel <a href="mailto:koha-devel@lists.koha-community.org"><koha-devel@lists.koha-community.org></a><o:p></o:p></pre><pre>Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>It has been reported (by David) on our bug tracker already (20796, security area, which does no longer make sense at it is public now...)<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>For information this notice contains the password in clear for... 10 years now (bug 2149) and the behavior is turned off by default (AutoEmailOpacUser).<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>On Mon, 18 Jun 2018 at 10:11 Christopher Nighswonger <<a href="mailto:chris.nighswonger@gmail.com">chris.nighswonger@gmail.com</a> <a href="mailto:chris.nighswonger@gmail.com"><mailto:chris.nighswonger@gmail.com></a> > wrote:<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Considering that email is plaintext (AKA "postcard") mail, I'm surprised we would send a user's password in an email in any case.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>On Mon, Jun 18, 2018 at 4:14 AM, David Cook <<a href="mailto:dcook@prosentient.com.au">dcook@prosentient.com.au</a> <a href="mailto:dcook@prosentient.com.au"><mailto:dcook@prosentient.com.au></a> > wrote:<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Considering that the borrower’s password is typically in the ACCTDETAILS email, I think using the message_queue for ACCTDETAILS would be a bad idea and would probably violate the GDPR in Europe.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Just imagine looking through your database and seeing all those plain text passwords, especially for people who re-use the same password for everything. I think it would be a security and privacy nightmare.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>David Cook<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Systems Librarian<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Prosentient Systems<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>72/330 Wattle St<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Ultimo, NSW 2007<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Australia<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Office: 02 9212 0899 <<a href="tel:02%2092%2012%2008%2099">tel:02%2092%2012%2008%2099</a>> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Direct: 02 8005 0595 <<a href="tel:02%2080%2005%2005%2095">tel:02%2080%2005%2005%2095</a>> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>From: <a href="mailto:koha-devel-bounces@lists.koha-community.org">koha-devel-bounces@lists.koha-community.org</a> <a href="mailto:koha-devel-bounces@lists.koha-community.org"><mailto:koha-devel-bounces@lists.koha-community.org></a> [<a href="mailto:koha-devel-bounces@lists.koha-community.org">mailto:koha-devel-bounces@lists.koha-community.org</a> <a href="mailto:koha-devel-bounces@lists.koha-community.org"><mailto:koha-devel-bounces@lists.koha-community.org></a> ] On Behalf Of Sophie Meynieux<o:p></o:p></pre><pre>Sent: Friday, 15 June 2018 9:33 PM<o:p></o:p></pre><pre>To: <a href="mailto:koha-devel@lists.koha-community.org">koha-devel@lists.koha-community.org</a> <a href="mailto:koha-devel@lists.koha-community.org"><mailto:koha-devel@lists.koha-community.org></a> <o:p></o:p></pre><pre>Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Maybe because for this message you're expecting it is sent immediately while message_queue table could be processed more occasionally ? <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Best regards<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>S. Meynieux<o:p></o:p></pre><pre><o:p> </o:p></pre><p class=MsoNormal style='margin-bottom:12.0pt'><br><br><o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Koha-devel mailing list<o:p></o:p></pre><pre><a href="mailto:Koha-devel@lists.koha-community.org">Koha-devel@lists.koha-community.org</a><o:p></o:p></pre><pre><a href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a><o:p></o:p></pre><pre>website : <a href="http://www.koha-community.org/">http://www.koha-community.org/</a><o:p></o:p></pre><pre>git : <a href="http://git.koha-community.org/">http://git.koha-community.org/</a><o:p></o:p></pre><pre>bugs : <a href="http://bugs.koha-community.org/">http://bugs.koha-community.org/</a><o:p></o:p></pre></blockquote><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><pre>-- <o:p></o:p></pre><pre>--<o:p></o:p></pre><pre>Liz Rea<o:p></o:p></pre><pre>Catalyst.Net Limited<o:p></o:p></pre><pre>Level 6, Catalyst House, <o:p></o:p></pre><pre>150 Willis Street, Wellington.<o:p></o:p></pre><pre>P.O Box 11053, Manners Street, <o:p></o:p></pre><pre>Wellington 6142<o:p></o:p></pre><pre>04 803 2265<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>GPG: B149 A443 6B01 7386 C2C7 F481 B6c2 A49D 3726 38B7<o:p></o:p></pre></blockquote></div><p class=MsoNormal><span style='color:windowtext'><br>-- <br>Sent from my Android device with K-9 Mail. Please excuse my brevity.<o:p></o:p></span></p></div></body></html>