[Koha-devel] Why we do not push the ACCTDETAILS email via message queue?

Chris Cormack chrisc at catalyst.net.nz
Wed Jun 20 02:12:10 CEST 2018


We could make a list of them. It could be the "libraries who don't care about their users privacy" list.

I'm only mostly joking

Chris 

On June 20, 2018 12:06:52 PM GMT+12:00, David Cook <dcook at prosentient.com.au> wrote:
>I think that would probably be the best way of going about it, but I’m
>sure there are a lot of libraries that wouldn’t be happy about it. 
>
>David Cook
>Systems Librarian
>Prosentient Systems
>72/330 Wattle St
>Ultimo, NSW 2007
>Australia
>
>Office: 02 9212 0899
>Direct: 02 8005 0595
>
>From: koha-devel-bounces at lists.koha-community.org [mailto:koha-devel-bounces at lists.koha-community.org] On Behalf Of Liz Rea
>Sent: Tuesday, 19 June 2018 12:26 PM
>To: koha-devel at lists.koha-community.org
>Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?
>
>I feel like instead of sending people a password, we should send them
>to the "forgot password reset page" with a couple of slight changes for
>new account holders, so they can set their own passwords.
>
>Seems better than sending the password in the clear in an email.
>
>Cheers,
>Liz
>
> 
>
>On 19/06/18 12:21, David Cook wrote:
>
>Cheers, Jonathan. I had totally forgotten about that. Yikes.
>
>Good call, Chris. While I think many mail servers these days use TLS to
>secure the email between the mail servers, an unscrupulous
>administrator could still certainly take advantage of people on either
>end. The best idea probably is to just not use AutoEmailOpacUser, as
>Jonathan seems to suggest. 
> 
>From: Jonathan Druart [mailto:jonathan.druart at bugs.koha-community.org]
>Sent: Tuesday, 19 June 2018 12:07 AM
>To: Christopher Nighswonger <chris.nighswonger at gmail.com>
>Cc: David Cook <dcook at prosentient.com.au>; Koha Devel <koha-devel at lists.koha-community.org>
>Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?
>
>It has been reported (by David) on our bug tracker already (20796,
>security area, which no longer makes sense as it is public now...)
>
>For information this notice contains the password in clear for... 10
>years now (bug 2149) and the behavior is turned off by default
>(AutoEmailOpacUser).
>
>On Mon, 18 Jun 2018 at 10:11 Christopher Nighswonger <chris.nighswonger at gmail.com> wrote:
>
>Considering that email is plaintext (AKA "postcard") mail, I'm
>surprised we would send a user's password in an email in any case.
>
>On Mon, Jun 18, 2018 at 4:14 AM, David Cook <dcook at prosentient.com.au> wrote:
>
>Considering that the borrower’s password is typically in the
>ACCTDETAILS email, I think using the message_queue for ACCTDETAILS
>would be a bad idea and would probably violate the GDPR in Europe.
>
>Just imagine looking through your database and seeing all those plain
>text passwords, especially for people who re-use the same password for
>everything. I think it would be a security and privacy nightmare.
> 
>From: koha-devel-bounces at lists.koha-community.org [mailto:koha-devel-bounces at lists.koha-community.org] On Behalf Of Sophie Meynieux
>Sent: Friday, 15 June 2018 9:33 PM
>To: koha-devel at lists.koha-community.org
>Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS email via message queue?
>
>Maybe because for this message you're expecting it to be sent immediately,
>while the message_queue table could be processed more occasionally?
> 
>Best regards
> 
>S. Meynieux
> 
>-- 
>--
>Liz Rea
>Catalyst.Net Limited
>Level 6, Catalyst House, 
>150 Willis Street, Wellington.
>P.O Box 11053, Manners Street, 
>Wellington 6142
>04 803 2265
> 
>GPG: B149 A443 6B01 7386 C2C7 F481 B6c2 A49D 3726 38B7

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
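
Added example, not part of the thread and not Koha code: the reset-link approach suggested in the quoted messages, applied to the concern about plaintext passwords sitting in message_queue. The set_password_tokens table, the simplified schema, the URL and the 48-hour lifetime are all assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL = 48 * 3600  # assumed validity window for the link, in seconds

def new_db():
    # Constructed, simplified tables; not Koha's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE message_queue (borrowernumber INT, letter_code TEXT, content TEXT)")
    db.execute("CREATE TABLE set_password_tokens (borrowernumber INT, token_hash TEXT, expires REAL)")
    return db

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def enqueue_welcome(db, borrowernumber, base_url, now=None):
    """Queue an ACCTDETAILS-style notice carrying a one-time link, not a password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Only the hash is kept for verification. The queued body still holds the
    # raw token, but it is random, single-use and expiring, unlike a password
    # the patron may reuse elsewhere.
    db.execute("INSERT INTO set_password_tokens VALUES (?, ?, ?)",
               (borrowernumber, _digest(token), now + TOKEN_TTL))
    body = f"Your account is ready. Set your password: {base_url}?token={token}"
    db.execute("INSERT INTO message_queue VALUES (?, 'ACCTDETAILS', ?)",
               (borrowernumber, body))
    return token

def redeem(db, token, now=None):
    """Return the borrowernumber for a valid token and consume it, else None."""
    now = time.time() if now is None else now
    row = db.execute("SELECT borrowernumber, expires FROM set_password_tokens "
                     "WHERE token_hash = ?", (_digest(token),)).fetchone()
    if row is None:
        return None
    # Delete on any lookup hit so an expired token cannot linger either.
    db.execute("DELETE FROM set_password_tokens WHERE token_hash = ?", (_digest(token),))
    return row[0] if row[1] >= now else None

def demo():
    db = new_db()
    token = enqueue_welcome(db, 42, "https://opac.example.org/set-password", now=0.0)
    return redeem(db, token, now=60.0), redeem(db, token, now=61.0)  # (42, None)
```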