[Koha-devel] Why we do not push the ACCTDETAILS email via message queue?

Tomas Cohen Arazi tomascohen at gmail.com
Wed Jun 20 03:01:36 CEST 2018


The way we do this is having a syspref to choose between both ways, and a
big sign on top of the release notes asking users to switch.

On Tue., 19 Jun. 2018, 9:25 p.m., Liz Rea <liz at catalyst.net.nz>
wrote:

> The easy answer is : leave it alone for existing installs, default it on
> for new ones.
>
> On 20/06/18 12:19, David Cook wrote:
> >
> > I think that’s not a bad way of looking at it. If people do complain,
> > we can say that the change away was because of a commitment to patron
> > security and privacy. I would hope that people would find that
> > difficult to argue against.
> >
> > If I recall correctly, I think DSpace does it this way. When you
> > create a new user, I think it sends an email containing a URL with a
> > token to the user, and then they set their own password from there. It
> > works pretty well. Surely we could say “everybody else is doing it” as
> > well.
> >
> > But I know that there are a lot of libraries using this feature, and
> > it would be disruptive to their existing workflows for it to go away.
> > But… that’s also progress for you. So long as people have notice that
> > it’s going away before the upgrade, they’d have time to change their
> > workflows and adapt to a safer way of doing things?
> >
> > David Cook
> > Systems Librarian
> > Prosentient Systems
> > 72/330 Wattle St
> > Ultimo, NSW 2007
> > Australia
> > Office: 02 9212 0899
> > Direct: 02 8005 0595
> >
> > *From:* Chris Cormack [mailto:chrisc at catalyst.net.nz]
> > *Sent:* Wednesday, 20 June 2018 10:12 AM
> > *To:* koha-devel at lists.koha-community.org; David Cook
> > <dcook at prosentient.com.au>; 'Liz Rea' <liz at catalyst.net.nz>
> > *Subject:* Re: [Koha-devel] Why we do not push the ACCTDETAILS email
> > via message queue?
> >
> > We could make a list of them. It could be the "libraries who don't
> > care about their users' privacy" list.
> >
> > I'm only mostly joking
> >
> > Chris
> >
> > On June 20, 2018 12:06:52 PM GMT+12:00, David Cook
> > <dcook at prosentient.com.au <mailto:dcook at prosentient.com.au>> wrote:
> >
> >     I think that would probably be the best way of going about it, but
> >     I’m sure there are a lot of libraries that wouldn’t be happy about
> >     it.
> >
> >     David Cook
> >     Systems Librarian
> >     Prosentient Systems
> >     72/330 Wattle St
> >     Ultimo, NSW 2007
> >     Australia
> >     Office: 02 9212 0899
> >     Direct: 02 8005 0595
> >
> >     *From:* koha-devel-bounces at lists.koha-community.org
> >     [mailto:koha-devel-bounces at lists.koha-community.org] *On Behalf Of*
> >     Liz Rea
> >     *Sent:* Tuesday, 19 June 2018 12:26 PM
> >     *To:* koha-devel at lists.koha-community.org
> >     *Subject:* Re: [Koha-devel] Why we do not push the ACCTDETAILS
> >     email via message queue?
> >
> >     I feel like instead of sending people a password, we should send
> >     them to the "forgot password reset page" with a couple of slight
> >     changes for new account holders, so they can set their own passwords.
> >
> >     Seems better than sending the password in the clear in an email.
> >
> >     Cheers,
> >     Liz
> >
> >     On 19/06/18 12:21, David Cook wrote:
> >
> >         Cheers, Jonathan. I had totally forgotten about that. Yikes.
> >
> >         Good call, Chris. While I think many mail servers these days use
> >         TLS to secure the email between the mail servers, an unscrupulous
> >         administrator could still certainly take advantage of people on
> >         either end. The best idea probably is to just not use
> >         AutoEmailOpacUser, as Jonathan seems to suggest.
> >
> >         David Cook
> >         Systems Librarian
> >         Prosentient Systems
> >         72/330 Wattle St
> >         Ultimo, NSW 2007
> >         Australia
> >         Office: 02 9212 0899
> >         Direct: 02 8005 0595
> >
> >         From: Jonathan Druart [mailto:jonathan.druart at bugs.koha-community.org]
> >         Sent: Tuesday, 19 June 2018 12:07 AM
> >         To: Christopher Nighswonger <chris.nighswonger at gmail.com>
> >         Cc: David Cook <dcook at prosentient.com.au>; Koha Devel
> >         <koha-devel at lists.koha-community.org>
> >         Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS
> >         email via message queue?
> >
> >         It has been reported (by David) on our bug tracker already
> >         (20796, security area, which no longer makes sense as it is
> >         public now...)
> >
> >         For information, this notice has contained the password in clear
> >         for... 10 years now (bug 2149), and the behavior is turned off by
> >         default (AutoEmailOpacUser).
> >
> >         On Mon, 18 Jun 2018 at 10:11 Christopher Nighswonger
> >         <chris.nighswonger at gmail.com> wrote:
> >
> >         Considering that email is plaintext (AKA "postcard") mail, I'm
> >         surprised we would send a user's password in an email in any case.
> >
> >         On Mon, Jun 18, 2018 at 4:14 AM, David Cook
> >         <dcook at prosentient.com.au> wrote:
> >
> >         Considering that the borrower’s password is typically in the
> >         ACCTDETAILS email, I think using the message_queue for ACCTDETAILS
> >         would be a bad idea and would probably violate the GDPR in Europe.
> >
> >         Just imagine looking through your database and seeing all those
> >         plain text passwords, especially for people who re-use the same
> >         password for everything. I think it would be a security and
> >         privacy nightmare.
> >
> >         David Cook
> >         Systems Librarian
> >         Prosentient Systems
> >         72/330 Wattle St
> >         Ultimo, NSW 2007
> >         Australia
> >         Office: 02 9212 0899
> >         Direct: 02 8005 0595
> >
> >         From: koha-devel-bounces at lists.koha-community.org
> >         [mailto:koha-devel-bounces at lists.koha-community.org] On Behalf Of
> >         Sophie Meynieux
> >         Sent: Friday, 15 June 2018 9:33 PM
> >         To: koha-devel at lists.koha-community.org
> >         Subject: Re: [Koha-devel] Why we do not push the ACCTDETAILS
> >         email via message queue?
> >
> >         Maybe because for this message you expect it to be sent
> >         immediately, while the message_queue table could be processed
> >         only occasionally?
> >
> >         Best regards
> >
> >         S. Meynieux
> >
> >
> >
> >     --
> >     Liz Rea
> >     Catalyst.Net Limited
> >     Level 6, Catalyst House,
> >     150 Willis Street, Wellington.
> >     P.O Box 11053, Manners Street,
> >     Wellington 6142
> >     04 803 2265
> >     GPG: B149 A443 6B01 7386 C2C7 F481 B6c2 A49D 3726 38B7
> >
> >
> > --
> > Sent from my Android device with K-9 Mail. Please excuse my brevity.
> >
>
> _______________________________________________
> Koha-devel mailing list
> Koha-devel at lists.koha-community.org
> http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> website : http://www.koha-community.org/
> git : http://git.koha-community.org/
> bugs : http://bugs.koha-community.org/

-- 
Tomás Cohen Arazi
Theke Solutions (https://theke.io)
✆ +54 9351 3513384
GPG: B2F3C15F
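The alternative the thread converges on (a notice carrying a one-time set-password link instead of the password, so that neither the email nor the message_queue table ever holds a credential), as an added example in Python that is not Koha's own code; the in-memory tables, the `/set-password` route and the 24-hour lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of the set-password link

# Constructed in-memory stand-ins for the token store and the message_queue
# table; a real deployment would use its database.
activation_tokens = {}  # borrowernumber -> (sha256 hex of token, expiry time)
message_queue = []      # rows of (borrowernumber, email, subject, body)


def queue_account_details(borrowernumber, email, base_url, now=None):
    """Queue an ACCTDETAILS-style notice carrying a one-time set-password
    link. The clear token goes only into the notice; the store keeps its hash,
    so a dump of the tables never yields a usable credential."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    activation_tokens[borrowernumber] = (digest, now + TOKEN_TTL_SECONDS)
    body = ("Welcome. Please choose your password within 24 hours at "
            f"{base_url}/set-password?token={token}")  # assumed OPAC route
    message_queue.append((borrowernumber, email, "Your library account", body))
    return token


def redeem_activation_token(borrowernumber, presented, now=None):
    """Accept a token exactly once while it is unexpired.

    A wrong guess leaves the stored token alone, so a third party cannot lock
    a patron out by spraying bad values; an expired token is discarded."""
    now = time.time() if now is None else now
    record = activation_tokens.get(borrowernumber)
    if record is None:
        return False
    digest, expires = record
    presented_digest = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(digest, presented_digest):  # constant time
        return False
    del activation_tokens[borrowernumber]  # single use, expired or not
    return now <= expires


def queued_bodies_contain(text):
    """True if any queued notice body contains `text` (used to check what
    does and does not end up in message_queue)."""
    return any(text in row[3] for row in message_queue)
```

The clear token still sits in the queued notice until delivery, which is why it is single-use, short-lived and kept server-side only as a hash; a password in that column would have none of those properties.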