Posted to dev@openmeetings.apache.org by "seba.wagner@gmail.com" <se...@gmail.com> on 2016/08/12 23:01:15 UTC

Re: [RESULT] [VOTE] Apache OpenMeetings 3.1.2 RC4

Hi Maxim,

my only concern is whether importing an old backup into v3.1.2 works as
expected, so that you do not end up in a situation where you do an import
and afterwards the login does not work because the password is encrypted
with the old crypt class.

I think we have to be careful with that, especially as we are releasing
security features which include recommendations to update. It would be
embarrassing to recommend an update and then discover that the update path
is broken.

I might be able to do a quick installation and verification.

I created a blog post for this release, please review:
https://blogs.apache.org/openmeetings/entry/openmeetings_3_1_2_released

I already published it as it's pretty much the same content as your email.
But please have a quick look.

Great work btw for getting the signing of the Webstart App finally out. I
can remember discussing this for like 1 year.

I think we can also move this discussion to @dev, nothing secret here
anymore. The security patch is out now.

Thanks,
Seb

2016-08-12 17:08 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:

> Actually right now the crypt class from the backup will be taken (no changes
> for users)
>
> We can force change in any version
> I would propose 3.2.0 for this
>
> WBR, Maxim
> (from mobile, sorry for the typos)
>
> On Aug 12, 2016 12:02, "seba.wagner@gmail.com" <se...@gmail.com>
> wrote:
>
> Hi Maxim,
>
> this will be required for anybody that upgrades from an older version to
> OpenMeetings v3.1.2 right? So we kind of missed the chance to do that.
>
> Can we not just automatically change it to the old encryption class for
> users that install via a backup?
>
> I think (1) is not an option anyway as it would need to have all passwords
> in plain text to encrypt them, which we neither have nor want to have from a
> security point of view.
>
> (2) is what you would usually do.
>
> However still, the migration path is kind of like a major thing. We don't
> want to lose all of our old user base because they have this upgrade issue.
>
> Thanks,
> Sebastian
>
>
> 2016-08-12 16:07 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:
>
>> Hmmm,
>>
>> I see a couple of options here
>>
>> 1) Brute-force old user passwords and re-encrypt (unrealistic)
>> 2) Add sort of configurable "admin message" to Sign in dialog, something
>> like: "All users unable to login need to reset their passwords, because the
>> security of the system was enhanced"
>>
>> WDYT?
>>
>> On Fri, Aug 12, 2016 at 11:03 AM, seba.wagner@gmail.com <
>> seba.wagner@gmail.com> wrote:
>>
>>> "remove MD5*.class from bundle and correct class will be set
>>> automatically"
>>>
>>> Well my point is that in the old backup all passwords are encrypted with
>>> MD5. So once you imported that none of the logins will work anymore.
>>>
>>> Asking every user to type in a new password is quite some usability
>>> issue. And we also have no way of prompting users to switch the password
>>> once it's invalid other than going through the entire reset password cycle.
>>>
>>> So how will those be able to migrate?
>>>
>>> Thanks,
>>> Sebastian
>>>
>>>
>>> 2016-08-12 15:52 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:
>>>
>>>> Actually there are a couple of ways:
>>>>
>>>> 1) unzip backup, edit xml, zip it back
>>>> 2) remove MD5*.class from bundle and correct class will be set
>>>> automatically
>>>>
>>>> I believe I'll choose #2 for 3.2.0 :)
>>>>
>>>> On Fri, Aug 12, 2016 at 10:50 AM, seba.wagner@gmail.com <
>>>> seba.wagner@gmail.com> wrote:
>>>>
>>>>> So you need to adjust the config key after you did import the backup.
>>>>>
>>>>> Is there any way the backup mechanism can do that automatically? I
>>>>> think it's a Spring config bean, right?
>>>>>
>>>>> Thanks,
>>>>> Sebastian
>>>>>
>>>>> 2016-08-12 15:46 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:
>>>>>
>>>>>> demo is updated: https://om.alteametasoft.com/openmeetings
>>>>>>
>>>>>> yep, this is the complete list :)
>>>>>>
>>>>>> new password encryption will work, BUT the crypt class needs to be
>>>>>> manually changed
>>>>>> I plan to force it in 3.2.0
>>>>>>
>>>>>>
>>>>>> On Fri, Aug 12, 2016 at 10:43 AM, seba.wagner@gmail.com <
>>>>>> seba.wagner@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Maxim,
>>>>>>>
>>>>>>> let me know when you are ready to publish it.
>>>>>>>
>>>>>>> I would like to create a short blog post with the update.
>>>>>>>
>>>>>>> Does this represent a complete list of all Jira tickets involved in
>>>>>>> this release:
>>>>>>>
>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12335347
>>>>>>>
>>>>>>> One question regarding the new password encryption. Will that work
>>>>>>> for users that migrate from old versions to new OpenMeetings?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Sebastian
>>>>>>>
>>>>>>> 2016-08-12 13:44 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:
>>>>>>>
>>>>>>>> I'm closing the vote
>>>>>>>> The VOTE has passed
>>>>>>>>
>>>>>>>> we have 4 +1 from PMC: solomax, albus, vdegtyarev, sebawagner
>>>>>>>>
>>>>>>>> --
>>>>>>>> WBR
>>>>>>>> Maxim aka solomax
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Sebastian Wagner
>>>>>>> https://twitter.com/#!/dead_lock
>>>>>>> seba.wagner@gmail.com


-- 
Sebastian Wagner
https://twitter.com/#!/dead_lock
seba.wagner@gmail.com
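The migration problem discussed in this thread (imported backups carrying MD5 hashes, no plaintext available to re-hash them offline, and the crypt class having to be changed by hand after import) has a standard defensive answer: verify each login against whatever scheme the stored record names and, the moment a legacy hash matches, re-hash the password the user just presented with the new scheme. The Python below is an added illustration and not OpenMeetings code (the project is Java and configures its crypt class differently); the record format, the PBKDF2 parameters and every function name are assumptions made for the example.

```python
"""
Constructed illustration: transparent password-hash upgrade on login.

A record imported from an old backup still carries an unsalted MD5 hash
(the "old crypt class" from the thread).  Rather than invalidating every
login or mass-resetting passwords, the verifier below accepts whichever
scheme the stored record names, and as soon as a legacy hash verifies it
re-hashes the password that the user just typed with the new scheme.
Every name here is hypothetical; none of it is OpenMeetings code.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# PBKDF2-HMAC-SHA256 with a 16-byte random salt.  Stored records carry the
# scheme and its parameters, so verification never depends on a single
# global "crypt class" setting that has to be edited after an import.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass
class UserRecord:
    login: str
    # "md5$<hex>"                       -- legacy record from the backup
    # "pbkdf2$<iters>$<salt hex>$<hex>" -- upgraded record
    password_hash: str


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison of two encoded records."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def legacy_md5(password: str) -> str:
    """Unsalted MD5 as found in the old backup.  Used only to verify records
    that already exist; nothing new is ever written in this form."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256; fresh random salt unless one is supplied for verification."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against a stored record of either scheme.
    Unknown or malformed records fail closed."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        return _equal(legacy_md5(password), stored)
    if scheme == "pbkdf2":
        parts = rest.split("$")
        if len(parts) != 3:
            return False
        try:
            iterations, salt = int(parts[0]), bytes.fromhex(parts[1])
        except ValueError:
            return False
        return _equal(modern_hash(password, salt, iterations), stored)
    return False


def login(user: UserRecord, password: str) -> bool:
    """Authenticate; on success, upgrade a legacy hash in place.  The
    plaintext exists only at this moment, which is why the upgrade cannot
    be done offline on the backup file itself."""
    if not verify(user.password_hash, password):
        return False
    if user.password_hash.startswith("md5$"):
        user.password_hash = modern_hash(password)
    return True


def still_legacy(users: List[UserRecord]) -> List[str]:
    """Logins whose records have not been upgraded yet: the population an
    admin would target with a forced reset once the legacy scheme is dropped."""
    return [u.login for u in users if u.password_hash.startswith("md5$")]


if __name__ == "__main__":
    # Constructed sample: "alice" comes from a backup and logs in, "bob" never does.
    alice = UserRecord("alice", legacy_md5("correct horse battery staple"))
    bob = UserRecord("bob", legacy_md5("hunter2"))
    assert not login(alice, "wrong password")
    assert login(alice, "correct horse battery staple")
    print(alice.password_hash.split("$")[0])  # pbkdf2
    print(still_legacy([alice, bob]))         # ['bob']
```

The `still_legacy` list is what makes the "force it in 3.2.0" step safe: once it is empty the MD5 branch can be removed, and anyone still on it is exactly the set that needs the reset flow.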

Re: [RESULT] [VOTE] Apache OpenMeetings 3.1.2 RC4

Posted by "seba.wagner@gmail.com" <se...@gmail.com>.
Thanks for that!

2016-08-13 16:05 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:

> LDAP passwords are not stored unless this option is set:
> https://github.com/apache/openmeetings/blob/3.2.x/openmeetings-web/src/main/webapp/conf/om_ldap.cfg#L72
>
> In this case the password will be renewed on every login
>



-- 
Sebastian Wagner
https://twitter.com/#!/dead_lock
seba.wagner@gmail.com

Re: [RESULT] [VOTE] Apache OpenMeetings 3.1.2 RC4

Posted by Maxim Solodovnik <so...@gmail.com>.
LDAP passwords are not stored unless this option is set:
https://github.com/apache/openmeetings/blob/3.2.x/openmeetings-web/src/main/webapp/conf/om_ldap.cfg#L72

In this case the password will be renewed on every login

On Sat, Aug 13, 2016 at 9:00 AM, seba.wagner@gmail.com
<se...@gmail.com> wrote:
> Sounds good.
>
> Will this also work for installations that use the LDAP/AD integration?
>
> Thx
> Seb
>



-- 
WBR
Maxim aka solomax

Re: [RESULT] [VOTE] Apache OpenMeetings 3.1.2 RC4

Posted by "seba.wagner@gmail.com" <se...@gmail.com>.
Sounds good.

Will this also work for installations that use the LDAP/AD integration?

Thx
Seb

2016-08-13 13:47 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:

> Thanks Sebastian :)
>
> Actually this is the reason why I haven't dropped MD5 support. But I
> see no way to perform migration of user passwords without requiring
> each user to reset their password.
> The only solutions I see are:
> 1) change crypt type and set sort of "welcome message: please reset
> password"
> 2) reset passwords for all users to some generated one and mass send
> emails with new password (don't like this idea)
> 3) add flag to the user: "Reset password is required", add admin
> button (set reset flag to all users)
>
> something like this
>



-- 
Sebastian Wagner
https://twitter.com/#!/dead_lock
seba.wagner@gmail.com

Re: [RESULT] [VOTE] Apache OpenMeetings 3.1.2 RC4

Posted by Maxim Solodovnik <so...@gmail.com>.
Thanks Sebastian :)

Actually this is the reason why I haven't dropped MD5 support. But I
see no way to perform migration of user passwords without requiring
each user to reset their password.
The only solutions I see are:
1) change crypt type and set sort of "welcome message: please reset password"
2) reset passwords for all users to some generated one and mass send
emails with new password (don't like this idea)
3) add flag to the user: "Reset password is required", add admin
button (set reset flag to all users)

something like this

On Sat, Aug 13, 2016 at 6:01 AM, seba.wagner@gmail.com
<se...@gmail.com> wrote:
> Hi Maxim,
>
> my only concern is that if you import an old backup with the v3.1.2 is
> working as expected and you do not end up in a situation where you do an
> import and afterwards the login does not work as the password is encrypted
> with the old crypt class.
>
> I think we have to be careful with that especially as we are releasing
> security features which include recommendations to update. It would be
> embarrassing to recommend an update and then discover that the update path
> is broken.
>
> I might be able to do a quick installation and verification.
>
> I created a blog post for this release, please review:
> https://blogs.apache.org/openmeetings/entry/openmeetings_3_1_2_released
>
> I already published it as it's pretty much the same content as your email.
> But please have a quick look.
>
> Great work btw for getting the signing of the Webstart App finally out. I
> can remember discussing this for like 1 year.
>
> I think we can also move this discussion to @dev, nothing secret here
> anymore. The security patch is out now.
>
> Thanks,
> Seb
>
> 2016-08-12 17:08 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:
>>
>> Actually right now the crypt class from the backup will be taken (no changes
>> for users)
>>
>> We can force change in any version
>> I would propose 3.2.0 for this
>>
>> WBR, Maxim
>> (from mobile, sorry for the typos)
>>
>>
>> On Aug 12, 2016 12:02, "seba.wagner@gmail.com" <se...@gmail.com>
>> wrote:
>>
>> Hi Maxim,
>>
>> this will be required for anybody that upgrades from an older version to
>> OpenMeetings v3.1.2 right? So we kind of missed the chance to do that.
>>
>> Can we not just automatically change it to the old encryption class for
>> users that install via a backup?
>>
>> I think (1) is not an option anyway as it would need to have all passwords
>> in blank to encrypt them. Which we neither have nor want to have from a
>> security point of view.
>>
>> (2) is what you would usually do.
>>
>> However still, the migration path is kind of like a major thing. We don't
>> want to lose all of our old user base because they have this upgrade issue.
>>
>> Thanks,
>> Sebastian
>>
>>
>> 2016-08-12 16:07 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:
>>>
>>> Hmmm,
>>>
>>> I see a couple of options here
>>>
>>> 1) Brute-force old user passwords and re-encrypt (unrealistic)
>>> 2) Add a sort of configurable "admin message" to the Sign in dialog, something
>>> like: "All users unable to login need to reset their passwords because the
>>> security of the system was enhanced"
>>>
>>> WDYT?
>>>
>>> On Fri, Aug 12, 2016 at 11:03 AM, seba.wagner@gmail.com
>>> <se...@gmail.com> wrote:
>>>>
>>>> "remove MD5*.class from bundle and correct class will be set
>>>> automatically"
>>>>
>>>> Well my point is that in the old backup all passwords are encrypted with
>>>> MD5. So once you imported that none of the logins will work anymore.
>>>>
>>>> Asking every user to type in a new password is quite some usability
>>>> issue. And we also have no way of prompting users to switch the password
>>>> once it's invalid other than going through the entire reset password cycle.
>>>>
>>>> So how will those be able to migrate?
>>>>
>>>> Thanks,
>>>> Sebastian
>>>>
>>>>
>>>> 2016-08-12 15:52 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:
>>>>>
>>>>> Actually there are a couple of ways:
>>>>>
>>>>> 1) unzip backup, edit xml, zip it back
>>>>> 2) remove MD5*.class from bundle and correct class will be set
>>>>> automatically
>>>>>
>>>>> I believe I'll choose #2 for 3.2.0 :)
>>>>>
>>>>> On Fri, Aug 12, 2016 at 10:50 AM, seba.wagner@gmail.com
>>>>> <se...@gmail.com> wrote:
>>>>>>
>>>>>> So you need to adjust the config key after you did import the backup.
>>>>>>
>>>>>> Is there any way the backup mechanism can do that automatically? I
>>>>>> think it's a Spring config bean, right?
>>>>>>
>>>>>> Thanks,
>>>>>> Sebastian
>>>>>>
>>>>>> 2016-08-12 15:46 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:
>>>>>>>
>>>>>>> demo is updated: https://om.alteametasoft.com/openmeetings
>>>>>>>
>>>>>>> yep, this is the complete list :)
>>>>>>>
>>>>>>> new password encryption will work, BUT the crypt class needs to be
>>>>>>> manually changed
>>>>>>> I plan to force it in 3.2.0
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Aug 12, 2016 at 10:43 AM, seba.wagner@gmail.com
>>>>>>> <se...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi Maxim,
>>>>>>>>
>>>>>>>> let me know when you are ready to publish it.
>>>>>>>>
>>>>>>>> I would like to create a short blog post with the update.
>>>>>>>>
>>>>>>>> Does this represent a complete list of all Jira tickets involved in
>>>>>>>> this release:
>>>>>>>>
>>>>>>>>
>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12335347
>>>>>>>>
>>>>>>>> One question regarding the new password encryption. Will that work
>>>>>>>> for users that migrate from old versions to new OpenMeetings?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Sebastian
>>>>>>>>
>>>>>>>> 2016-08-12 13:44 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:
>>>>>>>>>
>>>>>>>>> I'm closing the vote
>>>>>>>>> The VOTE is passed
>>>>>>>>>
>>>>>>>>> we have 4 +1 from PMC: solomax, albus, vdegtyarev, sebawagner
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> WBR
>>>>>>>>> Maxim aka solomax



-- 
WBR
Maxim aka solomax
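A common upgrade path for the problem debated in this thread, written here as an added example and not as OpenMeetings code: legacy records are bare unsalted MD5 hex digests as in the old backups, PBKDF2-HMAC-SHA256 stands in for the new crypt class, and the record format, iteration count and `User` fields are assumptions. A user still on a legacy record is re-hashed at the first successful login (the only moment the server sees the plaintext), and an admin action implements option (3) by flagging everyone who is still on MD5.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NEW_SCHEME = "pbkdf2_sha256"       # stand-in for the new crypt class
PBKDF2_ITERATIONS = 200_000        # hypothetical value; tune per deployment

@dataclass
class User:
    stored_hash: str               # bare MD5 hex (legacy) or "<scheme>$<iters>$<salt>$<digest>"
    reset_required: bool = False

def legacy_md5(password: str) -> str:
    """Builds the unsalted MD5 records of the old backup format (constructed demo data only)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def is_legacy_hash(stored: str) -> bool:
    """Legacy records are a bare 32-char hex digest; new records are '$'-separated."""
    return "$" not in stored and len(stored) == 32

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{NEW_SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, password: str) -> bool:
    """Accepts both formats during the transition, always with a constant-time comparison."""
    if is_legacy_hash(stored):
        return hmac.compare_digest(legacy_md5(password), stored)
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != NEW_SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def login(user: User, password: str) -> bool:
    if not verify_password(user.stored_hash, password):
        return False
    if is_legacy_hash(user.stored_hash):
        # the plaintext is only available here, so re-hash the legacy record now
        user.stored_hash = hash_password(password)
        user.reset_required = False
    return True

def flag_legacy_users(users) -> int:
    """Option (3) from the thread: admin action marking every user still on a legacy hash."""
    legacy = [u for u in users if is_legacy_hash(u.stored_hash)]
    for u in legacy:
        u.reset_required = True
    return len(legacy)
```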