Separate govcms_security from the profile. #913

Closed
simesy opened this issue Nov 13, 2023 · 6 comments

Comments

@simesy
Contributor

simesy commented Nov 13, 2023

AKA - make it possible to install the same security as govcms profile without having to use the govcms profile.

I like to use the govcms_security module, however since this is a module in the project, there's not an easy way to use it without using the govcms profile. For a complex project I avoid the profile because composer gets confused (so to speak) with all the pinned packages in the govcms profile, to the point where running composer update can be blocked by the GovCMS profile.

Unless I've missed something, could you please move govcms_security into its own package so it can be used with the profile.

Side question - is there a version of govcms where none of the packages are pinned?

@thisisalistairsaccount

Hi @simesy we won't move govcms_security for our security requirements, it's a core tenancy of GovCMS and something we want to ensure is in place.

Are you talking to complex projects on or off the GovCMS platform? I'd be looking for some more information here to get a better feel for the use case here.

Re side question - we don't maintain a version of GovCMS where packages aren't pinned. Re-use or forking of the distribution is of course always welcome.

@simesy
Contributor Author

simesy commented Nov 14, 2023

I have a PaaS site that needs to have the govcms profile removed (composer update keeps breaking due to dependency resolution issues, and this is a very real threat if there is a security issue in one of the many additional modules that are added) and I would like to keep govcms_security, but it seems like this is not easily possible.

Yeah the fork pathway is feasible but there is not really anyone to maintain it.

@simesy
Contributor Author

simesy commented Nov 14, 2023

Please note that I can set up TFA the same as vanilla GovCMS and this gets us 99% there. However, removing a module called "govcms_security" I need to make sure I have an audit trail for this. Thanks for engaging.

@thisisalistairsaccount

@simesy let's chat further noting we've got the GovCMS Mega Meetup so we can get all the context around this.

@thisisalistairsaccount

We will explore this internally, but for those watching this issue, please note this is a LOW priority.

If anyone is curious about this, please also leave comments here with some context. This is in relation to PaaS using the GovCMS distribution.

@simesy
Contributor Author

simesy commented Dec 5, 2023

I have closed; I don't think anyone cares much, and there's not much more to discuss.
