[Koha] Questions on data security, liability and RFP issues

MJ Ray mjr at dsl.pipex.com
Tue Nov 9 02:05:07 NZDT 2004


On 2004-11-06 00:39:58 +0000 Baljkas Family <baljkas at mts.net> wrote:

> I don't think this question has been raised before -- and I apologise in
> advance if it has been, or if asking it this way is simply hopelessly
> naive/ignorant: but how safe against hacking, e.g. would Koha be? Or is this
> more a matter of systems admin level securities behind which Koha would be
> shielded? (G*d, I hope so.)

I went through the code fixing some structural security errors during 
the 1.9 development versions. I've not tried testing Koha heavily, 
simply through lack of time.

In 2.0, there are some known bugs to do with the librarian access 
levels: having the circulation desk get full librarian access is 
undesirable. I hope this has been fixed during 2.1 and will be 
available to users in 2.2, but I've not checked. Maybe more 
2.1-centred developers can tell?

I think you also want to consider the security of all machines which 
use the Koha librarian interface. It's mostly hopeless having 
wonderful security on the server if someone can put a password sniffer 
on a superlibrarian's computer. This may even be a larger 
vulnerability than almost all likely server problems.

> [...] the PTBs in their corporate or organisational culture were concerned,
> it was against the rules because there would be no one to sue if something
> went wrong?

I believe this is largely a distraction tactic. At best, you will end 
up effectively suing your supplier's insurance company. Few of the 
people who raise this question have ever suggested trying to sue 
Microsoft after a virus shuts down their office computers or overflows 
their email.

Some organisations like free software because it reduces absolute 
dependence on one outside supplier, even if it will take more 
time/cost more to develop in-house or find an alternative supplier. It 
gives more options and keeping options open is usually good for 
business.

-- 
MJR/slef    My Opinion Only and not of any group I know
  Creative copyleft computing - http://www.ttllp.co.uk/
  Unsolicited attachments to the pipex address deleted
Will HLF fund tree-killings? http://www.thewalks.co.uk/



