Stream: fmg
Topic: update to DSTU2
Grahame Grieve (Apr 20 2016 at 00:08):
as a consequence of the XXE susceptibility report, I need to release a new validator for DSTU2
Grahame Grieve (Apr 20 2016 at 00:09):
presently, the validator is available here:
Grahame Grieve (Apr 20 2016 at 00:09):
http://hl7.org/fhir/validator.zip
http://hl7.org/fhir/DSTU2/validator.zip
Grahame Grieve (Apr 20 2016 at 00:10):
I have built a new version that replaces this - the only functional change is that it returns an error for the XXE attack rather than allowing inappropriate access. I believe that the right course of action is simply to update the binary on the HL7 website, and inform people through Zulip, the FHIR email list, and twitter on #FHIR.
Grahame Grieve (Apr 20 2016 at 00:11):
I do not believe that this counts as 'a technical correction to the DSTU' or that it needs an update to the DSTU - nothing anyone does changes, it's only that they should update the validator with a new one if they use it
Grahame Grieve (Apr 20 2016 at 00:11):
does anyone disagree with this?
Lloyd McKenzie (Apr 20 2016 at 00:51):
My guess is that the TSC will consider this a DSTU update and will want to announce it as such - they'll want to use their "official" distribution channels. If anything that you download from the ballot changes, I think that falls within their definition. However, I'll leave it to the TSC members to share their thoughts as they probably have more insight than I do.
Grahame Grieve (Apr 20 2016 at 01:05):
I argue that this is not the case because it is not balloted content. No balloted content is changing. So how can it be a DSTU update?
Paul Knapp (Apr 20 2016 at 05:23):
I agree - this is not a change to the specification, it is a change to implementations which are not part of the normative content, therefore I don't see the need for a republication or technical correction.
Paul Knapp (Apr 20 2016 at 05:25):
However, given that it is software and people are becoming increasingly reliant on this, even if only for exploration, I think we should formally stand up fixes and demonstrate the testing of the fix before we release.
Grahame Grieve (Apr 20 2016 at 05:30):
What kind of formality do you propose? It's kind of tricky for old software. The current tests are checked into svn...
Paul Knapp (Apr 20 2016 at 05:32):
Do you have a stock test suite for testing functionality after mods? Is there an added test(s) for the XXE vulnerabilities?
Is there a spell checker for Zulip?
Grahame Grieve (Apr 20 2016 at 05:33):
Yes, for the current parsers and validators.
Grahame Grieve (Apr 20 2016 at 05:34):
From memory, /build/tests/validator-examples. Added 3 xxe tests this morning
Paul Knapp (Apr 20 2016 at 05:36):
Great, thanks. Then I'd make that available, perhaps as a link rather than in the RI packages, and FMG can vote to approve publication of new RIs, and procedurally I expect the CTO could approve if a fix was needed on an emergency basis.
Grahame Grieve (Apr 20 2016 at 06:11):
I think it's reasonable that if you want to run the tests you should use version control. It's make-work to package them up for anything else.
Last updated: Apr 12 2022 at 19:14 UTC