
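About Sakai

Release date: TBD

Release date

Sakai 10 release dates

10.0 - TBD

About Sakai

Sakai is a service-oriented web application written in Java that supports teaching, portfolios, research and project collaboration. Sakai is typically deployed on a Tomcat cluster, with each Tomcat node running one copy of Sakai. Sakai can integrate with a range of external authentication systems, including CAS, Kerberos, LDAP, Shibboleth and WebAuth. Sakai uses MySQL or Oracle as its back-end database, and user files are usually stored on NAS or SAN. In most production environments Sakai needs a back-end student information system (SIS) to supply student and course information, which Sakai then retrieves through an API.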

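Sakai 10 overview

Sakai 10 builds on Sakai 2.9.3. Sakai 10 adds 2 new tools; HTML 5 audio and video support; architectural improvements; about 50 security fixes; performance improvements; a series of new features; and nearly 2,000 fixes in all! Highlights include: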

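  • Sign-up tool: formerly a third-party tool, now a Sakai core tool; developed by Yale University
  • Delegated Access tool: formerly a third-party tool, now a Sakai core tool; developed by the University of Michigan
  • The in-page tutorial has been updated and is easier to modify.
  • IMS LTI - the first learning management system (LMS) to support LTI 2.0
  • Improved IMS Common Cartridge (CC) support. CC file versions 1.0, 1.1 and 1.2 are supported, and CC format 1.1 or 1.2 can be exported depending on the user's choice.
  • Assignments: peer-reviewed assignments, group assignments
  • Tests & Quizzes: support for new question types (calculated questions and extended matching items), improved precision for numeric answers, improved settings interface.
  • Lessons: redesigned and simplified toolbar, better audio and video support, new table of contents, inline polls, friendlier interface.
  • Resources: files can be added directly by drag and drop; with Chrome, folders can be dragged in directly.
  • Syllabus: new user interface, bulk update of syllabus content, better link integration.
  • Gradebook: support for extra credit.
  • Distributed caching: support for JCache/JSR-107, optimized default cache sizes, simplified configuration. Session replication from one server to another without loss. Improves performance of large Sakai deployments (this feature is not enabled by default).
  • Keitai project: improves Sakai's usability on mobile devices.
  • Support for Google Analytics.
  • Security updates: the Sakai community fixed about 50 security issues, including XSS and CSRF. AntiSamy is enabled by default in 2.9.3 and 10. AntiSamy ensures that user-uploaded HTML/CSS conforms to the applicable rules.
  • Student Success Portal - new integration.
  • Java - JDK 7.x is supported; JDK 8.x support is in progress
  • Simplified Sakai technical organization. A large number of "indie" tools were merged to simplify Sakai releases and issue reporting.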

Sakai 10 acknowledgements

The following institutions are listed in order of their English names.
  • American Public University
  • Apereo Foundation
  • AsahiNet International
  • Boston University
  • Brock University
  • Columbia University
  • Duke University
  • Educlever
  • Flying Kite Australia
  • Fudan University
  • Indiana University
  • Longsight
  • Loyola University Chicago
  • Marist College
  • New York University
  • OpenCollab
  • Oxford University
  • Pepperdine University
  • Rutgers University
  • Samoo
  • Seminole State College of Florida
  • Spanish Sakai Users Group (S2U)
  • Stanford University
  • Three Canoes
  • Tufts University
  • Unicon
  • Universidad Internacional de La Rioja
  • Universidad de Murcia
  • Universidad Politécnica de Valencia
  • Universidad Pública de Navarra
  • Universitat de Lleida
  • Université du Littoral Côte d'Opale
  • Université Pierre et Marie Curie
  • University of California - Merced
  • University of Cape Town
  • University of Dayton (Ohio)
  • University of Florida
  • University of Michigan
  • University of North Carolina - Chapel Hill
  • University of Virginia
  • University of Wyoming
  • Western University
  • Yale University


Sakai 10 detailed list of new features

Descriptions and demonstrations of the new features are available at: http://www.unicon.net/sakai10-whatsnew

Tool | JIRA issue | Notes and configuration

System administrator
  SAK-19952

Announcements
  SAK-23298
  SAK-25484

Assignments
  SAK-24338
  SAK-22282
  SAK-23812
  SAK-19147
  SAK-23904
  SAK-23872
  SAK-23787
  SAK-23232
  SAK-20723

Chat Room
  SAK-24207

Rich text editor
  SAK-24415
  SAK-26044
  SAK-22001

Drop Box
  SAK-5350
  SAK-25433

Forums
  SAK-24854
    View posts by site role; view by number of posts.
  SAK-24866
    msgcntr.forums.defaultAvailabilityTime (for example msgcntr.forums.defaultAvailabilityTime=8:00am)
  SAK-24865
  SAK-24862
    Off by default
    msgcntr.forums.import.openCloseDates=true (default)
  SAK-24861
  SAK-24859
  SAK-24855
  SAK-24858
    Off by default
    mc.alwaysShowFullDesc=true (default false)
  SAK-24856

Gradebook
  SAK-25700
  SAK-25546
  SAK-23193
    Property:
    gradebook.defaultMaxDisplayedScoreRows
    Options:
    gradebook.defaultMaxDisplayedScoreRows=5
    gradebook.defaultMaxDisplayedScoreRows=10
    gradebook.defaultMaxDisplayedScoreRows=15
    gradebook.defaultMaxDisplayedScoreRows=20
    gradebook.defaultMaxDisplayedScoreRows=50
    gradebook.defaultMaxDisplayedScoreRows=100
    gradebook.defaultMaxDisplayedScoreRows=0 (this means "all")
    If not set, the default is 50.
  SAK-22205
  SAK-21225
  SAK-18398
  SAK-14519
    gradebook.display.total.points=true (default false)

Lessons
  LSNBLDR-355
  LSNBLDR-345
  LSNBLDR-344
  LSNBLDR-328
  LSNBLDR-326
  LSNBLDR-289
  LSNBLDR-287
  LSNBLDR-286
  LSNBLDR-234
  LSNBLDR-208
    lb-notes.pdf
  LSNBLDR-190

Linktool removed from Sakai 10
  Proposal: deprecate Linktool (removed from trunk .externals)

Mailsender
  SAK-25393
    The local part and the domain of the sender address are configured with two properties in sakai.properties:
    smtp.postmaster.address.local-part
    smtp.postmaster.address.domain

Messages
  SAK-25643
  SAK-25257
  SAK-24871
  SAK-24869
  SAK-24860
  SAK-24857

OSP (Portfolios)
  Creation of portfolio site types is off by default. OSP will be removed in Sakai 11.

Polls
  SAK-25399
    showPublicAccess@org.sakaiproject.tool.poll.api.PollListManager=true
    Default: false

Information publishing
  SAK-22780
    Uses the standard Sakai file picker

Profile
  Proposal: add roster2 to the core tools; remove roster and profile1
  PRFL-846
  PRFL-834
  PRFL-807
  PRFL-746
  PRFL-740
  PRFL-682
  PRFL-840

Project Keitai - improved support for mobile applications

Password reset and account validation
  SAK-24427
  SAK-24366
    account-validator.terms={URL of the terms and conditions}
  SAK-24365
    Add the following to sakai.properties:

    # resetAllRoles allows all roles (default false)
    resetAllRoles=false
    # Allow resetting superuser passwords (default false)
    resetSuperusers=false

    For example, to allow all users except superusers:
    resetAllRoles=true
    resetSuperusers=false

    To keep Sakai's existing behaviour (a superuser whose user type is among the allowed user types can have the password changed):
    resetAllRoles=false
    resetSuperusers=true
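
An added check for the two password-reset keys above (example code, not part of the original page or the Sakai project): it reads sakai.properties text, applies the defaults stated here, and reports which value takes effect when the keys appear more than once, as they would if all three snippets were pasted into one file. It assumes java.util.Properties semantics (the last definition of a key wins) and a case-insensitive "true"; the function names and the sample file are constructed for illustration.

```python
# Added example: audit resetAllRoles / resetSuperusers in sakai.properties.
# Assumptions: the last definition of a key wins (java.util.Properties
# behaviour) and a value counts as enabled only when it is "true",
# compared case-insensitively.

# Defaults as stated on this page.
DEFAULTS = {"resetAllRoles": False, "resetSuperusers": False}

# Constructed sample: all three snippets from the page pasted into one file.
SAMPLE = """\
# resetAllRoles allows all roles (default false)
resetAllRoles=false
resetSuperusers=false
resetAllRoles=true
resetSuperusers=false
resetAllRoles=false
resetSuperusers=true
"""


def parse_properties(text):
    """Return {key: [(line_no, value), ...]} for simple key=value or
    key:value lines. Comment lines ('#' or '!') and blank lines are skipped;
    line continuations and escapes are not handled by this minimal parser."""
    history = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cuts = [p for p in (line.find("="), line.find(":")) if p != -1]
        if not cuts:
            continue
        cut = min(cuts)  # split on whichever separator comes first
        key, value = line[:cut].strip(), line[cut + 1:].strip()
        history.setdefault(key, []).append((line_no, value))
    return history


def audit_reset_policy(text):
    """Return (effective settings, findings) for the password-reset keys."""
    history = parse_properties(text)
    effective, findings = {}, []
    for key, default in DEFAULTS.items():
        seen = history.get(key, [])
        # Last definition wins; fall back to the documented default.
        effective[key] = seen[-1][1].lower() == "true" if seen else default
        if len({value.lower() for _, value in seen}) > 1:
            lines = ", ".join(str(n) for n, _ in seen)
            findings.append(f"{key}: conflicting values on lines {lines}; "
                            f"effective value is {str(effective[key]).lower()}")
    if effective["resetSuperusers"]:
        findings.append("resetSuperusers=true: superuser passwords can be "
                        "reset through the password reset tool")
    return effective, findings


if __name__ == "__main__":
    effective, findings = audit_reset_policy(SAMPLE)
    print(effective)
    for finding in findings:
        print("FINDING:", finding)
```
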

Resources
  SAK-25868
  SAK-25455
  SAK-25371
  SAK-23587
    # list of macros that will be expanded when used in a web link in resources.
    content.allowed.macros=${USER_ID},${USER_EID},${USER_FIRST_NAME},${USER_LAST_NAME}
  SAK-23305
    # Control the default hidden status of imported resources content
    # when using Import from Site > Re-use Content feature in Site Info (SAK-23305)
    # Default: false (visible)
    # Since: 2.10
    #content.import.hidden=true
  SAK-23044
  SAK-23306
    content.upload.dragndrop=true (enabled by default)
  SAK-22004
  SAK-21855
    content.make.site.page (default false)

Roster
  Proposal: add roster2 to the core tools; remove roster and profile1
  RSTR-65
  RSTR-64
  RSTR-59
  RSTR-55

Search
  SRCH-130
    search.enable=true must be set to enable search
  SRCH-119
    search.service.impl=org.sakaiproject.search.elasticsearch.ElasticSearchService
    search.indexbuilder.impl=org.sakaiproject.search.elasticsearch.ElasticSearchIndexBuilder
  SRCH-111

Sign-up tool
  New Sakai tool

Statistics
  No new capabilities

Syllabus
  Syllabus tool upgraded
  SAK-22283
  SAK-23451
  SAK-23441
  SAK-23342
  SAK-23303
  SAK-23270

Tests & Quizzes
  SAM-2296
    samigo.question.show.extendedmatchingitems
    samigo.question.show.fileupload
    samigo.question.show.essay
    samigo.question.show.audio
    samigo.question.show.matching
    samigo.question.show.truefalse
    samigo.question.show.multiplechoicesinglecorrect
    samigo.question.show.multiplechoicemultiplecorrect
    samigo.question.show.fillintheblank
    samigo.question.show.fillinnumeric
    samigo.question.show.survey
    samigo.question.show.matrixsurvey
    samigo.question.show.calculatedquestion
  SAM-2151
  SAM-2087
  SAM-1943
  SAM-1733
  SAM-1660
  SAM-1604
  SAM-1566
  SAM-1457
  SAM-1402
  SAM-1368
  SAM-1139
  SAM-658
  SAM-1709
  SAM-2166

Bulk upload/download of resources (WebDAV)
  SAK-26072

Video chat
  SAK-23349

Wiki
  SAK-23566


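Special notes on new features

The notes below describe how to use some of the new features in Sakai.

Sakai 10 experimental features (off by default):

Real-time chat (Sakai 2.9)

Video chat (new)

Responsive design

Elasticsearch is the new default search tool. Search is enabled by setting search.enable=true in the Sakai configuration file. Elasticsearch does away with the old search indexes. By default search is off, and only sites that have the search tool enabled are indexed. The search tool uses the standard text analyzer and can be configured in detail through the configuration file. There is also another new third-party tool, SOLR. Sakai 10 has 2 new configuration options.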

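Portfolio sites cannot be selected by default

SAK-25587

By default, portfolio sites cannot be created in the Site Setup tool, and all OSP tools are hidden; existing portfolio sites can still add and remove OSP tools.

With the following setting in sakai.properties, portfolio sites can still be created and OSP tools used in Sakai:

site.types = course,project,portfolio

In Sakai 11, OSP may be removed entirely.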

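Tests & Quizzes now allows editing the grades of published assessments

SAM-1457

This feature lets instructors edit the grades of a published assessment and then publish it again. An administrator can set it for specific sites, so the setting can follow each instructor's needs.

* Log in as an administrator and go to the Administration Workspace

* Use the site management tool to edit the specific site

* Add a property named samigo.editPubAssessment.restricted with the value 'false'

* Save the changes

* Published assessments can then be modified within this site

Logic flow:

* If the site property exists, the site property is honoured.

* If there is no site property, the "samigo.editPubAssessment.restricted" setting in sakai.properties is used.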

CAS login configuration

Configuring CAS in Sakai 10 is easier than before. Simply use the sample configuration found here in sakai.home (https://source.sakaiproject.org/svn/login/trunk/login-tool/tool/xlogin-context.xml). Other login systems can be configured in a similar way. See: SAK-23187

For more configuration information on this setup, see: https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml

Plans for Sakai 11
Release | Tool/Service | Ticket | Issue
10.0 | Events | SAM-658 | Event model changes.

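System requirements

Operating system choice

Sakai is operating-system neutral. It can be installed on the great majority of Linux distributions. Common Linux distributions include CentOS, Debian GNU/Linux, Fedora, Gentoo Linux, Red Hat Enterprise Linux (RHEL), SUSE Linux and Ubuntu. Sakai also runs on Mac OS X Server, Microsoft Windows and Sun Solaris. Operating systems other than Linux have not been thoroughly tested, and all community test servers are deployed on Linux, so Linux is generally the recommended platform for deploying Sakai.

Java

Sakai 10 is tested mainly on Oracle Java 7, but it should also run correctly on Java 6 (Java 1.6). The build system requires JDK 6 or later; a JDK 8 environment should also work. Some files (for example *.jsp and *.jws) have to be compiled after deployment, so installing only a JRE is not enough; a JDK must be installed.

Sakai 10 (released 2014)

Requires Java 6+. Tested on Java 7. Must be compiled with Java 6-8.

Sakai 11 possible requirements (2015 release)

Requires Java 7+. May be tested on Java 8. May need to be compiled with Java 7-8.

The main factor affecting JRE compatibility is the introduction of new Java language features or new functions.

Oracle Sun Java J2SE 5.0 (Java 1.5) has reached end of life and is no longer officially maintained. If you are still using Java 1.5, be aware of the related security issues and upgrade to 1.5.0_17 or later.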

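Application server choice

Apache Tomcat 7 is recommended; it is the thoroughly tested application server and is usually used together with a web server such as Apache HTTP Server. Some institutions have also successfully used Windows IIS or Nginx as the web server. A few institutions (Hong Kong University of Science and Technology and Universidad de Guadalajara) run Sakai on JBoss, but installation guidance for that is not provided here. When Sakai 10 development was completed Tomcat 8 was still in beta, so it was not tested.

Sakai 2.8.0 and earlier require Tomcat 5.5 but can run on Tomcat 7 with configuration changes. Sakai 2.9.0 and later require Tomcat 7, and Tomcat's configuration must be modified for Sakai to run correctly. See this document for details.

Websphere no longer supported

Sakai 2.7.0 included a Websphere module to support Websphere/DB2 production environments; however, for lack of maintenance, Websphere is no longer supported.

Database choice

Among existing Sakai production environments, MySQL 5.5 or later is the most widely used, followed by Oracle; Oracle versions known to be in use include 10g, 11g and 12c. Sakai is not limited to these two databases, and integrating with other relational databases is not very difficult. Some institutions have used Microsoft SQL Server as the database, and Sakai developers occasionally suggest supporting PostgreSQL. At present, however, no one in the Sakai community supports databases other than MySQL and Oracle.

IBM DB2 no longer supported

IBM DB2 support was added in Sakai 2.7.0, but in 2.8.0 the database upgrade scripts were not updated or tested. Sakai therefore no longer supports DB2, including in the later 2.9.x releases.
The Sakai demo uses HSQLDB as its database; do not use it in a production environment.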

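Clustering, file storage and load-balancing strategy

A typical Sakai cluster uses several servers, each running one or more Tomcat instances, and these servers can in turn be placed behind Apache HTTP Server. Each Tomcat runs one complete copy of Sakai. A separate database server is also required.

Storing user files outside the database is the recommended practice, but it has to be set in Sakai's configuration file. Most institutions that deploy Sakai use NAS or SAN for file storage. Load balancing is done with Apache HTTP Server (through modules such as mod_jk, mod_proxy, mod_proxy_balancer or mod_proxy_ajp) or with load-balancing hardware (such as F5 BIG-IP, NetScaler or Zeus).

External authentication

Sakai can integrate with many external authentication systems, such as CAS, Kerberos, LDAP, Shibboleth and WebAuth.

Integration with student information systems

Institutions in the Sakai community have successfully integrated Datatel, Peoplesoft and other student information systems written by the institutions themselves.

Sakai has several basic ways of integrating external systems, and they can be combined. The first is the Sakai "provider" APIs, which Sakai calls at run time to obtain information, including user accounts, user information, course information and user roles.

User account API: used by Sakai to determine whether a user may log in to the system. It can be used with Kerberos, Active Directory or LDAP to verify the user's identity.

User information API: used by Sakai to obtain information such as a user's name and email address; the source can be LDAP or X.509. User privacy can be protected by displaying user information selectively.

Course management information API: used by Sakai to obtain course information and enrolment information.

User role API: used by Sakai to determine the role a particular user holds in the corresponding site.

All of the APIs above are "pull" APIs; they are called only when the Sakai system needs the information.

If data needs to be "pushed" into Sakai, there are 2 options: scheduled jobs and Web Services.

Sakai runs batch scheduled jobs through an internal system called Quartz. Data synchronization jobs are implemented by creating the corresponding Java classes and are run periodically using cron-like expressions.

The other, more common approach is to push the data into Sakai through Web Services. Web Services give indirect access to many of Sakai's APIs. The REST and SOAP interfaces can be called from many languages. System administrators can also create their own Web Services as needed. With large volumes of data, however, this approach can cause some performance problems.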

 

Browser compatibility

Downloads

Installation

Upgrading

Configuration

New configuration options and permissions

Database support

Known issues


Security policy

Sakai Project Security Policy

version 3.1

NOTICE: If you uncover a security vulnerability in Sakai software please do not voice your concerns on any public listserv, blog or other open communication channel but instead notify the Sakai Security Working Group immediately at sakai-security@apereo.org. Please provide a callback telephone number so that we can contact you by telephone if it is deemed necessary.

INTRODUCTION

Sakai is an open-source software initiative that promotes knowledge sharing and information transparency. However, when dealing with security vulnerabilities the integrity of existing Sakai installations can be compromised by the premature public disclosure of security threats before the Sakai Community has had time to analyze, develop and distribute countermeasures through private channels to institutions and organizations that have implemented Sakai software. Recognizing this danger, the Sakai Security Working Group (WG) has developed a security policy that seeks to safeguard the security of existing Sakai installations as well as provide full public disclosure of Sakai security vulnerabilities in a timely manner.

REPORTING SECURITY ISSUES

Security vulnerabilities in Sakai should be reported immediately to the Sakai Security WG at sakai-security@apereo.org. When contacting the WG, please provide a callback telephone number so that we can contact you by phone if it is deemed necessary. Sakai Security WG and community developers, working with the original reporter of the vulnerability, will investigate the issue, determine versions affected, and, if necessary, develop and distribute as quickly as is possible a security update for the Sakai Community and general public.

GENERAL POLICIES

Issues identified as security-related are prioritized and addressed differently than functionality or other issues classified as bugs. Access to issues flagged as security vulnerabilities in Sakai's JIRA issue tracking system will be restricted to Sakai security contacts and members of the Sakai Security Work Group (see below). Discussion, analysis, code development and testing relevant to reported security vulnerabilities will be treated as confidential information.

The Sakai Security WG will work with Sakai Community members to develop fixes for both vulnerable released versions and vulnerable branches (up to a particular date or release number). Code commits for security-related fixes will seek to mask the nature of the vulnerability. This usually takes one of two forms: (1) the commit is held until a patch can be tested, distributed and implemented in known sites or (2) in the case of a fix to a less significant threat the commit may be checked in with limited commentary.

During our QA and release cycles security-related issues will receive priority. At a minimum, the Sakai Security WG will review outstanding security issues before the start of each QA cycle.

The Sakai Security WG will issue security advisories and security updates to the general public once existing Sakai installations have been notified and given time to patch their systems.

SECURITY WORK GROUP

The Sakai Community has instituted a Security Work Group (WG) composed of senior members of the community to respond to reports of security vulnerabilities and who operate using private channels of communication. Besides working to resolve known security vulnerabilities the Security WG will also operate in a pro-active manner, reviewing existing tools and services from a security perspective; defining Sakai security requirements; devising QA/testing models that identify potential security weaknesses; producing security-related documentation; and helping educate developers on web-related security vulnerabilities.

SECURITY DOCUMENTATION

Public information regarding security vulnerabilities will be documented in security advisories, Sakai software release notes and readme files included in demo, binary and source distributions as well as online at the following locations:

Sakai Issues Tracking: http://jira.sakaiproject.org/jira/
Sakai Release page: http://source.sakaiproject.org/release

Release documentation for security updates will identify the Sakai version affected including code branches and provide information on how to close the vulnerability. Security vulnerabilities will be ranked by the threat level index listed below:

Critical Risk

Security vulnerabilities classified as a critical risk involve the possible exposure of data to unauthorized viewing, modification, deletion or acquisition as well as attacks that could result in data corruption.

Major Risk

Security vulnerabilities classified as a major risk involve logical attacks that could compromise the availability of Sakai or otherwise degrade system performance, disrupt or circumvent normal application flow control of Sakai tools and services or use Sakai as a platform for attacks on other systems.

Minor Risk

Security vulnerabilities classified as a minor risk involve threats that (1) can be eliminated by updating existing configuration files to reflect a default secure state (e.g., sakai.properties), (2) are considered extremely difficult for attackers to exploit and/or (3), if exploited, are of minor consequence to the operation of Sakai installations.

SECURITY ADVISORIES

Whenever Sakai security vulnerabilities surface, the Sakai Security WG will execute a three-step security advisory protocol in order to alert (1) Apereo Foundation partners and designated security contacts associated with known Sakai implementations, (2) the wider Sakai Community, and (3) the public at large regarding security issues.

The first step in our protocol involves providing alerts to our partner institutions and organizations as well as to our security contacts throughout the Sakai Community via the use of private communication channels. We delay deliberately the issuance of community-wide and public security advisories in order to allow time for security updates to be devised, tested, distributed and, if necessary, applied to Sakai installations that are known to the Foundation. Once these systems are patched the wider Sakai Community is alerted and time provided for Sakai implementers unknown to the Sakai Security WG to identify themselves, designate security contacts, and patch their systems before we proceed to the third and final step in our security advisory protocol, the general public announcement.

SECURITY CONTACTS

The Sakai Security WG encourages institutions and organizations that download and install Sakai software to consider contacting the Sakai Security WG and providing the name(s) and contact details of one or more individuals to serve as security contacts. Security contact information should be emailed to sakai-security@apereo.org.

As noted above, Sakai security contacts receive security updates in advance of public release in order to give their institution or organization time to patch their Sakai installation before any Sakai security vulnerability becomes general knowledge. Designated security contacts are also provided access rights to view, comment and address issues flagged as security items in Sakai's JIRA issue tracking application. Security-related JIRA issues are hidden from public view. We do not grant access to these JIRA items lightly and we verify the identity and role of each person who is designated as a security contact.

Email traffic sent to sakai-security-contacts@collab.sakaiproject.org should be treated confidentially and should not be forwarded to other Sakai or public email lists or discussed elsewhere in order to help protect institutions and organizations running Sakai from security-related exploits or attacks.

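Previous versions

With the release of Sakai 10, official community support for Sakai 2.8 ends. Institutions running Sakai 2.8 (or older versions) are strongly advised to upgrade to Sakai 10 or Sakai 2.9.

License

Sakai 10 is released under the Educational Community License version 2.0.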