Deploying Protege in a Corporate Environment

[carmenchui]

Hi @matthewhorridge @csnyulas ,

I am working on a project where Protege will need to be deployed in a controlled corporate environment. Since the company deals with extremely sensitive data, the IT department needs to determine how the Protege application handles security fixes for Java/JRE on the Windows and Mac platforms prior to installing the tool on corporate computers.

Two questions that will help us with the installation process:

1. If there is a security patch for JRE, would the Protege development team incorporate it ASAP and through automatic updates, download the security patch to the installed laptops or desktops?
2. Are there other sources of security patches required for the Protégé software (besides for JRE?)

My colleague has also asked these questions over in the Protege Developer mailing list (http://protege-project.136.n4.nabble.com/Security-Patches-for-the-Protege-software-How-does-Protege-keep-up-with-it-tp4671875.html), but we have not heard back from anyone. It would be great if we could get a response on how Protege handles security patches/fixes as we would like the tool installed as soon as possible on the corporate computers.

Thanks, Carmen

[ykazakov]

@carmenchui you can use the platform-independent version of Protege with JRE of your choice (e.g., the default one installed on the system). Bear in mind, however, that Protege currently works only with Java 8, which is end of life. There is an experimental built for Java 11 (see #846), which again should work with any installed JRE 11, but it needs to be further tested.

[carmenchui]

Hi @ykazakov & Protege Dev team,

Because of sensitive data and the possibility of creating proprietary ontologies, we would like to ensure that the Protege app doesn't leak any of the data and is up-to-date with any JRE security patches in the corporate setting. (At the moment, I am not sure which version of Java is being used in the company, but I'll check.)

Since we intend to use Protege in a corporate environment, do you have any details about security / how secure the platform-independent application is? I need to pass these security details over to the IT department before they can install the program.

Thanks!

[matthewhorridge]

@carmenchui. All protege distributions are identical in terms of the Protege source code – they only differ by the JRE that is contained within each distribution (apart from the Platform Independent version, which doesn't contain a JRE). As @ykazakov mentioned, you would have full control over the JRE if you chose to install the platform independent version of Protege, with the rest of the functionality being identical to the other distributions.

The default distribution of Protege does not send (leak) any details about your setup, user name, or ontology content to any external destination (server). We can't and don't guarantee that third party plugins won't do this though – it's up to you to inspect these if you need to install them.

There is an auto-update mechanism in Protege for updating plugins only (not the core system). This can be disabled however.

Hope this helps, and sorry for the delay in getting back to you.

[carmenchui]

Hi @matthewhorridge,

Thank you for your reply. I checked with the IT department and the company uses JRE 8 so we should be fine there. The following question was raised by my colleague when I passed her your reply:

• Is it possible to disable auto-updates / disable checking for updates on startup for all instances where Protege is installed?
• The company wants to disable the "Always check for updates on startup" checkbox in the downloaded version of Protégé so that individual users don’t have a choice to check for updates.
• The IT department would be using the platform independent version of Protege across the company, so is there any way to 'block' third-party plugin updates somehow? Ideally we would want to restrict all installed instances of Protege across the network to not check for plugin updates.

If you can let me know, that'd be great.

Thanks, Carmen

[matthewhorridge]

Hi @carmenchui,

Is it possible to disable auto-updates / disable checking for updates on startup for all instances where Protege is installed?

The setting is in the preferences, which uses Java preferences under the hood. You could preset this value per installation though.

The company wants to disable the "Always check for updates on startup" checkbox in the downloaded version of Protégé so that individual users don’t have a choice to check for updates.

This currently isn't possible.

The IT department would be using the platform independent version of Protege across the company, so is there any way to 'block' third-party plugin updates somehow? Ideally we would want to restrict all installed instances of Protege across the network to not check for plugin updates.

Restricting not to check for plugin access would be part of the solution. Crucially though, you would need to restrict the directory system on a machine so that users cannot write to the Protege installation directory and so that they cannot write to the .Protege/plugins directory in their home directory. These are the two locations where Protege searches for plugins and where plugins can be installed.

Finally, just a heads up... we are likely to move to JRE 11 either in the upcoming 5.6.0 release or in the 6.0.0 (it's not been decided on yet).