I’m applying for a review and approval for my personal project, Genevieve Genome Report, which is currently active on Open Humans. This personal project represents a topic I worked on before Open Humans existed (collaborative genome interpretation, from the perspective of exploring primary literature).
There’s a big conflict of interest concern here. I am Executive Director & President of Open Humans Foundation, and I have been the primary reviewer of projects to date. Although I told the board about this project when I released it, I think it should be revisited for community input.
I hope someone else can step forward to make a final call on the review decision. Thanks in advance for everyone’s feedback!
Should this project be visible and available for all Open Humans members to join?
Description: Genevieve is a tool that invites you to explore your genome. By matching your genome against ClinVar’s public variant data, you have a window into what researchers see. To help improve our shared understanding, Genevieve invites users to contribute to shared, public, wiki-style notes that elaborate on genetic variant information.
I should first declare my own conflict, namely that I am a former employee of Open Humans and have some emotional investment in seeing it succeed. More projects built on or integrating with Open Humans make that success seem more likely, so I am slightly biased towards approval.
That said, I think Mad’s project is exemplary in terms of communicating which project datasets are used, what they are used for, what Genevieve itself is used for, and potential issues that may arise.
In terms of security I have the following suggestions:
upgrade to a more recent version of Django (1.9 has had no security fixes since April 2017). 1.11 LTS would be a good target since it will receive security fixes until “at least April 2020”.
set CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE to True. If someone connects to Genevieve by memory (by typing genevieve.herokuapp.com into the address bar) or they click on a link that specifies the http:// version of the site, they will leak their cookies once before Heroku redirects them to the https:// version of the site. There is a very small chance that this will ever be exploited, but it’s easy to protect against with no side effects.
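The cookie leak described in the second suggestion, shown as an added example (editor's code, not the Genevieve project's own settings or anything posted in this thread). It models a browser cookie jar with Python's standard library: the cookies are first set by an https response from genevieve.herokuapp.com, and the jar is then asked which of them it would attach to the one plain http:// request that happens before Heroku's redirect. The two settings dicts stand in for the relevant lines of a Django settings.py; the Set-Cookie lines, the placeholder cookie values and the host-only cookie scope are all constructed here. The cookie names csrftoken and sessionid are Django's defaults.

```python
"""Why CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE matter (added example).

A cookie carrying the Secure attribute is never sent over plaintext http,
so the pre-redirect request leaks nothing. Without it, both cookies go out
in the clear once. Everything below is constructed for the demonstration.
"""
import email.message
import http.cookiejar
import urllib.request

SITE = "genevieve.herokuapp.com"  # host named in the review thread

# Constructed stand-ins for the two Django settings under discussion.
INSECURE_SETTINGS = {"CSRF_COOKIE_SECURE": False, "SESSION_COOKIE_SECURE": False}
HARDENED_SETTINGS = {"CSRF_COOKIE_SECURE": True, "SESSION_COOKIE_SECURE": True}


def set_cookie_lines(settings):
    """Render the Set-Cookie headers a Django login response would carry.

    Simplified on purpose: only the Secure flag depends on the settings,
    and the values are placeholders rather than real tokens.
    """
    cookies = [
        ("csrftoken", "CSRFTOKENPLACEHOLDER", settings["CSRF_COOKIE_SECURE"], False),
        # Django marks the session cookie HttpOnly by default; the CSRF cookie is not.
        ("sessionid", "SESSIONIDPLACEHOLDER", settings["SESSION_COOKIE_SECURE"], True),
    ]
    lines = []
    for name, value, secure, httponly in cookies:
        parts = [f"{name}={value}", "Path=/"]
        if secure:
            parts.append("Secure")
        if httponly:
            parts.append("HttpOnly")
        lines.append("; ".join(parts))
    return lines


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, lines):
        self._headers = email.message.Message()
        for line in lines:
            self._headers["Set-Cookie"] = line  # Message appends repeated headers

    def info(self):
        return self._headers


def leaked_over_plaintext(lines, host=SITE):
    """Return the sorted names of cookies a browser jar would send to
    http://host/ after receiving `lines` as Set-Cookie headers from https://host/."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy honours Secure
    https_req = urllib.request.Request(f"https://{host}/")
    jar.extract_cookies(_Response(lines), https_req)  # cookies set over TLS

    http_req = urllib.request.Request(f"http://{host}/")  # the pre-redirect hop
    jar.add_cookie_header(http_req)  # Secure cookies are withheld here
    header = http_req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


if __name__ == "__main__":
    for label, settings in (("insecure", INSECURE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        lines = set_cookie_lines(settings)
        print(f"{label}: {lines}")
        print(f"  sent over http:// -> {leaked_over_plaintext(lines)}")
```

`leaked_over_plaintext` also works on real headers: paste the `Set-Cookie` lines from `curl -sI https://genevieve.herokuapp.com/` into it to check a deployed site. A further hardening step not raised in the post is Django's SECURE_HSTS_SECONDS setting (HTTP Strict Transport Security), which makes returning browsers skip the plaintext request altogether; the Secure flags are still worth setting because HSTS does not cover the very first visit.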