finos / open-source-readiness

Accelerate financial services firms’ journeys toward open source readiness, by advancing the readiness of participants’ firms and informing guidance for the broader industry in the form of white papers, presentations, and blog posts.
https://osr.finos.org
Apache License 2.0

5th April 2023 - Open Source Readiness Meeting Agenda #122

Closed robmoffat closed 1 year ago

robmoffat commented 1 year ago

Date

5th April - 3PM GMT, 10 AM EST

Untracked attendees

Meeting notices

Agenda

Zoom Details

Join by Phone

bingenito commented 1 year ago

Brian Ingenito / Morgan Stanley

HelloKay27 commented 1 year ago

Kay XiongPachay / Goldman Sachs

ghost commented 1 year ago

Thomas Cooper (RBC)

mimiflynn commented 1 year ago

Mimi Flynn / Morgan Stanley

robmoffat commented 1 year ago

Rob / FINOS 🐊

BrittanyIstenes commented 1 year ago

Brittany Istenes - FNMA

jstclair2019 commented 1 year ago

Jim StClair - OSR aficionado

awaiken commented 1 year ago

andrew aitken Wipro

ronaldssebalamu commented 1 year ago

Ronald Ssebalamu / FINOS

robmoffat commented 1 year ago

Some notes from the meeting (quite rough):

Managing Open Source Based Project brittany_istenes@fanniemae.com.

Andrew: asked about licensing, whether CLAs were required.

Sally: Strict policy on code reviews. You have to screenshot the review process (2 reviews), and DLP reviewer.

Sally/Brittany: Want to have a pre-approved list of CLAs that can be used.

Jim: A lot of the stuff has specific regulatory requirements associated with it (HIPAA/GLBA), ethics, segregation of data, review processes.

Sally: Projects audited.

Citi: Use git proxy for code review process. Has a record of everything there. Automatically requires a review. Separately, a governance process: admin for each project, that person has to do quarterly checks of maintainers, that people have done internal training and signed CLAs. Foundation administrator - manages membership feeds, sponsorship approval. Devs just care about getting stuff done. So a lot of the governance stuff is done by the admin.

Brittany: bulk of all code is in GitHub. For code review, we have expensive scanning, review council. What do you do when you have to review things behind the firewall with a different source code manager?

Katarina: we can only contribute on GitHub.

Brittany: patent portfolio, institutional knowledge, want to push out a project that exists. How to avoid patent issues. Could you enhance an existing project?

Kay (Training)

Up to OSPO what the topics are: Open Source (generally), Contribution, Consumption, Participation.

Assess the current state of the firm's open source culture, policies, guidelines, processes. You can't really build open source without understanding those. LF: Open Source Licensing Basics for Software Developers. Was better to create own training to reflect the firm's own processes and guidelines. Also, this means you can limit it to just what the developers care about. Collaborate with internal partners on training: SMEs in Legal, SDLC, Executive Office, Compliance. Ask the legal team to review everything.

Foundational Topics:

Usability testing of the content, review. Follow-up questions - how do students feel about it?

Provide General Open Source Links

Promoting the training, newsletters

Sally: areas that you’re doing are the same as our firm. Usage, vulnerability management, what teams must do if they want to use oss. Benefits and risks. Guidance around process. Licenses (specific ones that can be used). Internal repositories for these details. What to do if license doesn’t exist. How to scan software. How to remediate risks. 3rd Party software suppliers: requirements around what they must provide. OSS clauses in the supplier contracts (added to legal templates).

Andrew: 12 short videos on training topics. Documented. Talked about some of these topics. Designed for HR, Procurement, Legal. As orgs move along maturity, procurement often gets left behind.

Kay: course is required before you can contribute. Last year, created usage guidelines around copyleft. Portion for that was the consumption part. Did an internal deep dive on this and linked that video.

Sally: Videos on training/contribution all on the learning hub. Unfortunately, we can’t mandate training unless it’s related to a regulatory initiative. Might change in the future. Rolling out training via newsletters, via CTO Office, distinguished engineers. Training Day - OSS session held at that.

Andrew: is it not part of the new developer process? Why can’t you mandate?

Sally: Devs do have to attest to things as part of the onboarding process. Working with HR and CTO.

Katarina: we couldn’t make it mandatory, but we deny access to the tools to contribute if you don’t do it.

Brittany: Also can't mandate, want to make sure we hit all the facets for good citizenship. Would be good to have a mandatory training. But it might put people off.

Kay: We’re making the training course mandatory for all engineering this year. Having the partnership while we built it was a plus. Making sure devs are well equipped to do emergency fixes and understand the process is important.