20 September 2023 - Open Source Readiness Meeting Agenda

[psmulovics]

Date

20 September 2023 - 2pm GMT / 9am EST

Untracked attendees

• Fullname, Affiliation, (optional) GitHub username
• ...

Meeting notices

• FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

• All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

• FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.

• FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

• [x] Convene & roll call (5mins)
• [x] Display FINOS Antitrust Policy summary slide
• [x] Review Meeting Notices (see above)
• [ ] Approve past meeting minutes
• [x] What's New / Getting Started
• [x] Supply chain article ( #172 )
• [x] What's needed to be finished for OSFF? (like @BrittanyIstenes 's #159 )
• [x] Missing Bios!
• [x] AOB, Q&A & Adjourn (5mins)

Decisions Made

• [ ] Decision 1
• [ ] Decision 2
• [ ] ...

Action Items

• [ ] @BrittanyIstenes Getting Started Page Design
• [ ] @mimiflynn Markdown version of @BrittanyIstenes page design in a PR
• [ ] @JamieSlome @victorliu Bio
• [ ] @caradelia Personas Workshop PR

Zoom Details

• https://zoom.us/j/99753528440?pwd=OEFPWkQzLy9hWlV4NmM0RC9VRjhwQT09
• Meeting ID: 997 5352 8440
• Passcode: 987996

Join by Phone

• Find your local number: https://zoom.us/u/adl5rhui4P

[robmoffat]

Rob / FINOS 👍

[BrittanyIstenes]

Brittany - FNMA

[mimiflynn]

Mimi Flynn / Morgan Stanley

[caradelia]

Cara Delia / Red Hat

[psmulovics]

Peter Smulovics / Morgan Stanley 🏦

[JamieSlome]

Jamie Slome, @Citi

[robmoffat]

Minutes

What’s New / Getting Started

PS: Can we have a what’s new section? Links to OSR Blog Posts for the former. Getting started - we don’t have much here.

BI: We could have this on the front page? People should be able to choose the level they’re at, and get started that way.

PS: Not getting started with open source, but OSR.

KN: We’re trying to combine the websites together. Personas, it’s different for different people. We should point people to the personas pages.

PS: We should point to both OSMM (for levels) and Roles (for different people). We have so much information now we need to improve discoverability.

RM: Does anyone want to take this on?

KN: I can review.

PS: Really, we want something by Nov 1.

BI: An MVP1 maybe? I’ll draw something up and maybe we can cross-collaborate on it. I’ll have something by the end of the week.

MF: I might be able to code this up.

RM: For the blogs we might need a category function, so we can pull a list of OSR blogs. I’ll drop a text to the marketing team about this.

PS: We could just have a bullet-point list of posts? Someone will have to go through and do it.

MF: I can look at RSS - would this do it?

PS: The FINOS RSS feed shows only entries that aren’t published yet!

Supply Chain Attacks - Review

RO: “This is a fast-moving area” - > “THis gives the key concepts / executive summary”

RO: “one guy in nebraska” - where is this? This is a supply chain security issue,

RO: leftpad - not accidental! Rage quit.

RO: signature revocation - you didn’t mention this. Verisign issued a cert for MS, but it wasn’t microsoft. You need to check for revocation.

MF: Cache Poisoning: the headers in the package can be manipulated to poison the cache for those, to pull the wrong one. NPM Cache Poisoning/Manifest Confusion.

PS: “This is not an exhaustive list”

To Finish For OSFF

CD: Now that I’ve finished writing the survey, I can focus on the (personas work).

Maturity Model Update

VL/RM: WOrking on a checklist for a given activity in the BoK - we’ll come back in a few weeks with the first one

RO: Happy to guinea-pig this.

RM: Asked for Bios from JS, VL.

Q & A: Forking In Organisations

MF: When do you feel it’s appropriate for your firms org to have a fork?

JS: The most obvious thing is, has the original maintainer vanished? We had an example where a maintainer was missing for 2.5 years. What’s important is sussing out the community - is there one? Has it already been forked? Is there disagreement between the maintainers?

RM: Ever a good reason to not fork?

JS: A good cultural picture. You don’t want to run into the argument about who’s the best maintainer. It’s not good to fork if there’s going to be collaboration. If that’s there, if there are maintainers, they’re happy to be challenged - a sign not to fork.

MF: There’s an implication that the fork is for a bigger purpose. But an employee might contribute back via their own fork?

JS: Yes. I was talking about forking where you’re not going to contribute back. For forks where you’re collaborating, it’s absolutely fine.

JS: You also have to be careful if you’re an organisation forking, since that looks a lot more official.

RO: This allows us to run org-wide security checks.

MF: So, your org creates an org-level fork, your devs work on it. The PR back to the main project then comes from the org.

RM: With git proxy, you’d have to push the changes somewhere - so you’d need the fork, right?

JS: You could ask the original org, but there are advantages to this too, linting, looking for vulnerabilities. Do we really want devs submitting poorly-linted PRs? It’s much easier to set this up at an org level.