Contribute Application Directory (AppD) Launcher/Toolbar

Status: Done

Description

Glue42 have developed a Toolbar that connects to one or more FINOS FDC3 AppD servers and shows the applications defined in the servers.

The Toolbar is primarily aimed at technical developers; for example, it allows examination of the JSON application definition provided by each directory server. However, it has an OK UI.

The Toolbar is released under the Apache V2 licence, and is covered by the Tick42 CLA. The application is Electron based and produces a standalone Windows application.

The Toolbar does not contain any Glue42 calls and is intended as a companion piece to the current AppD server PoC.

Attachments: 5 (uploaded 16 and 17 Aug 2019; file names not captured)

Details

Program: FDC3
Created: March 13, 2019 at 4:34 PM
Updated: September 11, 2019 at 6:51 PM
Resolved: July 25, 2019 at 12:54 PM

Activity

Gabriele Columbro, September 11, 2019 at 6:51 PM

Thanks , and for the thoughtful discussion. And for the patience with us “nudging” to move the issue to an end state (one way or the other).

I am going to personally see this to completion, so I have re-assigned the issue to and reached out to him to provide an update here.

Stay tuned, and just to confirm: no action needed from the PMC for now.

Nicholas Kolba, August 19, 2019 at 2:34 AM

Thanks for the additional detail Rob.

At this point, it would be great to hear from someone representing this contribution on their plans to address the issues you’ve raised as well as get some more color on plans to move this project forward after the contribution is merged.

Rob Underwood, August 17, 2019 at 12:26 AM

Hi

Let me try and restate where I think we are.

  • The PMC approved https://finosfoundation.atlassian.net/browse/CONTRIB-42#icft=CONTRIB-42 contingent on several issues with the code, mostly items you identified, being resolved. Those items included some additional clean-up of Tick-42 references in the code and getting the code to build. (Note: I strongly feel now that was not good precedent and in the future will advise PMCs to not approve CONTRIBs until truly all code quality issues and concerns of PMC members have been resolved)

  • My understanding is that you've not been able to get the build to work but Mao has in fact been able to get the code to build.

  • It was the same developer, Ina, who did the pending pull request in FDC3 as well as the pull request in Plexus for toolbar 1.1. You said she’s on maternity leave; my understanding is that she’s left Tick42 permanently; either way she’s not available, it appears, to fix code.

  • What’s concerning to me is that the repository in which Toolbar 1.1 exists, https://github.com/finos-plexus/finos-plexus.github.io/ , currently has 27 open vulnerabilities, all of which are in the /demos folder and appear to have been introduced with the aforementioned Plexus PR. Since much of the code is largely the same, it stands to reason that if/when the FDC3 PR is approved, the same or a similar set of vulnerabilities will be introduced into FDC3 (i.e., the https://github.com/FDC3/appd-launcher-poc/ repo).

  • I’ll repeat my recommendation: before this pull request gets merged, I think the project team needs to check their code to see if acceptance/merging of this pull request is going to introduce the same/similar vulnerabilities we’re seeing in the Toolbar 1.0 in Plexus (I strongly suspect it will). This is complicated given Ina is no longer available. I cannot recommend that this pull request be merged right now until this check and any related remediations are done. I believe an important part of FINOS' value prop is that we help projects and programs stay on top of vulnerabilities. This is why we have resources like the ODP. That’s what I’m trying to do here – raise awareness with the PMC that code may be about to get introduced to the program that has vulnerabilities.

  • There was also a question about an announcement. Currently it’s standard FINOS practice that all new contributions get an announcement to announce@finos.org – this practice itself is common in open source communities. A concern has been raised, though, that this CONTRIB does not rise to threshold. So the PMC needs to decide, or at least provide some input, on whether or not an announcement should be done. It’s worth noting that it’s usually the contributor, in this case Leslie, who would send the announcement to announce@.

  • Both and (once he accepts the invite to the repo) have administrative access to the repository and so can approve this pull request at any time. (See screenshot of current repo roles.)

  • There is also nothing stopping Leslie from sending out the announcement. Below, again, is the current draft. I’d repeat again my feedback that I think this announcement could use a sentence or two more of context and framing. I also suggested in a comment above that it wouldn’t hurt to be clear about how Toolbar 1.0 in FDC3 and Toolbar 1.1 in Plexus, especially given they are both within FINOS, relate to each other.

FDC3 App Directory is an open standard for listing applications that might be used in an app store. There's an existing FDC3 AppD PoC that allows people to create an AppD service, which is a great thing. We now launched the toolbar, which can connect to any AppD server and show the applications being published. It has special modes to look at the raw data being passed. You can use this as a simple test of a new AppD server you might be creating. In addition to showing the apps, it will also launch the apps for test launcher or production launcher.

  • If the pull request is approved, and it introduces vulnerabilities, FINOS will follow up with the project team (e.g., Leslie) about getting those vulnerabilities addressed. But it would be much better and consistent with our processes to address vulnerabilities before code is introduced as part of a new CONTRIB, rather than after the code comes in and is available for download on GitHub. To put it another way, since we know the PR will almost certainly introduce vulnerabilities, why are we not dealing with that now?

I get that this is a complicated, intertwined history. My overarching concern is with stewardship and that as good stewards we’re not launching code into a new project with critical and high vulnerabilities. It’s far better to start a project’s life with a baseline level of code quality/security.

(CC )
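The check Rob asks for above (does merging the Electron/JavaScript toolbar bring known-vulnerable dependencies into the FDC3 repo?) is the kind of gate a project can run on the PR branch before merge. The following is an added example, not code from the toolbar contribution or from either FINOS repository. It assumes the report shape produced by `npm audit --json` on npm 7 and later (a top-level `vulnerabilities` object keyed by package name, each entry carrying `severity`, `isDirect` and `fixAvailable`); the package names and severities in `SAMPLE_REPORT` are constructed for illustration and are not findings from any real repository.

```javascript
// Added example: pre-merge gate over `npm audit --json` output (npm 7+ report shape assumed).
// Not part of the CONTRIB-42 contribution or of the FDC3 / Plexus repositories.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

/**
 * Summarise an npm audit report and decide whether it should block a merge.
 * @param {object} report    parsed output of `npm audit --json` (npm 7+ shape)
 * @param {string} threshold lowest severity that blocks; "high" matches the
 *                           "critical and high" concern raised in the thread
 * @returns {{counts: object, blocking: string[], pass: boolean}}
 */
function auditGate(report, threshold = 'high') {
  if (!(threshold in SEVERITY_RANK)) {
    throw new Error(`unknown severity threshold: ${threshold}`);
  }
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const blocking = [];
  const vulns = (report && report.vulnerabilities) || {};

  for (const [name, v] of Object.entries(vulns)) {
    const sev = v.severity;
    if (!(sev in counts)) continue; // tolerate an unexpected severity label instead of crashing
    counts[sev] += 1;
    if (SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold]) {
      // isDirect tells the maintainer whether package.json itself must change or only
      // the lockfile; fixAvailable says whether `npm audit fix` can resolve it.
      const kind = v.isDirect ? 'direct' : 'transitive';
      const fix = v.fixAvailable ? 'fix available' : 'no automatic fix';
      blocking.push(`${name}: ${sev} (${kind}, ${fix})`);
    }
  }
  return { counts, blocking, pass: blocking.length === 0 };
}

// Constructed sample report in the npm 7+ `npm audit --json` shape. Names and
// severities are invented for this example; they are not real advisories.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: false,
      via: ['example-parser'], range: '<2.0.0', fixAvailable: true,
    },
    'example-logger': {
      name: 'example-logger', severity: 'low', isDirect: true,
      via: ['example-logger'], range: '<1.4.2', fixAvailable: true,
    },
    'example-templating': {
      name: 'example-templating', severity: 'critical', isDirect: true,
      via: ['example-templating'], range: '<=3.1.0', fixAvailable: false,
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 },
  },
};

const result = auditGate(SAMPLE_REPORT, 'high');
console.log(JSON.stringify(result, null, 2));
console.log(result.pass ? 'merge gate: PASS' : 'merge gate: BLOCK');
```

In CI the report would come from `npm audit --json > audit.json` run on the PR branch, with the job failing when `pass` is false; the `counts` object gives the PMC the per-severity numbers to put in the Jira discussion. Two caveats: `npm audit` only covers the npm dependency graph, so an outdated Electron (and therefore Chromium) runtime in an Electron app is not caught by it, and a report generated on the contributor's machine depends on which lockfile was committed, so the gate should run against the exact lockfile being merged.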

Riko Eksteen, August 16, 2019 at 9:00 PM

I wasn't aware that anything more was required. The contribution has been accepted and I personally approved the pull request weeks ago, so it has been ready to merge for a while.

As you will see from 's comment above on 25 July, Leslie Spiro has been made project admin and can therefore merge the PR and invite others onto the project as contributors.

I thought as PMC our responsibility had been met, beyond monitoring and supporting the project going forward. If there is anything else that needs to be done from my or our side I wasn't aware of it. If there is, please let us know. If there isn’t, it would be great if we can now close this Jira issue and the project can continue to be discussed and managed on GitHub.

Rob Underwood, August 16, 2019 at 8:16 PM

FDC3 PMC – what’s the next step here on CONTRIB-42, both re the pending pull request and the announcement? See my comment above.

It’s not healthy for the community (and, candidly, wasteful of member resources given the time the FINOS staff continues to spend on this one CONTRIB) to not bring this to closure.

Can we get guidance one way or another on this CONTRIB – accept the PR and do an announcement, or reverse and revert - before next Friday’s FDC3 PMC meeting?
