Wednesday, 2019-07-31, 12am ET
Name | Organisation |
---|---|
Maurizio Pillitu | FINOS |
Aitana Myohl | FINOS |
Tom Schady | GreenKey |
Brian Ingenito | Morgan Stanley |
Jamie Jones | GitHub |
Malcolm Chedzoy | JP Morgan Chase |
Ronen Soreq | WhiteSource |
Rob Underwood | FINOS |
Time | Item | Who | Notes from the Meeting |
---|---|---|---|
5 mins | Convene & Roll Call | Brian Ingenito | |
5 mins | Improving visibility of currently identified security vulnerabilities in programs, especially those that produce a lot of code (e.g., Plexus, Symphony, Hadouken) | Maurizio Pillitu and Group | |
5 mins | WhiteSource update | | Requirements consolidated into |
5 mins | Enforce Dependabot across all FINOS repos | Maurizio Pillitu | https://dependabot.com/ - objections? Roll-out plan & expectations. Program Liaison can share this across all programs. Due date August 15, after Mao's holidays. Address repos with high-severity security vulnerabilities (e.g., Plexus). |
5 mins | GitHub Consolidation update | Maurizio Pillitu, Jamie Jones | Demo/walkthrough |
5 mins | Minutes taking in GitHub (Wiki) | Maurizio Pillitu, Tom Schady | |
5 mins | Ongoing license validation | Maurizio Pillitu | Updates after chatting with FOSSA |
5 mins | Retrospective on current sprint | Group | |
10 mins | Planning next Sprint | Group | |
10 mins | Backlog scrubbing | Group | See ongoing license validation item |
5 mins | AOB & adjourn | Group | |
Action: confirm that GitHub security checks are a subset of Dependabot.

It's the pre-acquisition version of Dependabot. It's much more fully featured than the GitHub-integrated version currently: it can update all your dependencies (not just those with known vulnerabilities), and it supports many more language ecosystems.

You'll get pull requests from both as usual. In cases where both bots would normally create the same PR (i.e., dependencies with known vulnerabilities), one bot will create it first and the other will do nothing unless that PR is closed, in which case it will also create it.
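As an added illustration for the Dependabot roll-out item above (this is not a file from any FINOS program and not part of the original minutes), the following is a `.dependabot/config.yml` in the version 1 format that dependabot.com read at the time. It shows the two scopes the answer above contrasts: one manifest restricted to security-only updates, which is the scope the GitHub-integrated checks cover, and one that updates all dependencies, which only the dependabot.com bot does. The repository layout (a Maven project at the root and a JavaScript package under `/web`), the reviewer handle and the labels are assumptions made for the example.

```yaml
# .dependabot/config.yml - dependabot.com "version 1" format.
# Repo layout, reviewer handle and labels below are assumed for illustration.
version: 1
update_configs:
  # Root Maven project (assumed): open PRs only for dependencies with a
  # known vulnerability, i.e. the same scope as the GitHub-integrated
  # security alerts/PRs.
  - package_manager: "java:maven"
    directory: "/"
    update_schedule: "daily"
    allowed_updates:
      - match:
          dependency_type: "all"
          update_type: "security"
    default_labels:
      - "dependencies"
      - "security"
    default_reviewers:
      - "example-reviewer"   # assumed GitHub handle of the program maintainer

  # JavaScript package under /web (assumed path): update every direct
  # dependency, not only vulnerable ones, which is what distinguishes
  # dependabot.com from the GitHub-integrated version. Indirect (lockfile-only)
  # dependencies still get PRs when a vulnerability is known.
  - package_manager: "javascript"
    directory: "/web"
    update_schedule: "weekly"
    allowed_updates:
      - match:
          dependency_type: "direct"
          update_type: "all"
      - match:
          dependency_type: "indirect"
          update_type: "security"
    default_labels:
      - "dependencies"
```

The file has to be committed on each repository's default branch; dependabot.com picks it up once the app is installed on the organisation or repository. Two caveats for the roll-out: because the two bots coordinate only on PRs that are open, a reviewer who closes a security PR from one bot without merging it should expect the other bot to open an identical PR, as the answer above describes; and the GitHub-native Dependabot that replaced the dependabot.com service reads `.github/dependabot.yml` in a `version: 2` format instead, so a configuration in this format would need to be migrated.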