2019-07-31 ODP WG Meeting notes

Date/Time

Wednesday, 2019-07-31, 12am ET

Attendees

Name | Organisation
Maurizio Pillitu | FINOS
Aitana Myohl | FINOS
Tom Schady | GreenKey
Brian Ingenito | Morgan Stanley
Jamie Jones | GitHub
Malcolm Chedzoy | JP Morgan Chase
Ronen Soreq | WhiteSource
Rob Underwood | FINOS

Outstanding Action Items

Description | Due date | Assignee | Task appears on
  • GitHub consolidation docs on handbook (INT-748) | Assignee: James McLeod | Appears on: 2019-12-18 and 2019-10-9 ODP WG Meeting notes
  • Add docs to GitHub consolidation re. security checks on GitHub | Appears on: 2019-08-28 and 2019-08-14 ODP WG Meeting notes



Agenda

Time | Item | Who | Notes from the meeting

5 mins | Convene & Roll Call | Brian Ingenito

5 mins | Improving visibility of currently identified security vulnerabilities in programs, especially those that produce a lot of code (e.g., Plexus, Symphony, Hadouken) | Maurizio Pillitu and Group
  • Automated GitHub security PRs need to be manually enabled on every repo
    • How to scan only production dependencies (dev dependencies are a false positive)
    • Are GitHub security checks a subset of Dependabot? Jamie Jones is almost sure; will confirm
  • PMCs should preferably receive security alerts on a scheduled basis (i.e. monthly); if that is not possible, they should be notified directly (by adding them to the repo security settings)

5 mins | WhiteSource update | Requirements consolidated into ODP-92

5 mins | Enforce Dependabot across all FINOS repos | Maurizio Pillitu | https://dependabot.com/ - any objections? Roll-out plan & expectations. Program Liaison can share this across all programs. Due date August 15, after mao hols. Address repos with high security vulnerabilities (i.e. Plexus).

5 mins | GitHub Consolidation update | Maurizio Pillitu, Jamie Jones | Demo/walkthrough:
  • FINOS Roles
  • Team structure and permissions
  • FDX and DT current setup

5 mins | Minutes taking in GitHub (Wiki) | Maurizio Pillitu, Tom Schady

5 mins | Ongoing license validation | Maurizio Pillitu | Updates after chatting with FOSSA

5 mins | Retrospective on current sprint | Group

10 mins | Planning next sprint | Group

10 mins | Backlog scrubbing | Group | See ongoing license validation item

5 mins | AOB & adjourn | Group



Action Items


Follow-ups

Confirm that GitHub security checks are a subset of Dependabot

What is "Dependabot Preview"?

It’s the pre-acquisition version of Dependabot. It’s much more fully-featured than the GitHub-integrated version currently - it can update all your dependencies (not just those with known vulnerabilities), and it supports many more language ecosystems.

What happens if I have both "Dependabot Preview" and "Automated Security Fixes" activated?

You’ll get pull requests from both as usual. In cases where both bots would normally create the same PR (i.e., for dependencies with known vulnerabilities), one bot will create it first and the other will do nothing unless that PR is closed, in which case it will also create it.
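As an added illustration (not from the meeting, and not FINOS's own configuration) of the "production dependencies only" question raised in the agenda and the Dependabot behaviour described above, this is a `.github/dependabot.yml` in the later v2 format that limits version-update PRs for an npm project to production dependencies and puts them on a schedule; the ecosystem, directory, schedule and PR limit are assumed values.

```yaml
# Added example, not from the meeting notes: .github/dependabot.yml
# (v2 format, introduced after this meeting; assumed here for illustration).
version: 2
updates:
  - package-ecosystem: "npm"      # assumed ecosystem; add one entry per ecosystem/directory
    directory: "/"                # location of package.json, assumed to be the repo root
    schedule:
      interval: "weekly"          # PRs arrive on a predictable cadence rather than ad hoc
    allow:
      # Version-update PRs only for production dependencies; devDependencies,
      # the false positives noted in the agenda, are left out.
      - dependency-type: "production"
    open-pull-requests-limit: 5   # caps PR noise on repos with many outdated dependencies
```

Whether security-alert PRs (as opposed to routine version updates) also honour `allow` should be checked against the current GitHub documentation before relying on it to suppress dev-dependency alerts.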


Content on this page is licensed under the CC BY 4.0 license.
Code on this page is licensed under the Apache 2.0 license.