Table of Contents

Date/Time

Wednesday, 2019-07-31, 12am ET

Attendees

Name	Organisation
Maurizio Pillitu	FINOS
Aitana Myohl	FINOS
Tom Schady	GreenKey
Former user (Deleted)	Morgan Stanley
Jamie Jones	GitHub
Malcolm Chedzoy	JP Morgan Chase
Ronen Soreq	WhiteSource
Rob Underwood (Deactivated)	FINOS

Attendee Webex Screenshot

Outstanding Action Items

Description	Assignee	Task appears on
Next ODP meeting notes onto GitHub; check examples: https://github.com/tc39/notes , https://github.com/emberjs/core-notes , https://github.com/reactiveui/meeting-minutes , https://github.com/nteract/meeting-minutes , https://github.com/finos/voice-metadata-standard/wiki		2019-12-18 ODP WG Meeting notes
Create an issue template for new ODP suggestion into https://github.com/finos/open-developer-platform/issues (see cloud service certification as example		2019-12-18 ODP WG Meeting notes
Create epic with the workflow proposed by OSR /cc James McLeod (Unlicensed)	James McLeod (Unlicensed)	2019-10-9 ODP WG Meeting notes
GitHub consolidation docs on handbook - INT-748 - Getting issue details... STATUS		2019-08-28 ODP WG Meeting notes
GitHub Actions spike for license scanning - ODP-10 - Getting issue details... STATUS (see https://github.com/finos/odp-test/blob/master/.github/workflows/fossa-cli.yml)		2019-08-28 ODP WG Meeting notes
Add docs to GitHub consolidation re. security checks on GitHub		2019-08-14 ODP WG Meeting notes

Agenda

Time	Item	Who	Notes from the Meeting
5 mins	Convene & Roll Call	Former user (Deleted)
5 mins	Improving visibility to current identified security vulnerabilities in programs, especially those that produce a lot of code (e.g., Plexus, Symphony, Hadouken)	Maurizio Pillitu and Group	Automated GitHub security PRs, need to be manually enabled on all repos How to only scan production dependencies (dev dependencies are a false positive) Is GitHub security checks a sub-set of dependabot? Jamie Jones is almost sure, will confirm PMCs should preferably be reported with security alerts on scheduled bases (ie monthly); if not possible, they should be notified (adding to repo security settings)
5 mins	WhiteSource update		Requirements consolidated into ODP-92 - Getting issue details... STATUS
5 mins	Enforce dependabot across all FINOS repos	Maurizio Pillitu	https://dependabot.com/ - objections? roll-out plan & expectations. Program Liaison can share this across all programs. Due date August 15, after mao hols. Address repos with high security vulnerabilities (ie Plexus).
5 mins	GitHub Consolidation update	Maurizio Pillitu Jamie Jones	Demo/walkthrough FINOS Roles Team structure and permissions FDX and DT current setup
5 mins	Minutes taking in GitHub (Wiki)	Maurizio Pillitu Tom Schady	[DRAFT] Collaboration on GitHub - feedback is welcome We should try with the ODP Working Group Implement Bitergia crawler (see ODP-90)
5 mins	Ongoing license validation	Maurizio Pillitu	Updates after chatting with FOSSA
5 mins	Retrospective on current sprint	Group	Also check resolved issues in the last 2 weeks that are not included in any Sprint
10 mins	Planning next Sprint	Group
10 mins	Backlog scrubbing	Group	See ongoing license validation item
5	AOB & adjourn	Group

Action Items

Maurizio Pillitu - work on ODP-90 to run metadata-tool locally for Tom Schady
Update documentation and team settings in order - for each repo - to notify PMC GitHub team for each security alert
Jamie Jones - confirm that github security checks is a sub-set of dependabot
Maurizio Pillitu - fix travis CI builds for transferred repos - Didn't do anything, but https://travis-ci.org/finos/cla-bot seems to work as expected
Jamie Jones and Maurizio Pillitu - socialise gihub consolidations docs - agenda topic at next PMC call (3rd week of august)

Follow-ups

confirm that github security checks is a sub-set of dependabot

What is "Dependabot Preview"?

It’s the pre-acquisition version of Dependabot. It’s much more fully-featured than the GitHub-integrated version currently - it can update all your dependencies (not just those with known vulnerabilities), and it supports many more language ecosystems.

What happens if I have both "Dependabot Preview" and "Automated Security Fixes" activated?

You’ll get pull requests from both as usual. In cases where both bots would normally to create the same PR (i.e., dependencies with known vulnerabilities) one bot will create it first and the other will do nothing unless that PR is closed, in which case it will also create it.

Browser not supported