2019-07-31 ODP WG Meeting notes

Date/Time

Wednesday, 2019-07-31, 12am ET

Attendees

Name | Organisation
@Maurizio Pillitu | FINOS
@Aitana Myohl | FINOS
@Tom Schady | GreenKey
@Former user (Deleted) | Morgan Stanley
@Jamie Jones | GitHub
Malcolm Chedzoy | JP Morgan Chase
@Former user (Deleted) | WhiteSource
@Rob Underwood (Deactivated) | FINOS

Attendee Webex Screenshot

Outstanding Action Items


Agenda (Time | Item | Who | Notes from the Meeting)

5 mins | Convene & Roll Call | @Former user (Deleted)

5 mins | Improving visibility of currently identified security vulnerabilities in programs, especially those that produce a lot of code (e.g., Plexus, Symphony, Hadouken) | @Maurizio Pillitu and Group
  • Automated GitHub security PRs need to be manually enabled on all repos
    • How to only scan production dependencies (dev dependencies are a false positive)
    • Are GitHub security checks a subset of Dependabot? @Jamie Jones is almost sure, will confirm
  • PMCs should preferably receive security alert reports on a scheduled basis (i.e. monthly); if that is not possible, they should be notified (by adding them in the repo security settings)

5 mins | WhiteSource update |
  Requirements consolidated into https://finosfoundation.atlassian.net/browse/ODP-92

5 mins | Enforce Dependabot across all FINOS repos | @Maurizio Pillitu
  https://dependabot.com/ - objections? Roll-out plan & expectations. Program Liaison can share this across all programs. Due date August 15, after Mao's holidays. Address repos with high security vulnerabilities (i.e. Plexus).

5 mins | GitHub Consolidation update | @Maurizio Pillitu @Jamie Jones
  Demo/walkthrough
  • FINOS Roles
  • Team structure and permissions
  • FDX and DT current setup

5 mins | Minutes taking in GitHub (Wiki) | @Maurizio Pillitu @Tom Schady

5 mins | Ongoing license validation | @Maurizio Pillitu
  Updates after chatting with FOSSA

5 mins | Retrospective on current sprint | Group
  Also check resolved issues in the last 2 weeks that are not included in any Sprint

10 mins | Planning next Sprint | Group

10 mins | Backlog scrubbing | Group
  See ongoing license validation item

5 mins | AOB & adjourn | Group

Action Items

  • @Maurizio Pillitu - work on ODP-90 to run metadata-tool locally for @Tom Schady
  • Update documentation and team settings so that, for each repo, the PMC GitHub team is notified of every security alert
  • @Jamie Jones - confirm that GitHub security checks are a subset of Dependabot
  • @Maurizio Pillitu - fix Travis CI builds for transferred repos - didn't do anything, but https://travis-ci.org/finos/cla-bot seems to work as expected
  • @Jamie Jones and @Maurizio Pillitu - socialise GitHub consolidation docs - agenda topic at next PMC call (3rd week of August)


Follow-ups

Confirm that GitHub security checks are a subset of Dependabot

What is "Dependabot Preview"?

It's the pre-acquisition version of Dependabot. It's currently much more fully featured than the GitHub-integrated version: it can update all your dependencies (not just those with known vulnerabilities), and it supports many more language ecosystems.

What happens if I have both "Dependabot Preview" and "Automated Security Fixes" activated?

You'll get pull requests from both as usual. In cases where both bots would normally create the same PR (i.e., dependencies with known vulnerabilities), one bot will create it first and the other will do nothing unless that PR is closed, in which case it will also create it.
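The "how to only scan production dependencies" question from the agenda, as an added example that is not from these notes or from FINOS: a `.github/dependabot.yml` in the GitHub-native Dependabot configuration format (which post-dates this meeting; the dependabot.com Preview discussed above used a separate `.dependabot/config.yml` format). The npm ecosystem, the root directory and the weekly schedule are assumptions.

```yaml
# .github/dependabot.yml (added example; npm, "/" and the weekly schedule are assumptions)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Restrict update PRs to production dependencies. devDependencies
    # (test and build tooling) are left alone, which is the
    # "dev dependencies are a false positive" concern raised in the meeting.
    allow:
      - dependency-type: "production"
    # Cap the number of open PRs so a large repo is not flooded at roll-out.
    open-pull-requests-limit: 5
```

This file only governs the PRs Dependabot itself opens; notifying a PMC team of alerts is still a repository security setting, as the action item above records.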