2019-07-31 ODP WG Meeting notes
Date/Time
Wednesday, 2019-07-31, 12am ET
Attendees
Name | Organisation
---|---
Maurizio Pillitu | FINOS
Aitana Myohl | FINOS
Tom Schady | GreenKey
Former user (Deleted) | Morgan Stanley
Jamie Jones | GitHub
Malcolm Chedzoy | JP Morgan Chase
Ronen Soreq | WhiteSource
Rob Underwood (Deactivated) | FINOS
Attendee Webex Screenshot
Outstanding Action Items
Description | Due date | Assignee | Task appears on
---|---|---|---
 | | | 2019-12-18 ODP WG Meeting notes
 | | | 2019-12-18 ODP WG Meeting notes
 | | James McLeod (Unlicensed) | 2019-10-9 ODP WG Meeting notes
 | | | 2019-08-28 ODP WG Meeting notes
 | | | 2019-08-28 ODP WG Meeting notes
 | | | 2019-08-14 ODP WG Meeting notes
Agenda
Time | Item | Who | Notes from the Meeting
---|---|---|---
5 mins | Convene & Roll Call | Former user (Deleted) |
5 mins | Improving visibility of currently identified security vulnerabilities in programs, especially those that produce a lot of code (e.g., Plexus, Symphony, Hadouken) | Maurizio Pillitu and Group |
5 mins | WhiteSource update | | Requirements consolidated into ODP-92
5 mins | Enforce Dependabot across all FINOS repos | Maurizio Pillitu | https://dependabot.com/ - objections? Roll-out plan & expectations. Program Liaison can share this across all programs. Due date August 15, after Mao's holidays. Address repos with high security vulnerabilities first (i.e., Plexus).
5 mins | GitHub Consolidation update | Maurizio Pillitu, Jamie Jones | Demo/walkthrough
5 mins | Minutes taking in GitHub (Wiki) | Maurizio Pillitu, Tom Schady |
5 mins | Ongoing license validation | Maurizio Pillitu | Updates after chatting with FOSSA
5 mins | Retrospective on current sprint | Group |
10 mins | Planning next Sprint | Group |
10 mins | Backlog scrubbing | Group | See ongoing license validation item
5 mins | AOB & adjourn | Group |
Action Items
- Maurizio Pillitu - work on ODP-90 to run metadata-tool locally for Tom Schady
- Update documentation and team settings in order - for each repo - to notify the PMC GitHub team for each security alert
- Jamie Jones - confirm that GitHub security checks are a sub-set of Dependabot
- Maurizio Pillitu - fix Travis CI builds for transferred repos - Didn't do anything, but https://travis-ci.org/finos/cla-bot seems to work as expected
- Jamie Jones and Maurizio Pillitu - socialise GitHub consolidation docs - agenda topic at next PMC call (3rd week of August)
Follow-ups
Confirm that GitHub security checks are a sub-set of Dependabot
What is "Dependabot Preview"?
It's the pre-acquisition version of Dependabot. It's currently much more fully-featured than the GitHub-integrated version: it can update all your dependencies (not just those with known vulnerabilities), and it supports many more language ecosystems.
What happens if I have both "Dependabot Preview" and "Automated Security Fixes" activated?
You'll get pull requests from both as usual. In cases where both bots would normally create the same PR (i.e., dependencies with known vulnerabilities), one bot will create it first and the other will do nothing unless that PR is closed, in which case it will also create it.
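As an added illustration of what the "enforce Dependabot across all FINOS repos" roll-out item and the follow-up above amount to per repository, the configuration below is an example written for these notes, not a file from any FINOS repo and not the "Dependabot Preview" config discussed in the meeting. It assumes the GitHub-integrated `.github/dependabot.yml` format (version 2) that replaced Dependabot Preview, a repository that mixes an npm front end with a Maven back end, and a placeholder label name `dependencies` that the PMC can filter on; the ecosystems, paths and schedule are assumptions for the example.

```yaml
# .github/dependabot.yml (example for these notes; assumed GitHub-integrated v2 format)
version: 2
updates:
  # Front-end dependencies: package.json / package-lock.json at the repo root (assumed path)
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap on open Dependabot PRs so a large repo is not flooded after enabling the bot
    open-pull-requests-limit: 5
    # Placeholder label so the PMC team can query all bot PRs across repos
    labels:
      - "dependencies"

  # Back-end dependencies: pom.xml under ./server (assumed path)
  - package-ecosystem: "maven"
    directory: "/server"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"

  # Keep the CI workflow actions themselves current as well
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Security alerts for known-vulnerable dependencies are raised by GitHub regardless of this file; what the file adds is the scheduled version-update PRs that the notes describe as the difference between the Preview bot and the security-fix-only integration. Rolling it out repo by repo, starting with the ones flagged as carrying high-severity alerts, matches the plan recorded in the agenda.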
Content on this page is licensed under the CC BY 4.0 license.
Code on this page is licensed under the Apache 2.0 license.