2017-10-24 Meeting notes
Table of Contents
Date
Oct 24, 2017
Agenda
Time | Item | Who | Notes |
|---|---|---|---|
5 min | Convene & roll call |
|
|
10 min | Review action items from previous meetings |
| See above |
10 min | Discussion: Linux Foundation open source request template | @Aaron Williamson |
|
15 min | Discussion: draft policy outline | @Aaron Williamson |
|
15 min | Discussion: surveillance of Github & other collaboration tools | @Aaron Williamson, @Former user (Deleted) |
|
5 min | AOB & adjourn |
|
|
Attendees
Name | Organisation | Present / Absent |
|---|---|---|
@Aaron Williamson | Symphony Software Foundation | Y |
@Gabriele Catania | BlackRock | Y |
@Former user (Deleted) | Scott Logic |
|
Doug Friedman | Tradeweb |
|
Justin Peterson | Tradeweb | Y |
@Lawrence Miller (Deactivated) | Symphony LLC |
|
@Rhyddian Olds | Deutsche Bank |
|
@Former user (Deleted) | IHS Markit | Y |
@Former user (Deleted) | Credit Suisse |
|
@Ken Watson (Deactivated) | Ipreo |
|
@Peter Monks | Symphony Software Foundation |
|
Actions items from previous meetings
Add new action items here.
Meeting notes
The members reviewed the Linux Foundation's template open source request form and discussed which items were relevant to their processes.
A common process discussed is that open source components are reviewed once upon importation to internal repositories (e.g. Artifactory). Requests are made via a ticketing system like Jira. Developers aren't required to provide much information in their requests. The open source review board become the de facto owners of the open source components after approval, so it's incombent on them to do appropriate dilligence. The information stored about each component includes: owner, whether approval is for production or non-production (i.e. distributed or hosted) use, and any vulnerability information. There is then a less rigorous approval process for version updates. OSRB tracks where packages are deployed geographically because that impacts regulatory concerns. There was agreement that it would be useful to collect information on which clients are affected by each components, for security notification purposes.