Security Office Hour 2024-07-04

Consortia Security Team Member

Security Office Hour meeting minutes

Announcements

  • The GitGuardian tool for secret scanning will be replaced by TruffleHog. It will be used in parallel with GitHub's native secret scanning tool.
  • The Trivy workflow has been updated to address the workflow failures
  • Announcement of Security handover during the committer round

Community Office Hour 2024-06-28

Tractus-X Project Lead

Office Hour meeting minutes

Infrastructure

  • Info from Test / Infrastructure Management CX Association by Harald:
    • status of product onboarding and deployment progression to new environment
    • clarifying dependencies, resolving blockers is ongoing
    • handover of test cases to new CX Association Xray
    • Invitation to the E2E Test Management Daily beginning Monday (July 1, 2024): frequency set to half an hour every second day
  • Status of the current work on API publishing by Tomasz (in progress): a separate repository to store API docs and publish them via GitHub Pages, the API Hub, was created. He will present the topic in a more hands-on way in one of the upcoming office hours

Security team

  • Info from security team by Rohan:
    • Replacement of GitGuardian with TruffleHog, see according pull request to update TX release guideline: #950
    • Updates to the Trivy workflow, see according pull request to update TX release guideline: #949
    • Security tools walkthrough in the Committers Meeting of July 5, 2024 (about 20 minutes) - Rohan will announce the walkthrough next week on the TX mailing list while sending out a reminder for the meeting

FOSS

  • Committer Election for Lucas concluded successfully, congratulations and welcome!
  • Don't forget to update the legal docs!! Close the tickets in your repositories once it is done: eclipse-tractusx/sig-infra#477

Open planning / community

Discussions

  • Evelyn suggested a consistent way of storing environment-specific deployment configuration (Helm values files) in TX repositories:
    • IF product teams store deployment configuration in TX, it should be stored in a separate directory at root level (/environments), and the notice file should explain that it is needed for the end-to-end testing of TX releases
    • no deployment configuration other than the one used for the official E2E testing of TX releases should be kept in TX
    • the suggestion is not intended to promote storing this configuration in TX, but if you do it, do it as properly as possible
    • a benefit of (properly) storing the configuration in TX is the versioning with the TX GitHub releases, which makes it easy to trace back the exact configuration used for testing
    • other options for handling environment-specific deployment configuration outside of TX were discussed as well; the option of multiple sources for Argo CD was mentioned by Carsten
  • Stephan was wondering about how to handle outdated information on the TX Product Page:
    • product teams should check if the information on the page is still up to date; Stephan will send a reminder on the TX mailing list
    • Arno mentioned that he would update the products which are still outdated in a couple of weeks, thanks for volunteering!

Community Office Hour 2024-06-21

Mathias Brunkow Moser
DPP Architect, Eclipse Committer

Office Hour meeting minutes

Infrastructure

Security team

FOSS

Open planning / community

  • Every office hour there will be a slot to talk about the current process of the working model of Tractus-X/Catena-X, with updates from the community.

Discussions

  • The Mermaid version in the current Docusaurus used for the Tractus-X webpage does not support the block-beta and xychart-beta diagram types.
    • Stephan Bauer will test upgrading the Docusaurus version in the Catena-X e.V. repository.

Security Office Hour 2024-06-20

Consortia Security Team Member

Security Office Hour meeting minutes

Announcements

  • Reminder about the former GitHub organisation Catenax-ng
  • Reminder to remove any test credentials/sensitive data that are still present in Catenax-ng
  • Reminder to look at the results of the security scans after the migration to Eclipse Tractus-X

Community Office Hour 2024-05-03

Sebastian Bezold
Consortia System Team Member

Office Hour meeting minutes

System team

  • Support needed for overarching CHANGELOG creation for release 24.05. If interested, please get in contact with Stephan Bauer

Security team

  • n/a

FOSS

Open planning / community

  • We are looking for committers to help with the Release QG Check Review for the upcoming release. Please reach out to Roland and Siegfried if you are interested.
  • Check out the meeting invitations for open meetings regarding planning for release 24.12

Discussions

  • Are there defined deadlines for release 24.08? -> No one in the meeting knew of one yet
  • Interoperability and Threat Modelling checks in 24.05?
    • You can approach the Security Team via an issue on sig-security
    • Checks that have been documented in a Consortia Confluence instance could still take place, but a transparent format should be considered. Some teams already document on GitHub.

Community Office Hour 2024-04-26

Fabian Grün
Consortia System Team Member

Office Hour meeting minutes

System team

  • We moved from the former Miro board to the new board within our Eclipse Tractus-X GitHub organization projects; if you would like to give feedback, feel free to state it in the draft issue
  • You can now state your topic for the next office hour at any time as a draft issue for each open meeting like the "Office Hour", as described in the info section of the board

Security team

  • Rohan will resume work on Monday, 13-May. Alternate contacts: Lokesh Gujre, Tim Herres
  • The bug bounty program is still in the works, but we are making progress on it, see issue

FOSS

  • Committer Election for Arno Weiß open for voting
  • Please check out the statements on the "Use of AI" in one of our Eclipse Office Hour sessions
  • OCX Conference - Call for speakers is open! Submit your talk here
  • Friendly reminder about the Eclipse Office Hours regarding the process and shared information, see here
  • Friendly reminder to check the product notice sections in your documentation and update them if necessary; a small example was found within the KIT documentation, see here

Open planning / community

  • We are looking for committers to help with the Release QG Check Review for the upcoming release. Please reach out to Roland and Siegfried if you are interested.

Discussions

  • n/a

Community Office Hour 2024-04-19

Gabor Almadi
Consortia System Team Member

Office Hour meeting minutes

System team

  • n/a

Security team

  • An updated list of security-related TRGs is available after this PR has been merged

FOSS

Open planning / community

  • New dates with blockers will be added to the website for release 24.12 soon, keep an eye on them! There will be a news entry when they are available
  • Starting with the next release (24.05), QG4 reviews will be mandatory to do in pairs so that every committer can get familiar with the process. A committer can't review their "own" products

Discussions

  • You can read about Eclipse roles and how to become one here
  • There is a new board, work in progress on GitHub, that could be a replacement for the current Miro board we use for the Office Hour
  • Kubernetes 1.30 is available now, but consortia clusters are still on 1.27 (which is the LTS version). This should be aligned, as TRG 5.10 describes our goal otherwise.
  • For release 24.05 you can open an issue for a security assessment in the sig-security repository. This support won't be available starting with release 24.08
  • There is currently a problem with the calendar files on the website. It is being investigated and an update will be provided soon.

Committer Meeting 12.04.2024

Stephan Bauer
Eclipse Tractus-X Project Lead

Committer meeting - meeting minutes

Open Planning Participation of committers

The open planning is one of the most important meetings. I think 14 (of 41) committers were present, but only two used their voice ;) what about the others?

=> Maybe we should talk more beforehand, about the importance of the meeting. Responsibilities and expectations of attendance.

Label structure

The labels on the features are very important for dependencies and filtering. Yes we have a lot, but we need more ;) but on the other hand we can also delete some ;)

Suggestions:

New needed

  • ssi
  • data-sovereignty
  • policy-hub
  • policy-registry
  • issuer-component
  • authority-registry

=> discussed -> create the labels

  • open-discussions (color: red)
  • Prep-P14 -> maybe Prep-R2412 -> do we need the specific prep label?
  • Prep-P15
  • Standards (marks tickets which have impact on standards)
  • Breaking Change (marks breaking change tickets)

Changes needed

  • miw => rename to identity-wallet

Delete (probably we need to discuss this once since a deletion has impacts…)

  • kit (reason: each kit has an own label already)
  • foss
  • go
  • PI12 (ideally we just inactive it to not lose it on the old tickets)
  • Prep-P11 (ideally we just inactive it to not lose it on the old tickets)
  • Prep-P12 (ideally we just inactive it to not lose it on the old tickets)
  • Project management
  • Test results

Additionally, I would like to suggest a clear color coding

  • All Product labels - ocean blue
  • All Prep-Pxx label – grey
  • All highlight labels – red
  • All UseCase labels – green -> can we delete this?
  • All Expert group labels - yellow

=> HTML color code is used

Clean Board

My feeling is we will have roughly 60 features for 24.08 -> all good. Happy about it. But on the board itself we have more than 200. I understand it's good to have some features in inbox/backlog... but I think the gap is too big ... and I think a lot of them could be deleted ;(

=> discussed and decided: Friendly reminder -> after a specific amount of time the issues are deleted automatically

Views on project board

The views (tabs) should be cleaned up; which views are still needed?

  • Feature view (issuetype feature) -> for Expert Groups / Committees / Developer
  • QGate View (issuetype realease_ac)
  • ???

Future working model

Instead of Miro we could work with GitHub Projects for agenda/issue tracking, e.g. example board

=> let's try it

Custom Attribute

Since we work together e.V./Open Source, it would be beneficial if we could map the features to the related expert (groups). Therefore I would like to discuss a custom attribute which holds the related committee/expert group (dedicated list) -> This would help to filter and also get a better feeling

=> prepare a poc -> Tom , Stephan

Feature quality

Since the quality of a feature sometimes varies (how is the feature described, did you clarify your dependencies, did you talk to your committer, is the time allocated), I would like to extend the feature template to guide a little bit more. For example a checklist like:

  • [ ] I have talked to dependent components
  • [ ] I have talked to my committers
  • [ ] I will contribute to this feature
  • ...

-> mention the release process via link in the template, keep the template simple -> link the contribution guidelines

Community Office Hour 2024-04-12

Consortia System Team Member

Office Hour meeting minutes

System team

  • The number of previous KIT versions on the home page has been reduced (this speeds up the compile process by 3,5x)
  • The System team is working on collecting the OpenAPI specs (as an alternative to SwaggerHub)

Security team

  • Invicti DAST scans are available now. They are not part of the next QG.
  • Heads up regarding the XZ backdoor awareness mail on the mailing list

FOSS

  • Committer elections are important to prevent hostile project takeover (especially in the wake of the XZ Utils backdoor)

Open planning / community

  • n/a

Discussions

  • Reminder that there will be a "tandem mode" review for the next QGate:
    • one reviewer from the System team and one committer from the projects for each QG check
    • the "project committer" cannot review his/her own project