
Security Office Hour meeting minutes

Announcements

  • Reminder about former GitHub Organisation Catenax-ng
  • Reminder to remove any test credentials or other sensitive data that are still present in Catenax-ng
  • Reminder to look for the results of the security scans after migration to Eclipse Tractus-x

Sebastian Bezold

Office Hour meeting minutes

System team

  • Support needed for overarching CHANGELOG creation for release 24.05. If interested, please get in contact with Stephan Bauer

Security team

  • n/a

FOSS

Open planning / community

  • We are looking for committers to help with the Release QG Check Review for the upcoming release. Please reach out to Roland and Siegfried if you are interested.
  • Check out the meeting invitations for open meetings regarding planning for release 24.12

Discussions

  • Are there defined deadlines for release 24.08? -> No one in the meeting knew of one yet
  • Interoperability and Threat Modelling checks in 24.05?
    • You can approach the Security Team via an issue on sig-security
    • Checks that have been documented in a Consortia Confluence instance could still take place, but a transparent format should be considered. Some teams already document on GitHub.

Fabian Grün

Office Hour meeting minutes

System team

  • We moved from the former Miro board to the new board within our Eclipse Tractus-X GitHub organization projects. If you would like to give feedback, feel free to state it in the draft issue
  • You can now state your topic for the next office hour at any time as a draft issue for each open meeting (such as the "Office Hour"), as described in the info section of the board

Security team

  • Rohan will resume work on Monday, 13-May. Alternate contacts: Lokesh Gujre, Tim Herres
  • Bug bounty program is still in the works, but we are making progress on it; see issue

FOSS

  • Committer Election for Arno Weiß open for voting
  • Please check out the statements on the "Use of AI" from one of our Eclipse Office Hour sessions
  • OCX Conference - Call for speakers is open! Submit your talk here
  • Friendly reminder about the Eclipse Office Hours, the process and the shared information; see here
  • Friendly reminder to check the product notice sections in your documentation and update them if necessary; a small example was found within the KIT documentation, see here

Open planning / community

  • We are looking for committers to help with the Release QG Check Review for the upcoming release. Please reach out to Roland and Siegfried if you are interested.

Discussions

  • n/a

Gabor Almadi

Office Hour meeting minutes

System team

  • n/a

Security team

  • An updated list of security-related TRGs will be available once this PR has been merged

FOSS

Open planning / community

  • New dates with blockers will be added to the website for release 24.12 soon; keep an eye on them! There will be a news entry when they are available
  • Starting with the next release (24.05), QG4 reviews will be mandatory to do in pairs, so that every committer can get familiar with the process. A committer can't review their "own" products

Discussions

  • You can read about Eclipse roles and how to become one here
  • There is a new board work in progress on GitHub that could be a replacement for the current Miro board we use for the Office Hour
  • Kubernetes 1.30 is available now, but consortia clusters are still on 1.27 (which is the LTS version). This should be aligned, as TRG 5.10 describes our goal otherwise.
  • For release 24.05 you can open an issue for security assessment in the sig-security repository. This support won't be available starting with release 24.08
  • There is a problem currently with the calendar files on the website for. It is being investigated and an update will be provided soon.

Committer meeting - meeting minutes

Open Planning Participation of committers

The open planning is one of the most important meetings. I think 14 (of 41) committers were present, but only two used their voice ;) What about the others?

=> Maybe we should talk more beforehand about the importance of the meeting, and about responsibilities and expectations of attendance.

Label structure

The labels on the features are very important for dependencies and filtering. Yes, we have a lot, but we need more ;) but on the other hand we can also delete some ;)

Suggestions:

New needed

  • ssi
  • data-sovereignty
  • policy-hub
  • policy-registry
  • issuer-component
  • authority-registry

=> discussed -> create the labels

  • open-discussions (color: red)
  • Prep-P14 -> maybe Prep-R2412 -> do we need the specific prep label?
  • Prep-P15
  • Standards (marks tickets which have impact on standards)
  • Breaking Change (marks breaking change tickets)

Changes needed

  • miw => rename to identity-wallet

Delete (probably we need to discuss this once since a deletion has impacts…)

  • kit (reason: each kit already has its own label)
  • foss
  • go
  • PI12 (ideally we just inactive it to not lose it on the old tickets)
  • Prep-P11 (ideally we just inactive it to not lose it on the old tickets)
  • Prep-P12 (ideally we just inactive it to not lose it on the old tickets)
  • Project management
  • Test results

Additionally, I would like to suggest a clear color coding

  • All Product labels - ocean blue
  • All Prep-Pxx label – grey
  • All highlight labels – red
  • All UseCase labels – green -> can we delete this?
  • All Expert group labels - yellow

=> HTML color code is used

Clean Board

My feeling is that we will have roughly 60 features for 24.08 -> all good. Happy about it. But on the board itself we have more than 200. I understand it's good to have some features in inbox/backlog... but I think the gap is too big... and I think a lot of them could be deleted ;(

=> discussed and decided: Friendly reminder -> after a specific amount of time the issues are deleted automatically

Views on project board

The views (tabs) should be cleaned up. Which views are still needed?

  • Feature view (issuetype feature) -> for Expert Groups / Committees / Developer
  • QGate View (issuetype realease_ac)
  • ???

Future working model

Instead of Miro we could work with GitHub Projects as agenda/issue tracking, e.g. example board

=> lets try it

Custom Attribute

Since we work together with the e.V./Open Source, it would be beneficial if we could map the features to the related expert (groups). Therefore I would like to discuss a custom attribute which holds the related committee/expert group (dedicated list) -> This would help to filter and also give a better feeling

=> prepare a PoC -> Tom, Stephan

Feature quality

Since the quality is sometimes lacking (how is a feature described, did you clarify your dependencies, did you talk to your committer, is the time allocated), I would like to extend the feature template to guide a little bit more. For example a checklist like:

  • [ ] I have talked to dependent components
  • [ ] I have talked to my committers
  • [ ] I will contribute to this feature
  • ...

-> mention the release process via link in the template, keep the template simple -> link the contribution guidelines

Office Hour meeting minutes

System team

  • The number of previous KIT versions on the home page has been reduced (this speeds up the compile process by 3.5x)
  • System team is working on collecting the OpenAPI specs (as alternative to SwaggerHub)

Security team

  • Invicti DAST scans are available now. They are not part of the next QG.
  • Heads up regarding the XZ backdoor awareness mail on the mailing list

FOSS

  • Committer elections are important to prevent hostile project takeover (especially in the wake of the XZ Utils backdoor)

Open planning / community

  • n/a

Discussions

  • Reminder that there will be a "tandem mode" review for the next QGate:
    • one reviewer from the System team and one committer from the projects for each QG Check
    • the "project committer" cannot review his/her own project

Sebastian Bezold

Office Hour meeting minutes

System team

  • Several TRGs in Draft
    • See TRG 0
    • Dedicated PRs will be raised to gather feedback before publishing

Security team

  • Veracode license finally expired
    • Dashboards still accessible
    • No new scans can be run
    • CodeQL is the replacement
  • Security TRGs are live. See the "TRG 8 - Security" section in the Release Guidelines

FOSS

  • n/a

Open planning / community

  • n/a

Discussions

  • Dependabot PRs
    • In general: keep your dependencies up to date. Keep the DEPENDENCIES file in mind. Ask committers for help if you don't have one in your team.
    • Specifically Docker base images: if Dependabot suggests upgrading the base image to a new major version that you do not support, ask a committer to tell Dependabot to ignore that update
    • Specifically the Chart Releaser Action: should not be an issue, but we can investigate whether the upgrade would raise issues (1.4.1 to 1.6.0 in this case)
  • Are there updates on API versioning?
    • No one in the call had an update
    • The discussion has been untouched for a while
    • If this is an issue for anyone, please push that topic again
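For the Docker base image case above, there are two ways a committer can make Dependabot stop proposing an unsupported major bump: comment `@dependabot ignore this major version` on the open PR (one-off, applies to that dependency only), or pin the rule in the repository's `.github/dependabot.yml` so it survives across PRs. The configuration below is an added illustration, not a Tractus-X file or a TRG; the base image name, directory and schedule are assumptions chosen for the example. The `ignore` entry drops only semver-major tag updates, so patch and minor base image fixes still arrive as PRs.

```yaml
# .github/dependabot.yml (added example, not part of any Tractus-X repository)
version: 2
updates:
  # Docker base image updates for the Dockerfile in the repository root (assumed path)
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # "eclipse-temurin" is an illustrative base image name, not a project requirement.
      # Minor and patch tag bumps are still proposed; only the next major line is suppressed.
      - dependency-name: "eclipse-temurin"
        update-types: ["version-update:semver-major"]

  # Keep GitHub Actions (e.g. chart-releaser-action) current on the same cadence
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

When the unsupported major line is eventually adopted, delete the `ignore` entry rather than leaving it in place; a stale ignore rule silently hides the security fixes that land only on the newer major release.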

Security Office Hour meeting minutes

Announcements

  • SAST:
    • Veracode - Offboarding: Last reminder, license terminates on 30-March-2024
    • CodeQL - Onboarding- Workflow Setup: TRG 8.01
  • DAST security scans are not part of the next release 24.05 (Updates will follow through the QG Acceptance Criteria)
  • KICS, Trivy, GitGuardian and Dependabot tools will continue as is.

Sebastian Bezold

Office Hour meeting minutes

System team

  • Investigating slow website build times
    • Local builds (and CI) take increasingly more time (~13 min for static build with empty caches)
    • Heap size has to be increased on some machines
    • Potential source: Versioning of the KITS and keeping all the versions

Security team

  • Some teams are already migrating from Veracode to CodeQL. Great! Remember to also remove the Veracode workflows in this case.
  • PR to publish the Security TRG section will be raised
  • Snyk will not be part of the Security TRGs and therefore not mandatory. Best practices and how-tos will still be provided in sig-security

FOSS

  • Getting started guide improved
    • Does make it easier for new-joiners
    • Please link to this guide instead of duplicating information
    • If anything is missing, feel free to raise a PR or open an issue

Open planning / community

  • Tractus-X "Stammtisch Munich". See Matrix post
  • Old consortia office hour meeting will be cancelled. Open meeting link is now well known.

Discussions

  • People have been receiving on- and offboarding emails for the Tractus-X contributor team in GitHub
    • Unclear what triggered it
    • If you are a committer, you don't need to also be part of the contributor group
    • In case you lost a necessary group assignment, please reach out