Skip to main content

Sebastian Bezold

Office Hour meeting minutes

System team

  • Investigating slow website build times
    • Local builds (and CI) take increasingly more time (~13 min for static build with empty caches)
    • Heap size has to be increased on some machines
    • Potential source: Versioning of the KITS and keeping all the versions

Security team

  • Some teams are already migrating from Veracode to CodeQL. Great! Remember to also remove Veracode workflows in this case.
  • PR to publish the Security TRG section will be raised
  • Snyk will not be part of the Security TRGs and therefore not mandatory. Best practices and how-tos will still be provided in sig-security

FOSS

  • Getting started guide improved
    • Does make it easier for new-joiners
    • Please link to this guide instead of duplicating information
    • If anything is missing, feel free to raise a PR or open an issue

Open planning / community

  • Tractus-X "Stammtisch Munich". See Matrix post
  • Old consortia office hour meeting will be cancelled. Open meeting link is now well known.

Discussions

  • People have been receiving on- and offboarding emails for the Tractus-X contributor team in GitHub
    • Unclear what triggered it
    • If you are committer, you don't need to also be part of the contributor group
    • In case you lost a necessary group assignment, please reach out

Fabian Grün

Office Hour meeting minutes

System team

Security team

FOSS

  • Congrats to Rohan Krishnamurthy as a new committer in our community.
  • No open feedback or veto to archiving repositories that are out of purpose

Open planning / community

  • Current planning around the 2. Community Days Event, feel free to join
  • Infosession Processes, Methods Tools for next release 24.08 will present on monday planning meeting

Open Discussions

  • Committer Matrix Chatroom i now available for us within the Eclipse Tractus-X.
  • Release Day information to release day insights (YouTube)
    • Impressions for release process from Hanno, new standards and topics like SSI and further breaking changes
    • Working together with the community

Security Office Hour meeting minutes

Announcements

  • SAST: CodeQL transition is ongoing, PRs to add corresponding workflows is ongoing. Veracode license will expire at the end of March, so everyone is encouraged to review their workflows to ensure a timely transition to CodeQL.
  • DAST: Invicti license will expire at the end of August and already exceeded the website limit. There will be no DAST tool required for the next Quality Gate.
  • Secret scanning
    • Gitguardian is currently set up, but Gitleaks is a potential successor.
    • Testing of Github secret scanning is still in progress.
  • TRG 8.0 has been published as a draft, adjustments as PR are warmly welcome.

Open Discussions

  • none

Gabor Almadi

Office Hour meeting minutes

System team

  • n/a

Security team

  • TRG 8.01, 8.03, 8.04, 8.05 first drafts are created, final versions will come soon
  • Be patient with CodeQL, could be tedious since it does provide a lot of findings

FOSS

  • New commiter election is open for Rohan Krishnamurthy. Please visit the page and make your vote!

Open planning / community

  • Role of the committer is being discussed, it will be presented in the next committer meeting. Basic role descriptions come from the Eclipse Foundation, but we want to specify in Tractus-X what else can be expected from a contributor, commiter and project lead.
  • Association release process and Eclipse Tractus-X needs to be aligned as the first is managed by the association and the second should be driven by the community.

Open Discussions

  • We should align on how and where a migration documentation should be created for products. This would ensure that upon Breaking Changes the upgrade processes can run smoothly with a guide available for everyone. The guide could include property, configuration, API changes and everything else that would affect the upgrade process from and old version to the new. A draft will be available on a working model that could be implemented by the products soon. A TRG could include information on where these guide should be located and in which format.

Tractus-X Office Hour meeting minutes

System team

  • Docusaurus: Please use "toc_min_heading_level" and "toc_max_heading_level" to adjust your TOC
  • The community has to transparently describe our post-consortia release process

Security team

FOSS

  • Reminder: please make sure to attribute your "foreign" logos correctly

Open planning / community

  • second Eclipse Tractus-X Community days will take place 16-17 May 2024:
    • please provide your "wishes" for topics
  • Roadmap review finished 29th Feb 2024
  • refinement phase will start the next days
  • different open meetings can now be linked directly

Open Discussions

  • n/a

Security Office Hour meeting minutes

Announcements

  • Security team approvals for most projects in scope of release 24.03 have been completed.
  • Upcoming changes for release 24.05 will focus on FOSS security tools, including
    • switch from Veracode to CodeQL for SAST,
    • switch from Gitguardian to gitleaks for secrets scanning,
    • DAST will not be part of the upcoming TRG until further notice.
  • DAST was removed from TRG due to issues with authenticated scans and SARIF report as scanning alerts in repository security section.

Open Discussions

  • An overarching issue for tracking the tool shifts was discussed, as it is necessary for proper planning by teams.
    • Teams need to estimate efforts to adjust Github workflows
  • The PR for the new Security TRG was discussed, which includes a new requirement of remediation of findings with medium severity, but not for the 25.05 release.
    • Concerns were raised about the need for additional planned team resources for triaging these issues, and it was suggested that the TRG should be finalized and teams made aware.
  • What are best-practices for scheduling security tools Action workflows, with every PR or another frequency?
    • The TRG claims at least once, this is mandatory baseline for all.
    • Best practice is more frequently, recommendations differ per tool (e.g. secret scanning for every PR, dependency scan on a weekly basis).
    • The trigger will be on push + on pull + scheduled - frequency depends on repositories activity, so the team has to decide.
    • Best practice recommendations will be published in the sig-security repository.

Sebastian Bezold

Office Hour meeting minutes

System team

  • Quality Gate Reviews in progress. Please keep an eye on your issues

Security team

  • New "Read only filesystem" TRG will be introduced to the "Container" category
  • New "Dependabot" TRG will be worked on via PR #659 and moved to the security section afterwards
  • With Release 24.05, Veracode will no longer be part of the QGate. We move to CodeQL. Do necessary migration early on, if possible

FOSS

Open planning / community

  • n/a

Open Discussions

  • Automated email about upgrades to Kubernetes and PostgreSQL version: What does it mean?
    • See it as a discussion starter and reminder
    • Potentially, the committer group can use that as a trigger for alignment on these two crucial topics
  • Is there a publicly available test installation of a dataspace build from Tractus-X components
  • Is there a possibility to enable contributors ot edit other contributors issue descriptions
    • No. This is only possible with write permissions
    • Write permissions are only granted to the committer role

Sebastian Bezold

Office Hour meeting minutes

System team

  • Still looking for volunteers to work on QG reviews together with the system team
    • Goal is to spread knowledge on how TRGs are checked
    • Especially interesting for committers, that already know they will stay post consortia
  • Preparing an open description on our release process. Feel free to comment any suggestion or important topics, you think should be covered on this draft
  • Markdown linting will again be enabled for KITs. Findings will be collected as issue per KIT
  • OpenAPI plugin for docusaurus will be removed
    • OpenAPI definitions will be pushed to SwaggerHub. User credentials available as org secrets
    • Ongoing discussions: Some definitions might be published through standard and therefore out of eclipse-tractusx

Security team

  • New TRG suggestion PR: eclipse-tractusx/eclipse-tractusx.github.io#681
  • Reminder: please focus on eclipse-tractusx instead of catenax-ng
  • Please reach out to the security team, as soon as the security scans for QG checks are ready for QG review

FOSS

Open planning / community

office hour meeting minutes

System team

  • Kube Prometheus Stack upgraded to latest release 56.6.2.
  • Committer Election for Tuncay Tunc on Eclipse Tractus-X has started.
  • The Committer Election for Fábio Mota on project Eclipse Tractus-X concluded successfully.
  • Committer volunteers wanted to participate/shadow next Quality Gate process.

Security team

  • New TRG/s from security team was presented requesting for feedback Security TRG 8.0.
  • Suggested to contact security team directly for any support required to use, complete Invicti related issues/tasks.
  • Update for static application security testing/source code scanning, ongoing transition from Veracode to CodeQL. Reach out to security team for any assistance.
  • Reminder on available onboarding process to Snyk.
  • There will be separate security office hours meeting, biweekly Thursdays 8:30 - 9:30.

FOSS

  • N/A

Open planning / community

  • Open meetings PR.

Open discussion

  • Question related to TRG 1.04 Diagrams as code, if there a need/requirement to convert already existing .png diagrams. It is recommended to use described in the TRG toolset to keep good level of maintainability of the diagrams, not a hard requirement though in case there is lack of source.

Fabian Grün

office hour meeting minutes

System team

  • Please be aware of our Markdown lint problem in the eclipse-tractusx.github.io that currently only the /docs folder is checked and should be extended to more markdown file directories
  • TRG Update information about TRG 3-1 that was superseded by TRG 5-09
  • Upcoming Office Hours meeting minutes will be reported in the community section of our webpage and you can find here

Security team

FOSS

Open planning / community

  • Open Meetings Links with ics invitation files are available for the community

Open discussion

  • No open discussion