Community Office Hour 2024-06-21

Mathias Brunkow Moser
Eclipse Tractus-X Project Lead

Office Hour meeting minutes

Infrastructure

Security team

FOSS

Open planning / community

  • Every office hour will have a slot to talk about the current process of the working model of Tractus-X/Catena-X, with updates from the community.

Discussions

  • The Mermaid version in the current Docusaurus for the Tractus-X webpage does not support the specific types block-beta and xychart-beta.
    • Stephan Bauer will test upgrading the Docusaurus version in the Catena-X e.V. repository.

Community Office Hour 2024-05-03

Sebastian Bezold
Consortia System Team Member

Office Hour meeting minutes

System team

  • Support needed for overarching CHANGELOG creation for release 24.05. If interested, please get in contact with Stephan Bauer.

Security team

  • n/a

FOSS

Open planning / community

  • We are looking for committers to help with the Release QG Check Review for the upcoming release. Please reach out to Roland and Siegfried if you are interested.
  • Check out the meeting invitations for open meetings regarding planning for release 24.12.

Discussions

  • Are there defined deadlines for release 24.08? -> No one in the meeting knew of one yet.
  • Interoperability and Threat Modelling checks in 24.05?
    • You can approach the Security Team via an issue on sig-security.
    • Checks that have been documented in a Consortia Confluence instance could still take place, but a transparent format should be considered. Some teams have already documented theirs on GitHub.

Community Office Hour 2024-04-26

Fabian Grün
Consortia System Team Member

Office Hour meeting minutes

System team

  • We moved from the former Miro board to the new board within our Eclipse Tractus-X GitHub organization projects. If you would like to give feedback, feel free to state it in the draft issue.
  • You can now submit your topic for the next office hour at any time as a draft issue, for each open meeting such as the "Office Hour", as described in the info section of the board.

Security team

  • Rohan will resume work on Monday, 13-May. Alternate contact: Lokesh Gujre, Tim Herres
  • The bug bounty program is still in the works, but we are making progress on it (see issue).

FOSS

  • Committer Election for Arno Weiß open for voting
  • Please check out the statements on the "Use of AI" in one of our Eclipse Office Hour sessions
  • OCX Conference - Call for speakers is open! Submit your talk here
  • Friendly reminder of the Eclipse Office Hours, about the process and shared information (see here)
  • Friendly reminder to check the product notice sections in your documentation and update them if necessary; a small example was found within the KIT documentation (see here)

Open planning / community

  • We are looking for committers to help with the Release QG Check Review for the upcoming release. Please reach out to Roland and Siegfried if you are interested.

Discussions

  • n/a

Community Office Hour 2024-04-19

Gabor Almadi
Consortia System Team Member

Office Hour meeting minutes

System team

  • n/a

Security team

  • An updated list of security-related TRGs is available after this PR has been merged

FOSS

Open planning / community

  • New dates with blockers will be added to the website for release 24.12 soon, keep an eye on them! There will be a news entry when they are available.
  • Starting with the next release (24.05), QG4 reviews must be done in pairs so that every committer can get familiar with the process. A committer can't review their "own" products.

Discussions

  • You can read about Eclipse roles and how to become one here
  • There is a new board work in progress on GitHub that could be a replacement for the current Miro board we use for the Office Hour
  • Kubernetes 1.30 is available now, but consortia clusters are still on 1.27 (which is the LTS version). This should be aligned, as TRG5.10 describes our goal otherwise.
  • For release 24.05 you can open an issue for security assessment in the sig-security repository. This support won't be available starting with release 24.08.
  • There is a problem currently with the calendar files on the website for. It is being investigated and an update will be provided soon.

Committer Meeting 12.04.2024

Stephan Bauer
Eclipse Tractus-X Project Lead

Committer meeting - meeting minutes

Open Planning Participation of committers

The open planning is one of the most important meetings. I think 14 (of 41) committers were present, but only two used their voice ;) what about the others?

=> Maybe we should talk more beforehand, about the importance of the meeting. Responsibilities and expectations of attendance.

Label structure

The labels on the features are very important for dependencies and filtering. Yes we have a lot, but we need more ;) but on the other hand we can also delete some ;)

Suggestions:

New needed

  • ssi
  • data-sovereignty
  • policy-hub
  • policy-registry
  • issuer-component
  • authority-registry

=> discussed -> create the labels

  • open-discussions (color: red)
  • Prep-P14 -> maybe Prep-R2412 -> do we need the specific prep label?
  • Prep-P15
  • Standards (marks tickets which have impact on standards)
  • Breaking Change (marks breaking change tickets)

Changes needed

  • miw => rename to identity-wallet

Delete (probably we need to discuss this once since a deletion has impacts…)

  • kit (reason: each kit has its own label already)
  • foss
  • go
  • PI12 (ideally we just inactivate it to not lose it on the old tickets)
  • Prep-P11 (ideally we just inactivate it to not lose it on the old tickets)
  • Prep-P12 (ideally we just inactivate it to not lose it on the old tickets)
  • Project management
  • Test results

Additionally I would like to suggest a clear color coding

  • All Product labels - ocean blue
  • All Prep-Pxx label – grey
  • All highlight labels – red
  • All UseCase labels – green -> can we delete this?
  • All Expert group labels - yellow

=> HTML color code is used

Clean Board

My feeling is, we will have round about 60 features for 24.08 -> all good. Happy about it. But on the board itself we have more than 200. I understand it's good to have some features in inbox/backlog... but I think the gap is too big ... and I think a lot of them could be deleted ;(

=> discussed and decided: Friendly reminder -> after a specific amount of time the issues are deleted automatically

Views on project board

The views (tabs) should be cleaned up; which views are still needed?

  • Feature view (issuetype feature) -> for Expert Groups / Committees / Developer
  • QGate View (issuetype realease_ac)
  • ???

Future working model

Instead of Miro we could work with GitHub Project as agenda/issue tracking, e.g. example board

=> let's try it

Custom Attribute

Since we work together e.V/Open Source it would be beneficial if we could map the features to the related expert (groups). Therefore I would like to discuss a custom attribute, which holds the related committee/expert group (dedicated list) -> This would help to filter and also get a better feeling

=> prepare a poc -> Tom , Stephan

Feature quality

Since sometimes the quality (how is a feature described, did you clarify your dependencies, did you talk to your committer, is the time allocated) I would like to extend the feature template to guide a little bit more. For example a checklist like:

  • [ ] I have talked to dependent components
  • [ ] I have talked to my committers
  • [ ] I will contribute on this feature
  • ...

-> mention the release process via link in the template, keep the template simple -> link the contribution guidelines

Community Office Hour 2024-04-12

Consortia System Team Member

Office Hour meeting minutes

System team

  • The number of previous KIT versions of the home page has been reduced (this speeds up the compile process by 3.5x).
  • System team is working on collecting the OpenAPI specs (as an alternative to SwaggerHub)

Security team

  • Invicti DAST scans are available now. They are not part of the next QG.
  • Heads up regarding the XZ backdoor awareness mail on the mailing list

FOSS

  • Committer elections are important to prevent hostile project takeover (especially in the wake of the XZ Utils backdoor)

Open planning / community

  • n/a

Discussions

  • Reminder that there will be a "tandem mode" review for the next QGate:
    • one reviewer from the System team and one committer from the projects for each QG Check
    • the "project committer" cannot review his/her own project

Community Office Hour 2024-04-05

Sebastian Bezold
Consortia System Team Member

Office Hour meeting minutes

System team

  • Several TRGs in Draft
    • See TRG 0
    • Dedicated PRs will be raised to gather feedback before publishing

Security team

  • Veracode license finally expired
    • Dashboards still accessible
    • No new scans can be run
    • CodeQL is the replacement
  • Security TRGs live. See the "TRG 8 - Security" section in Release Guidelines

FOSS

  • n/a

Open planning / community

  • n/a

Discussions

  • Dependabot PRs
    • In general: keep your dependencies up to date. Keep the DEPENDENCIES file in mind. Ask committers for help if you don't have one in your team.
    • Specifically Docker base images: If Dependabot suggests upgrading the base image to a new major library version that you do not support, ask a committer to tell Dependabot to ignore the dependency.
    • Specifically Chart Releaser Action: Should not be an issue, but we can investigate if the upgrade would raise issues (1.4.1 to 1.6.0 in this case)
  • Are there updates to API versioning?
    • No one in the call had an update
    • The Discussion has been untouched for a while
    • If this is an issue for anyone, please push that topic again

Security Office Hour 2024-03-28

Consortia Security Team Member

Security Office Hour meeting minutes

Announcements

  • SAST:
    • Veracode - Offboarding: Last reminder, license terminates on 30-March-2024
    • CodeQL - Onboarding - Workflow Setup: TRG 8.01
  • DAST security scans are not part of the next release 24.05 (updates will follow through the QG Acceptance Criteria)
  • KICS, Trivy, GitGuardian and Dependabot tools will continue as is.