 Okay, okay, let me start over again. Sorry about that. Let's take a little bit of minutes. Okay, back to the meeting page. Thanks for joining the Baging and Lifesight Practice Meeting either by the Hyperlegic Order Conduct and the Adidas Keep the Adidas Policy Notice in account. So we have, we couldn't continue where we left off in the last task of meeting we had, which was four weeks ago because I missed the last one because I was sick. In the previous meeting we had discussed, we were going through the list of badges or list of proposed badges which are on this table and we reached up to the infrastructure badge and a couple of weeks later in the TOC meeting we reviewed the notes that we had made and there was some discussion on those but we only discussed the first two, the legal badge and the diversity badge. So I was just trying to get the, before we started recording, I was trying to talk about the diversity badge. We, I think that's easier to resolve. I don't think there were any major concerns that TOC had about this or any major comments. Rai confirmed that we can add a company affiliation in the maintenance.md file and we can potentially use that as an easy way to track the diversity of maintainers via GitHub Action. And Tracy had a comment on how we determined what percentage of maintainers are in each company. I can, I think the simple way of doing that is to pass the maintenance file and assuming that each maintainer is contributing at an equal level. If you want, if anybody has any concerns about whether different organizations are pulling the weight then think can always have the TOC member further or have the TOC question, the project maintainers as was done last week or put the CACI and the Firefly Incubation Exit review meetings. So, any other comments on that or do you think that's good to park in one? I think that sounds good to me. Okay, cool. That makes a note about the legal badge and I think there was some questions here about how we track non-compliance. I think Tracy, you had made a comment on this in one of the earlier meetings as well. I was listening to the recording. I think you had mentioned that maybe Hyperledge Bevel had some files that were, that had some licenses that are not compatible with Apache. So, I think if we have a situation like that the comment that I heard in the last few meetings was that we have to consult the legal staff. So, how do we, any thoughts on how we codify the process there? Is this, do we, first, do we just say that, do we mandate that that needs to be some kind of an action that we'll check to see whether the code is covered by either Apache or compatible licenses and it can also flag code is covered by some non-incapitalized. And if it does, then that will automatically result in a review, which may involve consulting with the legal staff. Does that sound good? Yeah, I think that makes sense. I think from the, you know, it really is something that we need to stay on top of, right, for projects. And so, if something is not correct and nobody's going to fix it, then it sounded to me like last time we talked in the TOC meeting that it was a case for basically the Linux Foundation to basically remove that project or move that project to a private until such time as somebody actually fixes the concerns that exist with legal. So I think that's, you know, it pretty much is you're either compliant which means you're a project in Hyperledger or you're not compliant, which means you're not currently a public project or public repo within Hyperledger. Okay, so this is, I think it's Mark, that's here. Should be just having the life cycle as a restaurant. Suppose the project is graduated or let's say even if it's an incubation and then it's discovered to be or it goes out of compliance. Do we just, when you say take it offline, do we duplicate it or do we just completely remove it from this lifetime? I would say that if nobody is taking action within a month, then the project needs to basically be moved to end of life, it feels like, right? Because if that project repo is going into a private status, then that project basically doesn't exist, right? So let's say we have, it's difficult because we have projects that are multi-repo projects. So in the case of a project that is a single repo project, it's easy to say, move it to end of life, right? But in the case of a multi-repo project, does the whole project go to end of life or is it just that repo that goes to end of life, if you will, right? So I think this is a tough question because I don't know that I know what the right answer will be until we actually discover that issue. I don't know, what do you guys really think on this one? I think it's a multi-repo project and if only particular repos are in non-compliance, then my personal preference would be to have a light touch, that is just move the repositories that are not in compliance to EOL and that's all, I think, yeah, I mean, that should at least be a trigger for the maintainers to take action. So I don't, I think if anybody's depending on you, I don't, I think if anybody's depending on the active repositories that are still in compliance, they should be allowed to, I personally, I think that would be my opinion, but open to others. In this case, we are mostly concerned about like the project having like meeting certain criteria, right? And if a release means that criteria, I think it won't change over a period. Why do we have to like recheck within a month? I think the, what I'm trying to say is if nobody takes action within a month on a license, that's bad. Okay. Then, if the action is I'm gonna peg this to the previous version, right? Until I can fix this in a better way, that's taking action, right? If the action is, I'm not responsive and I'm not doing anything, then that's a clue that this particular thing should probably head towards an end of life state because nobody's maintaining it. I agree that depending actions don't make sense. Yeah. I think different repositories have their own different review cycle. Like Fabric, you have the core fabric repository has a very different cycle and different versioning cadence than the Fabric SDKs do. So I think if the SDK goes out of compliance, for example, then there's no need to force the core fabric to go out of the process. So I don't, I mean, I take the point that we should peg this to a release or rather we should evaluate a compliance against a particular release. I think that's something we had been mentioned for somewhere, right? I think Jenna's question and I confirmed that and I think generally we all agree about that. The release, yeah, I mean, we can, just because the latest release of the SDKs, they're out of compliance, doesn't have to be the core repository of the SDK, that might be. I mean, it's tough, right? I think that it would be ideal if we could do some sort of lights and scanning for each pull request to be able to determine whether or not something went out, right? And not even let it go in at that point into the source space, but obviously that's, there's cost involved there and I think it becomes a challenge. So what is the right time to do that is, I think, the question. Yeah, and I think I agree with it. I think best to, if we can, have a photo test that we have to be the best, in case that something that keeps that actions, the diagnosis, then we will have to go through the review and the penalty part. Yeah, yep. Okay. Let's move on to the, just before we move to the next item, the last thing we were discussing the last time in the last meeting was whether we need an answer to that. And I think tentatively what we concluded was that based on my going over the recording, we, there are particular criteria that are given even for a project to reach at the global stage. So whether it be a lab, even whether it be a lab. So, or rather, once the project is approved by the lab, the infrastructure gets automatically created because we have competent administrators who do that for a project, whether it be a lab or also project. So those things are given. There are other things that are associated with infrastructure that we wanted to track by a budget, which was whether or not the maintainers are meeting repositories that are confirmed to hyper-legislative standards, and whether the meeting was also responsive to community requirements. So tentatively we agreed that we can shelf the core parts of the infrastructure or maybe just have a maybe it could be like a badge that was issued to a project when it's the product is accepted because that's sort of a given. We can just maybe have it as a label to show that the project puts on the basic criteria. Other than that, the project has to earn its responsiveness and conformity badge or more accurately it has to maintain the badge. So as long as the project is seen to be conforming to standards, it will seem to conformity badge has defined further down, which is doesn't we can feel up for the positive structure and the documentation match that of other projects and according to what hyper-legislative requirements and also for responsiveness are the meetingers engaged with community and responding using the concrete to question. So again, what are the precise criteria to be defined, we may get those from the documentation and onboarding task force as well which Bobby is using. But yeah, we can potentially have so have an infrastructure label by default. I think our and then actually I don't know do we even need that infrastructure label by default because it's a once the project is created, we know that it has a repository at least one repository and mailing list and the departure. So I think maybe we can even show that and as I think pretty serious of last time we just have the responsibility badge. That okay? Yeah, I think that we can potentially even replace this like you said with a, you know, an acceptance badge which is, I think we could have one of two badges there, right? A labs badge or a top level project badge, right? Reflecting whether it's in labs or it's a project and then once because we would issue that badge basically once all the infrastructure is set up, right? The discord channel, the mailing list, whatever, you know, the GitHub repos that sort of thing. So I kind of liked that idea that you had Rama which is kind of that acceptance badge and just splitting it into accepted as labs or accepted as top level project. How about on the similar line slide along with saying it is accepted project or a labs project? Maybe in the read me, we have right now it is difficult for different projects to find information of all these links. For instance, if somebody was getting a discord link for a project, I don't think all projects have easy to find way to redirect people over there. Since we are talking about infrastructure and we want to make sure like everybody has the infrastructure, maybe we'll bring in a uniform way of announcing all this information. I don't know if it's possible but I've seen certain projects having those badges listed on the read me page which says click this link and then it takes them to a discord link or maybe click this link, it takes them to a recent build power status or maybe recent test coverage status. Yeah, I like having the discord link or the mailing list link. The challenge of discord is that you can get a link to the channel but if somebody hasn't actually joined the discord yet it doesn't actually work. It works great for people who are already part of the discord server. So it's kind of like whenever I put these things together I always say it's on the hash foo channel on the Hyperledger Foundation discord server and I link the foo channel and then I link the discord server as two separate things. One is the invite to the discord server. The other one is the link to the channel itself. So I don't know, it's probably an improvement that discord can make, right? Which is if you're not part of the discord server consider that and invite to the discord server but I suppose they have to be able to support multiple types of servers and ours is very public versus others who might not want that to be the case. I think every project is supposed to have a channel, I think one channel on the public hyperledger discord server. Yeah, I think we actually say that when we set up discord we went through that chat task force. I think we said there were two channels that should be created by default which is the main project name and then the project name dash contributors so that there were distinction between the people who were using it and the people who are contributing to it. There's been obviously some discrepancy since that task force but those were the two that we said needed to be created and of course we don't do that for labs we only just create the labs channel. We don't have a two separate one so but yes we do and labs are optional as far as whether or not we created discord channel it's up to the labs maintainers if they want one or not. Anything else on this particular badge? I mean this is the yeah this particular badge is something I think you can't really lose like once you get it because it's the hyperledger staff like all the hyperledger admins who are who provide that to you. Yeah, I guess there's a question of do you lose the accepted as labs when you get accepted as a top level project? Does that take precedence if you will? I mean you were obviously accepted as labs so there's no reason to get rid of it and you were obviously accepted as a top level project so there's probably no reason to get rid of it but there is this question of does one take precedence over the other and so that's the one that you display. And then the second question around this is when something goes to end of life do you get rid of that or do you leave it? I mean I guess it doesn't really matter because it's in the life and nobody's going to be looking at it but I guess there is this question of does it go away or does it not go away? I'm perfectly happy for us to say it never goes away. I think it's an end of life that's a chance that the Discord channels have died I mean there's no activity there and the project should not necessarily have that bad. So I am okay with saying that if a project actually goes to the other it automatically loses its credit value. Sounds good. Okay. So let's move on to the PII criteria. So this is what we said the original dodging recommendation I think it should be used this or should be used, there are a couple of other things we can use instead of this there's the openness, the best practices requirement which is already listed in the incubation exit criteria and there's also the Appalachia best practices guide which is listed in the TOC repository and I think also in the Appalachia Viki. Should we use that instead of this? I'm not, I don't know the history behind this. Yeah, so I think the CII actually ended up becoming open SSF. So I think it's one and the same and so I think we can go with the open SSF badge if you will. What about the Appalachia best practices? Could be considered both. That's a good question. We probably have to go through them and see which ones would make sense. There's actually a lot of interpretations around project life actually, so I think, okay. I think this is a summary of the incubation exit and this is kind of covered by the interest too. Maybe we should consider having badges for some of these if we don't already have badges for some of them. Yeah, thank you. Do you have an exclusive naming that should be a I guess no sort of thing, right? Badge that we could set up. So maybe we should go through each of these and compare and contrast to what we have in the other list, right and determine what we need to add that might not already be there. We can make a note of that. I think they're obviously important what we have in the best practices, but I don't want to be duplicative either. And make people have to go through more or make us have to run more scripts than we need to, right? So I just want to come to the set that covers everything, but not more than once. Yeah. We don't have anything explicitly that covers the presence of the maintenance file, but as we listed in the mentioned in the legal criteria, if we are going to be parsing a maintenance file, we sort of get the check for a maintenance file by default, right, so I think we can, that's one way we can compare and contrast between these criteria and what we have here. So if something is already covered by a batch here, like the maintenance and the file was covered by the legal requirement, then we can just submit that in that. We don't need a separate check for maintenance and the file. On the other hand, sorry, thanks. Yeah, I just agree. Yeah. If we can potentially consider a batch or rather some check that will just look for the presence of a particular file, like have a checklist, maintain 100 and the security dot and the latest security policy template as we agreed upon yesterday, the presence of that having an RSE folder, maybe we can just, we could have a check for like the basic structure, but I think that could potentially be assumed into like the consummate. I don't know if you want to make a part of the continuity, but I think we could put it there because that's a great sort of problem with that structure. Yeah, I think that makes sense. Yeah, I think Roma on that one, I think it's not the legal one, I think it's the diversity one that is the maintainer's file. Oh yeah, sorry about that. If you just click and say online, I think it's... Is there an option to go? Don't right click, just I think it's a, yeah, there you go. Oh, I'll make part. So two action items here, one, I think we can just have an open assistant that's back to the batch, and what does the have there? It should be at a passing level, right? Yes. I mean, is that the requirement for all projects in all stages, do you think, or just for the ones that want to be graduate? That's the idea, I think. Yeah, I think that it is not a requirement for all. I think we should look at what the percentages are and see if open SSF has any recommendations. But I do think that, you know, obviously that graduated state that we have today is intended to be that. I also wonder, since open SSF is a fill it out manually sort of thing, does it ever, once you've set yourself to 100%, would you ever go out of 100%, right? I mean, I think there are possibilities that you would, but only if you were to go back and redo the open SSF questionnaire again, right? And so like, I think it's an interesting badge, but I think there's also some challenges with the badge when it's manually documented. As to one, did people actually answer the questions in the way they were supposed to, right? Have things changed since last time they filled it out? So there's, in my mind, I guess some challenges with a manually reported on that never gets looked at again. Yeah. Okay, I think for the criteria, we can probably just say that it needs to be passing at least for the graduate stage, for other stages we can maybe say that the text could be the, but didn't mean only passing. Yeah, and it could be for labs, maybe they haven't even started it for incubation, they have started it, but it's not yet passing, right? I think there's, we'll have to look at what the right way to look at that is based on either recommendations by open SSF or maybe even we could see if other people use this badge and how they use it. Okay. Moving on to the next one, the security. Again, these are, I think this was the last one that was in the original list. So the others are what I've added a suggestion. So security, I think it's already merged, I don't know. So more or less, right? Yeah, this is not merged, but it's approved in a status call. So again, there's a question about how much you want to slice and dice. So if you're going to be tracking all the basic files in one action, we don't need a separate security badge or we can have something separately. I think there's two things for security in my mind. One is do you have the standard documents, right? Which I think are part of the CR, the common repository structure, right? Which I think we should be checking to make sure people are matching the common repository structure. The second piece is around security. If they've had a security issue, did they follow the processes? Did they meet their 90-day timeline? I think there's some things around that we've seen in projects where they haven't really followed that 90-day disclosure piece, right? And that timeline that exists there. But so I think there's, and that one's obviously harder to create an automatic badge for, but it is something that I think we should consider. Okay, I think, how do we track the fact that they have the follow-up choosing? We are not using Hacker 1 anymore, right? No, no. Well, I mean Fabwork, I think it was the only one using it and it sounds like they went to move away from it. So I would say no, we probably wouldn't be using Hacker 1 anymore. It could be, there was some discussion yesterday about changes that the Hyperlider Foundation was gonna make, but I think that was mostly around bug bounties. So I don't know that we have any way to track like the open security issues, obviously. Like this is not something that's gonna be obvious to us unless the Hyperlider Foundation is tracking it. Right, I mean, so one thing you can do, if somebody follows, if somebody looks at the security, vulnerability reporting template and then they file a bug and classify it as security, you can potentially look and see an open issue and see if there are any outstanding security issues which have not been resolved in the 1980s. Do you think that would cover this? Yeah, I think that might cover it. Does it make sense? Yeah, I think that makes sense. How does this, does this overlap that the animal is really talking about? Am I gonna be tracking these things there as well, right? Not to be going to look at, I'm sure part of the annual review is whether or not the 1980s have been acting security vulnerable, please. So sorry, you asked if it overlapped with what? The annual review process. I don't know, that's the other side of it. Are we making life easy for the annual review process by having badges which can give a, and can give a clear picture of what it has been. Yeah, I mean, I think, go ahead, Ren. Go ahead, Tracy. I was gonna say, I think that there will be, that it will definitely help us with the annual review cycle, but I think there are places where there'll still be some manual work that's required to look at certain things to see, right? So for example, one of the things that we might consider is a project had, say for security vulnerabilities, they dealt with three of them in the timeframe they were supposed to and one that wasn't, how would we deal with that, right? So I think there's some work that will still need to be done even with the badges, but yeah, Arun, I'd love to hear your thoughts on it. I see it as an opportunity during annual review for people who are reviewing to, like, refresh these badges if they're still applicable or not. I mean, they will help, but I see as an opportunity for us to really look into if any of these badges still valid. Yeah, that makes sense. So, you know, you maybe were deemed for having a security vulnerability past 90 days. When was that? And have you since then fixed that process such that that's not really a longer a ding because you've worked through whatever the issue was originally and fixed it. So that makes sense to me, Arun. I don't know any thoughts. Other than that, I think this needs to be a criteria for all pages, which is a serious, okay, next one that I thought we could consider was this. This is something that I actually was thinking about early this year, if I could put in the list of items that I was, I suppose in the first year meeting, whether projects are doing something unique or if they, if some of the components are, already being worked on in other projects or have already been developed in other projects, then should we ask that they have got psychological dependency and not even do you. So something like, for example, I think, I imagine, I mean, GACTA has been probably other projects have been two under different risers. So I think that is being, yeah, gone now. Sorry. I just wanted to say like, should we restrict this to just hyperlature or should we say this project is not reinventing the wheel in case, so the things that I would probably be interested in is that I don't want any of my projects that I'm using to reinvent the wheel in terms of maybe like adding a new cryptographic functions. I would expect them to reuse if there exists one or it will increase the confidence in the project. I can be sure that it's been peer reviewed across a large community. I was, I'm not sure, I do not remember the real purpose of this particular section, but if the intention is about giving it back. You within the, yeah. Reusability. This is my proposal. This is not that the original, the original was stopped at CIO. So I just have a, yeah. From security onwards, these are my suggestions. So, yeah. Okay, sorry. Then I misunderstood, right? So I would prefer my confidence on a project will increase if I can, I can be sure like whatever they are using is of good quality. I know like for that, those dependencies would be maintained for a longer time. Let's do a couple of hazards. One is if the, you say you have a cryptographic tool that's not within hyperledger, but it's open source, but it's governed by say, GPL license, right? So that will then make a pattern with hyperledger. So then maybe there's a case to allow somebody to implement their own model for that. Even though technically it's doing the same thing. That's okay. But what are we achieving with this patch? Like what are we trying to communicate to the end user? The biggest incentive for any project to achieve any of these patches for them to showcase that they are meeting the highest standard site. And so with this one. I agree. I agree. I can't, yeah, I don't have a good concept for that. I think there's more just to confirm. It's just a checklist item for whether people are following generally good short-engined practicing, but I don't know if this actually stays something to their view. So we can probably strike it on the phone. We can keep it. Yeah, I got one. Yeah, we can keep it. I'm still trying to see how to best put it. But yeah, that's a good badge to think about. Tracy, any thoughts? I think my thought is at what level right, are we doing reuse or looking at the uniqueness of it? So for example, will we claim that fabric is unique given that we have other distributed ledger projects within Hyperledger? I think that in my mind, there's certain levels of uniqueness and is the level that we're looking at which is dependencies or integrations with other projects across Hyperledger? What is that level, I guess? And would it be, as Arun says, useful to people as they are looking at, is this a project that I want to use? Is this a project that I think is going to continue? I don't know that we know the right level of looking at this uniqueness. And so until we can come up with something that is more concrete, right? It sounds like a great idea, but I just don't know that we can communicate what it is that we're trying to get across to the person who's going to be looking at the badges. Yep. All that makes sense, Tracy, and Arun. Okay, I think then for now we're going to strike this off because as we say this, on the grounds that this does not necessarily communicate something about the project quality as it's relevant for an end user to decide whether they can use the project people. So, strike this off the moment. Yeah, I mean, I think, you know, striking it like this means that we can come back to it if at some point we do come up with something that's concrete that we think would be very useful for people to be able to understand from this. Because I personally like it, I just not sure that I have the right answer for how we measure it or what it is that we're specifically looking for. Give me a little bit of time to just go one more entry in the story that we have. We have CTIPB, I think it's quite a good plan to do. But we don't have a set of badges outlined yet, but that is task force that is devoted to doing that right now. So what do you think? Should we have a badge here that you are looking about any project that follows the guidelines that Peter and Tim are trying to create? Is the badge, the way you have it written right now, it's not necessarily a yes, no, it's how well do you conform to those best practices? Am I understanding that correctly? Yeah, it's similar to how I think, how we're looking at the project best practices as well, and it does that. Yeah, and I think what became of fear was we just have to break this up into different criteria and try to figure out any project that's meeting those independent criteria. So yeah, if we take all the criteria together, it'll be how much you cover it, but then if we take individual criteria, then it's a binary question. So yeah, I think you're right. Here, this is somewhat negative point, yeah. Okay, yeah, I think we should definitely come back to this one when Peter's further along with the list of best practices. We can determine whether or not it's a percentage of that story, let's break this off into separate things. Okay, I think we are just one minute away. So if we can call it to a close and how many of you have left? I think we discussed some of this the last time. Open SSF, I'm gonna go and strike it off because we've already covered this in the previous form. Confirmity and responsiveness, this deeper, what we wanted to call out in place of the infrastructure batch or rather after the infrastructure batch. So that's there. And maybe we can just discuss about production. Maybe we can just discuss in the next time. I don't know if you have any quick thoughts on this. I don't know how we would actually evaluate whether the project is production ready except to ask whether or not it's been used in some publicly verifiable software. Like I think we showed example of this both for the Gacti and for Firefly using this last week. Yeah, I think we should potentially recommend an adopters.md file in the common repository structure that would allow us to at least see whether or not there's any adopters. I think this does two things for us. One, it gives people an idea of who else is using it. And then secondly, it allows people who are using it that maybe we don't know are using it to do a pull request to say, hey, I'm using this particular project, which I think is very valuable information for people that they might know who to reach out to to get additional requirements for new roadmap features or whatever the case may be. So I'm thinking that an adopters.md file might be a really good thing to add to our requirements. Yeah, I think that sounds good. Thanks for the, okay. Yeah, I think we have a couple of things, maybe not, we haven't complete slides out yet, but I think we can cover that the next call, maybe in the next call, maybe we can wrap this up and create some concrete recommendations. I'm going to, before the call, I'm going to clean everything up and drop a proper list and fill in all the entries in the table. And yeah, hopefully we can come to an conclusion within the next meeting or two. Sounds good. Thanks so much for your time and for your suggestions. I really appreciate it. Yep. Have a good weekend. Thanks, Peter. Bye.