All right, welcome everybody. It is the 28th. This is the Hyperledger Technical Oversight Committee call. Everybody on the call has been here before, so you know about the antitrust policy and you also know about our code of conduct. Those are the two things that we have to abide by in this call.

For announcements today, we have the Dev Weekly developer newsletter that goes out each Friday. If you do have something that you want to include in that, please do leave a comment on the upcoming newsletter wiki page that is linked from here. I think this is the 2023 link, but we just need to create that wiki page.

The second announcement that we have is the "How to create a currency management application and deploy it on a Hyperledger Fabric network" workshop. It's scheduled for October 12th. If you are interested in attending that webinar, please do click on the registration link that's in the agenda.

Any other announcements that anybody has that they would like to make?

So, the quarterly reports. I left the FireFly one on here because as of yesterday I didn't think we had enough to merge that. I think as of this morning I did see a few additional approvals come in, so we can probably go ahead and merge that after the call. But any questions on the FireFly one for those of you who've had a chance to look at it? No? Okay. And then the Besu report came in yesterday. That one is obviously up for review from everyone. I think we've had maybe a couple of people take a look at it already, but please do have a look at that one as well. The Caliper report was due last week. It has not come in yet. So we should make sure that we go out and remind them that they have a report that's due, so we can take care of that.
I'm pretty sure that we've created an issue in their repo, so I'll probably just go comment on that particular issue. For upcoming reports: next week the Cacti and the Fabric reports are not due; two weeks from now the Cacti and the Fabric reports are due. So just FYI that those are coming up. Any questions on the reports before we move to the discussion items?

So for discussion items, we do have a pull request that's come in from Steven on the security policy and template, and then we also have the task force discussion on best practices for automated pipelines. So Steven, I don't know, did you want to walk us through the security policy and template? We may have lost him. Hey, Steven. He's still with us.

Sure, happy to do that. I didn't call it up yet, so let me just call that up and I'll go through it. I love how Zoom changes from full-screen to part-screen mode. It's a feature. Yeah, that's not a very good feature. I agree. I sometimes wonder if people use the products that they create. They do, because that's how all these things eventually get fixed. All right, back to Zoom. Sorry about this. I'll be there in a sec. Maybe this is why they wanted all the Zoom employees to come back to work. See my screen? I assume we can. Okay.

So I actually come back to this. My goal here was to not editorialize much in this, but rather to separate out into a separate template what we think are the best practices, and a document that describes the Hyperledger policy, how it applies to projects, and indicates the places in the template document where projects are able to change and provide alternatives to what is in the default best practices document. So if I come over to the... I'll start with the security template. Oh, 11 minutes, guys. I'm going to say I haven't seen comments.
So that explains it. So basically the only changes that must be made are: everywhere "PROJECT" appears in capitals, change it to the name of your project; remove these instruction sections; and fill in the names of the security team members. That basically covers what's necessary to change.

It does provide enough information for someone landing on the page for the project itself to say what a vulnerability disclosure is. It immediately goes into who is on the security team and outlines the responsibilities of the security team. This is both to make sure that the security team members know what they're signing up for when the PR goes in to put their names in there, and for members of the public, or whoever lands on this page for the project, to see those roles.

And then in here, notice how short this is. These basically outline the particular rules that are to be followed, that we recommend as a TOC that every project follows: that the discussion forums exist and that they primarily be on Discord; that reports can go in either by emailing the security list or by opening a vulnerability report; that CVE reporting be done and that GitHub be the numbering authority; that every project have a private embargo list, and here's how you get on it; and then a reference back to the main security policy; that the project will publish security advisories; and that it will use the GitHub private deployment infrastructure. So, barring good reasons, this would be the policy of all projects within Hyperledger. So that's the security template itself. The idea there is that this would be copied into the primary repository for the project, and would be copied into each other repository of the project, or a pointer to this document in the project would be put into the other repositories, so you're not copying the text.
So that's the template. Any questions or comments at that point? Okay.

Here is the policy, and in this case I basically took out... Books? That doesn't look right. Instructions. Okay, I'm a little nervous here. This looks like a duplicate of the other one. Uh oh. Yeah, that's the template still. Okay. Why is it not showing the other one? Sorry, Lucas. You have to uncheck that box that says "viewed", because on the bottom, if you scroll down to the bottom, there's... When I clicked on this I clicked the wrong one. I did it again. Okay. So what's happening here? Okay. So I'm trying new software that's altering the mouse behavior. I think I'm struggling with it. Okay. Sorry about that.

Okay, so this is the full security policy, and this is in the TOC governance, and this is the overall policy again about the documents. So I tried to keep it pretty much clean, but the biggest thing was pretty much adhering to what was already written by those that actually formed the policy. I didn't form the policy; I'm just trying to present it slightly differently. So this talks about what it is, what the policies and rules are that are followed, what the security team has to do, the fact that each project must have a security team, and here are the guidelines for having a security team in place: requirements for, you know, must have at least three maintainers on it, and established early in the project, and so on.

Here's what I wanted to highlight.
So in each of these sections, or where it's appropriate in each of these sections, there's an alternative. This section is either exactly what is in the template, or has a bunch of verbiage to give more background. Then it says what is in the template, and then it has the section called "Alternative", and this is where the items that were already in the project that talked about what alternatives were possible, or are permissible, provided they align with the overall policy of Hyperledger.

So in a discussion forum, they may use other forums, provided details about the other ones are included in the security policy. So projects may have other forums they use; if they do, they must provide details about those other forums. Report intake: here they may accept security vulnerability exposures by other mechanisms, and then I give the example of HackerOne. The policy must document all of the alternatives. The projects must accept reports from the security mailing list, so that's not an option to remove. So that's basically the approach of the overall policy.

So you've got, again, in this one GitHub is the numbering authority, and then an alternative: you may list another numbering authority. There's a lot more detail in the embargo list, so more information is provided about what an embargo list is and so on. This is more or less the background for the project. This is basically a repeat of what's exactly in the template, and then this is the alternatives, such as they may not have a... document, that they did not have an embargo list, and the reason for not having one should be included. And finally the same things for the security advisories and the private patch infrastructure.

That covers how I split it up and what I was thinking when I said we should adjust the policy in that way. Comments? Discussion? Peter.

I just wanted to say that I think it looks good. Not much else.
Thank you for putting it together. Sorry it took so long. No problem. Hart?

Yeah, thanks, Steven. I think, you know, the modularization will help people get started. So thank you for doing that.

All right, any other comments, or do we want to vote on accepting this today? I could submit a motion. Okay. Jim?

Yeah, just one quick clarification. So the template needs to be adopted by all the teams, and then the advisory... how does that get communicated to the projects? Does that live somewhere, maybe in the repository?

I'm sorry, Jim, which advisory are you talking about? I think unfortunately that word came up multiple times. Sorry.

So the first document that Steven presented is the template that all projects should include in their repositories, and there's the second document that tells the project team how to use it. Do both get merged into TOC?

Yeah, so the template... so the overall policy, the SECURITY.md in the TOC repository, is the overall policy for Hyperledger and guidance for the projects. The template is what gets copied as the SECURITY.md file into the repositories of the projects, and it links back to the TOC policy. So it's got a link in there back to the TOC policy paper.

Okay, and the TOC policy thing goes on the wiki, you said? Yeah, toc.hyperledger.org. Okay, yeah, that's whatever. Yeah, okay. Cool. Yeah, thanks. Sorry about the delay. No worries. Good clarification.

All right, so we do have a motion. Do we have a second? I second it. All right, thanks, Arun. Sean, did you want to take us to a vote?

Happily. I will call out your name. Please say whether you are for approving the security policy and template, against approving the security policy and template, or abstain. Arun, how do you vote? Yes. Marcus, how do you vote? For. Rama, how do you vote? For. Steven, how do you vote? For. David Enyeart, how do you vote?
For. Arno, how do you vote? For. Peter, how do you vote? For. Bobby, how do you vote? For. And Tracy, how do you vote? For. It's unanimous, Tracy, on the security policy and template approval.

Okay, great. Thank you so much. Thank you to everybody who worked on the security vulnerability task force that got us to this place. Thank you, Steven, for the template and the alternates, if you will, in the policy. I think this is going to be great, and we will get this merged in, and then we will communicate this. I think, if I'm not mistaken, Arun, you had a blog post with the Hyperledger staff to get this announced to the greater Hyperledger community. Is that still correct?

That's correct, Tracy. I can get that proposed; look for publishing this week.

Okay, great. Jim, thank you for the "for" vote. I think we missed Jim in the vote, but Jim is a "for" as well. That was my mistake. I apologize. Okay, great. So we will close out this task force as an item and we'll continue from here. One sec. I should look at David's comments before we merge it. I haven't had a chance to look at those yet, so I'll take a look.

That's fine. They were nits: a little grammar and a little formatting. So I think it doesn't change the policy or the template in any distinctive way. But we might as well fix the typos before. For sure. For sure. Yeah, okay. Okay, great. Dave?

Yeah, just right before we close out the task force, I will say Fabric is still on HackerOne. I think we would like to move off of it. Does anybody see any problem with that? I usually work with Ry on this. He's not on the call, I guess. Ry is on vacation, but no, I mean, it's the maintainers. So it's whatever you all want to do. And do we still expect to maintain a bounty program? Because I think that was kind of documented through HackerOne, if I recall correctly. It was. Yes.
So that is a question we have been meaning to address. So this is a longer discussion, I guess. I'm not sure we want to get into it right now, but, you know, talking about things like security audits, bug bounty programs, et cetera, is something we definitely need to do. It's in some ways a board discussion because of the amount of money involved. But this is an excellent question, Dave, and we should have a longer discussion about it at some point.

Yeah, we don't have to do it now. I just wanted to bring it up. Thank you.

Yeah, it is on the radar.

Okay. Hart, it's on the radar, meaning at some point in the future you will bring that back to the TOC and then to the governing board. Is that my understanding?

In some permutation of things, yes.

Okay. I just didn't know if there was something I needed to add to the agenda for a future meeting for us to discuss right now, or if it was a future sort of thing for us to take a look at.

No, but if anyone has feedback on this, we would love to know. So Dave's data points on HackerOne and other things are going to be great.

All right, great. Anything else on this topic then? All right. So I think the next agenda item is off to Peter to talk about the automated pipeline best practices, and, you know, either update us or let's have a discussion, if we need to have a discussion in the group, to move this forward.

Okay. A bit of both. I started working on a survey and I put the link onto the Discord chat, but I also want to share my screen and go through the items very quickly and then ask for opinions and feedback. So I'm using Google Forms and, actually, even before I get started with the questions themselves, the more boring part is that I set it up so it does not collect email addresses. It does not need login. I don't know how good that's going to be, but I just prefer not to force people to have to sign in if they don't want to.
Maybe it improves the level of candidness that they will provide, which is what we're looking for. And so the questions. So that's a little description, but it just sets up the context that everyone here already has: we are trying to improve things with CI for everyone; we are trying to make sure that best practices are easier to follow; and the survey here, we hope, will help us make educated decisions, or at least a little more educated decisions, on what to include in the document and in what format to present it, etc.

So the first question I had is which service or provider do you use. I thought this is important because our assumption is that most people use GitHub Actions, but I would like to actually validate that, because if it turns out that one of the other options is way more popular, then we have to make sure to address that by way of collecting the best practices for that as well. And I tried to provide "other" for everything, or wherever possible, just so that people can opt out and include whatever else they have, because I'm always a little disappointed when there's a survey and they have a yes/no question that I either don't understand, or it doesn't apply, or I'm not sure for some other reason what should be chosen. And then there's a long free-form question about what the pain points are, if any.
I'm hoping that this will be the biggest value-add of the survey, so I put it relatively early, because we could identify patterns of issues that people deal with that we might actually have an easy solution to. I would consider that to be the biggest win: if the majority of people put down something here that's a problem that we actually have a good solution to, then that would pretty much prove that the document will be very useful to whoever uses it, and it would also inform our priorities on where to put which piece of information, because if something is a common issue then I think that should be front and center at the very top of the document, even if our initial hierarchical organization of the points would not agree with that.

And then there are a few more questions that I thought might be useful for us to know, for example if they are using the CI to do publishing of their artifacts. This might come in handy for other future task forces as well, for example the artifact signing task force, and it will also inform us on whether this is something where we should push a little harder, because I think automated publishing is something that is hard to set up, but once you set it up it's very, very enjoyable that it actually works, and it overall improves the software quality, because the maintainers who usually spend time manually issuing releases can spend time on more useful things.

And then, on a similar kind of idea, I'm asking about dependency caching, and you'll see there's an option here to say "I'm not sure", which seems obvious to me whether it should be true or false, but I've also put myself in others' shoes and maybe they will want to say "I'm not sure". Which also led me down the path of questioning: if someone wants to contact us as a task force, where should that be, and should I leave that contact information on this survey? So I will definitely be taking advice on that as well. And then the last
question, no, the one before the last question, that I came up with was how often do you have to deal with your CI. Is it kind of set-it-and-forget-it, or is it something that needs some sort of update very regularly? And this again feeds into the prioritization. If you have to change your CI every day or every week, there might be something going wrong, in the sense that one of the best practices might be missing that could make it more stable, sort of generic enough that it can deal with changing requirements.

And then another one is if the hardware resources are enough. I'm asking this specifically because, based on how I would respond to this survey, one of the things that we struggled with a lot initially on Cacti is the fact that the free-tier virtual machines that we get with GitHub Actions only have seven gigs of RAM, and we have to run multiple containers as part of the CI, running different ledgers, so that we can run our integration tests where the Cacti connectors are talking to the ledgers. And so working around this was not easy; we spent a lot of time just optimizing our containers to use less memory. And maybe this is very unique to the project, but I figured I'll just include it to see.

And so these are the questions that I've written down so far, and I figured we could put in there any other questions that anyone else thinks would be a good idea, and we can do a little live editing session. You know, if you have a question idea, I'll just put it right in.

Peter. Tracy, is your hand raised? Oh, sorry, I was sharing. No worries. There are a couple of things. So one, we can create a Discord channel for this task force. I'm actually surprised we didn't have one created, so I think that's probably a miss on our part. We can add that. The second question I have is around the package registry. So you have a true/false sort of question there. Do we want to know which package registries they use? Is that important or not important? To me, as I was thinking of the question, it
wasn't, but yeah, it should be important, because the best practices dealing with the specific registries can also differ. So maybe I should refactor this question, saying multiple choice, and then which one do you use, any of those, or none, and then the question captures the same thing. Makes sense.

Peter, I just created the Discord channel for automated pipelines under TOC. Thank you very much.

There is a question from Marcus in the Discord: what about asking, number one, the usual CI execution time, options could be less than one minute, between one and five minutes, five to thirty, greater than thirty; and the second question is when is the CI usually triggered, multiple answers possible: nightly, on push, on PR.

I like those ideas. Sorry, I'm actually typing this in, but I agree. Okay. GitHub, Docker Hub, npm, or Artifactory, and then, oops, "I did not use any", and then "other". Okay, so new question: how long does your CI usually take? One minute. Sorry, what were the options there?

I just put them in chat, Peter. The usual CI execution time; options could be less than one minute, between one and five minutes, between five and 30 minutes, and greater than 30 minutes.

Yeah, see, the Cactus or Cacti CI takes more than 30 minutes. It's "less than one minute", not "greater than one minute", at the top, Peter. Oh, yep, thank you. And then maybe an option for "I do not know", or "it varies", or you can be "not sure", or you can write an essay, and if you write an essay I will read it.

So I've got all the options for the CI question. And for the registry question, you're asking what they currently use. We might also want to ask if they would like to move to another CI or registry.

Okay. "Are you happy with your current CI provider / package registry?" Well, I was kind of getting at, like, do they have a preference; if they were going to move, do they have a preference? Okay, how do we phrase that? Or am I putting that built into the existing question, or a separate question just asking what is... I would think a
separate question right after that. You ask the current question, okay, and after this you have "a preferred package registry / CI provider that you would like to move to". Well, I was going to say, for the CI question that came before this and for the registry question, we ask it... Oh, separately. Separately, okay. Does it look good otherwise, for what a package registry looks like? Looks good. Also, if anyone would like to add any other options, just let me know. These are the ones that I came up with just by myself. Or "I do not want to move", or "I don't..."

Robin just asked about Maven in the chat. Okay, sorry, I'm coming around to it. So this, sorry, but then package registry becomes CI provider: GitHub Actions, CircleCI, Travis, AWS, GCP, and "I'm happy", or the other. And I'll move this up so that we don't confuse everyone. Okay, so we ask you which one do you use, and then do you like it, or are you planning on moving away? Okay. And now coming around to the question: Maven. Well, the thing with Maven is that Maven is the build tool, but behind Maven there's JFrog, there's Maven Central, there's a bunch of different registries that the tool itself can connect to. So I think if you said Maven, people would get confused, because they would all use Maven to connect to these different registries. But we could ask a separate question if they use Maven, Gradle, or... which are all Java build or dependency management tools, if that's what you prefer. Okay, I'll take the thumbs up. So I'm adding a new question: build and dependency management tools. Gradle, Maven, npm, Yarn, Cargo, Go, Makefiles or Make, CMake. More? Else? Is there... yeah, there will be a million of these. And "I do not use any".

Peter, forgive me if this was already answered. Are we asking people what projects they use? No. We could, yeah. I think that might be good, like which Hyperledger Foundation project. That could be front and center. That's, I think, that'd be good, yeah. That way we could... I think that would help us much better
understand the results. The projects, we do have people that use multiple, so it should be checkboxes. Yep. That's where I get caught, that I don't know all of them by heart. Oh, we are... pop quiz. Aries, and AnonCreds. Jim, you can't help him. Yes, you can. Please do. I think AnonCreds is another one. That's it. Cello, Sawtooth. No, no, no. Hey, Peter, yeah, yeah, like the Indy... Explorer is not a project. I mean, you could put that. Well, we don't, I guess we don't offer this to labs anyway. Iroha. Oh, that's right. Bevel. What did you say about labs? We don't usually offer these services to labs. Peter, could you add Solang? Oh, you have Solang, right? I think, but GitHub Actions also exist on the labs, right? That's true, that's the usual. Do we deal with the labs as well or not? Questions. I'm open to suggestions, but I guess you could just say "other" and then people can specify the labs. That sounds good. Yeah, yeah, I think this will let us... like, if we get half the people, this will let us interpret the data better, I think. I agree, it gives us context. And now I get outed for not knowing the alphabet, sorry. I'll check if anyone else has their hands up.

Did you all know that if you go to hyperledger.org and click on Projects and All Projects, it doesn't actually do anything? Oh, really? Oh, I thought you were just going to tell me that I could have just gone on the website and checked the list of projects. Well, I was like, we gotta make sure we got them all right. Oh, thanks for flagging that. It did work before. I guess it broke somehow. I'll file a ticket. Great, thanks, David.

Okay, something like this, alphabetical order. We could also change the order if it should be in some other order, but alphabetical is where my mind usually defaults. Okay, so that's required as well. I don't see any other hands. Go ahead, Jim. Should that be multiple choice? It is, let's check. Checkboxes, okay. So you can, if you want, you can tick all of them. Cool. So I'll probably wait a week or two for people to come in with more questions, if
anyone remembers any that they would like. But then, assuming that we are there at that point in the future, we can talk about how to communicate this. Should we send this to the mailing list, Discord, or all of the above, none of the above? Because if we cast too wide a net, then the responses might be hard to process. But if you don't... then maybe we do it layered: at first we could send it to just maintainers. I think we have tooling to message just maintainers, and by "we" I mean Ry has scripts to collect that information. Go ahead.

So Peter, I think also if you have more boxes for qualitative feedback, that might also be useful, because you'll probably get some people that, you know, just don't care and do a relatively low-effort pass, but you'll also get some people who really do care and they'll be willing to explain things, and, you know, written feedback is probably going to be extremely useful here. Right? So if you ask a question, right, "which service provider do you use", and then "do you have a preferred CI provider you would like to move to", then you could ask why, right, and then just have a...

Oh, good point. "If you answered yes to the question above and would like to expand on your reasoning, for which we would be very grateful, please do so." Something like this? Yep. Okay, something like that. Easy. Okay, so we have this now for the CI provider and the package registry. I guess another generic one below this one?

You could just do one at the very end. It's basically like, "if you'd like to provide any additional information on CI/CD, automated pipelines, whatever, you know, give us your information here", right? Just any other thoughts, basically, that you have.

Okay, yeah, I guess that's the easiest way. Otherwise we risk having just way too many questions, and then some people will drop off just because of that: they reach question eight and then they realize that there are 15. Okay, yeah, this is great feedback. Thanks, everyone, for the advice. All right, any
other thoughts for this? Oh, from my side, just the question of how to send it out. So is everyone thinking that it's a good idea to send it first to just the maintainers, and then we can decide how and when and where to send it in addition, to contributors or anyone else?

I think maintainers make sense. We've got the maintainers Discord channel, and I think we have a maintainers mailing list, if I remember correctly.

Oh, that's... yeah, that makes it very easy. Okay, then I will put this on hold, or on review, for further review for anyone who couldn't make it today or who will need some more time to think through it, and we can finalize it maybe at our next session, and then I'll send out the link to the maintainers mailing list and the Discord. Okay.

So just a small suggestion: maybe at the beginning of this document it would be nice if we add a paragraph on what the survey is about.

Okay, thank you. Sorry, I missed that. No, no problem. If there's something missing from that paragraph, I'm also very happy to add that specific thing, so please do read it. If you think something's missing, I'm happy to add it, and I'm also happy to add you as a collaborator if you send me an email; then I can give you... Great. Okay, sounds like that's it for today then.

Okay, great, thanks, Peter. Other topics that we should discuss today? I think there is one that comes to mind. In the Besu report there is a question about, I think, the GitHub Actions, but I think that's potentially a question for staff and not a question for the TOC. Let me see if I can bring that up quickly here. So the question is, "are there remaining asks of consensus around the CI that should be spelled out?" Am I right in assuming that's a staff question and not a TOC question?

That sounds correct, Tracy. That sounds like a staff question. I know Ry's been working with the Besu team on some CI issues. While he's on vacation... so, I'll check in with Ry on that when he's back on Monday.

Okay, sounds good. Sounds good. No
rush. We've got two weeks before we'll merge it, so I just wanted to make sure that that was brought up as a question that was there. So any other topics for discussion today? Okay, if not, then I think the next meeting's task force discussion will be around the security artifact signing. So I think that's the next topic up for discussion. Yeah, Bobby?

Yeah, and I was hoping that the documentation task force could get on the calendar for October 12th. Okay, October 12th, yep. Hart?

Hey, yeah, I just wanted to say, if we're discussing the artifact signing, I'd encourage everyone to read up on Sigstore before next week's meeting. I can post some links in the Discord chat if you're interested as well. That would be great. Rama?

Just to remind everyone that there's a badging and lifecycle task force meeting tomorrow, same time. We missed the last one because I was involved, but we have it tomorrow, so I'm really content. That would be good. Thank you.

All right, thanks, Rama. Yeah, so if anybody is interested in joining that task force meeting tomorrow, you're obviously welcome to join and have a discussion on project lifecycle and badging. All right, any other topics before we close for today? Okay, so thanks everybody for joining, and we will talk again next week. Thank you. Bye. Thank you. Thank you. Bye.