All right, this is Dan Middleton and you've joined another exciting edition of the Hyperledger Technical Steering Committee. All are welcome at this meeting and of course at our other technical working group meetings. Likewise, everybody's welcome to communicate and contribute on our mail lists and chat server. And last but not least, of course, contributing code under an Apache 2 license to any of our projects and labs. If you're not familiar with how to interact in any of these settings, we do have a code of conduct available, which I will briefly summarize as saying, please be respectful of everybody else in the community.

We've got mostly new business to discuss today. Just to tie things in with last week, I want to thank Todd again for sending out minutes as usual. It's a good discussion on that thread. Thanks to the presenters from last week. We heard from Dave Checke on a supply chain proposal submitted by several Hyperledger contributors, including myself. There's good feedback on that and I anticipate revisions back out to the TSC ahead of next week's meeting or the one following, depending on some travel schedules for some of us. We heard from Victor on the Caliper project, fixing some issues that are endemic to an incubated project. So good work from Victor on helping to shore up some things that were going on there. Chris updated us on the Fabric project. Congrats again on the 1.3. That project has a very healthy release cadence and that's a nice accomplishment to see that so regular. Also raised issues with chat and Jira, which I think you'll see the dialogue on the mailing list there. And then finally, we heard from Andy Gundersen on the Sawtooth project. Heard about the upcoming 1.1 release, and some issues were raised on CI, which have also been addressed, or in progress being addressed rather, over email and chat and so forth.

Moving into today's agenda, we've got the usual event reminders. Todd, have we got updates on any of those?

No, no updates.
Still targeting March 4th. We're talking with a couple organizations in Hong Kong and beyond that can potentially host Hackfest. So that would be more budget friendly. Trying to close on that. And then, yeah, Global Forum, going to be an exciting event. So definitely participate in that. It's for the entire ecosystem.

Okay, great. We've got a few updates today. First up will be Iroha and then we also have a late breaking update from the technical working group, China. Do we have a presenter on from Iroha?

Yes, I'm here. I'm Kenos Alahi from Soramitsu Labs.

Hi. All right. Well, I will turn the dialogue over to you.

Okay. Shall we start now or word?

Yeah, if you like, I think I can copy the update link into the TSC channel in chat for you so people can follow along. Or you're also welcome to share your screen if you prefer to do that.

Oh, yeah. So how can I share the screen?

You should see a share button in the bottom of the Zoom.

Yeah, I see. But it says you cannot start or screen share like other participants share. So you're supposed to stop sharing, I think.

Yeah, right.

Can I see it now?

Yes, I can.

Okay, great. So hello, everyone. I am from Soramitsu, one of the developers of Hyperledger Iroha, and this is our next update. I think the last one was in July, and since that moment we released beta 4 version, which happened on the 2nd of August, and we are now working hard towards beta 5 release, which is going to be shipped I think next week if everything will be fine. So the project health is good. We have now community manager who helps us a lot with managing questions and different bugs and the feature requests from the community side. We launched a new channel in Telegram about news in Iroha. We're also very active in Rocket Chat and existing Telegram and Gitter messengers. Yeah, so community was very active as well. We have constant community members who tell us about the problems, the features that they like to see in Iroha.
They also tell us about some bugs, and for example some of them really made us to postpone our upcoming release. Yeah, we're now working towards making more community events, like we recently, we had an event about our consensus algorithm in Iroha, and in future I think we will have more these kind of things like presentations or webinars from Iroha side discussing new features and maybe some problems with community. On December we planned to ship Iroha 1.0 release and we already finalized all the features that we want to include to our final release in December, and it will have a network testing framework in order to help developers to test interaction between Iroha nodes inside the network. We're also working towards substituting our current ordering service to the new one, which is going to be Byzantine fault tolerant. It's already implemented in the developer branch and hopefully it will be shipped in beta 5, but it might be postponed and released in 1.0. We're also improving our documentation of YAC consensus algorithm. We also have white paper about consensus algorithm. Yeah, of course we need to improve our peer initialization strategy of the network. So the strategy how do we add new peers, how do we remove them and so on. Also we want to improve our log verbosity to have more debug messages that help us to reproduce bugs from community. We soon will have replay attacks solution for queries and transactions in Iroha. We consider including mechanism like session case and transaction caching which will help us to prevent replays in future. Yeah, and also we need to process reject cases in YAC consensus, and we also want to add Iroha online sandbox in order to make it easier to play with Iroha in future, and also we want to have load testing for performance regressions using Hyperledger Caliper, of course. Since last report we have new Iroha maintainer, Mikhail Baldurov, who is from Russia.
Yeah, on the lower organizations our contributors did not change, it remains the same. Yeah, we have several active community members from Ukraine, Taiwan who ask questions and prepare issues in GitHub. Any issue, any question usually answered within a few hours, as you probably noticed if you follow our chats in Telegram, Rocket Chat. Yeah, so, and our current plans are actually to stabilize platform and prepare it to release in December. Yeah, we also want to improve process within the community. As I said, we want to have more webinars, presentations and so on to be more interactive with community in future. We also want to increase diversity of maintainers, to invite more maintainers from all around the globe, and we also need to move from our own ceramicus to Hyperledger to make it easier for community to follow any issues and features that are currently under development. Yeah, I think this is basically all from my side. Okay, if you have any questions I will be glad to answer them. Thanks.

Thanks, that was a very thorough update. Floor is open now for questions and comments.

In the project updates they talk a lot about the new contributors being added. Are you seeing kind of a regular churn of contributors or are you seeing kind of a steady growth, and can you comment at all about kind of the company composition of contributors, or kind of the magnitude of how much help you have or what kind of help you need?

Well, if we're talking about contributors, majority parts of them are hired by the Soramitsu company and they're employees of Soramitsu, even though we have few members outside of the company who also make prepared pull requests into Iroha. I think, yeah, we need the more contributors in future, and for now we're looking for them from our company side, not from outside, I mean, yeah.
So that is of course a key thing to work on, especially hearing about the plans to get to a 1.0. A lot of the projects, I think we'd all, well, actually we would like all the projects to have a diverse contributor base when they're going to be announcing a production release. Part of the stability of the project is knowing that a single company's departure isn't going to invalidate the project as a whole. I was taking a look at our Hyperledger community calendar. I don't know if you're aware of that, but it's a listing of all of the meetings across the community. We've had a lot of discussion recently about actually reducing the number of meetings that projects and working groups do, because it can work against global diversity, time zone diversity for contributors, but I'd say in Iroha's case, unless I'm missing something, I don't see any meetings on there at all. I wonder if that might be another opportunity for you to help recruit more interest or ramp new interest into your project.

Yeah, right, as I noticed, we want to conduct more different kinds of events and notice, notify a community about that as soon as possible. Yeah, so for example if we have to discuss a new feature and we have several options and we want to know what actually our community wants to be implemented in Iroha, we can conduct webinar or presentation to discuss these kind of things. I think that might help.

Yeah, I think something that's been useful in some of the projects, at least in Sawtooth, we have an application developer forum, so people who want to develop on top of Iroha could come to a meeting like that, and that's a way to help ramp those first initial contributions where somebody can then grow into a maintainer position from there. I think another thing, you mentioned you use like three different IRC applications, and so that can also be limiting to some people to have to try to track that many.

Yeah, different what? Could you repeat please, sorry.
The IRC, you said you use Rocket Chat, Telegram and something else.

The Gitter.

Yeah, so that, you know, for me personally that would be something that would limit me coming in, because now I have to monitor three different things.

Oh no, it's not a problem. We have a bridge, for example, between Telegram and Rocket Chat, so every message is being sent from Rocket Chat Telegram directly, so everyone get noticed about that.

Okay, so it's a feature.

Yeah, we had a little bit of discussion in Montreal with some of the Iroha contributors about getting exclusively on to Rocket Chat and not using bots to interact with Rocket Chat. It's a way to get more integrated with the Hyperledger community.

Yeah, we know that. Yeah, now actually most of the developers are moved to Rocket Chat and we try to really make them use this thing instead of Telegram, and in future we will only, I think, interact the community there. But for now we have a lot of members in Telegram and we have to support that as well.

Okay, if there's additional feedback feel free to take that to the mail list, and I think next up is probably Pawar. Are you giving the technical working group China update?

Hello Dan, Jay will give the presentation. He is also the co-chair of the TWGC.

Hi, I'm sorry, your audio was broken up, could you repeat that?

Hey Dan, can you hear me?

Yes. Yes.

Yeah, I mean Jay Guo from TWGC, he will give the presentation because he is also a co-chair.

Oh wonderful, thank you for being available, Jay. Yeah, Jay, go ahead.

All right, can you see my screen here? Hello?

Yes, we can.

All right, hi, this is Jay from China. I'm one of the newly elected board members of Working Group China. So as always TWGC is working on four areas: development and innovation, internationalization and education, collaboration scenarios, and then event organizations. So I would say in last quarter most of them are going well.
So overall activity in last quarter will be, we still held a regular bi-weekly meetings and we got more than 20 attendees on average per meeting, and we very often chat in WeChat groups. So we have channel in Rocket Chat, but in China people, most people use WeChat group, and we have quite a lot of them, and the conversation there are going, I would say, very, traffic is high basically. And in August we elected two new board members, me included, another one is Junhua from IBM China, so we have three in total. Baohua is still the chair, and we've done translation of Fabric 1.2 from all the volunteers from China. A lot of them are from universities in China actually, and the internationalization team is moving forward to Fabric 1.3, and we continue to organize meetups in China. So we had 12 meetups across six cities in last quarter, so this year we've held more than 30 meetups across 10 cities, and we've got from 40 to 200 attendees per meetup depending on the space capacity and the popularity of the blockchain technology in the city.
So I'd say this is quite active, and we got a lot of interest for every meetups, and in this way we accumulate a lot of volunteers, and some of them became the speaker of the subsequent meetups actually. And we, TWGC keeps helping developers in China to contribute, and a small group of developers have been working on the code to comply with China encryption regulation. So in China we use different, like, crypto algorithms, and this is, like, regulated by the government, and some products released need to be compliant with those regulations, so we have a group of people working on that and they are reaching out to a crypto-lib team to see how this can be integrated into Fabric and potentially other project in Hyperledger. And we have active developers in Cello and also, like, Fabric SDKs, and last week I think another group of developers contributed Blockly, that's a project using a, doing graphics smart contract development, so it's based on a framework open source by Google, and in TWGC we've reviewed the project for two weeks and I think a lot more people are get interested. And we have several volunteers discussing to launch a testnet in China, and potentially connecting individual peers donated by individuals and blockchain as a service provider and potentially also some Kubernetes clusters, and this has been kind of going, like, ramping up, and a lot more people are interested. We have a WeChat group of 100 people, and people are also, like, already talking about architecture and the resource they could get, so any resource from Linux Foundation is also highly appreciated. I think this is in line with the testnet proposed in the global community as well.

We do have several issues here. So first of all, one of the four areas a working group is working on is collaboration scenarios. Basically we collect use cases from all the companies and try to share them in the group, but we've lost momentum in this area. Companies and organizations are not
that motivated to share or promote their use cases. We are still trying to figure out the reason behind that. And the second issue is, there's a lack of talent, especially for projects other than Fabric in China. I think where they are, I mean, Cello is probably fine, but there are definitely few developers for, for example, Sawtooth or Iroha in China, and so there is only one talk about Sawtooth this year during the meet-up series, so I think there's definitely space for this to improve. And we've been encouraging developers to contribute to all the projects in Hyperledger, but probably there's either a language barrier or there's a culture difference, but it's a bit hard, like, we don't see many new contributors from China and they are not that active as we expected. And the third one, as I mentioned before, this China encryption regulation work has been done since the last year, but it's a bit hard to get integrated into Fabric, I think due to technical issues and also due to various reasons, that probably people don't know how to contribute to open source, or people don't have, just there's not much time for them to work on this, but they are currently working with crypto-lib teams. I think this is probably going well, at least going better. And the fourth issue is that we kind of need some funding from Linux Foundation to maintain the meet-up, because, I mean, we've been trying to use some free space, like, provided by universities, and we also have some free offering for live webcasting, but from time to time there's a money issue, and we're trying to maintain the neutrality of the working group, so either it won't be hijacked by any sponsors or there's a space for anybody to participate or to present their ideas. So it'd be highly appreciated if there are some funding that can cover space fee, and other materials like some posters would be nice. And the planned work product will still be technical events, documentation, mostly
translation and education materials, and we definitely want to see more code contribution, I mean not only from the project or the components mentioned before, mentioned, but also some new areas. And the participant diversity I think it's pretty good, so geographically we've covered most major cities in China, and from big companies to startups we have many different volunteers and participants in the working group, and we've been engaging with universities, like Peking University has been providing the meet-up space since the beginning of this year, and we also have for the universities in Shanghai providing the space, and also a group of students from another, Wuhan University is helping with translation. So I think diversity is pretty good. I don't have any additional information. Any questions?

Thanks for the update, Jay. Questions and comments from the TSC or the community?

Well, yeah, again, thanks Jay. I just, Chris, I, um, I think the one thing that I, you know, that comes to mind is this whole notion of a test net, and I know you teed that up for discussion towards the end, but I'm still struggling with the whole notion of a test net, and so maybe we can just have that there, but I know what you said, well, we need, you know, we need to do more of this, but I'd like to better understand what people think they want to get out of it.

Um, so, uh, so when, uh, those volunteers propose it, the idea is quite simple. I think first one is dogfooding, so they've been working on their own use cases and they want to see a public space that they can experiment and they can put some probably not very useful but interesting the app out there. And the second is we want to have a, um, a application that can motivate more contributors. For example, it's not necessarily a token, but it could be a credit that we give to volunteers as a proof of contribution, and it may not be used to buy anything, but it's a record that those people or this individual from any company, they've contributed either
code or translation. So the idea I think is quite simple, and we don't expect a very scale network, but just something that people can use as an example and they probably can play with. So I don't think this could be a very, like, a big, like, 100 nodes of network that people are very excited about, but I think we start, like, take baby steps and start with some things small.

So there's a lot, but there's a lot in there, right? So then there's, you know, sort of the contribution and gamifying things a little bit. We talked a little bit about that the members summit and the hackfest in Montreal both. You know, I do think that, you know, trying to, you know, as part of the whole, you know, grow the community kind of a thing, that we should be, you know, who's, you know, presenting at meetups, who's contributing code, who's helping to translate, who's, you know, doing, you know, writing apps and so forth, and who's going out and doing training, that all those things I think are, I think that's worthwhile pursuing. I'm not sure that a test net necessarily addresses that per se, although again we could I suppose have some token tracking thingy, I don't know, that would be interesting to see, but that's not really a test net, that would be just like an application, you know, where, you know, deploying something where people can try out their new stuff. Again, I think I don't understand why Helm charts are not enough, and then people can get their own kube however they want to source it, but that's just...

Okay, um, any other topics for Jay?

Um, yeah, that was, um, that was really interesting, Jay, thanks. Um, thinking about the issues you raised with, like, I guess a hypothesis that language barrier is something that gets in the way of cross project, um, uh, collaboration, do you think there could be a role for maybe like an extension of the technical ambassadors that we have, that could specifically maybe across multiple projects try and farm out tasks and help with communication? Um, do you think
there's people that might be up for taking those kind of roles?

Well, I think Linux Foundation is trying to recruit a technical ambassador in China. I don't think there is a result yet, but I do think it will be very helpful.

I don't think that the, uh, as far as your sort of a related thing on funding the meetups, I don't think that Hyperledger funds meetups directly. I do know that there's things like stickers and stuff that can be provided, and that, um, we can use, uh, Zoom meetings that are provided through Hyperledger for, uh, for these kinds of meetings that we're doing now. I don't think we typically have funds that can cover space rental.

Definitely prefer not to do space rental, um, but we have provided some, um, especially for first or second time meetups in the city, um, money for food, um, but, uh, yeah, the space typically you can find, you can find spaces for, you know, 200 people at universities and other companies in the area. So we do try to connect organizations we know of in any given city, um, to each other, um, and try to rotate around, you know, hosting these things, but yeah, generally meetups you shouldn't have to pay for space.

One other thought that comes to mind for you is, in order to get other project participation, uh, you might try to recruit from the maintainers of the other projects to come and present. I know your meetings are typically in Mandarin and the maintainers from other projects might not be able to, um, speak that, but if there's, um, you know, think about whether, uh, English or Russian or whatever the particular maintainers' languages, whether that presentation would still be meaningful, if you could get those maintainers in, like, stimulate some more interest.

Yeah, sure, I mean just if there are any maintainers out there want to promote the project in China, just reach out to me or why anyone in the working group. We definitely want to help, and we have meetups across multiple cities, so I mean anywhere you go, I mean any major cities you go,
we can figure something out.

Okay, great, well, thanks for that update, Jay, and again, uh, further dialogue you can take to chat or the mail list. And Hart Montgomery, you are up now, and Hart's going to be talking about, uh, project proposal for a shared crypto library.

Awesome, uh, thanks Dan. Um, so I will post the project proposal in the chat, uh, for those of you that haven't seen it. So this is something that I guess we've been talking about for quite some time now, so I think many people here are already familiar with it, but the general idea is that we want to build a project wide shared crypto library so that all of the other projects can use it. We think there are a lot of good reasons for doing this, they're listed in the document. Basically it saves effort, we avoid duplication, it potentially improves security, it allows us to concentrate our resources. Uh, we have a finite number of crypto and security people, uh, having them all concentrated in one spot is probably a good thing for the project and for security. We think this is potentially the first step towards having, you know, sort of a highly modular code base, and we think this will also help with interoperability. So I don't want to spend too much time talking, uh, because, well, most of what I would say is already in the proposal anyway, and I think many people are already familiar with this, uh, so I'd like to, uh, to really just open the floor for questions if there are any.

Oh, I'm sure there are, but all right, I'll be the first one. Um, what is the commitment from the projects to do actually incorporate the library into the projects when it's available?

None, I mean it's totally opted. I believe I say that somewhere in the document, it is on page, well, Google Docs showing pages right now, it's in this...

My question is actually for, right, but my question is actually for the Sawtooth, Iroha, uh, Indy and other developers, right? Is anybody committed to actually using this if one is available?

Yes, um, from the Indy side we are planning on using it as
soon as we can. We're in the middle of graduation from incubation processes, and so one of the questions we have for the TSC is, we would like to encourage the use of this project, um, and we're curious as to whether that causes any complications if we push hard to move to, you know, making our releases depend on this package as soon as we feel like it meets the same stability requirement that we've had in the code that we have moved over into this project.

I don't see how that could read negatively on, um, exiting incubation.

So what about Sawtooth, Dan, are you all committed? I know you guys are contributing actively to the project right now. Are you planning on making the move?

Yeah, so what we've done so far is worked together with the other contributors on the project there to align on a signing interface, and I'd say that we have interest in adopting this library. It's not necessarily a commitment because we want to see how it shapes up, but being actively involved in the development of the library, the risk that we wouldn't be able to adopt it...

I'm planning to use it to rewrite our key signing daemon that is part of Burrow. Um, I can't really see a reason why I wouldn't. I'm sure it will work out well and it will be better audited than what we've got, so we'd like to use it.

Could anybody from Fabric comment? Iroha, for that matter?

Well, of course, sorry, it was a mute. Um, I guess the answer would be I don't know. I mean, there would have to be Go bindings developed to take a look at, you know, what the effort is involved in making that transition. I suspect it would be a post 2.0 kind of thing, if, I don't know.

Yes, yeah, we too don't know what to do now. I mean, we consider to use that in the future.

Okay, uh, other questions, comments on the proposal?

I'll say that, uh, we would expect to have a Go wrapper, um, so that's probably not a big issue. Um, I don't know how compatible the Fabric interfaces would be, uh, with what we're planning. I know that Sean and Mike have done a
lot of work, you know, kind of hashing out the signing interfaces, um, to move towards something that both Indy and Sawtooth can use, but really we expect, you know, we don't expect a lot of the, well, Indy wants to, seems to want to use this immediately, but we don't expect a lot of the projects to immediately, you know, jump on board. But there will be some point at which a feature the projects want to use, say, like, you know, uh, some application requires a NIST curve and the projects want to implement a NIST curve at some point, you know, with something like this we expect that it will be easier to, uh, to change interfaces slightly to use the crypto lib than to, you know, build some huge new chunk of crypto.

Hi, and this is lennard lend that one. I would think in the interest of inter, interoperability, it's a long word on the first thing, interoperability in standardization, I think all the projects should sort of show support for that level, you might say, of advancement and standardization in terms of the new protocols, new standards have been vetted, tested, approved for use by all the tools and platforms. So could be the next major release, I think each project as they approach that major release should give consideration, strong consideration to adapt and adopt in the new standard in terms of the shared library. Thank...

I should also mention that most people have been focusing on the shared signature part of the library, uh, or sorry, the modular signature, rather than the zero knowledge or Z-Mix part of the library, and I believe that at least some people who are working on Fabric have planned to incorporate that part. So even if the base signature library is not immediately planned for Fabric use, some of the zero knowledge stuff might be incorporated in Fabric before that.

I assume people have had an opportunity to read the proposal since, um, Hart sent it out about a week ago, uh, but if you haven't, you could also draw your attention to the somewhat unique governance
structure within that. I don't know if there's any clarifying questions that are required from any of the community on that.

Yeah, the TLDR is basically that we're going to have, you know, extra oversight of this project, so in addition to regular maintainers we'll have people with cryptography and security backgrounds kind of around to look over everything and make sure that nothing insecure gets introduced into the project.

So how is that different than having maintainers? Help me understand.

Um, so the main point is that we want, uh, we're going to have, uh, essentially sub projects. So right now we have a base crypto library and a Z-Mix, and these are kind of, uh, essentially their own things, they're two separate Hyperledger labs at this point, and, uh, and well, there is some overlap on the maintainer list, but it is, uh, um, you know, it's different, and there are different maintainers for each sort of sub project. The, um, what I called the stewards in the proposal, which are essentially the cryptographers and security people whose job it is to go over stuff and, uh, and review stuff, are going to be sort of global. And I guess the most fundamental answer to your question, Chris, is that, um, we need a lot of, uh, well, we want to have some sort of algorithmic and, uh, and cryptographic overview, uh, and it's not clear that, you know, the people that can analyze the crypto algorithms are necessarily the best coders, so we wanted to sort of codify that role. Did that answer your question?

Hey, could you repeat that? I didn't know I'm breaking up.

Yeah, Dave, you're breaking up in here.

Yeah, big part to answer your question, uh, sort of, I guess. Um, no, Hart, I guess, you know, I think I understand. I mean, you know, we have a similar problem, you know, in Fabric, and I'm sure Sawtooth has similar kind of things, where, you know, there's people with expertise on cryptography and there's people with expertise on databases and there's people with expertise on
distributed computing and messaging, and then they're just coders, right? And, you know, nobody has all of it, right? And, um, and so you do need to sort of focus, you know, certain attention on certain parts, but, you know, I think you could probably do that with having some sort of, I mean, I guess I'm just a little bit confused about how exactly you go about, you know, do, does every patch have to have sign off from some security guru? That wasn't clear.

So in practice I don't know that we're treating this that formally, if that's your concern.

No, I'm trying to understand how, yeah, that's all.

The idea here is that there's more than one category of maintainer and you really want kind of a plus one for both categories, or also that, you know, if one category of maintainer wants to do something, meaning that just the coders want to do something and the cryptographers say it's not safe, you know, this governance structure, or calling this out in the document this way, makes sure that, um, doing things correctly from a cryptographic perspective is the argument that would win.

Can you guys hear me now?

Yes.

Awesome, okay, so I've been dropping on and off the conversation, so forgive me if this sounds like it's, you know, off topic or misdirected a little bit, but there was a couple comments I wanted to jump in on. Um, addressing Chris's concerns about, like, why isn't this just the maintainer's job, and the reason is that, um, well, the number one reason, and part of the reason that Hart and I really started thinking along these lines, and I think Nathan originally as well, um, was that using crypto libraries is a huge foot gun. People get it wrong all the time, and one of the neat things about making a Rust layer between the underlying crypto libraries and our main project is that we can take care of all of those foot guns, make sure that the memory is allocated correctly and that it's, you know, initialized with random data or zeros or whatever all the requirements are for getting the crypto
protocols correct. And so by having this cryptographic library, we can pull all the talent from all of the teams in one place. We can get it right once instead of having to go out and look at all of the implementations, you know, all the glue layer. I mean, the underlying crypto libraries are, you should be using ones that have, you know, a long, long track record of being, um, secure and, uh, you know, well defined. But how you use them can be, can defeat all of the effort that's been put into the library itself. And we've already seen this year several, um, bugs against our blockchains that were based around misuse of the underlying crypto libraries. So from my perspective, this increases the security of all our projects, um, by making sure that the glue library we provide covers all of those potential pitfalls, or at least makes an effort to do that. And then if all of our blockchains code to the API, then they gain from that effort and we only have to do it once instead of, you know, over and over and over again. Um, and it kind of puts a nice interface for us to be much more conservative around using cryptography while we are also experimenting with doing all his proofs, right, and also trying all kinds of new stuff and consensus. So we can continue, you know, being very fast and breaking things, you know, or not breaking things, but, like, you know, experimenting in the blockchain space, but we're much more conservative at least in the interfacing to underlying crypto libraries. So this makes a huge improvement in the things that keep me up at night, and, uh, I would love to see this, um, be widely adopted. And the last thing, about Fabric adopting it, the commitment: I understand that there isn't a lot, um, that the Fabric team can say at the moment, but we have been able to get open source repos for the Chinese government approved cryptography, and we have tentative agreements from the Chinese community to help get that into the crypto library and to also, um, help with writing and upstreaming
patches to make Fabric use the crypto library. So, I mean, from a diversity standpoint, and in that maintainership of that project, it's looking good. Um, we can also then, um, you know, leverage their interests to, um, drive the adoption for Fabric. That doesn't mean Fabric will have to use Chinese cryptographic, uh, algorithms. Just means that it's coded to the library, and you can then use the algorithm agility that's part of the library's feature set to take the right algorithms for your application. So anyway, I'm done. Hopefully I don't drop off here. Okay, thanks, Dave. Hey, Chris, I originally had some, I don't know, confusion or discomfort also with the stewards versus maintainers thing. Um, and Hart in part convinced me that it's useful to have people that can do review, particularly we're considering a new algorithm that isn't standardized. So maybe less about looking at the patches that come in and more about if somebody's proposing to use an algorithm that might not be academically vetted. Um, another thing that brought me around to it was that I think it's okay to do maybe a little experimentation in the governance structure, especially for an incubated project, and we can find out if, uh, having this type of governance or maintainer-ish role is useful. Yeah, I would say the big question is not around, you know, things that are well established, like basic signatures, but things on the more advanced side. So things like zero-knowledge primitives, uh, post-quantum stuff, uh, non-standard hash functions, uh, this kind of thing. Like, we just had a discussion, well, there's a discussion on the list right now about a new implementation of a hash function, for instance. Right. But you, so, look, I think I get it. I, um, I guess there's two pieces to this that, I mean, look, I think it makes sense to put additional scrutiny and so forth, especially on a project such as this. Um, but you can do that in a couple of different ways. Um, you know, having two tiers
is fine, but then you also need two tiers of, okay, so how do you get to be a security maven or a steward person, right? How does that, you know, uh, what are the criteria to be a maintainer, right? What's the distinction between the two, I think, becomes a little bit weird. Um, and you could just sort of, at least from my perspective, you could just have maintainers, and everybody sort of knows who the sort of, if you will, the lead maintainers are, and when something comes up they say, hey, you know what, so-and-so should look at this, right? I mean, all I'm saying is it could be informal as opposed to formal. And when you put something in formal like that, it can tend to sort of make the approachability and accessibility of the project a little bit hard. That's all I'm saying. So, Chris, are you concerned about sort of calling this a new governance, or about the specific details of adding the roles of kind of gatekeeper here? It's, um, I mean, if we call the maintainers and just said that there's an additional responsibility for the maintainers in the project, and it's a specific vetting process, would you be more comfortable with that? Yeah, I mean, I think, you know, again, it just creates another class, right? And yet the maintainers are supposed to be the ones that are responsible, right? And so what we're really saying here is that, look, because of the reasons that Dave, you know, so eloquently cited about, you know, you don't want bad stuff to happen, and so therefore, you know, when maintainers are reviewing a patch and they're either not fully comfortable that they, you know, and they think that somebody should take another look at it, everybody will know who those people are and they will have, you know, the ability to do that. But then you don't, you know, if there's a small set, I don't know, it was three or four, I can't remember now, of these stewards and they're not around and nothing gets landed, you know, then that can hold things up and people
can get pissed off and then they just walk away and they leave. And all I'm saying, I'm happy, you know, we have that, you know, sort of a little bit in Fabric, you know, because, um, you know, they're just a very broad area of capabilities that people have to be able to deal with, and the maintainers just need to sort of figure out how to deal with that, right? So, um, all I'm saying, I think, is that, well, you could just have maintainers, and everybody sort of knows that their responsibility is to make sure, and damn sure, that, you know, this stuff is good. And so you can do a two plus two and make sure that on the patches that seem to warrant additional scrutiny that you have people go around and try and get it, but then the mundane stuff can just go in, right? You know, I actually agree with Chris on this one. I'm going to jump in on his side on this one. I, you know, I thought that the proposal was fine, but, um, you know, I see Chris's point in this and I kind of agree. There's actually two sets of quote-unquote expertise, uh, in this, uh, library project. And one is, you know, seasoned cryptographer who understands the underlying mathematics, and someone that, which is not me, but someone like myself who's been chasing zero days for 20 years, right, who can see the misuse of a library and understand the requirements of the underlying crypto libraries and make sure that the software engineering is secure. And so I really like this idea of, like, a two plus two, um, because it kind of forces, like, someone like myself looking at it and someone like Hart looking at it at the same time, right? And we see it from two different perspectives. I've always thought that if you came into this project, and it was a do-ocracy, and you, you know, had the vision of the project in mind and were constantly doing good things and right things, that you could easily become a maintainer. I like it to be a little less formal. Um, but I always, I thought this stewards thing was a little less
formal. Maybe, maybe it's been misunderstood, I don't... Yeah. Yeah, so this, um, perhaps we... Sorry, go ahead. Um, it's just a, perhaps, um, because I understand the point about not wanting to frustrate between two groups of people and to get code in. Or I would say one of the things with the crypto stuff is sometimes you might think it's mundane and it's not a mundane change. But what if there were separate processes for code entry, as in via maintainers and standard PRs, and the kind of rolling cryptographic audit, whereby, I don't know whether it would make sense to include some sort of boilerplate, uh, commentary or something in a file, but the group of cryptographers, I don't know quite how you credentialize the cryptographers, but I guess we can figure it out, are going through continuously, not necessarily at the same time as the code coming in. Although I realize that then makes it a little bit fragmented potentially, but I guess you could have a kind of an elevation of certain code as it gets audited, then some changes accrue over time, and then the audit needs to be redone. And those processes could be separate so people don't necessarily get in each other's way. Okay, yeah, I agree. I agree with that statement, really, because, um, I guess the maintainers of the shared library will, some of them if not all, will have cryptographic skill sets as well. That would be part of their expertise. It may be one or two or several maintainers. So using the word maintainers within the shared library, so these literally can be called upon to vet. And so as long as a product, a tool set, adopts the shared crypto library, then yes, um, these maintainers of the shared library become the people you would call upon, or the maintainers you'd call upon, to vet and provide oversight of the use of these standards and protocols in that library, as long as that shared library becomes part of the compiled implementation. So that's one way of doing it, but they're all maintainers, as opposed to separating maintainers
with different roles within the project. So it's only to provide a further level of vetting and oversight to ensure that the products on implementation in production provide a high level of safety and soundness. So my security bug fix, you know, and all the other areas that we need to be concerned of today. All right, thanks for that last note on that, Leonard. Again, let's take further discussion to chat on the TSC channel and chat.hyperledger.org or to the mail list, and we'll probably pick this up again next week. Thanks, everyone. Yes, thanks, everyone. Have a good day. Bye, guys. Yeah, thanks.