Great, welcome everybody to the May 18th Hyperledger Technical Oversight Committee call. As you may be aware, two things that we have to abide by on the call. The first is the antitrust policy. So there are obviously competitors in this meeting that may exist and so we must make sure that we're not doing anything against the different antitrust and competition laws across the world. The second thing that we have to abide by is the Code of Conduct. While all are welcome here, we do have a Code of Conduct and that is linked in the agenda. Basically, be nice to each other, be respectful of each other. So as we go through the agenda, we do have the standard announcement today, so I don't know who Sharon Rye, if he could just scroll down in the announcements. So the Dev Weekly Developer Newsletter goes out each Friday. If you do have something that you want to include in that newsletter, please do leave a comment on the Wiki page that is linked in the agenda. We do have some PRs that are out there that have been out there for a bit. So just put a reminder in there to remind everybody to go review those PRs. I did notice that a number of people had done that, so we're probably making some good progress towards getting the TOC members to review those. As far as quarterly reports go, oh, I'm sorry, do we have any other announcements that anybody would like to make? I'll take that as a no. So for quarterly reports, we did have the Bevel Report come in today or over the evening in some cases. So please do have a look at that. I've seen a few people who have reviewed that. The Solang Report also came in. I wasn't expecting it, so I guess I have to go check the calendar and see if I either missed it somewhere along the line or what, but that one did come in as well this week, so please do have a look at that one. Are there any questions so far on the quarterly reports that exist that we need to discuss here in the TOC meeting? All right, I will take that as a no. 
I didn't see anything specific. As far as past due reports, we still are waiting on the Hyperledger Sawtooth Report. We're rapidly approaching the one month for that being due, so we'll see if we can get another reminder out to them. I didn't see any sort of responses coming back, but I also have been a bit lax in reading my Discord this week, so if anybody has any updates on the Sawtooth Report, can you let us know now? Okay, we will make sure to get a reminder out there and see if we can get that one coming in as well. So on the calendar itself, I didn't see anything as far as upcoming reports until June. So I think Cello is actually the next one that I noticed on the calendar, but as I mentioned, we do have the Bevel and the Solang Report that came in for us to take a look at. So please do take a look at those in this upcoming week, and we will make sure to have those on the agenda for next week to make sure if there's anything that we should discuss, we can discuss. All right, so for discussion items today, we have three items on the agenda. The first is a request that we got from the governing board that I'll talk about. The second is that there is a GitHub issue reminder PR that Arun has put out there, and so I want to make sure that we can have a conversation about that. And then the last thing on the list is just to close out the security vulnerability disclosure task force. Any other items that anybody would like to discuss or that we should think about adding to the agenda for today? OK, so the first thing I believe I mentioned at some point at the beginning of the year that the governing board did have a conversation in the December meeting that they had their face-to-face meeting that they had where they wanted to talk about how we currently review our existing projects to understand kind of the state of those projects and what their status is. 
Obviously, we've been doing most of that through the quarterly review process, but there has been a specific request from the governing board to implement a review process that is potentially minimally annually, where we review the different project status and see if it's in the correct state. So if we take a look at that, it's really intended to make sure that we, as the TOC, are checking out and making sure that a project is actually in the status that it belongs in and that if we identify certain projects that don't match their current status, that we potentially change the status to reflect the current state of that project. So I'm not going to read this whole thing. Obviously, it was linked in the agenda, but we'll give some time for people to actually read it if they hadn't had a chance. I think that the main thing here is that we're seeing in other open source projects across the Linux Foundation that they typically have a process for doing project reviews and moving projects to the status. As you are probably all aware, in Hyperledger, we do have the Project Lifecycle. The Project Lifecycle is a forward-only sort of movement, so we can move forward in the Project Lifecycle, but not backwards. So this could be a chance for us to think about that Project Lifecycle and review whether or not it's actually what we want as far as, hey, Ryan, you're looking at the swagger on the stair. So take a look at our Project Lifecycle, see if it's what we want or see if we should be taking a more, I guess, advanced approach to how we look at Project Lifecycle to match some of the other foundations that exist within the Linux Foundation. So now that I've rambled on, hopefully you've had enough time to actually review the text here and see if there's any sort of commentary or thoughts, initial thoughts on this particular request from the Governing Board to the TOC to take a look at how we evaluate the status of projects and the state that they're in. Arun? Thanks, Tracy. 
So this comment is mostly based on the explanation you're providing in this call. And I'm curious to learn when you say other open source communities have a review process in place. And that kind of makes me think we do have a review process. So I'm just curious to learn more of that comment. Yeah, so I think, you know, what we have been doing in the Hyperledger Foundation is that we have the quarterly reports that we typically read. It is sometimes the case that I think we've seen it where a project will be reporting their status and everything will look great, but actually the project isn't great. And so if we look at different projects like CNCF or even the new Open Wallet Foundation project, they do have a project review process whereby they assign somebody in the TOC to actually go off and do some research about a project on an annual review process, typically, where they, you know, check to see is the project actually have contributors or the maintainers coming up to date with what's going on. Are they in the status that they expect to be in? So, you know, I know with the Open Wallet Foundation process, they actually have very specific goals for each of the states. So in the Open Wallet Foundation, they're called growth and impact is what the states are called, which would line up with our incubation and our graduate. And they basically have goals that say, you know, so many maintainers from different companies the same way that we do, but they also have goals around the fact that it's being used in production or different sorts of specifics that can be looked at across the board and say, is the project still meeting this or should they move back in the life cycle or maybe forward to an end of life, right, in life cycle to say, you know, this project actually really isn't in an impact state anymore. It's more trying to go through the growth cycle again, or it's more at an end of life cycle. 
And so each of these different foundations within the Linux Foundation have, you know, different sorts of expectations for their projects, as well as this review cycle where a TSE member is really responsible for going in and digging in and understanding the true state, and not just the reported state based on the quarterly reports like we do at the Hyperledger Foundation. Mabye. So would there be a matrix of checkpoints that the projects would have to do once a year or someone in the TSE review from the projects applying it? And would it be done like instead of just quarterly reports have one of those reports be the additional or do you see a different structure for that workflow? Yeah, I think that's really up to us, Mabye, as far as what we think might be the right approach. Obviously, we can take a look at these other foundations and the process that they go through to see if there's some learnings that we can have from those different foundations. You know, I think the main part about what we've been doing is as we've tried to look at project health, you know, with the task force last year, as we've done our quarterly reports, we haven't come up with any what I would say objective criteria yet that we can actually check to see whether or not these projects are meeting to know whether or not they're actually in like the state that they should be. So I think that's, you know, obviously for us to decide as far as, you know, how do we solve this request that we've gotten from the Governing Board to help us really understand whether projects are in the state that they should be in. And so if we can come up with that matrix, Mabye, then yeah, maybe that's the way that we want to go. But I don't know that I have an answer. I guess if I had an answer, I'd present that. But I haven't done that. 
I think that's something that maybe we should focus in on with a particular task force or, you know, and try and get the ideas from the folks here. Obviously, in the TOC, I knew there was a task force in there somewhere. Yeah, yeah, yeah. I mean, I think it's, you know, obviously we can try and have discussions with this group and try and come to some sort of resolution, but I do think that, you know, by having somebody kind of step up and lead this and really try and figure out what it is that might be a good suggestion will help. Right. What I have found in us doing these task forces is that if somebody creates something for people to react to, it's easier than just like, let's have an open discussion and try and figure it out. Right. It's always easier for people to react to something that somebody has created. Yeah, thanks, Ryan, for bringing up the CNCF one. Arun. Right. This may be a premature comment, but I was just curious, isn't the annual review process same as our quarterly review process? Well, I don't know. Is it have we been able to determine that projects need to move to a different state? I don't know that we actually ask some of these, you know, sorts of questions that will help us determine are they really, you know, still moving forward or not? So I think that was the intention of our quarterly reports, but I'm not sure that it's worked in the way that we would have expected it to. It's very easy for people to say things are great and for us to believe that without actually digging in and understanding whether or not that's true. Arun. Thanks, Tracy. So I'm after this, after listening to this, I'm willing to participate in one of the review calls if it is open. And listen or just participate and observe what happens over there. Thank you. Yeah, that may be great to actually see it in process and be able to understand it better. I will try to find if there are any. 
Meeting notes from CNCF review processes and make those available. I. You know, I've only just started looking into this. Thanks for. Yeah, I think that's the key here, right? Is we need to do some research, better understand what other projects have, see if there's something that we can do potentially differently or in addition to our quarterly reports to make this process, you know, something that would really understand what the state of a project is. I know that I had the impression based on that December meeting with the governing board that this was going to be coming for us at some point this year and I did create a task force issue for us to be able to take a look at this. And so I'll also find that one and put the link out there. We haven't signed up to do that one yet, but it is one that I did expect for us to have to tackle this year. Other thoughts at this point. Concerns. Steven. I'm just thinking that, you know, is it that we just need as a TOC to be more aggressive in responding to the quarterly reports that have been combined with the statistics, the metrics, I mean that, you know, was talked about on a previous call and that that ride generates. That certainly would have pushed a lot earlier on Ursa, for example. So we use like right now we basically are waiting on the metrics for initiating things. And is it just a question of we just need to be more aggressive. It's saying, Hey, wait a sec. We're just not seeing the metrics. Yeah, I think that's a, it's a. Good possibility, Steven. I, you know, I missed that one call. A couple of weeks back and there was some discussion that the, that was brought up around this topic. And so I was like, I don't know. During that call and I think I, I put a message out on the TOC chat after I'd listened. Right. 
I was, as I was listening, I'm like, yeah, kind of be more aggressive or kind of, you know, instead of waiting three months before we take some action, we should, you know, maybe a month is kind of the place that we need to start taking some action where we don't see any sort of responses or. We have been very much. Not wanting to take action. Too soon. Right. And, you know, basically, I think there's reasons for that. I think there's also reasons to, you know, figure out what that right timing is to take action. You know, I think if we take action too soon, it's very possible that we, you know, alienate people, we're not seen as very welcoming and those sorts of things. If we wait too long. Then we end up with a situation where people are expecting to be able to get answers and responses or, you know, their pull requests merged and. And it's not happening. And so, you know, they get discouraged and, you know, move on to other projects and those sorts of things. So, you know, I don't think we have the right balance at this point. I don't think we are being aggressive enough, but at the same point, like where is the, you know, we don't want to, I guess, you know, hit the pendulum too hard and swing too far the other way. So I think that's for us to really try and figure out as a group and then try and determine what is the best sort of approach here. To address specific concerns or questions. Daniela. I know how to use. I just want to make a comment that, you know, a lot of the work that the TSC merging into the TOC and this current TSC. Board, right, the committee, a lot of the work that you've done over the last, you know, I would say 12 to 18 months, maybe a little bit more. But I just want to, you know, I just want to make sure that we have the, the project health and review cycle to a much closer point to this than before. 
And so I want to thank everybody, everybody who's on the current TSC and those that were in the TSC before the last elections, because it is just gradually also helped us move the process of, you know, providing, you know, helping provide project services as a staff, to identify projects that we can help promote and, you know, bring in new contributors and maintainers and those that need extra help. So I just want to thank, it's not like, hey, the board sat around for three months and decided this was something that they were going to do. They also recognize very much that the project, the foundations, TSC and the work that everybody has done has moved us to this point where we, you know, continue maturing projects. We can do this kind of evaluation and review. So just want to thank everybody on this. It's not something that happened overnight. And there's been a lot of things already done that have put us there. And the board acknowledges that. Yeah. As do myself. Because, you know, I've been watching this whole process since 2017 as well. And the rest of the staff really appreciates it as well. So thank you for that, Daniel. I, you know, I know that every year that I have been on the TSC, we have had a discussion about project health. Obviously quarterly reports is one of those action items that we took with, you know, change some of the life cycle. I think we used to call it what active network graduated. You know, we've had the task force to actually think about project health. We've, we've, this is something that I think is, you know, we're trying to definitely improve on each year. And so this is just another step in that process of how do we, how do we make additional improvements to, to make sure that we can recognize the projects that are, you know, obviously. Doing a great job and are healthy in the way that they act and behave. And then helping out the projects that need some help, right? 
And I think even looking at, say, the work that they did with the best practices, the project best practices task force, right? I think that is a big step in, in helping projects to really understand what it is to be healthy in. I think it's, you know, while it's something that we did here in the TSC, we probably want to at some point do some advertisement about that so that other people are aware that this exists and that they have a resource to go look at. So yeah, any other comments before we can move on to the next topic? I think, you know, for next steps, I think what, what we should do is to think about activating that task force and trying to work through and understand these different sorts of review processes that do exist in the different foundations. Arun, if you do find a meeting and you can come back and report to us on how that actually looks and what that, how that works, that'd be great. Rai, if you find any documentation that you can share with us, I think that'll be a good input into, you know, really starting this process and moving this forward. So let's keep this obviously on our radar. And we will see what we can do to meet the governing board's request so that we can report back to them how we, how we're moving forward with this. All right, the next item on the agenda is just this GitHub issue reminder PR, Arun, that you created. I did want to make sure that you had an opportunity to talk about this so that people understood what they were looking at as they were reviewing this PR. So just maybe a short description of what this is all about and then people can take a look at the PR and review that for whether or not it's, you know, it has any issues or any concerns that people might have. Sure, Tracy. So as many of you know, the current way of reminding project teams is that we go and then ask them either on Discord private chat or we ask project maintainers to send the quarterly reports on the maintainers chat if they have one. 
And then we wait for the response and many times it may so happen that there's a lot of chatter back and forth that goes through. And I felt that reminding project teams to send a quarterly report should be, it's a task that project maintainers have to go through just like any other tasks in terms of project maintenance like project management that a project needs to do. And since recently, we also had a discussion around having all the projects moving their project management aspects more to GitHub issues felt like how about sending a reminder through a GitHub issue, right? So this would be assigned as a task to maintainers. It would notify maintainers as well as TOC members of a pending quarterly report. And a project team has to raise a PR and they would link the PR in the issue and they would close the issue once the issue is once the PR is submitted. So the issue acts as a reminder and any discussion will continue on that GitHub issue. And this issue would be, I know there are a few projects which have multiple repositories such as Aries where the maintainers at itself could be varying. And we can always add the respective people who the issue needs to be assigned to, which is the primary repository where we may need to raise a GitHub issue for those projects. So apart from that one gray area, I felt other things were good enough over here. So, yeah, any comments from the TOC members for this process of reminders? For those of you who are doing quarterly reports, creating an issue in your GitHub repo, does it make sense where you folks is that a place that you would typically be looking and would it jog your memory if you will to say, oh, I have to do a quarterly report for my project? Steven? A, yes. But B, quick question. Are you actually assigning it as part of this GitHub action or does it, or does it just get opened as an issue? It gets assigned. Okay, good. Good. I think it's a great idea that I think it's helpful. 
And it really gets assigned to all the maintainers. Is that correct? That is correct. So if you open the, the sample file, right? And so feel free to update this maintainers list, right? So over here for each of the projects, I took the maintainers list for now from the GitHub teams that I could find. I'm looking into automating this. I have a CSV file with list of all the maintainers somewhere else, but if this process gets through for now, I filled this file by myself. But once this process gets through, I can try and see if we can pull the maintainers in automatically. Okay. Cool. And so you, so in this, to deal with that Aries issue, we can just pick which repo it updates, right? So that's, that takes care of that. That's correct. And we could also customize the text that we want to add within the. Reminders that we want to send. Yeah. Yeah. Excellent. This tool works for any issue reminders, like we could schedule reminders to different projects for different things, not necessarily just the quarterly reports. Any other thoughts or comments at this point? Okay. So obviously the PR is out there. Please do have a look at it. I don't know if you have any questions or comments. I don't know. I don't know if you have any additional thoughts or feedback based on what you're seeing. And we will just let the PR process take that through. I did want to bring this up, especially just because of it hasn't been discussed yet. Any of our previous meetings and. You know, I need this PR without there waiting for people to take a look at. All right. Steven, I'm going to. Drop your hand. Okay. Thank you. Next item on our discussion for today is the task force discussion security vulnerability disclosures. From what I remember where we're at is we did have. The template that was created. And I think this is. Intended to be the last kind of closing. Session for this particular task force with. So there's been amazing comments on this. So. Just the, you know, final results. 
And where we're at and what needs to. You know, happen if anything else needs to happen for this. So. This one I think is yours as well. See Hart. Oh, Hart. Hey, Tracy. I think we may want to have. Potentially one more. One more meeting on this. What I would like to do. And I apologize for not getting those incorporated sooner but as I was counting I'm on my ninth conference in the past month. I just haven't had time as well. Hart we lost you for quite a bit of that. Sorry yeah I'm on a way to a conference again. Can you hear me Hart? Yeah I'm in the car of course on the way to another conference. So he accidentally hung up before he got disconnected. Yeah looks like he dropped. So what I heard was they need another meeting and it's unclear if it needs to be discussed. Oh Hart's back. Apologies can you all hear me now? Sort of. What if I'm the car? Do you want me to just type this in Discord? Please. Okay I'll cut in and type what I want to say in Discord. I just want to point out that Hart is in the middle of Silicon Valley driving in the car and can't get connection so we're really we are we are top of the line here in Silicon Valley. I just sounded like yeah he was jumping between multiple cell towers or something so that's great. So we need one more session it sounds like and there's some updates that have been made to the document that people have commented on and Hart is going to try and get those included in the document itself when he has time outside of his conferences. We'll see if he has put anything in the chat yet. So yeah anyway anything else that we need to discuss then on the security task force today? So I think the request for comments is happening in a Google Doc. The link for which is available. We can reshare that link in the TOC mailing list. 
I just saw Hart's messages that he would like everyone to add in comments for an address or discuss on each of the comments which is open and then take these suggestions back to open as I said take their feedback. I'm sorry I'm just being a reader of Hart's messages now. Yeah so I just posted everything in Discord. I hope it all makes sense to everyone and I hope it's more understandable than me talking on Zoom. All right sounds good Hart thank you for that. I think it definitely makes sense for us to review get feedback and comments in that document and then we can I guess the next time we discuss this particular task force we can make sure we have a vote to see if it's what we were all expecting as we go through that and then yeah obviously the next security task force is on artifact signing that we're going to be taking on as well so anything else then just to close out the security vulnerability disclosure task force discussion today that we need to talk about? Okay I'll take that as a no so I think the next task force discussion for next week will be Bobby you documentation and onboarding if you want to combine those or if we need to separate those at some point let me know we can separate those and then I think it's on to some of the newer task forces to get incorporated into the schedule so I will take a look and remind myself which ones we agreed to start and ensure that whoever is going to present the week after knows that they're going to be presenting the week after or starting that discussion for that task force the week after. Any other discussion items for today that we need to talk through on the TOC call? Okay if there's nothing else then I guess we will close out the meeting for today and we will talk to you all again next week. Thank you Tracy. Yeah you're welcome. Thank you. Thanks. Bye.