Hey Tracy. Okay, welcome everybody to the August 3rd Hyperledger Technical Oversight Committee call. As you are probably all aware, there are two things that we have to abide by on the call. The first is the antitrust policy that is displayed on the screen. So basically, there are competitors on this call; let's not do anything that is prohibited under any of the antitrust and competition laws. The second one is the code of conduct, which is linked in the agenda. Of course, all are welcome to join this call and participate.

For announcements today, we have the standard Hyperledger Dev Weekly developer newsletter that goes out each Friday. If you do have anything that you would like to include in that newsletter, please do leave a comment for consideration on the link that is in the agenda. The next three items, I think I'm going to hand off to Sean to talk to.

Thanks, Tracy. I'll keep this really quick. The Q3 editorial campaign is Hyperledger identity. If you have news, announcements, something you want to promote that is related to Hyperledger identity projects, please let us know. You can send an email to pr@hyperledger.org about that, and we'd love, you know, to include things like developer showcase recommendations, etc. We'd love to get some more inbound. Animo: the team members at Animo are really great maintainers and contributors to Aries Framework JavaScript. They've just announced making Aries Framework JavaScript a global framework. It's a call for sponsors and partners to make it easier to build EU-suitable applications with Aries Framework JavaScript; there's a link there. And Lissi, who are using Indy, Aries and AnonCreds, recently announced a messaging feature for their agent and wallet, and you can find out more there. Thanks, Tracy.

All right. Thanks, Sean. Any other announcements that anybody would like to make?
Okay, so, you know, for quarterly reports, when I put this agenda together we had the Sawtooth report that had come in. And obviously the Q2 Sawtooth report is still out there with some questions and requests for changes, but do have a look at the latest Sawtooth report. We also, since then, have gotten the AnonCreds, Aries and Iroha reports that have come in, so please do take a look at those. Any questions about the project reports?

Okay, so then for our discussion today, we have the security policy PR that Arun has put out there that we should discuss and determine whether or not we want to approve this and get it merged in. Hey Arun, would you prefer to drive?

Sure, Sean. You could continue sharing the screen. So, okay, we have a PR that you all see here. It is a translation of the Google Doc that, I believe, all of you have already reviewed. And we are now formulating this proposal and then bringing it to each of the projects. As discussed earlier, the people infrastructure part would affect all the projects that are incubated, and we require all projects to take action once we get this proposal through. So, before we continue, has anybody reviewed the document, either on Google Docs or on GitHub? I know Tracy gave a few comments related to linking the sections; I did most of them. I'll update the PR in some time. But has anybody reviewed the document?

Yes, Peter. I did. To me everything seemed great in it. I didn't have much to comment or change request on it.

Thanks, Peter. Hi Dave.

Hi. I looked at it.
My initial question when I looked at it was, like, I think the most important thing in this is explaining how people can open a security vulnerability. And I thought that was a little bit confusing in this. It talked about using the security email up closer to the top, and then closer to the bottom it talked about using the GitHub security advisories, and there wasn't much discussion about when to use which one. So I thought that part could be clarified.

Right. So I can comment on what I understood by your question and maybe we can discuss that aspect. So the GitHub Security Advisory section that you see later in the document talks about how we notify the public of something that has been fixed and something that was reported, like a standard process that we should follow across the foundation, right? I believe there was also an open question on the Google Doc, if I'm not wrong, where if existing big projects have a process defined for issuing advisories, that should be considered. I think that goes back to you there, probably from within the Fabric community, or maybe the big projects that we have within Hyperledger: trying to understand if you have an existing process for issuing advisories. If not, then we would go with the GitHub Security Advisory as a recommendation. The reporting is in the initial stages; the advisory is in the later stages. And if that is confusing, maybe we can add a paragraph or maybe clarifying sentences in the document. If you know the exact lines, we can read through them now; otherwise I have noted down the feedback and will go back and read through that part and add clarifications.

Okay, yeah. I think if you just follow the GitHub docs, they'll point you towards the GitHub advisory even for the reporting stage. And I think any community member can in fact go to the Security tab of a project and report a vulnerability there. So I think that's
where people might get confused.

Good point. I'll note it down and go back and check that section.

And you asked about Fabric itself. So we have been using HackerOne, but I'm fine switching off of that and going to either the email or the GitHub security vulnerability reporting. Maybe we support both going forward, but I think those are both good options.

We'll see. Any other comments or thoughts? So I think if there are no more questions on this, then this will impact all the incubated projects: they will have to go and update their security policies to reflect the template which is over here. The highlighted part in the document would need to be updated for the requirements of each project based on what process or tooling options they have within the project. However, the general infrastructure of how we deal with a security issue, from the reporting stage till the fix and then the release phase, the document is a general recommendation for all the projects. So as a follow-up to this, we would like to propose a next task force within the security domain. This is for signing off release binaries and the general approach to be followed there.

Arun, that's the one that's already in our issues as a non-started task force, is that correct? That's the artifact signing task force.

It's correct.

I see, okay. Yeah, we can definitely add that to the round robin of task force discussions that we have.

This is good feedback. Any other point that needs to be discussed?
Yes, Peter, just a quick question about the embargo list. So is it essentially up to the maintainers to decide if the project is too small or big enough to have an embargo list, or is it mandated by the policy to have an embargo list?

Good question. I think in the recommendation document, if I'm correct, the wording that we have right now suggests that maintainers can choose to say a particular project is small enough, and then follow that statement with the arguments, like why do the project maintainers think that particular project is small and does not need to have an embargo list. Any comments from the team here?

Yeah, so Sean, if you wouldn't mind going to Files changed, then bringing up the section. If we scroll down to where it says embargo list, I think what it says at the very top once we get there is that, going, there's a whole section that says embargo. I think it says that graduated projects are recommended to have, yeah, here, right here: so the Hyperledger Foundation recommends that graduated projects maintain an embargo list. So that's a recommendation, like "should", not "must", if I read that correctly.

Okay. Oh, sorry, I was going to ask Rama what he thinks about that for Cacti, but he's not on the call.

Okay. I will just have to discuss that for Cacti at the Cacti maintainers' meeting.

It's highly recommended that at least the reason for why a project thinks an embargo list is not needed should be captured, so that people are aware. I think it's later. Can you scroll down a bit? Yeah, oh, sorry, it's over there: "if the project does not maintain an embargo list". Yeah, so this part of the document would need to be edited by the project: the project does not maintain an embargo list, this is because of one of the reasons that you would mention. It may change if in the future something else happens.

Could we just say an embargo list is necessary?
It just can be empty.

No, I don't know how to read that statement. Can you elaborate? Like, if you say it is necessary, you're saying that the project has importance, and then if you're saying it can be empty, you're saying, like, you don't know who the users or consumers of that particular project are.

It means nobody has asked to be on the embargo list. Surely, to get on the embargo list you have to ask to be put on the embargo list, I believe, right? Isn't there some sort of process that says, you know, if you want to be on the list, you ask and then get voted on? So wouldn't it make sense that everyone just has one and it's empty? It begins empty and then people are added.

I mean, I think that makes sense. I think what you're saying is basically we have an embargo list, everybody has an embargo list, it starts empty. And then when people request to get on the embargo list, the security team of that project gets to choose whether or not said request gets accepted. If it gets accepted, then now you've got a non-empty embargo list. If it doesn't get accepted, you still have an empty embargo list. And I think what that means is that if the project is too small, right, where they don't have the capability to kind of handle the embargo list, then basically every request gets rejected. But I think it makes sense for there to be that request process coming in, to start to see whether or not, you know, does it now make sense because somebody's actually using this in a large-scale way, right?
I think the other thing this does is it helps us to understand who the adopters truly are of the project, because I would assume that part of the request for getting added to the embargo list is: I want to get added to the embargo list because I'm using this for, you know, whatever use case it is that they're using it for.

So I think the current proposal does not state how an entry request should be filed. If an entity makes one, what process does an organization need to follow? We could structure that as a separate document in a separate place: if somebody is interested in being part of the embargo list, this is the process that we generally advise for you to follow. However, we could also give an option for each project team to define their own process, because the decision could be with the maintainers of the project.

It's a good point. And about the compulsory embargo list and then leaving it empty, I need to go back and check if that's a recommended approach. I haven't heard of a process like that.

Stay with us, Peter.

I just had this idea that we could add a single small paragraph or sentence that would remind people to be careful about accidentally disclosing who is on the embargo list by discussing it on a recorded maintainers' call, because it's easy to just make that mistake. You know, you dial into the maintainers' call, it's automatically recorded, and then it just gets swept up as the information gets published.

Thanks for sharing that, Peter. I want to ask the opinion of this group over here. So the general idea behind the embargo list is that the detail shared to the embargo list related to the project is of a confidential nature, because it can pose potential threats if a particular vulnerability is severe and has the potential of being exploited. And there is also a risk where, if there are competing organizations which are part of the embargo list and they are aware of the vulnerability, then that's another risk that we pose.
So that's why it's important for us to make sure the participants of the embargo list are aware of all these consequences, and that they know they have their own responsibilities to be followed. However, the list itself, I don't know if it needs to be kept confidential.

So Arun, at line 213 there, it does say, you know, that the... it was 213. Basically, the list itself is private in order to make sure that you're not going to have attackers basically being able to go against those particular organizations that are using the project. So I think that is important, right, that that embargo list does remain private within the security team.

Okay, makes sense. I guess this was added later as part of feedback from the OpenSSF team's recommendation. In such a case, I think I agree we can add a paragraph to the maintainers telling them the importance of keeping these discussions outside of their regular maintainer calls. Thanks for the suggestions.

Thanks for noting that. Any other comments that anybody has, or anything else from your end?

Don't raise the envelope. So I think the opens that I noted down so far are: the clarification on security advisory and then reporting an incident, and then read through the GitHub Security Advisory page and make sure there are no ambiguities between this document that we have and the link that we have pasted. The other suggestion was on the embargo list itself: add the clarification that project teams would need to have an intake process and, if possible, then come up with the process at the foundation level as a general recommendation, and then project teams can adapt or decide to put additional checks. The final suggestion is on the discussions, like adding clarification statements to keep the embargo list membership information from being disclosed in public calls. That's all the feedback.

Okay, great. So we'll wait then to vote on this until we get those updates in place. And that was actually the end of the agenda for
today, unless anybody has an opinion they'd like to bring up to discuss with this audience. Marcus?

Yeah, so I checked yesterday, I guess, or I found on the internet that in September there is this Open Source Summit, this Linux Foundation conference, actually happening. And then I was wondering, what about the Hyperledger Global Forum for this year? I guess it's a little bit too late to have something like that for this year. Yeah, I mean, I was just thinking about that and maybe I could ask this here, in our setup, to the Hyperledger folks, or Tracy, if you know anything about that, if there are any plans.

Yep, for sure. So my understanding is that there's going to be a member summit that is going to happen this year, and there's actually one in, I think, North America and then there's one in the Asia Pacific area. So if you're a member company and interested in attending that, you should have received some information about that already. And then for the Hyperledger Global Forum, the intent is to have it in 2024. So my understanding is, at least the last time, they were looking for the right venue for that conference, and I know they were supposed to be having some calls, like the last time I heard. So they may already have some information on that that I'm not aware of. But yeah, that's the status of that.

Right. I mean, did you guys hear from, I don't know, general community members that there is, I mean, high demand on such a gathering where the community can come together and discuss whatever the current development things are, like that? So that we maybe as a TOC should also try to stress a little bit on such an event, or maybe not.

In a bit such as the Global Forum, or are we talking about such a global forum, or, I mean, in the past you also had those hackfests?

Exactly, exactly.
That's why I was asking. Were you looking more for, we also had like a maintainer summit, I think in Minnesota, what year? So, you know, I didn't know if we were talking about maybe potentially also looking at something like that, where we're bringing together the maintainers of the project in kind of that hackfest setting, that unconference setting, versus the Global Forum.

You know, I don't know. I mean, from my personal experience, whatever come-together is actually beneficial for any form of collaboration. And if this is in the form of the Hyperledger Global Forum or a hackfest or a maintainer summit doesn't really matter so much. But I was wondering if the community actually asked for something like that, if you heard something about that. I mean, I got those questions from our internal teams, but I haven't really seen questions on Discord yet, but I'm also not, I mean, there are so many channels.

Yeah, I haven't seen any specific questions in Discord related to bringing together kind of the developer community, either in a hackfest or in the Global Forum. Like I said, I do know that there were some conversations about the Global Forum in the governing board meeting that have been discussed, but the date has not yet been set for that. But you're right, it's not going to be 2023; it's going to be 2024.

Yeah, all right. Okay. Yeah, thanks, Tracy, for sharing this with us.

Yeah, you're welcome. Anything else that anybody would like to discuss or bring up today?

I heard what I think is a staff issue in the chat.

Yeah, apologies. My mouse has fallen on the floor and I think it's disconnected everything, so I'm not able to read the chat. Sean, is there anything there?

Yeah, staff's aware of it. I'm the only member of staff on the call today.
So I'm gonna follow up with David and the team.

Thanks, Sean. Anything else today that anybody would like to bring up before we close? All right, so if not, I believe that Rama is back next week, and we did talk about doing the project lifecycle badging task force next week. So I'll definitely reach out to Rama early next week to make sure that he's ready for that, and hopefully that's what we'll be talking about next week. And if we're ready for the vote on the security policy, we'll add that to the agenda as well. Anything else that anybody would like to discuss before we close? All right, so if not, we will see you next week. Thanks, everyone.

Thank you.