 All right. Welcome everybody to the November 9th Hyperledger Technical Oversight Committee call. As you are probably all aware, I think you've all been on the call before. Two things that we have to abide by. The first is the antitrust policy. So we need to be aware that there are people here from a number of different organizations and we should not participate in any activities that are prohibited under any of the antitrust and competition laws across the world. And then the second thing that we have to abide by is our code of conduct. So for announcements today, we have the Hyperledger Dev Weekly Developer newsletter that goes out each Friday. If you do have something that you would like to include in that newsletter, please do leave a comment at the upcoming newsletter or Wiki page that is linked in the agenda. The second announcement that we have is that next week looks like next week Thursday. There is a workshop that is atomic cross ledger transactions between Hyperledger Basu and Corda ledgers using a Hyperledger cacti V2. And if you are interested in attending that workshop, please do register using the link that is in the agenda. The third announcement that we have is a reminder. If you are eligible to vote in the 2023-2024 TOC election, please do cast your vote prior to November 14th at the end of day by US specific time. Any other announcements that anybody has or would like to make? I was recently approached by NIC. NIC is National Informatics Centre based in India. It's a union government institute. And they would like to have multiple sessions on blockchain technology. They were wondering if we can have a session from the community. I haven't shared any list to them, but if you are interested, please do let me know. All right, thanks for any other announcements that anybody has? No, okay. So we do have four different quarterly reports that came in this week. They were all due today. Thank you all for being early. There is a couple of things in these reports that I think we should discuss as a TOC. The first thing I think was in the report that I saw, which was actually in the questions for the TOC, I think it was. So if we could look at the report itself. And then so here we have this question of an idea that came out of the second Hyperledger Indie Ecosystem Summit about a way for Hyperledger Foundation to enable a group to collect funds for an open source objective and use those funds to enable a code contribution. So I know that there's been some work that's ongoing part in this arena. I don't know if you want to speak to that about what's happening on the basis side. And, you know, maybe we can talk about, I think Steven, you were the one who wrote this question. Maybe we can talk about what it is specifically that the Indie community is looking for. Sure. There's a lot of stuff here. So I guess Tracy, what would you like me to start with? Yeah. So I guess, you know, just an update on kind of what came out with the Basu SIG, Basu for financing that's starting in the sister project. If you could just maybe give an overview of that. What's happening there so that people know exactly what's happening. And then I think that the question then will become clear about the Indie have the same sort of support that Basu might have. Sure. So I guess some background is there are some financial companies or financial service companies that want to fund Basu development but don't have access to developers themselves. And so they want to create an organization that allows them to do this. This has been done before at the Linux Foundation in a couple of different ways. Probably the closest way is the Alpha Omega Project under the open SSF Foundation. I'm sure Arno knows all about this. But the idea is, as Tracy said, we would run this as sort of a sister project to the Linux Foundation or I'm sorry, the sister project to the Hyperledger Foundation. You know, they would be legally independent entities and we're in the process of putting together a structure for this. You know, it's a bit of a slog because we have to get signed off from LF Legal and LF Accounting. And some of these have not gone so well in the past. So, you know, some of the higher ups at the LF are, you know, want to make sure we get it right. So it's coming along sort of slowly. But that's sort of the idea. So, you know, I guess, should I pause for questions on this before we go into indie stuff? Yeah, that's good. Anybody have any questions on that? And maybe one thing to highlight on that just so that people are aware is that there are large companies that are behind this effort who are looking to, you know, provide those funds. So it's not like individuals who are trying to provide funds or things like that. It's large organizations that are involved in this. Yeah, and I'll sneak in before people start asking questions, Tracy. One of the reasons we are doing this, it is a lot of time is because we are confident that there will be, you know, a reasonable amount of money in this. You know, and I guess the question that everyone will ask is, you know, will you do this for other projects or other efforts? And the answer is yes, if we think there are enough funds to, you know, make it worth the time and effort of setting something like this up. Thanks, Hart. Steven, I saw you come off mute first, so I don't know if you actually have a question. Yeah, I mean, I think I know that gives me enough of an answer for what I need. The main question I was going to ask was just, does it become cookie cutter or is each situation new and different and has to go through the same, you know, a similar process? That's a great question. It's going to be somewhere in the middle. So once we have the documentation, you know, we can certainly reuse some of that, but there is going to be sort of like a relatively time consuming review by LF Legal and LF Accounting that is, you know, that is going to be unavoidable. They're going to want to make sure that some of the red flags they've seen in these, they're going to, you know, we're going to have to sort of explain why for every community, you know, certain pitfalls are not happening, if that makes sense. That's beautifully ambiguous. Nice. Bobby. Yes, thank you, Tracy. This is a great idea, again, because a lot of people do want to contribute, but don't have the resources or the bandwidth to be able to do it. So this is awesome. I'm not sure, and that's why I'm just throwing this out there, but doesn't the Linux Foundation have a crowdfunding site that maybe we could just put the project up there and run everything through that? It does. It does have something on LFX, but we would want something that was a little bit more structured and had a little bit more communication baked into it, right? So we avoided duplication of features and everyone could coordinate. Got it. Thanks. All right, Peter. Might be to implementation specific of a question, but do you know if they're planning on having in that sister foundation full-time employees, contractors or some sort of kind of structure? No. So it should be relatively light from an oversight perspective. So it would be probably us as staff spending a little bit of time on it. But these organizations generally do charge some overhead. So I would imagine the organization would pay for hyperledger staff time, but I would imagine that that time would be quite minimal once it gets set up. Does that answer your question, Peter? Almost. Sorry. I think I didn't clarify it. I meant the people who end up doing the vericlic-based contributions. Sorry. Yes. So there would be contractors, I believe. The goal was to do it in sort of small chunks. You know, I'll say the BCGov code with us program has come up many times in discussion. So, you know, Steven can, yeah. I was going to say, have you considered using that? I mean, it is just outstanding as a way to do things. That has actually been fantastic because lots of people are saying, lots of people, the LF have suggested that these are very hard to get to work. And I say, well, we have one in our community that already works. So that's been very great that you all have done that. Yeah. I just wanted to follow up on the alpha omega part that Hart mentioned because he's right. I mean, so just so you know about OpenSSF and what's interesting is within OpenSSF there is this initiative called alpha omega, which is specially funded, which means there is a few companies that give extra money dedicated to this initiative on top of their membership dues. And I mean, we're talking millions of dollars every year. They give it's Google, Microsoft, and I think they've been joined by Amazon now. But and so they do this kind of like, they have their own staff and they are a bunch of initiatives and they do give money to certain projects to just to try to improve the security posture of those projects. But I would think that they would feel like this is too small a fish for them because to give you an idea, I mean, the the initiatives they've been funding, it's like OpenGS, right? They want to secure Node.js, which obviously, you know, they are looking for maximum impact. And I'm afraid they would feel like a project like this is too small for them. Oh, we're not trying to get funding from them. We're just discussing this as a funding model. Ah, I see. Yeah, so I can tell you a bit more of that. I mean, the Linux Foundation does have this notion of special funds. Yes, an SIF. That's correct. And so there is there is precedent for that. The challenge is not the legal framework to handle those funds, right? It's to get the money in. Well, the legal framework is also a challenge, but well, but it exists. So that's the good news, right? There is already a setup. It's been done before we can reuse that. Well, we're going to have to change it a little bit. I think even Alpha Omega is probably going to change their funding structure to some degree as well, or at least the legal framework behind it. All right. Any other comments, questions? Stephen, did you think that's answered the question for the TOC that was placed here in the report? Yes, the biggest, I guess, one other question, which is how far along is the Bay Zoo work? And there's a decent chance that this aligns with the Bay Zoo work. So I am kind of interested how far along that is and whether anything can be said about that yet, or do we just wait? Probably at this point, just wait. I hope I'll have something more concrete in a few weeks. All right, great. So that was one thing from the project report. The other thing that I saw was, I don't know your comment this morning or last night, whenever it was, that you sent it and I was asleep on the Aries project report, specifically about the Aries framework JavaScript wanting to move to the Open Wallet Foundation. And you wrote that this is something that the TOC should talk about and see if there's, you know, to better understand this and also to see if there's any sort of position that we have or would like to take on this particular movement, if you will, to the Open Wallet Foundation. Yeah, that's correct. I mean, I think that's a significant event that we need to understand. I mean, so the statement says that there's already a fork that has happened. And my first question is, well, why did these people feel they were better off working in the other foundation than coming back to Hyperledger and say, hey, you have this dormant project we want to resurrect, which we have a process for. So I'm curious to know why they felt they was better to do it over there. But more generally, you know, how do we want to draw a line? Do we feel like, yeah, that makes sense, you know, and because this seems to be specific to the .NET framework, but it seems odd that we would have one piece over there, the rest here. And I'm like, well, if we feel that this makes sense, why don't we move everything related over there. But, you know, I don't know. And that's my point is we should figure out what that means for us. Yeah, Stephen, did you want to talk about some of the conversations that have happened in the early community about this? I think we've got .NET, JavaScript, and then Python that are three different phases of what might happen here with these projects. Okay, .NET one is, I find it irritating. I've made that fairly clear in that it was basically abandoned by the open source part of it was abandoned. They continue to develop the products based on it. And so there continued to be releases and things of products based on it. But the .NET one didn't produce anything. And then with OpenWallet is OWF seems fairly aligned with what's happening in Europe in this area. And the developers that had a fork of .NET were based in Europe. And so they saw an opportunity to revive interest in what they were doing, even though they were essentially doing it, not doing it in the open anyway. But anyway, an opportunity to move it into the foundation of the day, if you will, and make some noise there. So I don't really care about that one. The areas framework, JavaScript is far more interesting. The story is fairly similar. The primary maintainers of that framework are based in Europe. Their opportunities and where they are using areas framework, JavaScript is in Europe. So they're interested in staying aligned with that. And therefore, OWF kind of makes sense from that perspective. And so they're they're, and they're feeling like the Aries brand is weakened, is weaker than the new things coming out of, the new news coming out of OWF. So therefore they should, that it's a good opportunity to move and perhaps gain some more attention by shifting the focus away from the term Aries. So it's largely marketing and trying to gain interest in the work that's going on. And it is to some degree adjusting the direction of the frameworks away from the historically indie base to a ledger agnostic, more neutral implementation that can deal with things like open ID for PCs. So that's the background of what's happening. It's difficult, it's open source, it can get ugly in places in that different people have different opinions and it's hard to get enough consensus to say, okay, let's do this. It's not totally obvious which is the right way to go. And so there is a fair amount of work just in simply moving from one from one Linux foundation to a different Linux foundation. So LF foundation to a different LF foundation, I should have said. So people are concerned with that amount of work. That's a bit of the background. Tracy, you've got a really good view of all of it. Yes, I do. And I was involved in some of the conversations with the Aries community for those of you who don't know on the call, I am also the open wallet foundation technical advisory council chair. So I get to see all of this from both views. So trying to wear multiple hats and stay very neutral. One way or the other is obviously a challenge. But I do think that it was quite interesting to be involved in the early discussions with the Aries community about when open wallet foundation first started, is this something that we want to do? Is this not something that we want to do? I had actually came out of those conversations thinking that the community he had settled on sticking with the Hyperledger foundation. And some of the reasons for that are obviously the maturity of the Hyperledger foundation, the things that the Hyperledger foundation offers as far as things like meetups and workshops and the training and all of the sorts of things that we've built up in this community over the last six, seven years, whatever it's been. And so I think it was an interesting thing when the .NET framework showed up. And I think it may have been a bit of a push when that happened and got accepted into the open wallet foundation to the Aries framework JavaScript maintainers. I don't know if that's the case or not. It's just my feeling of like, oh, well, if they've made it over there, maybe we can make it over there too. But I think one of the things that the Aries framework JavaScript maintainers have done really, really well is to communicate their desire to move and to try and get input and feedback from the community on whether or not the community thinks that's the right thing to do. They opened a discussion specifically on GitHub. On this particular topic, there's been obviously people who have responded who think this is a good idea, who have encouraged this to happen. And so I think after they got some feedback from the Hyperledger community, they also then opened up that same discussion to people within the open wallet foundation community to discuss whether or not the open wallet foundation people think this makes sense or not. I don't know that they've gotten as much input since then from folks in the open wallet foundation community. But I do think that they have taken some steps to make sure that people are aware of what's happening and trying to get input from the community. I think that's a good thing. I do think that there is a question that I have and that I've had since the open wallet foundation started, which is how do we work across these two communities, Hyperledger Foundation and the Open Wallet Foundation, because I do think that there is a lot of work that's been going on here in the Hyperledger Foundation that is focused on identity with Aries, indeed, and on creds. I think that the work that has been done here has been fantastic. It's actually, I think, made a lot of noise, not bad noise, but good noise out there in the world, in the ecosystem. And I think that there's been tremendous movement forward based on the work that the group has done here in the Hyperledger community. And so there's always been this question of, okay, there's going to be some things that are new and different coming into the Open Wallet Foundation, but there's still this connection that exists. And how do we make sure that we're collaborating across the communities? I think this becomes even more important now that we're seeing this potential split divide amongst the different Aries projects between the Open Wallet Foundation and the Hyperledger Foundation. And so, for me, it's more about making sure that the good work that's started here continues. However, that continues is really going to be dependent on the community, making sure that they're staying close and collaborating together. I don't have a good answer. I've never had a good answer for where things should go or shouldn't go. And so, yeah, I guess that's my add to what Steven's already said. And would love to see if other folks have any additional thoughts or feedback questions? I don't know. Yeah, so thank you both for the background there. It definitely helps a little bit to understand. And to be clear, I mean, to get back to one point Steven made, I mean, this is open source. We cannot stop people from forking projects and take it somewhere else. And obviously, my point wasn't about, you know, should we make a stink about it and somehow prohibit this? We can't. It was more, I think it's important that we understand the motivation behind those movements because, you know, if there's, so it sounds like this is mostly marketing driven maybe. And it's like, okay, maybe that's the way it is. There is not much we can do if that's the case. What I don't want is people to say, yeah, we're going somewhere else because we cannot work here. I would be concerned by that. And I would want to understand, you know, what is it that's not working for them that they feel they have to go play elsewhere? That's really what I was, you know, motivated by. And then overall, you know, I would do to ask the question if, you know, it's felt that that's the, it's better to keep everybody together. Should we just say, well, then maybe we should encourage more movement? Where do we draw the line if that's the case? Thanks. Yeah. Thanks, Arnold. Stephen. So a couple of things on that. First of all, I think I will strongly say that because Hyperledger works so well, it's not a slam dunk that we that everyone shifts over to open wallet. I think if both existed when the time Aries was created, it might have made sense to put it in the open wallet. But there's there was a strong feeling amongst a number of people in Aries that said, man, there's nothing over there. And we would have to start from scratch. And we have so much infrastructure tooling skill and experience in Hyperledger that, man, we would be starting from sticks and stones if we went over there, you know, went over there. So I would definitely underline it's definitely people don't aren't interested in moving because things aren't working here. The second thing I was going to say was that Aries kind of operates almost like different projects. So the different frameworks in Aries are almost independent and had been independent of one another. And so that's why you see differences across that there's not a a common voice coming out of the Aries communities. Basically, each one was almost operating like a different Hyperledger project. It's actually brought the communities that you know, we for a long time didn't have that many, you know, some people from different frameworks showing up at the Aries working group meetings. So that was troubling. We're now getting that more often that everyone's showing up at the meetings. I'm just going to add one more. I think the last thing is I think the identity, you know, the digital identity world is sort of at this point evolved into four or five different sort of camps. And what you're seeing is the Hyperledger groups are considered sort of one of the camps. Open Wallet is now the home of one of the other camps. And I think that's where again, why there's not a slam dunk. Oh, we should be in one place or the other. They're perceived as being there's perception amongst the participants of, oh, well, if we go to Open Wallet, we're espousing this worldview. If we stay at Hyperledger, we're espousing this worldview and so on. And I think that's probably the biggest complication going on here is that it sort of is a marketing move. It's a push to a different set of principles, if you will, or a feeling like you're shifting principles. So I think that's where a lot of the angst is coming from. All right, thanks, Steven. Any other comments, questions? No? Okay. So then we did get two other reports in. I haven't seen anything major in those reports as far as comments, but are there any questions on any of the other project reports or anything that I may have missed in the ARIES, Indie reports that we should have talked about? Okay. So then the discussion that we had on the agenda, although we just had great discussion and thank you for bringing those points up. But the other item we have on our agenda today is the security artifact signing task force. And so Arun, I don't know if you want to take us through kind of an update of what we're doing here in this particular task force. Thanks, Tracy. So I had to work on GitHub action so that we could reference that and create a proposal for the rest of the projects. I did not get time to work on that. I'm sorry about that. But we could review or summarize what we had discussed in the previous meeting. The last update that we had were discussions on using the tools which were available out of the box through open SSF. And we also had discussions about what it will it make sense to have our own six doors recur artifact. Would it make sense to just continue using the one available through the open SSF as a public instance? And then we did discuss about different artifacts that we are going to generate from within the hyperledger projects in terms of what it makes sense for us to have different approaches for creating signatures for them or should we look at a common approach and the conclusion or the discussion turned towards having these sign artifacts to be stored within the GitHub as a release artifact. So whenever we produce any kind of artifact which are a cargo file or a crate or a binary or any outcome of our build, we would like to have a GitHub action which would create a signature and then store the public and the verifiable information so that the signature on those can be verified by consumers. That's the discussion that we had so far. That's the summary of the discussion. I did not get a chance to work on GitHub action. I'll make sure that before the next meeting we have that updated so that we can go through the GitHub action and the proposal. The other thing we could possibly talk about is to talk to different projects such as Bible or Shallow or some other projects that utilizes the hand charts and ask them if they can introduce this component, the cosine or the policy controller which would verify if images that they're pulling in have been verified or if the images could be verified after pulling in. Arun, I have a question about that last bit they were talking about. Like the policy controller where it says that it can be used to verify if images have valid signatures before the women. Is that policy controller looking at all images or just a set of images? Because what I'm concerned about is if we have certain images that have the signature and certain images that don't have the signature would this basically stop the deployment from happening completely or would it just know that I should be looking for signatures, valid signatures on these particular images? It's a good question. I was purely focused on the Hyperlegia Produce Artifice but if those projects have dependencies for pulling which are not generated over here that would become difficult for us. Or we could provide this as a recommendation or a best practice if at all can be followed and then we can leave that to the users of the projects. Any other questions on these topics? Tracy, over to you. Again, sorry, like I could not get time to work on it of action then. Yeah, no problem. That's fine. So then any other topics that anybody would like to discuss today? Okay, so then next week the task force discussion is the badging life cycle task force discussion. So I know there is a meeting I think tomorrow. Is that correct, Burma? There is one on the calendar but I don't think you will need it. I think last time at the number we talked about the conclusions with our schools and I think nobody had an issue. So my next to do is to just put it out on a page and sorry I haven't had time until now but I should in the next three or four days. So I will put something out maybe by Monday or so and give us my chance to do it and maybe we can have a vote on in the next meeting. Okay, sounds great. So look for some information coming from Roma that summarizes and puts together the specifics around what we've already discussed and we can review that hopefully have a vote next week. So with that, if there are other items that we should also talk about next week, definitely let me know. I'll make sure to get that on the agenda. But without we can close out today's meeting. So thank you everybody for attending and thank you for the great discussion.