
Community Office Hour 2024-04-19

Gabor Almadi
Consortia System Team Member

Office Hour meeting minutes

System team

  • n/a

Security team

  • An updated list of security-related TRGs is available after this PR has been merged

FOSS

Open planning / community

  • New dates with blockers will be added to the website for release 24.12 soon, keep an eye on them! There will be a news entry when they are available
  • Starting with the next release (24.05), QG4 reviews must be done in pairs so that every committer can get familiar with the process. A committer can't review their "own" products

Discussions

  • You can read about Eclipse roles and how to become one here
  • There is a new board work in progress on GitHub that could be a replacement for the current Miro board we use for the Office Hour
  • Kubernetes 1.30 is available now, but consortia clusters are still on 1.27 (which is the LTS version). This should be aligned, as TRG 5.10 describes our goal differently.
  • For release 24.05 you can open an issue for security assessment in the sig-security repository. This support won't be available starting with release 24.08
  • There is a problem currently with the calendar files on the website for. It is being investigated and an update will be provided soon.

Committer Meeting 12.04.2024

Stephan Bauer
Eclipse Tractus-X Project Lead

Committer meeting - meeting minutes

Open Planning Participation of committers

The open planning is one of the most important meetings. I think 14 (of 41) committers were present, but only two used their voice ;) what about the others?

=> Maybe we should talk more beforehand, about the importance of the meeting. Responsibilities and expectations of attendance.

Label structure

The labels on the features are very important for dependencies and filtering. Yes we have a lot, but we need more ;) but on the other hand we can also delete some ;)

Suggestions:

New needed

  • ssi
  • data-sovereignty
  • policy-hub
  • policy-registry
  • issuer-component
  • authority-registry

=> discussed -> create the labels

  • open-discussions (color: red)
  • Prep-P14 -> maybe Prep-R2412 -> do we need the specific prep label?
  • Prep-P15
  • Standards (marks tickets which have impact on standards)
  • Breaking Change (marks breaking change tickets)

Changes needed

  • miw => rename to identity-wallet

Delete (probably we need to discuss this once since a deletion has impacts…)

  • kit (reason: each kit has an own label already)
  • foss
  • go
  • PI12 (ideally we just set it to inactive to not lose it on the old tickets)
  • Prep-P11 (ideally we just set it to inactive to not lose it on the old tickets)
  • Prep-P12 (ideally we just set it to inactive to not lose it on the old tickets)
  • Project management
  • Test results

Additionally, I would like to suggest a clear color coding

  • All Product labels - ocean blue
  • All Prep-Pxx labels - grey
  • All highlight labels - red
  • All UseCase labels - green -> can we delete this?
  • All Expert group labels - yellow

=> HTML color code is used

Clean Board

My feeling is, we will have roughly 60 features for 24.08 -> all good. Happy about it. But on the board itself we have more than 200. I understand it's good to have some features in inbox/backlog... but I think the gap is too big... and I think a lot of them could be deleted ;(

=> discussed and decided: Friendly reminder -> after a specific amount of time the issues are deleted automatically

Views on project board

The views (tabs) should be cleaned up. Which views are still needed?

  • Feature view (issuetype feature) -> for Expert Groups / Committees / Developer
  • QGate View (issuetype realease_ac)
  • ???

Future working model

Instead of Miro, we could work with a GitHub Project for agenda/issue tracking, e.g. example board

=> let's try it

Custom Attribute

Since we work together (e.V./Open Source), it would be beneficial if we could map the features to the related expert (groups). Therefore I would like to discuss a custom attribute which holds the related committee/expert group (dedicated list) -> This would help to filter and also get a better feeling

=> prepare a PoC -> Tom, Stephan

Feature quality

Since sometimes the quality (how is a feature described, did you clarify your dependencies, did you talk to your committer, is the time allocated) I would like to extend the feature template to guide a little bit more. For example a checklist like:

  • [ ] I have talked to dependent components
  • [ ] I have talked to my committers
  • [ ] I will contribute to this feature
  • ...

-> mention the release process via link in the template, keep the template simple -> link the contribution guidelines

Community Office Hour 2024-04-12

Consortia System Team Member

Office Hour meeting minutes

System team

  • The number of previous KIT versions of the home page has been reduced (this speeds up the compile process by 3,5x).
  • System team is working on collecting the OpenAPI specs (as alternative to SwaggerHub)

Security team

  • Invicti DAST scans are available now. They are not part of the next QG.
  • Heads up regarding the XZ backdoor awareness mail on the mailing list

FOSS

  • Committer elections are important to prevent hostile project takeover (especially in the wake of the XZ Utils backdoor)

Open planning / community

  • n/a

Discussions

  • Reminder that there will be a "tandem mode" review for next QGate:
    • one reviewer from System team and one committer from the projects for each QG Check
    • the "project committer" cannot review his/her own project

Community Office Hour 2024-04-05

Sebastian Bezold
Consortia System Team Member

Office Hour meeting minutes

System team

  • Several TRGs in Draft
    • See TRG 0
    • Dedicated PRs will be raised to gather feedback before publishing

Security team

  • Veracode license finally expired
    • Dashboards still accessible
    • No new scans can be run
    • CodeQL is the replacement
  • Security TRGs live. See the "TRG 8 - Security" section in Release Guidelines

FOSS

  • n/a

Open planning / community

  • n/a

Discussions

  • Dependabot PRs
    • In general: keep your dependencies up to date. Keep the DEPENDENCIES file in mind. Ask committers for help, if you don't have one in your team.
    • Specifically Docker base images: If Dependabot suggests upgrading the base image to a new major library version that you do not support, ask a committer to tell Dependabot to ignore the dependency
    • Specifically Chart Releaser Action: Should not be an issue, but we can investigate if the upgrade would raise issues (1.4.1 to 1.6.0 in this case)
  • Are there updates to API versioning?
    • No one in the call had an update
    • The Discussion has been untouched for a while
    • If this is an issue for anyone, please push that topic again

Security Office Hour 2024-03-28

Consortia Security Team Member

Security Office Hour meeting minutes

Announcements

  • SAST:
    • Veracode - Offboarding: Last reminder, license terminates on 30-March-2024
    • CodeQL - Onboarding - Workflow Setup: TRG 8.01
  • DAST security scans are not part of the next release 24.05 (Updates will follow through the QG Acceptance Criteria)
  • KICS, Trivy, GitGuardian and Dependabot tools will continue as they are.

Community Office Hour 2024-03-22

Sebastian Bezold
Consortia System Team Member

Office Hour meeting minutes

System team

  • Investigating slow website build times
    • Local builds (and CI) take increasingly more time (~13 min for static build with empty caches)
    • Heap size has to be increased on some machines
    • Potential source: Versioning of the KITS and keeping all the versions

Security team

  • Some teams are already migrating from Veracode to CodeQL. Great! Remember to also remove Veracode workflows in this case.
  • PR to publish the Security TRG section will be raised
  • Snyk will not be part of the Security TRGs and therefore not mandatory. Best practices and how-tos will still be provided in sig-security

FOSS

  • Getting started guide improved
    • Makes it easier for new joiners
    • Please link to this guide instead of duplicating information
    • If anything is missing, feel free to raise a PR or open an issue

Open planning / community

  • Tractus-X "Stammtisch Munich". See Matrix post
  • Old consortia office hour meeting will be cancelled. Open meeting link is now well known.

Discussions

  • People have been receiving on- and offboarding emails for the Tractus-X contributor team in GitHub
    • Unclear what triggered it
    • If you are a committer, you don't need to also be part of the contributor group
    • In case you lost a necessary group assignment, please reach out

Community Office Hour 2024-03-15

Fabian Grün
Consortia System Team Member

Office Hour meeting minutes

System team

Security team

FOSS

  • Congrats to Rohan Krishnamurthy as a new committer in our community.
  • No open feedback or veto to archiving repositories that are out of purpose

Open planning / community

  • Current planning around the 2nd Community Days Event, feel free to join
  • Info session "Processes, Methods, Tools" for the next release 24.08 will be presented in the planning meeting on Monday

Open Discussions

  • Committer Matrix Chatroom is now available for us within Eclipse Tractus-X.
  • Release Day information to release day insights (YouTube)
    • Impressions for release process from Hanno, new standards and topics like SSI and further breaking changes
    • Working together with the community

Security Office Hour 2024-03-14

Consortia Security Team Member

Security Office Hour meeting minutes

Announcements

  • SAST: CodeQL transition is ongoing, and PRs to add the corresponding workflows are in progress. Veracode license will expire at the end of March, so everyone is encouraged to review their workflows to ensure a timely transition to CodeQL.
  • DAST: Invicti license will expire at the end of August and already exceeded the website limit. There will be no DAST tool required for the next Quality Gate.
  • Secret scanning
    • GitGuardian is currently set up, but Gitleaks is a potential successor.
    • Testing of GitHub secret scanning is still in progress.
  • TRG 8.0 has been published as a draft, adjustments via PR are warmly welcome.

Open Discussions

  • none

Community Office Hour 2024-03-08

Gabor Almadi
Consortia System Team Member

Office Hour meeting minutes

System team

  • n/a

Security team

  • TRG 8.01, 8.03, 8.04, 8.05 first drafts are created, final versions will come soon
  • Be patient with CodeQL, could be tedious since it does provide a lot of findings

FOSS

  • A new committer election is open for Rohan Krishnamurthy. Please visit the page and cast your vote!

Open planning / community

  • Role of the committer is being discussed, it will be presented in the next committer meeting. Basic role descriptions come from the Eclipse Foundation, but we want to specify in Tractus-X what else can be expected from a contributor, committer and project lead.
  • Association release process and Eclipse Tractus-X need to be aligned, as the first is managed by the association and the second should be driven by the community.

Open Discussions

  • We should align on how and where a migration documentation should be created for products. This would ensure that upon Breaking Changes the upgrade processes can run smoothly with a guide available for everyone. The guide could include property, configuration, API changes and everything else that would affect the upgrade process from an old version to the new one. A draft will be available on a working model that could be implemented by the products soon. A TRG could include information on where these guides should be located and in which format.