October 2020 - Idpy-board - lists3.sunet.se

Notes: idpy Board call, 9 January 2019

by hlflanagan＠sphericalcowgroup.com

Attendees: Heather, Roland, Christos, Ivan, Mike, Leif, Chris Action items: * Heather to draft the survey text re: Note Well (assuming the board votes in February to agree to using a Note Well rather than a formal CLA) * Ivan to update the Security Incident Response plan to indicate that issues will be logged and kept indefinitely * Heather to send out a calendar invite for TIIME and a doodle poll for the call after that. Notes: 1. Signing Board Participation agreement 2. * Still waiting on legal approval to do this (Mike). Can not make any formal decisions until this is done. 3. CLA or Note Well? 4. * Expect to handle existing contributors and new contributors differently. * o We can always ask all existing contributors if they think they had permission to contribute code via the note well (rather than sign a CLA). “Here is the Note Well we’re adopting for all future contributions. D you believe you have any problems accepting this? Do you believe you might not have been able to accept it for your previous contribution?" o If individuals don’t respond, may need to consider what to do otherwise. We will send the survey, send a reminder, then start trying for personal contacts. And if none of that works, we’ll consider what code they’ve submitted and determine if we can do it a different way. Some of their code might already have been redone so we aren’t as in an urgent a situation with regards to their contribution. * What about the JOT libraries? This shouldn’t be a problem since only Roland has contributed. The OIDF might want a CLA from Roland (that is a separate conversation). * Leif strongly in favor of a Note Well (see draft here: https://github.com/IdentityPython/Governance) rather than a traditional CLA. We want it to be easy for people to contribute; there is an expense when lawyers are brought in, and lawyers often don’t understand what we’re trying to do. 5. Commons Conservancy 6. * Christos has been discussing this within GEANT. GEANT does not have a final answer regarding IPR, but should have a final answer by the end of this week. They needed clarification that all the idpy material would remain in the open source domain. 7. TIIME? 8. * Roland and Mike will not be there; will dial them in from 4pm to 5pm CET (last hour of the developers meeting) * We should create an e-vote mechanism; perhaps launch at a meeting and let it extend for 3 days for people not able to attend. * Agenda: voting on CLA, Note Well text, IPR, possibly an update from the developers meeting, talk about how to use an intern 9. Adding new projects to idpy 10. * pyFF split - the JavaScript component on the front end does not fit into idpy; that component belongs with the RA21 governance group. The backend remains part of idpy. This kind of evolution, since it’s not entirely removing the project, a Board decision. Leif withdraws his request. * FYI https://github.com/IdentityPython/IdentityPython.github.io/wiki/Adding-and-… 11. Incident Response 12. * Ivan has created the incident-response list. Ivan will add the board members to this list, as well as some of the key developers for the various projects within idpy. * o This came up as result of the following almost-bad security issue: https://github.com/IdentityPython/pysaml2/issues/578 * There should be a page on the website re: how we recognize security research. (Some researchers contact developers expecting bug bounties. We can’t pay for this, but we can offer ‘payment’ in terms of recognition.) Look at SUNET’s website for an example. https://www.sunet.se/security-researcher-acknowledgments-for-sunet-services/ * o Heather to follow up on this and add it to the website. o Ivan to update (and Chris to review) the security incident response plan to be explicit that each item is logged and kept indefinitely in GitHub. 13. Next call - Heather to send out a doodle poll for end of February/beginning of March

1 month, 2 weeks

4
4
0 0

Notes: idpy Board call, 13 October 2020

by hlflanagan＠sphericalcowgroup.com

Attendees: Ivan, Roland, Leif, Chris, Heather, Christos Absent: Mike Action items 1. The Dev team needs to come up with a few key points on change management and semantic versioning first, which will apply to projects, and then inform and educate the Board on what that all means 2. After Board agreement on the change management requirements, reach out to the djangosaml2 maintainer and verify they will be willing to adhere to these requirements Update since our last meeting (see https://github.com/IdentityPython/) • Status of volunteer engagement - seeing largely the same people participating. Given we always have the same people, we continued to be constrained in what we can do to improve the projects over on • Where are more resources required? • Until we improve our documentation, we won’t be able to bring new people on to participate. • Documentation is happening at two levels, at the architecture level and at the code level. Ivan is responsible for the architecture level, but it has not been as high a priority as feature enhancement, security issues, etc. We do have volunteers helping with some of the code-level documentation (Hannah Sebuliba). Not every project is in the same place with regards to the available documentation; OIDC libraries are better off than the other projects. • We also need “how to” documentation, on top of documenting the code and documenting the architecture. • An interesting example is the Norwegian federation team where the developers wrote the first pass of the documentation, but the group that did the implementation were required to improve (and probably rewrite) the documentation. • Our documentation needs at every level are very complex; this is powerful software with many options for implementation. It would be best if we had a strategy to use our resources most efficiently, but we’re limited by what volunteers we have and where their skills/experience lay. Proposal for a new project to be brought on board (See https://dracc.commonsconservancy.org/0025/ for a reminder of how we add new projects to idpy.) • https://github.com/knaperek/djangosaml2 (see email to the board from 15 September, subject line: "idpy 2020 board meeting and a new project") • There is a concern about expanding the idpy product catalog without a proper way to manage the whole catalog. Is this production grade? What is the release management process? • The Dev team needs to come up with a few key points on change management and semantic versioning first, which will apply to projects, and then inform and educate the Board on what that all means, then Quality of the project and how we manage our projects overall • We should be asking each idpy project to follow a consistent release management process and a consistent testing process. The tools we use, how we use them and invoke them, as well as the policies around them, whether we use docker images, etc. • We do have templates for issues and PRs, but they are optional. Similarly, people do not always include tests. • Process is no guarantee of quality. If our ultimate goal is quality improvement, then we need to figure out how to get there then determine what policy is need to keep us at that level. We need the culture to evolve to overall improvements, so the team makes its own rules. • Review is how we manage quality. This ties back to the architecture documentation, so that more people can do the review than just Ivan because they understand how it all fits. • Perhaps tag as “future” all items that are not 100% vetted. • IdentityPython is not so much about turnkey solutions as it is about building tool kits. • The different idpy projects are very different in terms of scale - pySAML2 has been around for 16 years and has an enormous following, whereas the OIDC libraries have a group of 5 committers. There is unlikely to be one model that fits all. • Can we at least get to an agreement to use semantic versioning across all projects? Board nominations for 2021-2023 • 3 slots, currently filled by Leif, Christos, and myself, will be open • Note that Heather’s role is also “At-Large Director of Identity Python" Thanks! Heather

5 years, 1 month

2
1
0 0

IdentityPython Board Agenda & Reminder: 13 October 2020

by hlflanagan＠sphericalcowgroup.com

Date/time: 13 October 2020 @ 17:00 UTC Zoom link: https://us02web.zoom.us/j/85021594049?pwd=dWwzTG5vTGpmSXRCZXdzOHFSZXRtUT09 Meeting ID: 850 2159 4049 Passcode: 953486 Agenda 1 - Agenda bash 2 - Update since our last meeting (see https://github.com/IdentityPython/) • Status of volunteer engagement • Where are more resources required 3 - Proposal for a new project to be brought on board (See https://dracc.commonsconservancy.org/0025/ for a reminder of how we add new projects to idpy.) • https://github.com/knaperek/djangosaml2 4 - Board nominations for 2021-2023 • 3 slots, currently filled by Leif, Christos, and myself, will be open 5 - AOB Thanks! Heather

5 years, 1 month

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

Idpy-board October 2020