Attendees:
Heather, Roland, Christos, Ivan, Mike, Leif, Chris
Action items:
* Heather to draft the survey text re: Note Well (assuming the board
  votes in February to agree to using a Note Well rather than a formal
  CLA)
* Ivan to update the Security Incident Response plan to indicate that
  issues will be logged and kept indefinitely
* Heather to send out a calendar invite for TIIME and a doodle poll
  for the call after that.
Notes:
1. Signing Board Participation agreement
   * Still waiting on legal approval to do this (Mike). Cannot make
     any formal decisions until this is done.
2. CLA or Note Well?
   * Expect to handle existing contributors and new contributors
     differently.
     o We can always ask all existing contributors if they think
       they had permission to contribute code via the Note Well
       (rather than sign a CLA). “Here is the Note Well we’re
       adopting for all future contributions. Do you believe you
       have any problems accepting this? Do you believe you might
       not have been able to accept it for your previous
       contribution?”
     o If individuals don’t respond, may need to consider what to
       do otherwise. We will send the survey, send a reminder, then
       start trying for personal contacts. And if none of that
       works, we’ll consider what code they’ve submitted and
       determine if we can do it a different way. Some of their
       code might already have been redone, so we aren’t in as
       urgent a situation with regard to their contribution.
   * What about the JOT libraries? This shouldn’t be a problem since
     only Roland has contributed. The OIDF might want a CLA from
     Roland (that is a separate conversation).
   * Leif strongly in favor of a Note Well (see draft here:
     https://github.com/IdentityPython/Governance) rather than a
     traditional CLA. We want it to be easy for people to contribute;
     there is an expense when lawyers are brought in, and lawyers
     often don’t understand what we’re trying to do.
3. Commons Conservancy
   * Christos has been discussing this within GEANT. GEANT does not
     have a final answer regarding IPR, but should have a final
     answer by the end of this week. They needed clarification that
     all the idpy material would remain in the open source domain.
4. TIIME?
   * Roland and Mike will not be there; will dial them in from 4pm to
     5pm CET (last hour of the developers meeting)
   * We should create an e-vote mechanism; perhaps launch at a
     meeting and let it extend for 3 days for people not able to attend.
   * Agenda: voting on CLA, Note Well text, IPR, possibly an update
     from the developers meeting, talk about how to use an intern
5. Adding new projects to idpy
   * pyFF split - the JavaScript component on the front end does not
     fit into idpy; that component belongs with the RA21 governance
     group. The backend remains part of idpy. This kind of evolution,
     since it’s not entirely removing the project, a Board decision.
     Leif withdraws his request.
   * FYI
     https://github.com/IdentityPython/IdentityPython.github.io/wiki/Adding-and-…
6. Incident Response
   * Ivan has created the incident-response list. Ivan will add the
     board members to this list, as well as some of the key
     developers for the various projects within idpy.
     o This came up as a result of the following almost-bad security
       issue: https://github.com/IdentityPython/pysaml2/issues/578
   * There should be a page on the website re: how we recognize
     security research. (Some researchers contact developers
     expecting bug bounties. We can’t pay for this, but we can offer
     ‘payment’ in terms of recognition.) Look at SUNET’s website for
     an example.
     https://www.sunet.se/security-researcher-acknowledgments-for-sunet-services/
     o Heather to follow up on this and add it to the website.
     o Ivan to update (and Chris to review) the security incident
       response plan to be explicit that each item is logged and
       kept indefinitely in GitHub.
7. Next call - Heather to send out a doodle poll for end of
   February/beginning of March
Hello idpy Board members!
I hope this message finds you well and neither sick nor suffering from smoke inhalation. It has been quite some time since we’ve had a chance to meet, and we have a few things to cover as a board:
1 - We have a request to add a new project under the idpy umbrella: djangosaml2. I’m copying the note from Giuseppe de Marco about djangosaml2 below. See https://dracc.commonsconservancy.org/0025/ for a reminder of how we add new projects to idpy.
2 - We should think about the 2021 board selection. There are 3 slots, currently filled by Leif, Christos, and myself, that will be open. Individuals are always welcome to re-nominate for the Board.
I’d like to get a call on the calendar to catch up on idpy activities, discuss the new project, and talk about plans for 2021 and beyond. If you would, please fill out the doodle poll by the end of this week:
https://doodle.com/poll/ckh357gcctrekqvd
---
Subject: djangosaml2
Hello everybody,
As you may have guessed from the subject of this email, I have the pleasure of presenting here djangosaml2, in anticipation of its migration to Identity Python.
In CC Jozef Knaperek, former contributor of pysaml2 and person who from 2016 to date has maintained the fork of this project, now hosted in the personal GitHub, which today has a fair audience and satisfaction within the Django community.
Here is:
https://github.com/knaperek/djangosaml2
As is evident, djangosaml2 is an application designed for Django Framework, written above pysaml2 that presents closely related goals to this. This is why we believe that bringing djangosaml2 to idpy can be quite natural, and if we want it also advantageous, for the possibility of increasing its community.
Currently the project is published on PyPI and the version release policy, and acceptance of contributions, depends on validating the code by running unit tests (Tox over GitHub Actions). The coverage of djangosaml2 is currently less than 80% in the v0.40.1 but higher than 90% for the v1.0.0 version (see branch of the same name). The latter is in the process of being released and it might be a good opportunity to release it directly within idpy.
The versions from v0.19.0 to v1.0.0 were made possible by a great enthusiasm, which arose within its community, manifested following the first interactions for the requalification of the project, as regards the feedback offered both in the issues and in the PR pending. Having given so much trust activated several contributors in a relatively short time makes us optimistic about the general resilience of the project, such as to think about the good health of its community and not least the possibility that this project could hopefully continue to live on external contributions only.
In any case, the people that are glad to present here djangosaml2, for whom we undertake the commitment of a management over time, are Me and Knaperek. I know that we have not written everything but rather we fear we have written too much. We are available to answer in this thread on further organizational and managerial aspects of the project.
Sure of your kind reply, we greet you
---
Thanks! Heather