Attendees:
Heather, Roland, Christos, Ivan, Mike, Leif, Chris

Action items:
* Heather to draft the survey text re: Note Well (assuming the board votes in February to agree to using a Note Well rather than a formal CLA)
* Ivan to update the Security Incident Response plan to indicate that issues will be logged and kept indefinitely
* Heather to send out a calendar invite for TIIME and a doodle poll for the call after that.
Notes:
1. Signing Board Participation agreement
   * Still waiting on legal approval to do this (Mike). Cannot make any formal decisions until this is done.
2. CLA or Note Well?
   * Expect to handle existing contributors and new contributors differently.
     o We can always ask all existing contributors if they think they had permission to contribute code via the Note Well (rather than sign a CLA). “Here is the Note Well we’re adopting for all future contributions. Do you believe you have any problems accepting this? Do you believe you might not have been able to accept it for your previous contribution?”
     o If individuals don’t respond, we may need to consider what to do otherwise. We will send the survey, send a reminder, then start trying personal contacts. If none of that works, we’ll look at what code they’ve submitted and determine whether we can handle it a different way. Some of their code might already have been redone, so we aren’t in as urgent a situation with regard to their contribution.
   * What about the JOT libraries? This shouldn’t be a problem since only Roland has contributed. The OIDF might want a CLA from Roland (that is a separate conversation).
   * Leif is strongly in favor of a Note Well (see draft here: https://github.com/IdentityPython/Governance) rather than a traditional CLA. We want it to be easy for people to contribute; there is an expense when lawyers are brought in, and lawyers often don’t understand what we’re trying to do.
3. Commons Conservancy
   * Christos has been discussing this within GEANT. GEANT does not have a final answer regarding IPR, but should have one by the end of this week. They needed clarification that all the idpy material would remain in the open source domain.
4. TIIME?
   * Roland and Mike will not be there; we will dial them in from 4pm to 5pm CET (last hour of the developers meeting).
   * We should create an e-vote mechanism; perhaps launch the vote at a meeting and let it run for 3 days for people not able to attend.
   * Agenda: voting on CLA, Note Well text, IPR, possibly an update from the developers meeting, talk about how to use an intern.
5. Adding new projects to idpy
   * pyFF split - the JavaScript component on the front end does not fit into idpy; that component belongs with the RA21 governance group. The backend remains part of idpy. Since this kind of evolution does not entirely remove the project, it does not require a Board decision. Leif withdraws his request.
   * FYI: https://github.com/IdentityPython/IdentityPython.github.io/wiki/Adding-and-…
6. Incident Response
   * Ivan has created the incident-response list. Ivan will add the board members to this list, as well as some of the key developers for the various projects within idpy.
     o This came up as a result of the following almost-bad security issue: https://github.com/IdentityPython/pysaml2/issues/578
   * There should be a page on the website re: how we recognize security research. (Some researchers contact developers expecting bug bounties. We can’t pay for this, but we can offer ‘payment’ in terms of recognition.) Look at SUNET’s website for an example: https://www.sunet.se/security-researcher-acknowledgments-for-sunet-services/
     o Heather to follow up on this and add it to the website.
     o Ivan to update (and Chris to review) the security incident response plan to be explicit that each item is logged and kept indefinitely in GitHub.
7. Next call - Heather to send out a doodle poll for end of February/beginning of March.
Wrongly sent only to Christos.
> Begin forwarded message:
>
> From: Roland Hedberg <roland(a)catalogix.se>
> Subject: Re: [Idpy-board] satosa - oidc
> Date: 24 October 2022 at 15:20:06 CEST
> To: Christos Kanellopoulos <christos.kanellopoulos(a)geant.org>
>
> Christos,
>
> It goes without saying that I’d prefer us to use the eduTEAMS implementation.
> Given the effort you have put into it, it’s at the top of the list.
> But, we need it to be public.
>
> I’d prefer that you would just publish what you have and we can go from there.
> That you have a private branch where your higher demands on software quality are met is not a problem to me.
>
> If you plan to wait until idpy-oidc has stopped changing then you will have to wait forever. Or at least until I stop being
> responsible for the package.
>
> There is always going to be new RFCs, Internet drafts, OIDF standards and industry specifications that we want/need to support
> if we want to be noteworthy. And that forces us to add/rewrite/refactor idpy-oidc.
>
> I try to keep people informed about such changes at the bi-weekly idpy meetings.
>
> The standards I’m working on right now are CIBA and OIDC Federation. Both of which demand some basic changes.
>
> Please send me an invite to your Thursday call and let's go from there.
>
>> 24 okt. 2022 kl. 14:56 skrev Christos Kanellopoulos <christos.kanellopoulos(a)geant.org>:
>>
>> Hello Roland,
>>
>> Of course, we do not have to use the eduTEAMS implementation. Having said this, once again we are hindered by the changes in the underlying libraries. In September the development team migrated the frontend to the new OP library, but our testing has shown that the new implementation is not stable for production use. At this point we are not sure whether it is a problem in the OP library or the way it was integrated. I believe we will have more information on Thursday about this. Perhaps Ivan can say more about this.
>>
>> We have already given access to a number of people in the private repository, but we have not seen any contributions yet. I would be happy to add you and/or other trusted people in the private repository and also invite you in our Thursday call if you have the time to help in realising a stable version that we can open source.
>>
>> Christos
>>
>> On 24 Oct 2022, at 14:34, Roland Hedberg wrote:
>>
>>> Sorry for the confusion! I meant satosa-pyoidc not satosa-oidcop.
>>>
>>>> 24 okt. 2022 kl. 10:23 skrev Roland Hedberg <roland(a)catalogix.se>:
>>>>
>>>> Hi!
>>>>
>>>> This situation with EduTEAMs not releasing their satosa-idpy-oidc integration is really hurting IdPy.
>>>>
>>>> I think we should give up on EduTEAMs and instead bring in Giuseppe’s implementation.
>>>>
>>>> As long as we keep satosa-oidcop on line as the ‘official’ IdPy SATOSA-OIDC package we lose a lot of
>>>> help in making our own OIDC implementation better.
>>>>
>>>> — Roland
>>> _______________________________________________
>>> Idpy-board mailing list -- idpy-board(a)lists.sunet.se
>>> To unsubscribe send an email to idpy-board-leave(a)lists.sunet.se
>>
>