Attendees:
Heather, Roland, Christos, Ivan, Mike, Leif, Chris
Action items:
*
Heather to draft the survey text re: Note Well (assuming the board
votes in February to agree to using a Note Well rather than a formal
CLA)
*
Ivan to update the Security Incident Response plan to indicate that
issues will be logged and kept indefinitely
*
Heather to send out a calendar invite for TIIME and a doodle poll
for the call after that.
Notes:
1.
Signing Board Participation agreement
2.
*
Still waiting on legal approval to do this (Mike). Can not make
any formal decisions until this is done.
3.
CLA or Note Well?
4.
*
Expect to handle existing contributors and new contributors
differently.
*
o
We can always ask all existing contributors if they think
they had permission to contribute code via the note well
(rather than sign a CLA). “Here is the Note Well we’re
adopting for all future contributions. D you believe you
have any problems accepting this? Do you believe you might
not have been able to accept it for your previous
contribution?"
o
If individuals don’t respond, may need to consider what to
do otherwise. We will send the survey, send a reminder, then
start trying for personal contacts. And if none of that
works, we’ll consider what code they’ve submitted and
determine if we can do it a different way. Some of their
code might already have been redone so we aren’t as in an
urgent a situation with regards to their contribution.
*
What about the JOT libraries? This shouldn’t be a problem since
only Roland has contributed. The OIDF might want a CLA from
Roland (that is a separate conversation).
*
Leif strongly in favor of a Note Well (see draft here:
https://github.com/IdentityPython/Governance) rather than a
traditional CLA. We want it to be easy for people to contribute;
there is an expense when lawyers are brought in, and lawyers
often don’t understand what we’re trying to do.
5.
Commons Conservancy
6.
*
Christos has been discussing this within GEANT. GEANT does not
have a final answer regarding IPR, but should have a final
answer by the end of this week. They needed clarification that
all the idpy material would remain in the open source domain.
7.
TIIME?
8.
*
Roland and Mike will not be there; will dial them in from 4pm to
5pm CET (last hour of the developers meeting)
*
We should create an e-vote mechanism; perhaps launch at a
meeting and let it extend for 3 days for people not able to attend.
*
Agenda: voting on CLA, Note Well text, IPR, possibly an update
from the developers meeting, talk about how to use an intern
9.
Adding new projects to idpy
10.
*
pyFF split - the JavaScript component on the front end does not
fit into idpy; that component belongs with the RA21 governance
group. The backend remains part of idpy. This kind of evolution,
since it’s not entirely removing the project, a Board decision.
Leif withdraws his request.
*
FYI
https://github.com/IdentityPython/IdentityPython.github.io/wiki/Adding-and-…
11.
Incident Response
12.
*
Ivan has created the incident-response list. Ivan will add the
board members to this list, as well as some of the key
developers for the various projects within idpy.
*
o
This came up as result of the following almost-bad security
issue: https://github.com/IdentityPython/pysaml2/issues/578
*
There should be a page on the website re: how we recognize
security research. (Some researchers contact developers
expecting bug bounties. We can’t pay for this, but we can offer
‘payment’ in terms of recognition.) Look at SUNET’s website for
an example.
https://www.sunet.se/security-researcher-acknowledgments-for-sunet-services/
*
o
Heather to follow up on this and add it to the website.
o
Ivan to update (and Chris to review) the security incident
response plan to be explicit that each item is logged and
kept indefinitely in GitHub.
13.
Next call - Heather to send out a doodle poll for end of
February/beginning of March
Attendees:
Chris, Roland, Heather, Ivan, Christos
Slides: https://docs.google.com/presentation/d/13QL_QRmxZQkLrHYAizoUqTdVZLlQnkwjLMv…
Notes:
• 2022 highlights
• also add that we have an official docker image for Satosa
• note that all but the CryptoJWT should be noted as archived; replaced by idpy-oidc
• Status of current work
• Considering future idpy projects
• GÉANT+SUNET+SURF were awarded a grant that will allow them to roll out a wallet in the academic space. Part of this work will be developing these capabilities for Satosa, and turn Satosa into a digital wallet. Everything on this slide will need to be added to Satosa, and work needs to start now. There will be a dev team from SUNET working on the wallet, and GÉANT will run the pilot on their infrastructure. This work is expected to be in a public space, though it is on top of the OIDC front end that's still private (but that is expected to be moved to the public space very soon). By this summer (end of August) we need to have the PoC ready. The list on the slide will be separate libraries.
• pySAML2 has been stable; the work happening now is to support the new REFEDS entity categories, updating the python version, and typing. When we look to the future projects, they are all OIDC related. So what will happen to pySAML2? We can keep developing and adding features, but should that be our focus? Is it time to shift this purely into maintenance? What impact does this have on the logging issues that intertwine between Satosa and pySAML2? It is possible for these to drift such that the logs could look very different depending on the protocol. They will always look somewhat different because they are different protocols.
• Roland's refactoring of idpy-oidc will be presented as a PR soon, and that will need to be verified against the eduTEAM work. When that's done, the code will be in sync and all future work will be in the public space. For logging, will need to be able to follow an individual as they move between protocols; we shouldn't let the two libraries drift too much when it comes to logging. This needs a broader architecture discussion. The library does not have the context of what is using it, which makes logging very difficult. We will need to have sponsors for this work given the scale and human resources to do this.
• Heather + Ivan to organize a dedicated call for this to determine scope. Heather then will discuss with the board the opportunity for sponsors. Funding can continue to be in-kind with organizations who are willing to contribute their resources and code, and we can also start looking for sponsors to the project overall and routing money through IdPy
• Should idpy have its own funding and development capacity? Or is the way we're working now sufficient and appropriate for this project? At least for logging, the restriction has been that in-kind contributors see this as important, but too big to handle.
• FedCM - Two things here to remember - browsers are changing, and, separately, FedCM may be a solution to help bridge the impact with the protocols. One thought is that this is an entirely separate authentication flow. In all cases, these changes may change how idpy libraries work. The FedCM API is likely incompatible with how we handle authentication today. SAML would need a new binding, OIDC would need new features as well. The idpy board needs to be aware of these changes and potentially have a voice in the proposals and take a position. Are our sponsors willing to fund the work here? If they don't, will we lose the opportunity to influence the work positively?
• Heather to schedule another board meeting in March after the FedCM hackathon to discuss outcomes and next steps
Thanks! Heather
Hello idpy Board members!
As a reminder, our annual call is scheduled for Tuesday, 7 February 2023 at 09:00 UTC -8. If you did not receive the calendar invitation a few weeks ago, please let me know!
Our draft agenda and a few slides are available online (I originally sent this with a PDF but that made the mailing list software reject the message as too large)..
Thanks! Heather
