FYI, Microsoft legal is now fine with me signing the board document. How do you want that
done? Scanned paper, DocuSign, etc.?
-- Mike
From: Idpy-board <idpy-board-bounces at lists.sunet.se> On Behalf Of Roland Hedberg
Sent: Thursday, January 10, 2019 11:27 AM
To: Heather Flanagan <hlflanagan at sphericalcowgroup.com>
Cc: board at idpy.org
Subject: Re: [Idpy-board] Notes: idpy Board call, 9 January 2019
On 9 Jan 2019, at 20:58, Heather Flanagan <hlflanagan at sphericalcowgroup.com> wrote:
Attendees:
Heather, Roland, Christos, Ivan, Mike, Leif, Chris
Action items:
* Heather to draft the survey text re: Note Well (assuming the board votes in February
to agree to using a Note Well rather than a formal CLA)
* Ivan to update the Security Incident Response plan to indicate that issues will be
logged and kept indefinitely
* Heather to send out a calendar invite for TIIME and a doodle poll for the call after
that.
Notes:
1. Signing Board Participation agreement
   * Still waiting on legal approval to do this (Mike). Cannot make any formal
     decisions until this is done.
2. CLA or Note Well?
   * Expect to handle existing contributors and new contributors differently.
   * We can always ask all existing contributors if they think they had permission
     to contribute code via the Note Well (rather than sign a CLA). “Here is the Note Well
     we’re adopting for all future contributions. Do you believe you have any problems accepting
     this? Do you believe you might not have been able to accept it for your previous
     contribution?"
   * If individuals don’t respond, may need to consider what to do otherwise. We
     will send the survey, send a reminder, then start trying for personal contacts. And if
     none of that works, we’ll consider what code they’ve submitted and determine if we can do
     it a different way. Some of their code might already have been redone, so we aren’t in
     as urgent a situation with regards to their contribution.
   * What about the JOT libraries? This shouldn’t be a problem since only Roland has
     contributed. The OIDF might want a CLA from Roland (that is a separate conversation).

JWTConnect, not JOT. Actually there are 3 groups of JWTConnect libraries, one per language
(Python, Java and JavaScript). Each group contains 4 libraries/packages (cryptojwt, oidcmsg,
oidcservice and oidcrp). The group we talked about here was of course the Python one, for
which we should use the name JWTConnect-Python, as that matches what’s in the OIDF GitHub repo.

   * Leif strongly in favor of a Note Well (see draft here:
     https://github.com/IdentityPython/Governance) rather than a traditional CLA. We want it to
     be easy for people to contribute; there is an expense when lawyers are brought in, and
     lawyers often don’t understand what we’re trying to do.
3. Commons Conservancy
   * Christos has been discussing this within GEANT. GEANT does not have a final
     answer regarding IPR, but should have a final answer by the end of this week. They needed
     clarification that all the idpy material would remain in the open source domain.
4. TIIME?
   * Roland and Mike will not be there; will dial them in from 4pm to 5pm CET (last
     hour of the developers meeting)
   * We should create an e-vote mechanism; perhaps launch at a meeting and let it
     extend for 3 days for people not able to attend.
   * Agenda: voting on CLA, Note Well text, IPR, possibly an update from the
     developers meeting, talk about how to use an intern
5. Adding new projects to idpy
   * pyFF split - the JavaScript component on the front end does not fit into idpy;
     that component belongs with the RA21 governance group. The backend remains part of idpy.
     This kind of evolution, since it’s not entirely removing the project, a Board decision.
     Leif withdraws his request.
   * FYI
     https://github.com/IdentityPython/IdentityPython.github.io/wiki/Adding-and-…
6. Incident Response
   * Ivan has created the incident-response list. Ivan will add the board members to
     this list, as well as some of the key developers for the various projects within idpy.
   * This came up as a result of the following almost-bad security issue:
     https://github.com/IdentityPython/pysaml2/issues/578
   * There should be a page on the website re: how we recognize security research.
     (Some researchers contact developers expecting bug bounties. We can’t pay for this, but we
     can offer ‘payment’ in terms of recognition.) Look at SUNET’s website for an example.
     https://www.sunet.se/security-researcher-acknowledgments-for-sunet-services/
   * Heather to follow up on this and add it to the website.
   * Ivan to update (and Chris to review) the security incident response plan to be
     explicit that each item is logged and kept indefinitely in GitHub.
7. Next call - Heather to send out a doodle poll for end of February/beginning of
   March
_______________________________________________
Idpy-board mailing list
Idpy-board at lists.sunet.se
https://lists.sunet.se/listinfo/idpy-board
— Roland
It is curious that physical courage should be so common in the world, and moral courage so
rare. -Mark Twain, author and humorist (30 Nov 1835-1910)