BRIDGE: https://zoom.us/j/661303200?pwd=TFdRd0c2MTJUem8xa252UGJHTE1Mdz09

Passcode: 209247

We will start our meetings by mentioning the project's Antitrust Policy, which you can find linked from the LF and project websites. The policy is important where multiple companies, including potential industry competitors, are participating in meetings. Please review and if you have any questions, please contact your company legal counsel. Members of the LF may contact Andrew Updegrove at the firm Gesmer Updegrove LLP, which provides legal counsel to the LF.

Attendance is taken purely upon #info in Zoom Chat 

Zoom Chat Log 

07:00:21 From Fernando (Fred) Oliveira to Everyone : #info Fred Oliveira, Verizon
07:00:37 From Alla Goldner to Everyone : #info Alla Goldner, Amdocs
07:00:45 From Dong Wang (China Telecom) to Everyone : #info Dong Wang, China Telecom
07:00:57 From bin.yang@windriver.com to Everyone : #info Bin Yang, Wind River
07:01:14 From Andreas GEISSLER (DT) to Everyone : #info Andreas Geissler, DT
07:01:15 From Yuanhong Deng (China Mobile) to Everyone : #info Yuanhong Deng, China Mobile
07:01:29 From Magnus Buhrgard to Everyone : #info proxy Magnus Buhrgard (Ericsson)
07:01:43 From Yuanhong Deng (China Mobile) to Everyone : # Info proxy Yuanhong Deng, China Mobile
07:02:21 From Jason Hunt to Everyone : #info Jason Hunt, IBM
07:02:24 From SaiSeshu (Huawei) to Everyone : #info Seshu, huawei
07:03:06 From Ranny HAIBY (Samsung) to Everyone : #info Ranny Haiby, Samsung
07:03:12 From Srini Addepalli (Intel) to Everyone : #info Srini Addepalli, Intel
07:03:16 From Niamh Core (EST) to Everyone : #info Niamh Core, EST
07:03:29 From Timo Perala (Nokia) to Everyone : #info Timo Perala, Nokia
07:07:21 From Kenny PAUL (LFN) to Everyone : #AGREED extension on exceptions to M2 of one week, due to extended arch review schedule to June 29
07:10:18 From Catherine Lefevre to Everyone : #info, AT&T Catherine lefevre
07:16:54 From Catherine Lefevre to Everyone : kudos to the new CPS committers
08:17:17 From Kenny PAUL (LFN) to Everyone : #AGREED on pursuing a POC - we need to identify where to run the POC.  
08:17:40 From Kenny PAUL (LFN) to Everyone : #AGREED on pursuing a POC for ScanCode.io - we need to identify where to run the POC.  
08:27:16 From Catherine Lefevre to Everyone : I am sorry I need to drop - hosting a call in less tjan 5 but i have covered integration lead item at the beginning of the call
08:29:06 From Kenny PAUL (LFN) to Everyone : 'https://www.surveymonkey.com/r/LFNDevForumJune21

Zoom auto-transcript service - These are often translated incorrectly and can be misleading. They are NOT Authoritative!   Information as to why .
They are included here as a time stamp cross-reference for the recording only!  The notes above this line and the actual recordings are authoritative. 

07:03:59 Transcript turned on, transcript is now running.
07:04:08 Everybody's muted when you come in.
07:04:17 Please keep yourself muted unless you're speaking, you can use star six to unmute yourself. If you happen to send me a private chat message in zoom it will become part of the public record when I cut and paste everything into the meeting minutes.
07:04:32 As always, we'll start off by talking about our anti trust policy.
07:04:38 You can find this policy link from the left in the project websites.
07:04:52 Policies important, we've got multiple companies including potential industry competitors, participating in these meetings. Please review if you have any questions please contact company's legal council members of the lF may also contact Andrew up the
07:04:56 growth at the firm Gizmo up Grove LLP.
07:04:59 They provide legal counsel to the Linux Foundation.
07:05:03 Stop share Let me start share.
07:05:09 Okay.
07:05:11 When I miss while I'm talking note
07:05:17 with check on the release status.
07:05:22 I'll pull the vote up here real quick.
07:05:36 To see vote.
07:05:43 Okay 10 votes over the edge so that is approved,
07:05:52 guess I should get the
07:05:56 message Sharon Plunkett into the minutes should night that would be polite.
07:06:10 Um, anyway so that's approved.
07:06:12 David anything else you want to touch on.
07:06:17 Yeah, I just wanted to recommend that we extend the resolution of the exceptions for him to buy one week.
07:06:29 And this is because some of the architectural reviews were scheduled on June 29, so that pushes us out a little bit.
07:06:40 So, if we could get up pound agree on that.
07:06:47 Anyone have an issue with that.
07:06:53 Going once, going twice.
07:06:58 mark that as agreed.
07:07:01 Thank you. And then I also just wanted to mention.
07:07:07 Our next milestone is out quite a ways, August 26.
07:07:13 I did just publish the tasks, late yesterday.
07:07:18 I still need to update the milestone status page.
07:07:37 I also wanted to know that for em three we only have tasks for the projects there are no tasks for requirement owners, and all, if you could, socialize that with the requirements subcommittee, that would be helpful.
07:07:42 also wanted to mention.
07:07:45 I appreciate the eagerness of some of the PTS and hopping on these tasks, right away, but some of them are kind of time sensitive so for example the, the license scan.
07:08:01 You know those those emails from Stevens little come out, monthly, and so it doesn't make any sense for a task that's due in late August to review the license scan results to close that right now.
07:08:22 So, some of those tattoos, there's one or two of those tasks that are time sensitive so please leave those open until you know we get with him, say a week of the three scheduled date
07:08:38 for the rest of the update just, there's a link there to my weekly update. I sent the email out yesterday I know all of you, eagerly await it and read it cover to cover every week, but if you have not.
07:08:56 If there's a link there in the agenda. And that's it for me, Kenny unless are any questions.
07:09:13 Thank you so much.
07:09:16 anything. Rowling's related.
07:09:19 Not for my second.
07:09:26 I know that it's not listed on here but I know that there have been some.
07:09:31 Seems like some ongoing problems and sorry to kind of blindside you without talking about this.
07:09:39 But it seems like there have been some, some.
07:09:43 Well, problems on a, on a kind of a reoccurring basis
07:09:49 with I think it's Jenkins fan unavailable.
07:09:54 Yeah, I think I experienced that last week and I can check with my team and see how, how often have the experience of recently.
07:10:07 I can keep an eye on that and and see what's going on.
07:10:14 Seems like it's happening a couple times a week and there was one we're going just yesterday where everything got really slow. And then it picks back up again.
07:10:26 I see, let me let me take a look. I know I took care of it. One, the last week but yeah, maybe my other team members, jump in on this week's one so let me let me, consult with them and see what's going on.
07:10:48 Also, it looks like there was a burp just a half hour, hour ago where Garrett wasn't kicking off Jenkins jobs I had to go manually recheck and remerge
07:11:02 was in triggering jobs on bush or on what on Porsche or merge. Okay.
07:11:10 But is it working right now.
07:11:13 I think it's working again.
07:11:15 Yeah.
07:11:17 This strange.
07:11:20 Whatever it is, it seems to be the problems we're having or intermittent which is always fun to try and diagnose.
07:11:29 And yes, but
07:11:34 I yeah I'm seeing if it being mentioned a few times so I thought it was worth bringing worth bringing up.
07:11:48 Yeah, thanks for bringing it up.
07:11:53 I'll take a look.
07:12:01 Okay. Catherine Thank you.
07:12:09 Okay. Um,
07:12:14 let's see here, Catherine Are you on with audio Yes, um, did you want to discuss the
07:12:27 integration.
07:12:30 Did you want to discuss the integration discussions you've been having.
07:12:38 Can you hear me.
07:12:39 Yes.
07:12:42 Yes. So, um, I would say maybe more than one week ago, I have been discussing with different carriers.
07:12:53 We have deployed own up in production. So it's, it's most of them nearly, or humbled to use it in production.
07:13:04 And so I've been talking to Barry Canada, orange, China Telecom, Verizon, that's Telecom.
07:13:19 And we are still waiting feedback from China Mobile, but the we're all in agreement that we have to play an active whole to support the integration integration link.
07:13:26 The integration team sorry.
07:13:31 Um, you know we have also defined the minimum tsp scope.
07:13:36 So the next step that I need to discuss with my peers, is really always split the minimum score between all of us, depending on what we can contribute, have, and we will see members.
07:13:54 Unfortunately, I was not able to do further progress and was not able to attend the integration team last. This week, new to a couple of reasons.
07:14:05 But that's the intent to have this caviar of it.
07:14:11 And again, anybody is open to join us, was the objective is really to split the staff from a leadership perspective but also support with some of our team members one weekend, the DP one critical function that we were in don't define the bus.
07:14:31 So in the meanwhile, he does not mean that the integration team is not doing anything I think if you go to one of this meeting you will see the team is already quite autonomous, and they are focusing on a set of activities that was defined by Morgan and
07:14:51 order of the members.
07:14:53 But if we want to continue to provide support I'm sure that the locations of the gaping is not just the wizards but the problem of others.
07:15:06 Or, if we want door to door ensure that the the the someone locally, will be satisfied.
07:15:24 Stability perspective, but again the scope of the minimum to see the scope defined by the TSP called integration. If we want to make it happen.
07:15:26 We will need to engage ourselves.
07:15:29 So we don't have any one full time allocated. But we hope with this can your audience.
07:15:37 We can cover the gap and continue to have a great certification of our platform. So that's where we are with our recognize.
07:15:47 Since one week. I've been flew down in the grid program that I did on the previous week.
07:15:54 And you, you to a lot of conflicting issues, but I tend to resume the dialogue with my peers and with the integration team, starting on Monday. For more to come.
07:16:08 This is where we are. Don't know if you have any questions.
07:16:20 Welcome. Thanks Catherine.
07:16:24 I put.
07:16:25 Last week we had talked about committed promotions for CPS
07:16:32 brought that into the meeting and it's for this week.
07:16:38 Just to make sure that we capture it so congratulations.
07:16:45 Welcome, welcome new competitors.
07:16:54 had some discussion on.
07:17:02 We had some discussion on the status of projects which I had sent out to the TASC in terms of what's unmaintained and what's not.
07:17:16 There was some confusion about
07:17:23 the actual status of logging in that context.
07:17:31 The proposal.
07:17:34 Let me see here.
07:17:41 Okay, one second,
07:17:56 just easier to do that way.
07:18:00 Um, so one of the things that happened was that
07:18:06 the decision was made to
07:18:16 archive it.
07:18:19 But there was also the discussion of having
07:18:27 the filters moved somewhere else, that part of it has never happened.
07:18:39 No, I think, just to add to the discussion. So, that's the proposition.
07:18:45 I was building with the support of the project team and also might give you the form of logging.
07:18:54 Before the lady that I've already forgotten the name, sorry for that.
07:18:59 And it was clear that if we have to complete your project there are still some libraries consume by this week on projects.
07:19:09 If you are a Java project, you might still use the logging. So for go the end the looking creature.
07:19:19 If you have a bite on projects like we have seen that the globe muddling anywhere.
07:19:24 And you will use the dialogue or library.
07:19:28 So, in order to move forward we have to we have to devise some owner will maintain the, the centralized library, because it's better to keep these library compliance like we do for all parents.
07:19:43 Instead of asking each project to include this library in the hippo TV TV, and it means that the change might not be
07:19:56 a line from one project to another one.
07:20:01 So we don't define the committee will continue to maintain this library, I think there were one or two people from at&t for the Java.
07:20:13 And we have, Mike. Mike you, Mike. Mike Hello, I need to follow up with him if you take the best of the company we have Michael was accepting also took over the Python library.
07:20:28 It was related to a requirement of Columbia, if I remember well, to ensure that all the bison path was aligned with what should be the JIRA requirement PhD to.
07:20:43 So we notify the people we had an agreement at that time with om to all the free library somewhere, similar to Oprah home but all behind was hosted by integration team.
07:20:58 But in this concept of the time discussing with the design, and Morgan.
07:21:04 The agreement wants to put on all one.
07:21:07 But again, we, we notify people we don't define the project umbrella.
07:21:13 But we never ship.
07:21:16 These library.
07:21:17 So we can completely guide the login.
07:21:23 So, I, I would suggest that we resume from where we stopped.
07:21:32 And we continue the different instruction which was in non defined the composition.
07:21:39 If we want to fully archive logging and number
07:21:46 two and that's the name of the, you can see actually you're still given we have Elena, with maintaining the logging analytics.
07:21:58 We are the two library of sitting in for the bylaws.
07:22:04 Mike Hello, I was the committee as well but again I need to follow up.
07:22:09 If my kilo is still part of the open source community.
07:22:17 And you any question based on what I've shared today.
07:22:28 Catherine Do we know that there are projects still using these libraries. Do we know how many there are still using them as that that might be a useful piece of information.
07:22:42 We can go back to this project and ask if they have been implementing an identity.
07:22:52 I know a video was was one of the options.
07:22:56 But if you look at the requirement of the video. There was also a request.
07:23:01 Whoever switch with them. I know, either you for what you're looking to do a video or either for some project they can continue to consume the library.
07:23:14 So with this company, ever deployed this project in production.
07:23:20 They can offer the two options.
07:23:24 The weekend take an action and discuss that during the PTO call on Monday.
07:23:31 If the nickel home project we're using the Python library or the driver library.
07:23:37 Still, consuming it, and then we can also make a call to the community as well, like we always do when we want to
07:23:50 move something you don't maintain first and then.
07:23:55 But my understanding is that yes there are still projects using the Java library.
07:24:01 I don't know, for Python but we can take an action.
07:24:29 Any other feedback.
07:24:31 Any other feedback concern, action item.
07:24:36 Let's have an action item called it's called a video call.
07:25:16 But, Amy, what's the proposal, because, honestly.
07:25:22 We have not yet so the login issue. I guess them.
07:25:27 Right, I guess. No, I was just trying to figure out if there's still a lot of usage of these libraries, then yes we have to find a home if there's if there's only maybe one or two projects, do we take a different approach that that was my only thought.
07:25:45 The problem is that we need to maintain until there's an identity somehow triggers. Look, it's an important capabilities for operational readiness.
07:25:58 Okay, then. Then I don't think that we have an action on that, in that case then I don't think we have an action item for the PTS call.
07:26:06 I think we just need to proceed the way you're about the way you were going.
07:26:11 I just think it's dated will will just be asking for data that we don't.
07:26:16 That isn't going to make a difference on on how we proceed.
07:26:20 So, don't bother collecting it.
07:26:27 Okay, so, So, what are the next steps, then
07:26:34 I guess it's the finalized implementation of the proposal.
07:27:14 Welcome to previous schools I am not sure what problem we tried to solve. Originally, it is clear we didn't find a nice implementation of the proposition but I believe that the focus on that has been raised because there was a concern.
07:27:35 Well, the, the discussion came up in terms of talking about
07:27:43 shocker. I think shared the architecture diagram.
07:27:48 And the discussion of projects that are unmaintained state
07:27:58 that we're not represented as unmaintained so that was the Easter egg hunt that that I went on for that resulted in this in this email.
07:28:17 Okay.
07:28:20 So
07:28:24 I guess, we've got logging currently in this rather odd state.
07:28:35 It's not clear to me what the next steps actually are finishing the implementation or finishing the proposal.
07:28:45 What are the next steps that need to be finished.
07:28:49 Specifically,
07:28:52 the next step is to.
07:28:56 The next step is man what it is in the local man so it's too big. The commuters to me Sure we have somebody on the bison.
07:29:08 I know that we have a comatose on those of us who have no concern.
07:29:13 And then we remove this library under some way.
07:29:20 It means that all the project will need to address their phone fine.
07:29:27 Yeah I know all the details so in addition was not there.
07:29:32 And then one of these library I moved to decentralize the report on the M.
07:29:38 Man, we can declare the rest of the, of the project archive on, and we will follow what was defined.
07:29:50 As of, of the termination, if you process with the key item is really to move the library.
07:29:59 From a centralized perspective.
07:30:04 And what I have highlighted are what's what what is to be moved.
07:30:11 And siloed anti lock, because there was also still a question.
07:30:26 By look is the Python version.
07:30:20 I don't know why I was missing because I think I was dealing dialogue, separately item six, and I know the items have been addressed.
07:30:34 At the item six, and I know the items have been addressed. Anyway, shocker just, just to the clarification. Right.
07:30:42 And I want to bring the discussion up a level. Right. I don't want to, you know, I'd like to stay away from the details of the tactical tactical details in terms of which library we're going to maintain and so on so forth.
07:30:55 I think the strategic question they have is the following.
07:30:58 Logging is an existing component, understand that there is a challenge we have some challenges in terms of maintaining that component.
07:31:09 However, though, there is yet another effort that is focused on creating yet another logging infrastructure
07:31:22 question that I have is a high level without, without talking about the details.
07:31:29 And this is I guess a decision that we all have to make. Should we have a login function.
07:31:36 And if the answer is yes, then should we move ahead with the existing login function, or should we spin off yet another theme to start to look at an alternative.
07:31:55 Look login it's, it's really a capability which is a function and I don't speak with my PC as I'm speaking with my at&t so I mean when when you are on production.
07:32:09 You really need to have an opportunity to, to understand what's going on within your application, not only from a debugging perspective but there are a lot of information that are still in the locks.
07:32:25 And therefore from my side and anybody should expose itself, it's a mishap.
07:32:34 It's either a capability that we can implement, who was centralized library so at least we have a common behavior in each application.
07:32:44 But we have to have different libraries depending on the code base or either there is another way right I know we should look at the cloud native, there are some
07:32:56 open source like younger whatever,
07:33:00 which are also implementing similar capabilities, but you need to understand the format, right, everything as tools to do need a blogging is not enough.
07:33:11 You need to be sure that the information collecting by the different.
07:33:17 The different application is meaningful, otherwise from an operational perspective, the guides will be lost if you need to understand log of ANSI with only from the local, so you could not work so that's why there was some time spent on the specification.
07:33:34 So what I tried to say it's not only about the tools, or the way to implement looking mechanism, it's also about 55, the content of this lock.
07:33:46 So, if you want to replace it.
07:33:49 That's, that's okay. Right.
07:33:51 But you will need to reject the requirement, the format.
07:33:59 Understanding the back will issue the backward compatibility.
07:34:02 Because some people are already using this, the login requirement as it as it has been written.
07:34:08 And then you need to make an assessment based on what it is existing on the mascot tween don't define what is the best open source to generate your, your blog there.
07:34:20 This was these as you see on a silicone rain but look for the younger funded dirty the tones of open source to do it. So to recap, I would stick to the library, because it's some as heck, until somebody implement or up with another way to doing things,
07:34:47 but we need to be cautious about the, the content of the locks, because if you start to change the content of the locks.
07:34:57 It might be an issue for people who are already using it in production.
07:35:11 So, any, any feedback from anybody and me I'm talking to you with my agency
07:35:19 drew me a critical functionality for my company. I'm not your fear CJ when I was talking before, but I want to invite people or companies who are using an app to comment as well.
07:35:44 maybe check it out. That's something you could discuss with your team members.
07:35:49 But I know.
07:35:51 I certainly can. Yeah.
07:35:54 And we know, we also need to consider. And again, I'm not following up everything in detail, but my understanding is that the security subcommittee, as some plan to announce the log.
07:36:09 Especially to get information about the containers whatever but I'm sure I will and Amy can give you the details so the need is there, how to do it.
07:36:21 We have a nice, we have a solution today. But, but, as I said, it's moved to a centralized people enough on or do we need to add something.
07:36:32 I will not say this but do we need something different.
07:36:35 Yeah, I think the question. The reason I'm asking the question is that should we right i mean it's a decision point.
07:36:43 Should we continue to maintain the existing infrastructure, right, and then if they identify any gaps that we may have, and address those gaps or, excuse me, should we fork or for another effort.
07:37:04 So, to me it to me it doesn't make sense to fork off another effort to do the same thing, right. So talker I think that you bring up something interesting and I think that that's something that beyond is addressing with a lot of the service mesh which
07:37:19 is to Katherine's point you actually have to have normalized security or normalized events that are collected in your log files otherwise as Catherine said, there's no way of correlating them the, the analysis becomes different, you don't really know
07:37:36 what you're looking at.
07:37:39 And then, typically like for security events you typically, send those off to some type of a centralized log management system.
07:37:47 And I think that that's really the place where, where by having this logging project that we had to maintain.
07:37:56 And, you know, we kind of lost the maintenance of it that that's where we started looking at other alternatives to get those logs to more of a centralized log management system document what it how Look how events should be logged, what what the what
07:38:13 the data set the metadata associated with an event should be, and then have a method to get them into, so that an operator can pull them into a centralized log manager.
07:38:26 Yeah. No, I understand. Now I understand that fully interesting. So I think you are going to need though, right, because we're rehashing the same thing over and over again.
07:38:32 Yeah, we're not, I'm not arguing beneath my argument, my, my point is, if this is something that is really needed. Why should we fork off yet another effort because there is another effort that's going on right now, looking at the login function.
07:38:49 So let's consolidate our efforts to, to continue to maintain what we have because we think it's very useful.
07:39:01 I mean, that's my point.
07:39:05 Sure.
07:39:07 I think that's a very valid point.
07:39:09 So, but the question is who's going to maintain that. And I think that was what Catherine said Who do we have who will maintain it.
07:39:23 The existing logging that we have the question should be though should not be let's go off and look for another alternative. Right.
07:39:27 The question is should be focused on how do we maintain the existing infrastructure.
07:39:36 You speak to the library by by the project, not the complete project itself right, only the C library so that mentioned. Right, yeah.
07:39:47 Yeah, I'm kicking it lived up high level though, capturing just for a reason.
07:39:52 Right.
07:40:02 I I continue to support the Java library.
07:40:07 But I need to find an identity. I need to follow up with the person who was committing for the title.
07:40:15 It's Michael.
07:40:18 I apologize I forget the company name, so I don't know if we have a gap in demo steeple on the title or not.
07:40:26 But there's Gemma covering it.
07:40:31 And I think we have at least two. Two people
07:40:38 committed to to do some announcements so that's why you see sometimes so activities based on the issue refined form of production site.
07:40:52 So it's it's it's.
07:40:56 Michael Gagliano that you're speaking of.
07:41:02 Yeah, he's from dt, and the last commit was in August of 2020.
07:41:15 We just need to see that. Again, there is no point to do changes if if the library stable, but we need to be sure that somebody.
07:41:25 We make the change even if we do not define the library.
07:41:32 We can follow up offline, to see if my mic to their name.
07:41:38 If the nice guy is still willing to help us on a book proposal, or if he has been reassigned to other activities I cannot answer on the call. We need to have an action for that.
07:41:57 I'm discounting currently as far as competitors go on the project we've got 12345678 capital C competitors.
07:42:15 So they might not be.
07:42:18 I do not say, I'm not saying they're active I'm saying that currently.
07:42:22 That's what's in info dot Yammer,
07:42:25 probably need to clean up as well.
07:42:29 Because I don't believe that all active.
07:42:32 I think for Java we have given and Elena.
07:42:36 We were announcing the departure of Brittany at one point on the own up to see the other computer I don't know by name so I need to check
07:42:48 before me there are two three.
07:42:50 before me there are 233 potential people to on the Java side, given and Elena, and Michael. Michael for the bite them, and looked away if the older that you have in mind are still active.
07:43:07 I was looking at the insights for the past year.
07:43:14 I'm just stuck in here let me drag the window over.
07:43:22 So they've been 16 commits over the past year.
07:43:53 This is this is all the contributions to the project it's not
07:44:01 the insights we currently don't have the capability to carve out capital C
07:44:08 matters versus just you know contributors. So it's just predators in general.
07:44:17 But, I mean obviously not seeing a lot of activity.
07:44:23 Library of credit staple.
07:44:26 I mean, library exists in six years.
07:44:33 At least on the Java side.
07:44:37 So you don't necessarily need to announce a lot.
07:44:40 When you have something stable, which is good news.
07:44:50 So this is what I have highlighted here is this still valid from the discussion we have had.
07:44:56 I believe it is.
07:45:07 Anyone disagree with it, and we can we can we can discuss the beaten vide on the call. And we need to be validated micro is still okay to perform some other changes in there is an issue with the file library.
07:45:19 Definitely Michelle and Eli from dt of course will be, will contribute that statue wouldn't be an issue because I mean it's his, we are, they are working as well for the om and integration project so already at least the integration project and is still
07:45:35 continuing work on that.
07:45:37 So no problem.
07:45:40 Thank you, Andrea.
07:45:43 I think from a commitment.
07:45:47 We have the feedback from Andreas myself that we are good to go.
07:45:56 We also need to refresh in one building and talk with the BTS, but I would suggest that we go through again to the proposition with the detail because now it's just an implementation discussion is not only a decision this discussion.
07:46:14 And maybe I would suggest that the move to the next item, because we have only 45 minutes left.
07:46:25 crystals, Alexander Are you on the call.
07:46:29 Yes, hello.
07:46:31 Hi. Did you want to share,
07:46:38 say just a moment.
07:46:43 There you go.
07:47:03 Okay, so.
07:47:06 Yep.
07:47:07 Okay, so we'd like to talk a few words about using scan code for generating Docker as well. And this is all generally linked to discussion that we had some time ago on the mailing list and discussion that we had in the TASC that all that is really not
07:47:30 distributing only the source code or binaries that are built from the source code, but we are actually distributing ready Docker containers. And according to the article published by lF, and based on analyzes bite by lawyers, eat, you're distributing
07:47:50 a Docker container. You're responsible for going through the compliance process for all the components that you're distributing within this binary Docker container.
07:48:03 So currently we have sonar and we have other tools that are showing people whether they are direct dependencies and will they are using in which versions, and this is probably what most of the license scans is based on, but we do not have that kind of
07:48:22 to.
07:48:23 But we didn't have that kind of tool for food containers that are being capital the next week. And based on the TASC decision we do not want to be three components in in those containers, because they're really the compliance process for GPO betrayed,
07:48:45 it's not that it's impossible but many companies do not want to handle that, and don't want to use open source projects that include GPO betrayed and generating these s boom is at first step to achieve the license compliance, because it gives you the
07:49:07 the exact knowledge on the components that are included in your package, it may be, create in may be used for both the license compliance, but it also may be used by by sec GM for scanning for known vulnerabilities.
07:49:29 And the info that you get is what packages or other stuff there is what versions, it has, and with licensing as. So, it's the whole package of what's necessary for profit entities.
07:49:49 And we already have a tool that kind of does that. It's called Aaron, it's integrated in weekly integration chain but we believe that it really likes visibility, and because it's kind of slow.
07:50:06 It takes quite some time to run the scan and also the results are being uploaded
07:50:13 the scans are executed on the, on all Docker images, currently are in the om repo.
07:50:23 And the results are uploaded to the integration to the logs from testing so usually only integration team is looking into that
07:50:36 stuff. Have you looked at the Nexus IQ product that does container scanning.
07:50:43 Because it it, we actually are licensed for that, and I think it collects everything that you're looking for. Not only that, not only the stuff that the Nexus IQ for software composition analysis does but also the information about what's in a container.
07:51:00 So as Docker Hub Docker Hub also we have free container scans.
07:51:06 But we have to enable them.
07:51:11 I've checked Nexus aq what they had on the page.
07:51:17 I think it was in December 2020.
07:51:21 And what they found that they do this comes by checking the Docker file so they didn't scan the base glass, and all the layers that that come from importing the base base image so.
07:51:41 As of, then the discounts are not sufficient to generate rate compliance dogs. Okay, great. That's great information.
07:51:52 Thank you, but it might have changed since then.
07:51:58 And that's the Docker Hub, I have no idea what how it works with, I've seen some scrapes from Docker guys for for this on GitHub, and it's.
07:52:19 Those are simple bus crepes. They cannot perform any meaningful analysis and their reports to not contain necessary information to generate actual compliance that can station.
07:52:38 Okay, okay. So, yeah. So, going through to the next slide, Why not other tools.
07:52:47 First of all, we tried 10, and at the beginning, now they studied had some design flaws security design flaws.
07:52:56 Because it executes binaries from the containers.
07:53:08 While in ch route, it's still executing some unknown binaries from containers that we didn't know if we can trust them, and it requires Docker sock access.
07:53:18 It also fast quite often the two underlying technology use like overlay fast. Dr library the Python locker libraries.
07:53:28 Not very reliable, and both art and pathology, do not support Docker or defense fast and developing that would take a bit too much time when there is a tool that does exactly that.
07:53:48 So, how could we integrate it with on up scandal diabetics Image, Image terrible lesson input. I think recently NPR has been managed to provide just a link to the darker.
07:54:08 So it could be downloaded.
07:54:10 Jenkins would be to pass such terrible or.
07:54:15 or link to discount code IO, and after triggering the job, it would provide a URL to to this come in Derek, which would essentially provide the feedback to developers, and everyone interested in those containers.
07:54:36 At the moment, when, when they change them.
07:54:40 See, the general idea of integrating that would be to keep it as close to the container release process as possible. So, as soon as Jenkins reveals the container.
07:54:57 It should upload it to scan code and then whenever results are available just post them to Gary so that people who are submitting container updates have really prompt information about the content that they're actually going to publish
07:55:22 gone.
07:55:24 This integration in the long term would we would need to rethink how we handle Dockers entirely because we produce a lot of snapshots and publish them, which would also require to go through the compliance steps.
07:55:43 Discount Code IO goes into their in direction of automating everything that's possible to automate.
07:55:51 So, the burden on people are releasing containers should be as low as possible.
07:55:58 But it might still require some manual work.
07:56:02 So having to do that for each snapshot might not be might not be feasible.
07:56:09 And we need to also think about if we when we add the compliance that,
07:56:19 to only release stalkers when the compliance documentation is actually generated and approved
07:56:28 and.
07:56:31 Yep. So, in terms of what we would need would be some compute resource, where we could around scan code itself, and we would like to try to integrate that with with Jenkins.
07:56:50 Probably it would be best to not do it for all projects at once, but but have some, you know, sandbox or single project who could volunteer to, you know, to have at least one Docker image scan this the storage requirement that we have here is only view
07:57:22 the ability to scan all the images but obviously if that's an issue we could start with a little bit smaller on the other reason for that requirement is that we were actually working on downloading all the packages, all the code for everything that's
07:57:33 in the container so we can host it somewhere separately and link to it in the compliance docs later.
07:57:43 So, scanning Docker will a single image will actually result in in a bit of more space, taken by themselves, because of those downloads.
07:57:54 Yeah. And the main reason why we aren't doing that is the
07:57:59 you know the experience from the automotive industry that the guys who are dealing with licenses, with licenses that people tend to remove from the internet stuff that they no longer need.
07:58:15 So, if we are, if we want to host Nexus containers, I mean all have containers in Nexus for quite some time and I believe that for now we are not removing them at all.
07:58:29 At least for for the release of versions, then it means that we should also keep the copy of the source code for those containers. Just because someone may have already remove that from from the internet.
07:58:44 Because someone was using I know a boon to 1404 or 14 the 10 as their base image, and no one keep the service, go for it for that.
07:59:01 So the question for the DSC is that if to DSC into fit.
07:59:10 If you think it would be possible to get those resources to deploy scan code IO, and try it first on a single project. And then we see how it goes, how it works, we will share the experience with you once again and we will see if we can go and expand
07:59:29 that further to the other projects.
07:59:35 So, requirements that are listed here that's, that's the do proof of concept.
07:59:45 So Alexander, do you believe that book for proof of concept or single Docker image, we could, we could easily have that.
07:59:55 Okay.
07:59:56 Yeah.
08:00:08 Before we move.
08:00:07 I guess you want to do a few see because, did you perform an assessment, we build our existing solution and have your comparison metrics understand you, you compare them in scan.
08:00:25 code.io, you see any other identity as well because I know sometimes we go, we wanted to move absolutely with them.
08:00:31 I'm glad we didn't do.
08:00:35 So we actually we did, we tried it, right, we did and he gave us an important experience and really enjoyed interesting results I would say right and he led to reduce it to significant reduction of GPO between packages.
08:00:53 But in, in the context of, we were also based upon that trying to move the lF 10 by itself is often not very precise.
08:01:11 It's only as good as the package manager on the container is. So, if we have packages that were wrongly marked as have wrongly marked licenses by by their maintain us in some specific districts, we will get the wrong information.
08:01:31 If we go with strangled al we download the source code becomes this core source code. And we know actually what what licenses. The code, use their hat hats.
08:01:55 It's, it's a lot more precise and meaningful information.
08:01:57 So, so the very, you know the concern is the need is clear.
08:02:07 Right. The meat is clear.
08:02:09 Having a tool that does it and based upon things you say yes, this looks like the better tool what what I'm what I'm concerned about is that we get into not
08:02:24 is, is the tool of the Month Club, because that that that's my concern
08:02:34 that whole kind of darkness is quite new.
08:02:49 10 is is quite new project and scan code has been working on adding the support for quite some time.
08:02:56 there might be some better tools, somewhere down the line, but to be truthful. 10 has been relying on scan code as a plugin to improve,
08:03:11 to improve the precision of their scans and scan code tool kit is also the base scanner for.
08:03:21 I think art.
08:03:27 It seems to be the, the industry standard in open source. As for the scanner itself as can code IO here serves us as a rapper as a server application that gives us UI, and to perform possibly other steps like license compliance, etc.
08:03:51 And it's easily expandable.
08:03:58 It employs the concept of pipelines. So, so we can easily add stuff there, and remove
08:04:10 any seems it's worth us of now going into their this direction, and it doesn't seem that other tools are planning to do outside support, like art or solitary.
08:04:21 Okay. So, just to be 100% clear here.
08:04:28 We are not saying that's can code IO is the best tool in the world.
08:04:35 Can we guarantee that that it will do all the job that we need now.
08:04:53 But, can, can we say that at least we can try and it seems to be a right way to go, and it is open source and actually we're already submitting sample requests there for the functionality that we find missing down the road, we're already doing that so.
08:04:59 And it seems to be you know the feedback from the community seems to be great.
08:05:05 And we believe that at least for now, it's a step forward from from, you know, compared to what we are getting from turn and how much you know how accurate the discounts are.
08:05:22 So, I believe that, even if it's not going to be at tool that we will use in five years or anything like that because the world is changing, and the internet industry is in general are starting to bank more attention to containers so some better tools
08:05:42 may appear, but for now we haven't found a better tool that provide all this stuff that that we need. This one also is not providing everything, but the gap seems to be way smaller done in other projects, and it seems that it's rather straightforward
08:06:08 to contribute back to the upstream, and get the gap fixed and less buggy, from what you guys have said it's less buggy in general. Yeah, yeah and then the direction that we want to go, is the direction that the tool is heading towards that.
08:06:25 So, we're not, we won't have to fork out.
08:06:32 And we can just commit to upstream, and
08:06:37 have all the benefits that come come from submitting patches top three.
08:06:43 So, would
08:06:47 this potentially be something that could be run on the lab servers and I'm saying this in the context of.
08:06:58 We know that the until lab that Wind River is maintaining that's going away.
08:07:07 Intel has graciously going to provide us with eight servers.
08:07:12 We are currently trying to find
08:07:17 a location to have those installed set up.
08:07:21 There's going to be.
08:07:23 Even though the hardware is being donated. We're going to have a significant cost in terms of this is going to be going somewhere where we actually have to pay people to maintain it.
08:07:36 So, the eyes and hands, that will actually be doing this.
08:07:44 We're going to have to carry a monthly op x cost for, we do not know what that's going to be yet. So if the potential could be that, that, that hardware, could be used to potentially house this
08:08:05 that that would that would probably be a good thing just in terms of how we're thinking about where it's going to go.
08:08:16 So, it can be literally anything, it can be Asia resource, it can be OpenStack research, it can be a server, as you said, it doesn't really matter from this capital.
08:08:30 io perspective, the only thing that these require, is to have an access to that server, it can be via VPN, or anything like that. And to make sure that we are able to communicate between on our Jenkins and scan code that that will be Ronnie go on that
08:08:50 stuff.
08:09:04 And for the tool. It's not only designed for talkers, so we might also scan the project's themselves there, or something gather, if, If needed, and it might be.
08:09:26 If we compare the results.
08:09:36 We might resign from paying for for some other tools that are paid for now. If the results are good enough.
08:09:40 Yeah, but there's obviously a nice comparison and and evaluation right yeah that the priority us for now, for us, are our Docker images.
08:09:55 Can we use a journal subscription or can we use compatible movies.
08:10:02 Because we have talking about P. We'll see. So it's just too long throw them all the tools may be.
08:10:08 Try one or two projects.
08:10:11 And to see how it works.
08:10:15 Yeah, I think we can.
08:10:19 Okay, we just, just let us know where the resources and and let it know how we can communicate those resources with Jenkins and we are more than happy to use that.
08:10:34 Okay, so Kenny what's your preference when zebra lovable, we, we use Amazon is your subscription.
08:10:44 Well, my, I mean, my, my, my preference wearing wearing my budget hat.
08:10:53 knowing that we are already, way, way over budget as is would be the the resources that cost us, the least
08:11:12 is the week even for that. Oh, yes.
08:11:17 If there is, if we can get the access there and with the knowledge that it's going away very very soon.
08:11:31 So this one was more thinking about something we can still access, because we don't know if they disappear now or later, until we have the new solution.
08:11:50 I guess I wouldn't I wouldn't want to spin up a new
08:11:56 a new Azure instance for this.
08:12:02 Why I would recommend against that.
08:12:14 So I think we are potentially in agreement for Brian WC but we need to have an action item to end on define where we can deployed the PLC.
08:12:27 Yeah, I'm not sure we will have a conclusion today. We need to crack as an action item and come back to the team.
08:12:36 So,
08:12:40 Alexander, just ask kudos.
08:12:43 Good work on this.
08:12:47 In terms of looking at the at the tool sets to use.
08:12:52 Catherine's right we just need to figure out where we're going to run it for the, for the PLC.
08:12:58 OK, cool, so we are just looking i mean i i well i spoke out of turn there because I am not the TASC.
08:13:09 I didn't hear any of those QC members may be the condition or.
08:13:15 I think it's something important, important to perform to increase your professional headiness and improve the quality of software but is there any question, objections feedback from other team members because you have been quiet today I've only heard
08:13:37 I only asked for it.
08:13:38 But I want to give you an opportunity to cook.
08:13:44 Yeah, Catherine Hi. Hello. It's been a long day for any other piece of spoke today.
08:13:49 But I think I like the idea of what is being proposed here I'm not against it but one thing is, it is too early to actually come to any conclusions on this because we have been seeing a lot of alternatives for this right i mean it's not new that we are
08:14:01 talking about it.
08:14:03 about it. So I think one concern, which I would have is, I mean when river has been up and down, I mean it's been on and off right for quite a while.
08:14:11 So, next time when we take a resource like this the most important thing which we have to take into consideration is the durability of it.
08:14:18 Because, I mean thanks to orange for giving us another alternative which is sustainable right now for some time, but for the long term. Not many people are able to use that resource and we have a dependency on at&t.
08:14:32 Sorry on the, on the intervention overlap.
08:14:35 So it will be better to actually think for a long term sustained spring as a plan B and that should be the goal for us going forward. So just.
08:14:48 Hello.
08:14:56 We need to understand the next step with the intellect, because I so we. They were both to provide a brand new lab to the seller, an open action over only providing the hardware.
08:15:10 Yes. Yeah.
08:15:23 And, and the actual support of the lab. Hands and eyes, doing the rack stack cable label, anything like that.
08:15:30 Is, is going to be coming out of the own app budget.
08:15:34 Right. Another issue which will be will be the onus of it right because so far integration team had been doing the kudos job on that, but now we will take it right who will be responsible for that.
08:15:43 So that is really the next step which we have to consider.
08:15:49 Because we have we are talking about the integration team workshop in action items we, I mean, the work.
08:15:56 That's one of the things that responsibility that we've talked about needing to right in the beginning, right.
08:16:04 Yeah, I'm trying to just put the other words these two are related items so I want to make sure that we consider them to good.
08:16:16 Yep.
08:16:19 Good job Christophe and then this seems to be a good start. But my only concern would be to take that into consideration while moving on.
08:16:30 Yep, sure, thank you for your feedback.
08:16:34 Okay, is there any disagreement on pursuing a proof of concept.
08:16:43 If not, I will mark it as a pound agree and move on with the with, you know, acknowledging that we need to figure out where we're going to run the PLC.
08:16:55 If we have the equipment.
08:17:00 Is the equipment. And the ownership.
08:17:11 Okay. Oh, drop that in in some agreed.
08:17:22 I guess it should be more clear, a PLC for scan code IO.
08:17:42 There we go, that's that's probably better for everyone.
08:17:48 Okay, we are coming up to them on
08:17:57 little less than 15 minutes left. I'm only wanted to talk about an XML security issue.
08:18:11 And you need to share.
08:18:16 I actually volunteered. Tony for this item scheme up by me, the PCL meeting on Monday, Tony Can you speak to this.
08:18:28 So, I can, am I sharing no I'm not sharing. Sorry.
08:18:36 So as part of the second is continuing efforts to eliminate a variety of errors have been pointed out by.
08:18:47 Thank you for sharing them
08:18:50 by Sona cloud.
08:19:01 Amy and I and have been writing these JIRA tickets against various different applications for a set of issues, and in Honolulu we picked one set of issues that were
08:19:12 that we wanted the applications to focus in on. And in this release we picked another set of issues that we wanted applications to focus in on and we filed a series of JIRA tickets.
08:19:26 Things like external and XML external entity is an example of one of these issues, and David ran across one of these the other day and I didn't realize they're really critical.
08:19:45 Yes. These are.
08:19:55 They're either critical or SAR cloud marks was either critical or blocking or not. These are things that we need to fix. So we've been filing the spirit tickets to, to get the applications to fix them.
08:20:04 Just having them in the solar cloud hasn't been sufficient for them to for the big deals to do that but filing these JIRA tickets has gotten traction and good majority of the these issues have already been fixed by the PTS or their designated people that
08:20:26 they've designated, and that's great. So I'm
08:20:32 there there's still more work to be done. And when these are finished, there will be another set of issues that we will bring up for Jakarta.
08:20:45 So hopefully that brings everybody up to date on where the SATCOM is with these sets of issues, and what we're trying to do, and answers David's questions as to what they are.
08:21:01 So thanks.
08:21:03 Yeah, thank you.
08:21:05 As I mentioned, we discussed this in the PTO meeting on Monday as Tony mentioned I came across this when I was doing some other tasks and JIRA and I was just a little startled because it was described as blocking and high priority and so on and I, I knew
08:21:24 nothing about it. And so we talked about it in the PDL meeting and we just agreed that it would be worthwhile to, you know, just given the severity of it, it would be worthwhile to just make the TASC aware of this issue and ongoing efforts to resolve
08:21:47 it.
08:21:47 So just for your awareness.
08:21:56 So looking at, I'm looking obviously going to keep plugging away at this but.
08:22:03 So looking at getting this in as a best practice, and then potentially promoted to a global requirement
08:22:14 in short order for Jakarta is that what I heard.
08:22:19 So, these are all.
08:22:22 They actually fall under this one of the CI categories of eliminating security issues. Okay, within a certain timeframe. And so part of the CI badging global requirement that we have has a section.
08:22:45 Part of it that says to eliminate the,
08:22:50 the security issues that were pointed out by Sona cloud.
08:22:56 Okay, I
08:23:00 coordinate heading off in a row in the wrong direction there sorry about that. Yeah, this is a and fixing the security issues identified, that's, that's a standing item.
08:23:15 Yes.
08:23:20 And if you scroll down on this you'll see a reference to the.
08:23:31 The raq that these are all related to.
08:23:58 Okay anyone have any questions.
08:24:09 Thanks so much, Tony.
08:24:11 You're welcome.
08:24:17 Any updates.
08:24:21 Back SPC tech UAG.
08:24:28 And
08:24:37 the CFP was for the one summit, that was submitted.
08:24:44 So correct.
08:24:49 Correct. Yeah, just wanted to highlight that we have been submitted pre proposal ugly to cover the work perform, who the task force but also in those being a lot of you.
08:25:05 So they will be one for entrepreneurs to provide an update of where we will be in October.
08:25:13 You know integration between magma, and also own up until the more depending on where we are.
08:25:21 And to a cool portfolio then we'll cover the CNS movement if stuff falls.
08:25:31 So one proposal, we focus on on Etsy packaging Etsy CNS packaging and more in the civil and then we'll focus on the year cnn fo Mo, so I don't know, honey.
08:25:47 See shoe, Lucas, if you want to provide more detail.
08:25:51 But that's the plan and beyond. And that's the plan so let's hope we will be selected so we we have this segue to promote the great work that we do in order to reposition or not, not only as a network automation platform but also for others.
08:26:19 Thanks Catherine. Okay.
08:26:32 Bye guys, just move to the next items.
08:26:25 Just to remind people, maybe we should put the time, the time of the owner point of pride for have been moved to 7:30am PST.
08:26:37 As you know it's a be weekly call, and it's organized on July, 7.
08:26:45 And then I give the floor, in case of honey of chemo wants to provide any of these regarding the folder delete with wiki to the top.
08:26:57 Yeah, I don't think we have any updates and to be honest with all other things going on I haven't had a chance to do much about this. So, I am considering requesting some more help on that.
08:27:17 Definitely myself and the mall, so far has been preoccupied with other things so we welcome any other volunteers who want to help with that.
08:27:36 Thanks Ronnie.
08:27:41 Okay, deadlines and such, we talked about integration.
08:27:47 Honolulu awards I'll be kicking those off soon but TLC two dot o edits is at the top of my priority list next to some things for the governing board.
08:28:02 The
08:28:06 action items from the June, event.
08:28:17 Don't I guess we can, looking at those in terms of
08:28:24 going going through the list of the projects or were, were there specific known action items that we took as a, as a collective body
08:28:45 move on because I don't know the answer to that one.
08:28:50 Pick your meeting will be cancelled due to a holiday coming up, please please please please please please please please please please please please please
08:29:02 fill out the survey, if you went to the event wings and thank you please please please links in the chat window for that,
08:29:13 really, really important to us. I can't, I can't stress that enough.
08:29:17 So if you attended the event, just go in and fill it out for us.
08:29:24 And then get the one summit coming up in October.
08:29:29 These are closed. They closed on the 20th.
08:29:34 Anything else from anyone.
08:29:37 Can you run question which I came across and even I have is, how are we going to have this setup and event. I mean, they said that will be, will hybrid right now which will actually include both the virtual as well as physical, but if the participants
08:29:53 are together, like we have a participants going both from in one one topic if we have like for example a panel which has both the people.