2020-12-09 Meeting Notes

Date

Attendees

Heather Greer Klein

Kate Lynch

Rob Kaufman

James Griffin

Nabeela Jaffer

Juliet Hardesty

jen young

Discussion items

TimeItemWhoNotes

Process for vulnerability reporting and messagingHeather

Ilkay's idea for mapping issues and user storiesHeather

Fedora 6 update and questions about forming a testing groupHeather

Populating the roadmaps document with partners

From last meeting discussion:

  • Consider: should we reach out to individual partners and guide them in filling out the roadmaps alignment document, based on features they're publicly interested in/working on.
  • Determine ways to demonstrate the value of the roadmaps alignment document.  Evaluate how it could be used as part of the code reclamation project.
    • Look at which feature sets we can focus on (example, analytics, REST APIs), and follow up with specific partners.
Kate

Codifying PO processKate

Google shared driveHeather

New meeting day/time?Jen

Notes


  • Process for vulnerability reporting and messaging
    • We got a report of a vulnerability in Hyrax last week.  What do we do with these?  Process is roughly 1/2 documented.  Heather reached out to Mike Giarlo regarding this, and she is picking up finishing this documentation.  
    • Partners are supposed to "get the alert 4 weeks ahead" – 4 weeks ahead of what?  Why wait to tell everyone?
      • The idea is to give some benefit to Samvera Partners.  This is also a security issue if it goes to everyone on the list first.  Everyone knows that their repo has a security hole in it first, so it makes sense to prioritize the Partners as implementers. 
      • As soon as we find out, we should let the Partners know about the vulnerability, and then let the PO can let them know when there is a patch. 
    • Another idea: keep the vulnerability sphere of knowledge small until we have a technical solution in place.  If something requires a quiet fix before we can afford to be loud about it, we should delay it going out to the tech list, as the tech list is public.  It would not be reasonable to put the burden of protection all onto one implementer to fix.
    • Another idea: this should be taken on a case-by-case basis to determine how to safely roll out information.
    • Path forward: send out to partners to reach out to their technical contacts, "this has been received."  Send out to the relevant PO and Tech Lead as well, and ask them how they want to address it/parse out the information.
  • Ilkay's idea for mapping issues and user stories –> kicking to next meeting
  • Fedora 6 update and questions about forming a testing group
    • Heather met with David Wilcox; he said that, once there is a beta for 6, they would like a testing group specific to Samvera.  This would be coming up in January.  Is this a reasonable thing that we could put out a call for?  Yes.
  • Populating the roadmaps document with partners → postpone to next meeting
  • Codifying the PO process
    • Kate taking on, and will share with this group for feedback.
  • Google shared drive
    • Heather has been creating drives for every group that wants one.  This group needs one too; Heather will make one and share it with each member.
  • New meeting day/time?
    • This date/time seems not to be working so well anymore.  Let's distribute a Doodle poll and see where everyone's schedules align. Jen will distribute this.
    • Next meeting is 12/23 – cancel?  Yes, postpone until January.

Action items