2017 06 15 TSC Meeting

Hyperledger Project

Technical Steering Committee (TSC) Meeting

dummyfile.txt

June 15, 2017 (7:00am - 8:00am PT) via GoToMeeting

TSC Members

Arnaud Le Hors


Binh Nguyen


Christopher Ferris

Yes

Dan Middleton

Yes

Greg Haskins

Yes

Hart Montgomery

Yes

Mic Bowman

Yes

Murali Krishna Katipalli


Richard Brown

Yes

Sheehan Anderson

Yes

Tamas Blummer

Yes


Resources:


Hackfest Planning (Todd Benzies)


Hyperledger Fabric drive to 1.0 (Chris Ferris)

  • Cut a beta release last week.
  • Intended to do weekly release cadence, but after discussion yesterday did not feel quite there with timing for another release.
  • Need to fix some security bugs, improve documentation, get new process for publishing binaries and sample apps.
  • Currently determining if ready for a release candidate or beta 2.
  • Seeing good uptake -- the beta has been out for 1 week today and already has 400 downloads.
  • Established a set of exit criteria that Fabric team is looking at for its 1.0 (other projects are welcome to leverage this)
  • Starting to engage with license and crypto export scans
  • Q -- talk more about non-Apache 2.0 dependency?
    • CF:  with Go, the dependencies need to be in Go path when you build binaries.  Two ways to do it -- a) ask everyone that ever wanted to build to go install n dependencies in their environment b)  vendor the dependicies (and have a dependency tree included in the repo). Go does not currenlty provide a means to dynamically create this.  Working with Tracy/Steve on reconciling and will pull together a proposal for the best path forward.


Project reporting (Tracy Kuhrt)

  • Tracy walked through the proposal & template
  • Help keep TSC informed on progress of projects, and ensure some oversight (are regular releases happening, diversity of developers, etc.)
  • Discussion
    • Monthly could be too frequent, consider quarterly (or more automated updates monthly, with deeper dives quarterly, unless something in the dashboard shows as “red” and triggers more review)
    • The focus for the TSC shouldn't be what can be automated, or what is easiest. It's what does the TSC need to follow about a project to be able to perform its oversight role adequately. If it doesn't, and we end up with a number of dead projects, it'll reflect poorly on the project and the TSC, and may tempt the Governing Board to have to perform that kind of oversight itself. Oversight somewhere is not optional.
  • ACTION:  Tracy to take this to the mailing list and try to capture the measures that we are looking for to be able to ascertain the health, strength, and diversity of each project.


Security Code Audit and Pen Testing Process (Dave Huseby)

  • As part of 1.0 releases, engaged with several security audit firms to do a code review and pen testing to establish a floor, as well as have someone outside of maintainers look at the code.
  • Have connected with 3 vendors to provide this service and currently reviewing SOWs
  • Needed annually?  Dave: No, not necessarily.  Just want to be able to establish a baseline; then manage the changes and maintain integrity of code base.
  • Is “lines of code” part of the billing mechanism?  Dave: rough numbers is fine, they are trying to understand general volume, not billing per line of code.
  • Dynamic analysis vs. pen testing?  Dave: Dynamic analysis is part pen testing, but it is mostly fuzzing.  See how deeply they can penetrate. Can be translated into CI system.
  • When it comes to pen testing -- what are expectations for hosting environments?  Do projects need to set aside time for this? Dave: Depends on the vendor company we work with.  They will need to know how to set one up.
  • We’ve established that a code scan (and pen testing, ideally) is a requirement for projects going to 1.0.  It is important to fund from the Hyperledger side to both provide and independent audit and also to make sure all projects under Hyperledger umbrella get at least a baseline scan.  That said, we don’t want to introduce this as a hold-up right now for the projects imminently headed to 1.0.