Hyperledger Project
Technical Steering Committee (TSC) Meeting
Hyperledger Project - Technical Steering Committee (TSC) 06.15.17.mp4
June 15, 2017 (7:00am - 8:00am PT) via GoToMeeting
TSC Members
Arnaud Le Hors | |
Binh Nguyen | |
Christopher Ferris | Yes |
Dan Middleton | Yes |
Greg Haskins | Yes |
Hart Montgomery | Yes |
Mic Bowman | Yes |
Murali Krishna Katipalli | |
Richard Brown | Yes |
Sheehan Anderson | Yes |
Tamas Blummer | Yes |
Resources:
- Rocket.Chat: chat.hyperledger.org (you can use your LFID to login)
- Github: www.github.com/hyperledger
- Wiki: https://wiki.hyperledger.org/
- Public lists: lists.hyperledger.org
- Information on the TSC Members can be found at https://www.hyperledger.org/about/tsc
- Meetings: wiki.hyperledger.org/community/calendar-public-meetings
Hackfest Planning (Todd Benzies)
- Beijing Hackfest / June 19-20, register now / agenda (draft) wiki -- just hit 146 registrations!
- Future Hackfests
- Final call for US/East Coast preferred dates http://doodle.com/poll/e6qgduebztu3rvac.
- Europe -- October/November timeframe -- Todd to send Doodle poll
- Get in touch with Todd (tbenzies@linuxfoundation.org) if you have venue space in either location
Hyperledger Fabric drive to 1.0 (Chris Ferris)
- Cut a beta release last week.
- Intended to do weekly release cadence, but after discussion yesterday did not feel quite there with timing for another release.
- Need to fix some security bugs, improve documentation, get new process for publishing binaries and sample apps.
- Currently determining if ready for a release candidate or beta 2.
- Seeing good uptake -- the beta has been out for 1 week today and already has 400 downloads.
- Established a set of exit criteria that Fabric team is looking at for its 1.0 (other projects are welcome to leverage this)
- Starting to engage with license and crypto export scans
- Q -- talk more about non-Apache 2.0 dependency?
- CF: with Go, the dependencies need to be in Go path when you build binaries. Two ways to do it -- a) ask everyone that ever wanted to build to go install n dependencies in their environment b) vendor the dependicies (and have a dependency tree included in the repo). Go does not currenlty provide a means to dynamically create this. Working with Tracy/Steve on reconciling and will pull together a proposal for the best path forward.
Project reporting (Tracy Kuhrt)
- Tracy walked through the proposal & template
- Help keep TSC informed on progress of projects, and ensure some oversight (are regular releases happening, diversity of developers, etc.)
- Discussion
- Monthly could be too frequent, consider quarterly (or more automated updates monthly, with deeper dives quarterly, unless something in the dashboard shows as “red” and triggers more review)
- The focus for the TSC shouldn't be what can be automated, or what is easiest. It's what does the TSC need to follow about a project to be able to perform its oversight role adequately. If it doesn't, and we end up with a number of dead projects, it'll reflect poorly on the project and the TSC, and may tempt the Governing Board to have to perform that kind of oversight itself. Oversight somewhere is not optional.
- ACTION: Tracy to take this to the mailing list and try to capture the measures that we are looking for to be able to ascertain the health, strength, and diversity of each project.
Security Code Audit and Pen Testing Process (Dave Huseby)
- As part of 1.0 releases, engaged with several security audit firms to do a code review and pen testing to establish a floor, as well as have someone outside of maintainers look at the code.
- Have connected with 3 vendors to provide this service and currently reviewing SOWs
- Needed annually? Dave: No, not necessarily. Just want to be able to establish a baseline; then manage the changes and maintain integrity of code base.
- Is “lines of code” part of the billing mechanism? Dave: rough numbers is fine, they are trying to understand general volume, not billing per line of code.
- Dynamic analysis vs. pen testing? Dave: Dynamic analysis is part pen testing, but it is mostly fuzzing. See how deeply they can penetrate. Can be translated into CI system.
- When it comes to pen testing -- what are expectations for hosting environments? Do projects need to set aside time for this? Dave: Depends on the vendor company we work with. They will need to know how to set one up.
- We’ve established that a code scan (and pen testing, ideally) is a requirement for projects going to 1.0. It is important to fund from the Hyperledger side to both provide and independent audit and also to make sure all projects under Hyperledger umbrella get at least a baseline scan. That said, we don’t want to introduce this as a hold-up right now for the projects imminently headed to 1.0.