Kimball: people didn’t know how to fill in some of the security requirement questions. What are you planning to do about it?
Jonathan: one thing we found valuable was looking at how the other projects had answered the questions, provided the best primer, especially if it’s a similar project. If there’s a project that’s close to getting to silver, just finishing up that project and publishing it so other projects can model themselves after it can be a valuable way to approach it.
Nick: don’t intend to relitigate the discussions, but would point out that we’ve covered a bunch of times the Gold requirements are probably not achievable, we threw caution to the wind in OpenEXR to pass the requirement of having a security expert, we don’t actually have security experts in order to exercise the system and get the project fledged. As a responsible participant, I would say that if we took a 3 hour YouTube seminar and got qualified as a “security expert”, that doesn’t fulfill the need from the requirement. So having that as a requirement puts an unachievable bar if we’re going to be responsible about it. So the requirements may not make sense.
Kimball: some of the requirements about encryption / SSL don’t apply to OpenEXR, some of the requirements are N/A to our projects. Maybe N/A doesn’t apply.
Nick: we could “fork” the requirements, “our” Gold standard could be the CII requirements minus specific problematic requirements.
Jonathan: there are no ASWF projects with Silver, the previous requirement was Passing, not silver.
Ken: what prevents us from setting up our own requirements? OpenVDB has been chasing down steganography, could be done in OpenEXR. That’s a legit concern specific to us. What can’t we define our own policy?
Scott: OpenAssetIO may need some of the other requirements such as proper SSL implementation, so we may need to think about what future projects may need to face.
JT (chat): Most ASWF projects, especially the early ones, are actually libraries and not full fledged user facing applications. The standards / CII requirements seem more geared towards the latter.
Erik Strauss (chat): our new Review Initiative will have full fledged end user applications, so it feels like some tiering by type might be necessary.
JT (chat); maybe agree to have an accepted list of specific N/A answers for ASWF projects. Also maybe some questions can be clarified in a similar way or maybe qualified with a context? This is kind of like putting addenda in the document rather than collected in the footer.
Scott: (chat) Would it be worth contacting the group that created the requirements and have a discussion with them to figure out what we can opt out of or etc? (JF comment): the “Further Background Info” document link has comments from the authors, and John Mertic has been going back to the others for clarifications to questions raised by CI WG discussions.
Sean: looking at OpenSSF best practices, there does seem to be room for criteria that are not applicable, as well as “must” vs “should”. Is there a path to Gold that can be met? Even the Musts have ability to opt out. There are criteria that allow the option of opting out, and some that don’t. Are these pathways there for a reason.
Kimball: that’s the ask: if projects have questions about some of the requirements, that’s what CI WG wants to know about.
Sean: is there a process for validating that a requirement is met? JF: was left to TSCs in the past. Kimball: we haven’t had a graduation review recently, so maybe that needs to be part of that process? Sean: would that be the only time this would occur? Kimball: could be done at project review time, a continuing checkpoint. Sean: would be useful for individual TSCs to “preview” an evaluation, would be great if the TAC could put eyes on it, instead of waiting for review time.
Sean: at AWS we have “security guardians” who are consultants who can help projects, does LF have something like that, or should TAC call out certain people as SMEs that can move between teams and help consult on the process, as opposed to everyone having to learn the same lessons.
Kimball: John is not here today, but we should bring it up with him. Andrew/Michelle? Michelle, we do have someone with those resources, but John would know best, so I’ll ask him directly.
Tony Micillota: DNeg contributions to OpenVDB? Ken: would it make sense to discuss this on OpenVDB TSC? Every Tuesday at 10AM? Tony: DNeg we had someone who was contributing a lot, but they left, we seem to have a highly customized implementation of OpenVDB, is there a reason it wasn’t merged back in? Curious on how to move forward on that. Ken: yes, the TSC would be the best place to discuss this, and would be great if you have someone you could designate as a TSC member. ASWF calendar for OpenVDB TSC meetings.
Larry: have we covered the CII badge requirements? Kimball: yes.
JF: larger runners are available. Andrew: open a LF ticket to try out, free until end of month. Ken: OpenVDB super excited about it, working very well. Larry: on OSL, recently set up analysis jobs, ordinary jobs are working inside ordinary runners, but analysis builds are long enough that we can’t make it pass of normal builds, have to run them nightly. For that one section, if we had a faster runner, we could make it part of every PR check without a 2 hour delay.
Andrew: we know the cost per minute, the question is what do we anticipate the usage to be. Can we get a feel for how much it would be utilized to get an idea of how much it’s going to cost. For projects using CodeBuild / Jenkins, usually takes 1-2 months to get a good idea of what the cost is going to be in the long run. Until we start getting charged and start getting info from GitHub on usage, while we get the beta for free, we don’t get usage stats. Kimball: Board manages the budget. Andrew: this would come from the Cloud resources budget, but don’t know how much that is, John would have a better idea. Kimball: we can delay this for a bit.