2021-04-30 Meeting notes

Date

Attendees

Discussion items

Time | Item | Who | Notes

Agree on a new meeting time/cadence | Team

Decided to move the meeting to 11am every Friday for 30 minutes. Mike will send the updated meeting invite.


Review Security Team Charter and Processes | Team

Review the document that led to the group's formation, discuss our processes and effectiveness to date.


Actions:

  • Created a team charter - need to review/tweak as necessary (including sub-bullets)
  • When we are asked to approve designs, changes, etc., we are able to provide our opinions, but we are not an "approving" body.
  • We should recognize when we need to identify an individual to "own/drive" issues.
  • Need to ensure we revisit security issues after their initial review - perhaps set aside one meeting per month for this sole activity
  • Need to document our discussion of each issue

Review discussion on GitHub membership requests | Team

Per email discussion:

When a dev needs to be added to a GitHub team, we need that request to come from a known party, e.g. another dev or a PO, who can vouch for them. It is difficult/impossible to vet these requests independently. 

Can we just announce this as a policy at the Tech Leads meeting tomorrow? Probably we need a “guideline” document at dev.folio.org or a page on the wiki. Alternatively, since this feels like a security policy, should the security team own this, vet this, be responsible for announcing and documenting this, etc.? Whoever the owner is, there is a strong desire from DevOps to keep the policy really simple.

Our thoughts are:

  • Seems reasonable to ask POs or Tech Lead to approve the addition
  • Is this a Security issue or a Tech Council (process) issue? Security Team makes the recommendation to the TC - who issues the policy

Review open Security issues | Team

Review the Kanban board

Axel to provide a summary of SSO issues and a recommended path forward.