2020-10-02 Meeting notes

Date

Attendees

Discussion items

Review Kanban board

Time | Item | Who | Notes

Snyk follow-up

Julian will explore the CLA and send the message to the #developer channel.

The CLA has been approved and the message sent to the channel. We still need to decide which projects we want to set watches on. When Snyk runs from the web site it currently produces some false-positive reports for Java projects (when run from Maven it works OK); still looking into how to make it work properly. Julian will look at it, but it is not a high priority.


Review Security Issues | Team | Review Kanban board

Safe harbor, policies

Have sent the Safe Harbor Statement/Acceptable Use Policy to a lawyer at Duke for review. After agreeing to review, they declined to comment due to a possible conflict of interest (Duke being a contributor, participant and user of FOLIO). What next? Mike Gorrell to reach out to the OLF lawyer again for a quote.


Security Project/Jira cleanup

1) No progress on this item

  • Can the Security Project be setup so that new issues automatically set the Security Level to FOLIO Security Group PLUS the Creator (who might have additional context/etc)? 
    • Confirmed how to get this done - need to coordinate changes to permissions scheme and security scheme for the Security project with JIRA admin (some dependencies with other settings/projects).
    • Try to complete this by the next meeting

2) New Item:

https://folio-org.atlassian.net/secure/ShowConstantsHelp.jspa?decorator=popup#SecurityLevels lists these Jira security levels:


FOLIO has 3 Core Teams: Platform, Functional and Concorde, see FOLIO Developer Directory
@mdg Two security level descriptions are missing; can you add them?

In JIRA the security group "FOLIO Core Team" uses the "External Developer" group (which includes all developers in the project user group) for its list of members. In other words, there is presently only one list of developers actually referenced by that security group: all developers in the project, even though the name implies it is only the Core Team.

Do we need/want to have separate groups for all 3 core teams as well as the - No - make the JIRA security group reflect reality. Mike Gorrell to do this.


List of Personal Data | Team

Per our slack discussion and the Reporting SIG's request for the maintenance of a list of Personal Data, we need to recommend next steps.

Reference Articles 30 and 32 of GDPR

Recommend that the project maintain such a list and include maintaining it in each team's definition of done. Whenever a new field is introduced or an existing field is changed, Product Owners should consider whether it may be used to store Personal Data and update the list accordingly.