2020-01-08 Meeting notes

Date

Attendees

Discussion items

Time | Item | Who | Notes

15 min | Security Audit question

Review plan for security audit and discuss suggestion raised by a core team developer: it might be best to first identify the most security-related parts of the existing code (e.g. Okapi or RAML Module Builder) and to initiate a manual security review of them by the team. The idea is to get the most out of the external security audit afterwards and to avoid the audit reporting facts that are already known.

Note that the plan is for the audit to start in early February. After discussion, we think that, given resource unavailability and the value of an independent 3rd party documenting a comprehensive assessment, we should stick to the current plan. Note also that we still need to nail down the details of which environment to use and which resource provides access and answers questions for the vendor. Mike, Mark and Jakub will consider outside of the TC meeting which environment(s) and/or resources make the most sense.

10 min | FOLIO Security Policy

What are the next steps for the Security Doc that has been approved by the Tech Council?

https://docs.google.com/document/d/1H5hLpqEuneZ3_bEVYS5LZaNBm31xbSl4dwCoydKDFLw/edit#

Next steps: 

  1. We need to provide guidance and some notion of "safe harbor" so that people can feel free to report bugs/problems and not be concerned with legal implications. The thinking is that this should come from the OLF. Should be done by OLF Legal Council. Mike to raise with Ginny Boyer for action.
  2. Need to define the support policy in terms of which versions will be supported and addressed with this policy. Should be defined by the Product Council - ideally completed by March 31, 2020. Mike to raise issue with Jesse.
  3. Need to define the process by which this group is selected. This is not an honorary role - this is a commitment and work will need to be done as soon as issues come up. Will be dependent on any new FOLIO governance structure.
  4. Create a presence for security, including a place for this document to live so that it's public and available, and so that the contacts, reporting methods and email addresses to be used are clear, as well as how the members may (or may not) be mentioned, contacted, etc. Should be done by the (new) team.
  5. Ideally target July 1, 2020 to have these completed


30 min | WOLFcon TC

Review WOLFcon Agenda:

  • Dev Communications best practices - Zak and Jakub to coordinate to host this meeting
  • Architectural Blueprint - facilitate discussion on specific topics - Vince to take lead in hosting this meeting
  • Tech Debt - What is the latest status and most critical items that need some decision by PC? Mike to take the lead in prepping for this session
  • Open Forum - Tech Governance - TBD who facilitates this meeting.

Agreed to review plans at next week's meeting.