2019-10-02 Meeting notes

Date

Attendees

Discussion items

Time / Item / Who / Notes

Item: Progress Check - Definition of Done (5 min)

  • Common DoD items - to be included in each individual team's DoD. Mark is reviewing the guidelines that the TC came up with and each team's DoD. Not all teams are consistent and not all teams have posted their DoDs. Mark will be summarizing and categorizing: some items will be "required" and others "aspirational". We may need to establish certain standards (e.g. logging, instrumentation). Mark will need a few more iterations; we can check back on progress weekly. Mark will share the doc within the next two weeks.
Item: Reporting and visibility of zero-day bugs (Who: All)
  • The situation is when a security vulnerability has just been "discovered"
  • Discuss how this should be handled
    • Who should be able to see these?
    • When are details made public, etc.
  • Ian Walls shared the Koha model:

    "The Koha community has the following procedure posted:  https://koha-community.org/security/.  Essentially, they define a Security Team of release managers/maintainers and other folks known in the community (many of whom have assumed those roles in previous releases).  Issues are filed into a separate project, presumably with tighter access controls.  Once the fixes are made, they're backported into all supported releases, and the community is notified to install the latest updates to their current version."

Proposals/options:

  • There should be a security team for FOLIO who can review and assess impact ('blast radius')
  • That team decides things like
    • how public/private the details of a vulnerability are
    • urgency of action
    • soliciting input on the specific actions to be taken
  • Determine what the communication channels and timings are for all activity
  • Likely a private/closed list for production installations to receive information about vulnerabilities
  • Establish a public policy for security/vulnerability patches
  • Also determine which releases are supported going forward.
  • ACTION ITEM: Need someone to dig into this and work with a qualified group of people to establish a policy outlining how these will be dealt with. Craig volunteers to get this started.


Item: Security Issues - Releasing fixes (Who: All)
  • There were a bunch of security issues created last week, with varied priority.
  • When will these be released?
    • Part of Q3.2?
    • Wait until Q4?
    • Possibly a Q3.3 security release?

Need to get Jakub's input. The feeling is that we need to create a Q3.2.x security release. Need to also account for backporting (and its timing).

(Side note: we need to decide on a better way to label/name/number releases, as well as how to determine the policy for prior releases and which of them will be supported.)


Item: Update on DEBT-6 (Who: All)

Performance and Longevity Testing update. From last meeting:

How can we break this problem up?

  1. Environment - Core Platform
  2. Defining the test scenarios (which tests, how many of each, what data is needed, how big a dataset, etc.) - likely a community product owner-type role
  3. Building the tests themselves - Core Functional (?). Some teams have created sets of JMeter tests; these may be useful too. It would be helpful to leverage all teams to build these tests.
  4. Collect and/or create data to be used - Mike and Tod to query Sys-Ops; potentially need to augment and/or curate additional data. Harry K might have a standard set of users.
  5. Identifying which tools can be used to profile the application so that we can assess the results

Updates:

  1. Mike Gorrell to speak to Jakub Skoczen about creating tickets for this
  2. Tod Olson has collected some scenarios from the community. Will share with Mike Gorrell
    1. Siska offered that Chalmers could share their Circ and Acq scenarios.
    2. There was a request to also exercise mod-user-import, add/update 80,000 users,
    3. No other specific scenarios were offered.
    4. Additionally, Chicago would be able to draft some concrete scenarios.
  3. No update
  4. Tod Olson is investigating what data sets U-Chicago and others might be able to contribute.
  5. Mike Gorrell will have a set of tools for review/discussion by October 16th meeting.


Action items
