Meeting Agenda for 25 Oct 2022

Antitrust Disclaimer

Attendance

Attendance is taken purely upon #info in Zoom Chat

Agenda Items	Presented By	Presos/Notes/Links/
Welcome	Ben Courliss
Progress on Open SSF Badging	Ben Courliss	https://bestpractices.coreinfrastructure.org/en/projects/4300 Question: does scanning/analysis software done by IBM internally count?
Discuss Lab disk issues	Joseph Pearson
All-in-one Mongo DB issue	Joseph Pearson
Q/A and Wrap up	Anyone

Build process discussion for OpenHorizon Artifacts. Need holistic view of process documented and issues created in order to make progress.
Ben Courliss Investigate Anax changelog script - https://github.com/open-horizon/horizon-deb-packager/blob/master/Makefile#L56
Ben Courliss Create some issues around implementing VERSIONING and CHANGELOGS
Ben Courliss Create issues for release notesLook into what the EdgeX Foundry does for their release notes. There may be a GitHub Action available to reuse.
Define plan on how to address security vulnerabilities.
- Maybe have a wiki page to start with - Akraino and EdgeX Foundry wikis may have something we can base off of
  - https://github.com/lf-edge/edge-home-orchestration-go/blob/master/.github/SECURITY.md
- Have TSC members (WG chairs) on private email list where users can submit vulnerabilities
  - Speak with Kendall who may have started to create this list via groups.io
- Potentially look at using Syft to output a CycloneDX or SPDX file that can be joined with a CVE database to produce a vulnerability report from images
  - https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html
TESTING.md to address testing policy for new functionality (required unit tests, etc)