
OSS Supply Chain Working Group Jan 16 2023 #173

Closed
11 tasks
robmoffat opened this issue Jan 16, 2024 · 4 comments

Comments

@robmoffat (Member)

Date

Tue 16 Jan 2024 - 9AM EST / 2PM UK

Untracked attendees

Name Firm Comment

Meeting notices

  • FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

  • All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

  • FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.

  • FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

  • Convene, roll call, welcome new people
  • Approve previous meeting minutes
  • Review DevOps SIG project board
  • Add Items Here
  • AOB, Q&A & Adjourn (5mins)

Decisions Made

  • Decision 1
  • Decision 2
  • ...

Action Items

  • Action 1
  • Action 2
  • ...

Zoom info

Join Zoom Meeting

Github Repo: https://github.com/finos/devops-automation/

Project Board: https://github.com/orgs/finos/projects/33

Mailing List: Email [email protected] to subscribe to our mailing list

@robmoffat (Member, Author)

Rob / FINOS 🔸

@karlmoll

Karl Moll / FINOS

@mimiflynn (Member)

Mimi Flynn / Morgan Stanley

@robmoffat (Member, Author) commented Jan 16, 2024

Minutes

1. Discussed Agenda for Feb.

JM: Would like to get Brian Ingenito along to talk about his work on SBOMs.
MF: Has invited him.

2. LLM Models - Intersection with Supply Chain

JM: Would like to find someone to speak about this subject. Increasing volume of email / queries about this.
MF: Was in SPDX / CycloneDX / SBOM meetings, they're talking about this issue too. They had an SBOM implementer from Dell talking about the hurdles they're hitting.
RM: Discussed that this is being discussed at TOC, FINOS Board and finos/open-source-readiness#226
RM: "Manchurian candidate" scenarios - AI trained with back-doors.

3. Deliverables for the Year

JM: Would like to deliver:

  1. Documentation specific to highly-regulated environments, somewhat like OSR/OSFF.
  2. A repository of known good OSS components would be too much and not that useful, but instead, amalgamating meta-data from different sources to produce a scorecard for a piece of software. Might include things like:
    • Tidelift
    • End-of-Life data (see Nov meeting. This is being added to the SPDX spec). Using old code is a problem.
    • JFrog etc. has CVE reports.
    • Ideally, a single source that can be maintained, useful to everyone. "Making data actionable." A service with an API.
  3. A "Getting Started" reading list.

RM: Mentioned https://osr.finos.org/docs/bok/Activities/Level-2/Supply-Chain-Security which could do with a review.
