[TOC Meeting][Public] 2024-11-05 - TAG Updates #1429

Closed
mrbobbytables opened this issue Sep 8, 2024 · 3 comments

@mrbobbytables
Member

mrbobbytables commented Sep 8, 2024

Host: @angellk
Note Taker: @TheFoxAtWork

Recurring Items

Agenda

TOC Attendees

  • Emily Fox
  • Karena Angell
  • Ricardo Rocha
  • Dave Zolotusky
  • Cathy Zhang
  • Dims
  • Duffie Cooley
  • Lin Sun
@mrbobbytables mrbobbytables converted this from a draft issue Sep 8, 2024
@mrbobbytables mrbobbytables changed the title 2024-11-05 - Agenda - TAG Updates [TOC Meeting][Public] 2024-11-05 - TAG Updates Sep 8, 2024
@riaankleinhans
Contributor

@TheFoxAtWork
Contributor

Quick reminder:
@jberkus @CathPag @geekygirldawn
@PushkarJ @mnm678 @eddie-knight

@angellk angellk self-assigned this Nov 4, 2024
@TheFoxAtWork
Contributor

Notes for today:
Karena was our facilitator.
General Housekeeping - LF Anti-trust policy, CoCC reminder
Review of the backlog - TOC members, please review the backlog to identify if projects are ready to be picked up by TOC members. Most common outstanding issues are security self-assessment and adopters listing.
Skipping the TOC work board - the TOC will have substantial changes during KCCN.

TAG Contributor Strategy updates, Catherine Paganini

  • Still collecting updates from the groups, the doc will be updated as they come in
  • Deaf Awareness Month activities
  • Contributor Growth and Maintainer Circle is on hold - actively recruiting
  • LFX Term 3, Google Summer of Code, CNCF mentoring program
  • Submitted a mentor/mentee workshop in for KCCN London, designed to pair marginalized and underrepresented engineers with existing community members.
  • KCCN SLC - lightning talks, open space discussion, Sign language course (check out the DEI Community Hub) More activities here
  • New BIPOC Initiative - first community meeting and a second is scheduled for later today
  • BVI - blind and visually impaired initiative, looking for more members; may be a platform access issue.

Questions:

  • Any sponsoring for these kinds of activities, and any KCD DC's that included these accessible elements?
    • The guidelines for accessibility are a great resource: https://contribute.cncf.io/accessibility/deaf-and-hard-of-hearing/
    • Google slides have live captioning (requires you to be close to your laptop)
    • Live captioning is expensive
    • KCD UK had accessibility working
    • We really need a cost-effective solution for live captions that considers networking with others (an area where live captioning doesn't exist)
    • Sponsors to cover the cost of interpreters would be ideal.

Calls for Contribution:

  • Contributor Growth Working
  • Maintainer Circle
  • BVI Working Group

TAG Security updates, Marina Moore

  • Currently only have 2 chairs, lots of technical leads but they are not interested in pursuing Chairship
  • several upcoming whitepapers
  • 2024 roadmap is in the phases of closing
    • Supply Chain Whitepaper v2 will drive updates to the Controls listing
    • automated governance reference architecture maturity model in the works
    • Zero Trust whitepaper is wrapping up, reviews still needed
    • the Japanese translation of the Cloud Native Security Whitepaper V2 is near complete
    • Compliance WG is official!
    • TAG reviewed all their TAGs - made sure they had a designated lead and a tag leader assigned (someone who knows what is going on) https://github.com/cncf/tag-security?tab=readme-ov-file#working-groups is a nice table that shows this.
    • Trying to set up an APAC meeting again, 1 tech lead is organizing and pulling this together, several workstreams in that region as well
    • Ongoing Assessments - Dragonfly is in the works, OQS Providers (First non-CNCF Project assessment)
    • TAG Security has a KCCN Kiosk, the goal is to share a lot of the whitepapers
    • Skipping the security slam for 2024 but is scheduled for KCCN India, pushing to 2025, the leadership team was asked to hold off due to transition away from clomonitor. Clomonitor is used to track progress towards a project's goals in the security slam. There are a lot of metrics out there, but what demonstrates how to improve project security? Ideally, the Security Baselines joint effort with OpenSSF and the corresponding probes would assist in measuring and tracking those improvements.

Questions:

  • Does TAG Security extract highlights or common issues from projects that engage in assessments?
    • because we create groups per project, there isn't sufficient continuity to pull that together
    • we've noticed projects disengage after they request a joint-assessment, the true value of this process comes in the back and forth exchange with the project
  • Clomonitor going away? LFX Insights? Could someone confirm which is which and when things move?
    • LFX Insights uses CLOmonitor today, but is looking at the OpenSSF scorecards. We’ll get the latest plan for you by next meeting.
  • What working groups were spun down?
    • Cognitive top ten and at least one other group spun down.
  • From your experience with the process, do you have lessons learned or insights that would benefit other groups looking to do the same review?
    • be well organized, get community feedback, make sure things are meeting actively once you've defined a point of contact. What they hope will make it sustainable is that there is always a point of contact.

Reminders:

@angellk angellk closed this as completed Nov 19, 2024
@github-project-automation github-project-automation bot moved this from New to Done in CNCF TOC Board Nov 19, 2024
@github-project-automation github-project-automation bot moved this from Oct-Dec to Jul-Sep in TOC Calendar Nov 19, 2024