DevOps Automation SIG Meeting - March 20 2025
Date
Thursday, March 20 2025 - 12pm ET; 4pm UK
Untracked attendees
| Name | Firm | Comment |
|---|---|---|
Meeting notices
- FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.
- All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.
- FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.
- FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
Agenda
- [x] Convene, roll call, welcome new people
- [x] Approve previous meeting minutes
- [x] Standard approach to SDLC/change controls - repurpose the existing Automated Change Management working group to work on this - Aaron Searle, @ashukla13 Toby Weston, @meekrosoft
- [ ] Defining standardized approaches for automated controls and change management automation
- [ ] Shared specs for audit trails and compliance documentation
- [ ] Potential reference implementations that illustrate best practices
- [x] Working Group updates
- Code Evolution at Scale - @masterkhal @mgasca
- Backstage - @cnygardtw
- [x] Using LLMs for OSS dependency cluster analysis - Cyberframe
- [x] AOB, Q&A & Adjourn (5mins)
Decisions Made
- [ ] Decision 1
- [ ] Decision 2
- [ ] ...
Action Items
- [ ] Action 1
- [ ] Action 2
- [ ] ...
Zoom info
Join Zoom Meeting
- https://zoom.us/j/94904595244
- Meeting ID: 949 0459 5244
- Passcode: 545224
- Find your local number: https://zoom.us/u/aesEqmNODb
Github Repo: https://github.com/finos/devops-automation/
Project Board: https://github.com/orgs/finos/projects/33
Mailing List: Email [email protected] to subscribe to our mailing list
Amol Shukla/Morgan Stanley
Matthew Bain / Morgan Stanley
Miguel Gasca / Morgan Stanley
Karl Moll / FINOS
Khalid Elsawaf / Morgan Stanley
Tobias Heldt / cyberfame.io
Mike Long / www.kosli.com
Tabea Uthmann / cyberfame.io
Evolution @ Scale use cases - https://github.com/finos/devops-automation/issues/235
Toby Weston / Deutsche Bank
PR for proposed input/output change to the Governance Framework (moving away from architecture only) involves collections of threats, risks, and controls, leading to an open testing suite which could be brought to regulators (eventually). Potentially useful for the SDLC group for governance: https://colineberhardt.github.io/ai-readiness-fork/
- Reviewed previous meeting minutes - approved.
- Discussed repurposing the Automated Change Management working group to focus on a standard approach to SDLC/Change Controls. The issue agenda details the intended new focus of the group and the proposed new leads.
  - Update cadence to twice monthly: already scheduled on the second Tuesday of each month, add an additional meeting on the fourth Tuesday of each month.
  - Aaron & Toby introduced themselves and their aspirations for the group.
  - Takeaway to discuss the CALM Controls framework and whether it would be useful for some of the objectives of the SDLC standardisation and specification.
  - Mike Long asked for an overview of the controls framework and was pointed to the CALM talks; takeaway to arrange an intro to CALM at a future DevOps Automation WG.
- Working Group Updates
  - E@S
    - Khal - the group has started to collate use cases (see comment above)
    - Miguel updated next call #240
    - Mike Long asked if the scope of the group included things like IaC and delivery pipelines; Khal confirmed it does. Karl highlighted the overlap with CFI and how the group can help inform that project.
  - Backstage
    - Working on implementing an instance to run in FINOS
    - Discussions continue; once ready, Karl to propose to FINOS / TOC how this should be hosted / where it will live / etc.
- Continued the prior meeting's conversation on OSS dependency risks
  - Tobias shared the following:
    - https://www.bleepingcomputer.com/news/security/supply-chain-attack-on-popular-github-action-exposes-ci-cd-secrets/
    - https://www.bleepingcomputer.com/news/security/github-action-hack-likely-led-to-another-in-cascading-supply-chain-attack/
    - https://github.com/advisories/GHSA-7x29-qqmq-v6qc
  - Asked whether participants had seen their security practices / posture change over the past two years.
  - General consensus that things have continued to improve, with integration into SDLC pipelines.
  - Mike added that one of the risks isn't just the use of OSS dependencies but injection into the build pipeline.
  - Tobias shared a diagram showing some supply chain attacks and how they executed, highlighting that the attack originates outside the organisation but gets brought in.
  - Agreed that Cyberframe will plug in to the rejuvenated Automated Change Management WG and help bring the OpenSSF perspective on how we need to increase the security of our build pipelines.
Emailed [email protected] to request the Automated Change Management WG to be scheduled on the fourth Tuesday of each month in addition to the second Tuesday as agreed.
@tobyweston / @aaronsearle can I ask you both to take a look at the existing Automated Change Management WG page and consider how you would like to update it to better reflect the intent and objectives of the group as it is re-org'd.
You can see some examples of other groups in the current E@S and former AasC pages.
Please raise a PR against this page with your proposed changes.
@aaronsearle I have sent you an invite to the SIG maintainers group. @tobyweston I can't invite you as you're not yet a member of the FINOS GitHub org, if you let me know once you've been through your firms process to get onboarded then I can add you too.
@rocketstack-matt Do you know if the new schedule will already start this month with a meeting next week, or will this be from April going forward?
I'll update here once I hear back.
@meekrosoft / @tobyweston / @aaronsearle - we've realised that a second monthly meeting on the Tuesday at 11:00 EST will clash with the monthly Architecture as Code WG, which will likely have attendance overlap.
@ashukla13 and I are inclined to move the Automated Change Management WG to 10:00 EST for both monthly occurrences to avoid this. Can you confirm whether this works for you before we make the change?