❌ Security and License Checks
TBD, 4mo ago
13 Replies

ALR, 4mo ago
I've been working through this. Will continue for the next several hours, and each day this week. Here's what I'm seeing, and my plan. If this isn't sounding right to anyone, please holler.

The short version:
* Yes, the non-required checks for license and security are failing.
* We don't want to interrupt forward dev so, until addressed, the checks are non-required and shouldn't block merge etc.
* And YES, this is unclear because of the "Big Red X on the builds" problem.
* So I'm keen to address it, and that's the focus of my goals this week.
* "Addressing it" requires fixing problems one by one in the entire stack - JS and Kotlin, Security and License, until everything is green.
* So please keep ignoring the "Big Red X" unless @leordev and @finn-tbd can find a way to at least calm the "Big Red X" into something ignorable.

The details:

Security
* I just got the Version Alignment PR upstream for web5-kt. This gives us consistent versioning for all subprojects of web5-kt.
* So now I can start from the bottom of the dependency tree up, and start addressing security vulns. "Bottom up" means in order: web5-kt, tbdex-kt, developer.tbd.website.
* There's also stuff going on with the JS suite of impls and I'll work with the upstream teams to put focus on that. Will file issues for those and advocate for their fulfillment.
* @dayhaysoos-tbd - we also have some direct dependency issues on developer.tbd.website. Will you please look in Snyk and FOSSA for the security issues flagged directly by the Dev Site (i.e. not brought in via Web5/tbDEX JS/Kotlin)? Ping me if you need help accessing this info, else I'm sure @leordev can give you orientation into these services.

Licensing
* I have been working with Legal on a set of license policies in our FOSSA scanning service. They're very close. As soon as I get a ✅ from Legal, we'll apply those new policies into the appropriate codebases.
* Those new policies should turn most, if not all, of the license checks green. Again, from the bottom up - web5-kt and web5-js first, then tbdex-kt and tbdex-js.
* Again, @dayhaysoos-tbd - I'm seeing some direct license alerts related to developer.tbd.website itself, some brought in via Docusaurus. I'll draw up a license policy for the Dev Site which is likely different from those used by our SDKs, and clear that with Legal too. Anything that we can't address through the new policy, we'll have to address manually.

@techgirl1908 So you and others have a comprehensive view of all issues needed to get to ✅, I've created a filter on a Project Board to track all of this work across upstream projects and the Dev Site. Will be populating that with inventory starting tonight.
Unknown User, 4mo ago: [message not public]

ALR, 4mo ago
I know it's a lot. This will be great when done - hardened tech stack and clean, green slate for PRs and builds across projects.

End of night summary:
* I've cleared web5-kt of security vulns identified by FOSSA. This PR is in the hands of the upstream team now.
* Snyk is still angry about some stuff, and there aren't upgrade paths to solve 'em.
* Checks are still red because the security stuff and license stuff are run together and I haven't addressed license yet for web5-kt.
* Tomorrow is another day.
* @leordev, I opened an issue about FOSSA checking on the Kotlin testsuite on the dev site.
Unknown User, 4mo ago: [message not public]

ALR, 4mo ago
Update on sec vulns. I have fixes pending and will coordinate their merges and releases with @jiyoontbd. This will make the sec vuln checks ✅ for both web5-kt and tbdex-kt.
* Licensing checks will still fail, so red X on Kotlin projects will continue until I take that on next. But: progress!

Board for this work (scroll to right to see the bulk of what I've inventoried so far, "In Review" and "Done").

Because I have to prioritize Artifactory as urgent, I need to hold off on the license work I had hoped to get over the line this week. Details here. cc: @jiyoontbd @devRel
^ Means a bit longer to get green checks; thanks for bearing with ^

@dayhaysoos-tbd Can we #adhoc-huddle when you're available to go over sec and license stuff for the Dev Site? I've been handling the Kotlin suite first and there are also JS things I'd love your perspective on tackling.
Unknown User, 4mo ago: [message not public]

ALR, 4mo ago
Yup, when you're free
Unknown User, 4mo ago: [message not public]

ALR, 4mo ago
@dayhaysoos-tbd Yeah! In Slack, got private screens to share 🙂
Unknown User, 4mo ago: [message not public]

ALR, 4mo ago
Commented on PR; thanks @dayhaysoos-tbd!

With the sec/license issues resolved in the upstream SDK projects, I'm putting my attention on the dev site. Admittedly I'm less awesome at this as it's the JS ecosystem. @dayhaysoos-tbd I've started tracking this work in https://github.com/TBD54566975/developer.tbd.website/pull/1271. One of the upgrades I've done to vite is resulting in pnpm test:browser hanging/failing. I set some time with you tomorrow to review; maybe you've got hot ideas why this upgrade is making the test harness time out and how we can resolve.

Get those flowers ready, @techgirl1908. 🪻 This PR clears all sec vulns in the dev site. @dayhaysoos-tbd Let's see if we can get the Docusaurus v3 upgrade into main, and then I'll be able to get us to ✅, full stack, all the way from Web5 to tbDEX to Dev Site.
ALR, 4mo ago
PR checks, if rebased on main, should be ✅ from here on out. Thanks for your patience, y'all. Because of this piloting of our scanning services, our stack is protected. There are details to sort through, and @leordev and I will keep fine-tuning. As of today the TBD ecosystem is all set on license and sec vulns for tbDEX 1.0.
Unknown User, 4mo ago: [message not public]