Attendees:

• Paul Baker paul.baker@modusbox.com (PB)
• Pedro Barreto pedrob@crosslaketech.com (PSB)
• Miguel de Barros miguel.debarros@modusbox.com (MdB)
• Johann Foley johannes.foley@sybrin.com (JF)
• Sam Kummary sam@modusbox.com (SK)
• Simeon Oriko simeonoriko@gmail.com (SO)
• Michael Richards Michael.Richards@modusbox.com (MR) (Chair)

Apologies:

• Godfrey Kutumela godfreyk@crosslaketech.com (GK)

Absent:

• Lewis Daly lewisd@crosslaketech.com (LD)
• Istvan Molnar istvan.molnar@dpc.hu (IM)
• Justus Ortlepp justus.ortlepp@gmail.com (JO)

Agenda:

• Review actions from previous meeting
• Issue 78: Upgrading node version to the latest LTS
  • Review of actions
• Issue 88: Preventing or Mitigating Open Source Supply Chain Attacks
  • LD to report back
• Issue 89: Mojaloop Code Signing using Helm Provenance and Integrity
  • Aime to present
• AOB

Minutes

• Issue 78 (follow-up from previous action item)
  • Under way
  • All core libraries migrated
  • Estimate 2-3 days per component. ~13 components currently outstanding…
  • Most of the time is in upgrading the CI-CD scripts
  • Do we have an ETA? Not yet, we will link to issues in GitHub.
  • Some additional follow-up items:
  • Some libraries have changed load strategies from CommonJS to EMS. Need to find alternatives, but this is relatively simple to do.
  • Some repositories quite difficult to upgrade and need considerable refactoring. Perhaps move to jest instead of tapes, or the new Kafka library which is part of vNext.
  • Some areas have high-security issues raise with no current fix or available patch. These are dependencies of dependencies.
  • MdB will create these as issues on the OSS backlog list.
• Issue 80 (follow-up from previous action item))
  • Plan is to listen to the Kafka event stream and pick up messages from that.
  • PdB: This is perfect
  • BS: what about other FRMS systems?
  • MR: identifiers are not the kind of personal information you need. We have a new item for KYC information, but it’s variable by scheme.
  • SK: we’re not including sending information back into Mojaloop. How would we do that? MR: via rules, Mojaloop calls Actio to see if a transfer is interdicted. Problem is, we’d have to do that for every (transfer? quote?) when only a very small number would be interdicted…
  • MdB: are you planning to process Kafka messages in batches or singly? Should be batches…

Actions:

• MdB will continue with node upgrade tasks
• MdB will raise backlog issues as appropriate to address problems with node upgrade
• JF will call for a vote on issue 80 and mark it as closed if no dissent.