MPQS Meeting Minutes 2021-03-03 9:30 UTC


  • Godfrey Kutumela (GK)
  • Pedro Baretto (PB)
  • Victor Akidiva (VA)
  • Samuel Kummary (SK)
  • Miguel De Barros (MB)
  • Lewis Daly (LD)
  • Aime Bukassa (AB) - Absent
  • Tom Daly (TD) - Absent
  • Michael Richards (MR) - Not an attendee.


  1. Weekly progress review - MPQS Zenhub Board
  2. AOB


  • GK highlighted progress of Stories as below:
  1. #1792-Perform WhiteSource License and Security scans: The scans were completed.
  2. #2028 - Add a signature verification function: AB is progressing with microservice testing. Once successful AB will add encryption / decryption functionality.
  3. #2029 - Define business/functional requirements for logging: Ongoing. Pedro and GK are working on it.
  4. #1879 - Minimize the number of repos: Task is blocked as team awaits output from PB. Pedro to complete this coming week.
  5. #1949 - Mowali Compliance - GK updated they were responding to queries by MB. GK will schedule a meeting with Mowali team to review their requirements…
  6. #2055 - Deploy Mojaloop to MPQS lab: Lab fully setup and security testing ongoing as per stories. VA updated that there was a request to deploy IAC to the lab which needed updates from Sam and Warren. VA is to create stories related to testing including IAC and have them in blocked where applicable.
  7. #2051 - Review NIST special publication: GK updated that he completed reviewing NIST 171 and identified some areas which are applicable to Mojaloop operations. He will proceed with reviewing NIST 172 next week. GK Updated the task is almost complete.
  8. #2074 - Secure Kubernetes Network Deployment: GK updated that TD is testing K8 network security policies locally on Miniloop. GK to have weekly updates with TD.
  9. #2064 - Explore solutions for dependency confusion attack. LD updated task in progress and team is reviewing Microsoft recommendations. There are discussions on slack over product vs library level licensing which are ongoing. PB enquired what happens when licences change and Mojaloop picks subsequent versions based on package update process. LD said licence scans would pick such. There was a review of SDK using “@internal” dependency but this was determined not to be an issue.
  10. GK gave an overview of blocked stories to the team.

Meeting ended at 13.15