DevOps Mutualization : Automated Change Deployment Working Group

[mcleo-d]

Date

Thursday 10th June 2021 - 12pm EST / 5pm UK

Untracked attendees

Name	Firm	Comment

Meeting notices

• FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

• All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

• FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.

• FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

• Convene, roll call, welcome new people
• Display FINOS Antitrust Policy summary slide
• Review objectives of working group
• Discuss operation model and how to collaborate
• Review existing material that can be used as a starting point (for example this)
• AOB, Q&A & Adjourn (5mins)

Meeting Minutes

Roll call

• James McLeod - FINOS/LF
• Amol Shokla - Morgan Stanely
• Jon Stronell - Morgan Stanley
• Edward Dushak - JP Morgan
• Richard Wagener - CodeThink
• Tristan Maat - CodeThink
• Priti Yier - Wells Fargo
• Gus Paul - Morgan Stanley
• Anders Wallgren - CloudBees

Meeting

• intro/agenda
• reviewed antitrust policy
• Objectives of working group; we've had 4-5 banks discuss their approaches to DevSecOps, risk management, automated change deployment, controls, etc
• Working to develop shared understanding in the industry, can take back to regulators, individual firms
• Most member banks have presented their approaches, goal is to document approaches, want to try to figure approach that works for the group
• pen the floor; any questions/suggestions for how to work together?
• Frequently have to answer "what are regulatory expectations and how is MS doing against that?"
• Inventory of global regulations, built a database of requirements, map those to controls as represented in the technology, procedures & policies
• That becomes a "reg response kit" to use when regulator comes in for a review, for example
• Need to reverse-engineer what regulators want to implement them in real-life, distills down to a small set of risks regulators care about
• Can then show risk-by-risk what the approach is to mitigate each of them
• That "reg response kit" can be ready to share with other firms, expect to see large amounts of overlap with other firms
• Tooling may differ, but underlying issues won't
• Other firms can contribute to that kit
• What's the best way to have other orgs contribute to such an artefact? Shared document edited collaboratively?
• Break it down into a number of components, assumed requirements, assumed tools/controls
• Could be a good breakout for the regulatory innovation group - split regulator/technical to make it more consumable by different audiences
• Who will consume this document? Regulators?
• Yes, would want to take this to regulators, eventually. Initial audience might be internal regulatory groups; use it to build shared understanding
• What is the definition of "done" here?
• A shared document from the SIG about what a group of banks are doing to meet requirements
• In terms of how, break it down into sections and get different people to own the different parts
• As straw man, MS can start with our approach, put an outline to start, on github
• Members of the WG can contribute, perhaps using discussions, transition to SIG repository eventually
• All attendees except for perhaps WF have signed CCLA, will follow up with WF
• I'm w/FINOS so have access to all kinds of collaboration tools, but that may not be universal. How can we collaborate beyond just threaded discussions?
• Complicated...there are some internal options
• Does FINOS have anything?
• github seems to be a common central point of collaboration
• Private repo an option?
• For FINOS, yes, not sure about everyone else. Can't be in the main FINOS org, but could be in FINOS Labs, uses a different licence (DCO) - DevOps Mutualization : Automated Change Deployment Working Group #28 (comment)
• Easier to stage, spin up, destroy, etc.
• Is that an option for member banks? Diligence has been done on FINOS, but FINOS Labs is outside that process, may fall under a different governance - DevOps Mutualization : Automated Change Deployment Working Group #28 (comment)
• We've done that before, with private repository
• Need to stay within the comfort zone of our members
• Working with a proper (at least initially) private repo could make things easier
• For most banks this may be the easier way to collaborate between banks
• Members would be from the SIG WG
• We would have history in the private repo, is it OK to publish that later?
• Someone?
• We could purge the history before publication/capture the state at that time?
• Perhaps start out with discussions (files can be attached there), transition to repo when needed
• Will investigate approach to using private repository
• Within MS, private -> public repo would be easier to explain, as compared to getting access to Google Docs, Office365, etc
• Should we have a monthly tracking meeting or just be async?
• Good to have some milestones/deadlines to drive progress
• If the SIG is the hub of what we do, which has a monthly call, a rep from each WG can do an update in that call? Use the SIG call as a checkpoint?
• Should we start with async and evolve?
• Tristan might have feedback
• Monthly call makes sense, helps bring people together
• We can have a call week prior to SIG to sync up
• There is a SIG call next week, any volunteers?
• I can summarize where we are, invite others to join & collaborate
• Any other advice from Cloud Cert WG?
• We quickly migrated to an agile approach, using PRs, etc.
• CCWG uses a backlog, meets on the same type of cadence as here, might be early for this WG, might be good to start with sync approach until it has some momentum
• Do we have enough actions from today to proceed? Anything else to discuss?
• Could start with an outline view of the intended document, can start discussion on private repo, work on TOC
• Do we have a slack channel?
• we can, but difficult for MS
• Any other business?
• Adjourned

WebEx info

Webex: https://finos.webex.com/finos/j.php?MTID=md645f2e089c5088b875e491d1a05df50

Dial-in

• US +1-415-655-0003 US Toll
• UK +44-20319-88141 UK Toll
• Access code: 127 519 7653

Github Repo: https://github.com/finos/devops-mutualization/

Mailing List: Email devops-mutualization+subscribe@finos.org to subscribe to our mailing list

[TLATER]

p/ o/

[awallgren]

Hello everyone!

[mcleo-d]

Hello

[RichardWagener365]

Hi

[p-iyer]

Hi

[edushak]

Hi

[awallgren]

Meetings notes added, feel free to correct/clean up

[mcleo-d]

Meetings notes added, feel free to correct/clean up

Thanks so much @awallgren! 🚀

[github-actions]

Couldn't find the following GitHub usernames on file: @p-iyer . /CC @aitana16 @maoo @mcleo-d

[mcleo-d]

Hi Team,

This is to confirm the DevOps Mutualization : Automated Change Deployment Working Group private repo has been created on FINOS Labs and can be accessed by invitation below ...

https://github.com/finos-labs/devops-mutualization-automated-change-deployment

James 🚀

[mcleo-d]

The next DevOps Mutualization : Automated Change Deployment Working Group session has been scheduled for Thursday 29th July 2021 - 12pm EST / 5pm UK with call details found in the issue below.

DevOps Mutualization : Automated Change Deployment Working Group - Thursday 29th July 2021