# Veraison go-cose Community Meeting Notes ###### tags: `go-cose` - Bi-weekly on Fridays 8:00-9:00 pacific time See below for the next scheduled meeting and proposed agenda Links - [GitHub](https://github.com/veraison/go-cose) - [Zoom Dial-in link](https://us02web.zoom.us/j/81054434992?pwd=YjNBU21seU5VcGdtVXY3VHVjS251Zz09) - [Calendar/ics](https://zoom.us/meeting/tZUtcu2srT8jE9YFubXn-lC9upuwUiiev52G/ics) - [go-cose-community email distribution group](https://groups.io/g/go-cose-community) - [YouTube Recordings](https://www.youtube.com/@go-cose-community3000) **Note:** Template for copying at the bottom of the note. - Agenda items must identify the (owner) of the item ## March 8, 2024 ### Attendees: - Steve Lasker - Orie Steele - Henk Birkoltz - Yogesh Deshpande - Roy Williams ### Agenda Items: - Triage issues and PRs - Discuss release of 1.2, documenting the process before the next release - Steve can focus on the release process post 119 - Orie: Discuss typescript support for cose, possibly added to the veraison project - Proposal to add a typescript-cose repo - For licensing, decision to use MIT license for the new repo - _add your topics_ ## January 26, 2024 ### Attendees: - Steve Lasker - Orie Steele - Henk Birkoltz - Thomas Fossati - Yogesh Deshpande - Roy Williams ### Agenda Items: - Support for CWT Claims - Add to veraison/go-cose - Add a new sub-project project for go-cwt - Orie: similar to: https://github.com/panva/jose - Orie: proposal to add a few header properties for CWT_Claims, for SCITT Support ### Notes: - _meeting minutes_ ## October 6, 2023 ### Attendees: - Steve Lasker - Orie Steele - Quim Muntal - Henk Birkoltz - Hannes Tschofenig ### Agenda Items: - [PR: Validate content type header parameter #176 - merged](https://github.com/veraison/go-cose/pull/176/files) - [Issues](https://github.com/veraison/go-cose/issues) - Triaged issues - Created v1.2 milestone - Closed v1.1 milestone - Cut release 1.2 - Defer CWT_Claims addition to 1.3 - Release Policies - Folders for release polices - Minor releases are reviewed by maintainers - Major release followies the same policies as minor - We may do a third party audit, and would require it to be published before the release - We reserve the right to not do the audit, if the maintainers believe the costs of the audit aren't justified based on the capabilities added ## September 8, 2023 ### Attendees: - Steve Lasker - Orie Steele - Yogesh Deshpande - _add yourself_ ### Agenda Items: - Review issues/PRs - Waiting for some updates to the existing issues, but no known blockers giving time for folks to prioritize go-cose and other work. - _add your topics_ ### Notes: - _meeting minutes_ ## August 25, 2023 ### Attendees: - Steve Lasker - Roy Williams - Orie Steele - Quim Muntal - Henk Birkoltz ### Agenda Items: - [Upgrade fxamacker/cbor to v2.5.0 #166](https://github.com/veraison/go-cose/pull/166) - Due to the underlying changes in fxamacker/cbor, we believe we need more test and dependent use validation. - Are we asking folks to validate against a PR branch? Or, on main, which is not defined as a release? - Will add more test cases to cover - Quim to research any additional tests requried for confidence to merge - Release Process - [https://github.com/veraison/go-cose/pull/167](https://github.com/veraison/go-cose/pull/167) - Merged - [Detached signature verification fails with "missing payload" error #150](https://github.com/veraison/go-cose/issues/150) - Some discussion about `external` which refers to AAD - Changing will be required across the whole library. Potential doc update to explain the parameter pattern. - Orie: Is there a higher level abstraction? - Quim: Yes, there's a sign1detached - Roy: We may want to add another method for detached - Steve: can we move forward, adding incremental enhancements later - Orie: yes, can guide users to the lower level APIs, if needed - Decision to move forward with the PR - Discusion around what level of 3rd party testing we should do for each release. (Minor and Major) - Roy has the action item for research ### Notes: - What is our merge and release process? - Merge to main, stabilize from there to RC branches? - Stabilize outside of main, allowing main to move forward past a current stabilizing release? - Need to document the release process - Discussion: 1. For each PR, feel confident the test coverage is complete to merge into main. If not, add more tests before merging 2. Main becomes a secondary stability point 3. As RCs get released, dependent projects are requested to validate the RC before cutting the release (amount of time TBD) 4. Release get cut. ## February 10, 2023 ### Attendees: - _add yourself_ ### Agenda Items: - _add your topics_ ### Notes: - _meeting minutes_ ## Jan 26, 2023 ### Attendees: - Yogesh Deshpande - Steve Lasker - Roy Williams - Lachie Evenson ### Agenda Items: - Review open issues - No active PRs at this point - _add your topics_ ### Notes: - Closed out open issues, related to 1.0 release - Created a [v1.1.0 milestone](https://github.com/veraison/go-cose/milestone/7) for assignment of new issues - Todo: [Add community info #127](https://github.com/veraison/go-cose/pull/127) - Added [go-cose-community email distribution group](https://groups.io/g/go-cose-community) - _meeting minutes_ # Meeting Notes Template (template for copying) ## Meeting Date ### Attendees: - _add yourself_ ### Agenda Items: - _add your topics_ ### Notes: - _meeting minutes_