OpenJDK Governing Board Minutes: 2024/05/15

The OpenJDK Governing Board met via conference call on Thursday, 15 May 2024 at 15:00 UTC with no initial agenda.

Five Board members were present: Georges Saab, Annette Keenleyside, Andrew Haley, Phil Race, and Mark Reinhold.

The intent of these minutes is to capture the conversational flow of the Board's discussion and also to record decisions. If you are interested only in the latter then search for the word "AGREED" throughout the text.

0. Agenda?

Georges welcomed everyone, declared the meeting quorate and requested agenda items. Three topics were suggested:

  1. Project Brisbane
  2. XZ hack
  3. OCA process

1. Project Brisbane

Annette requested the status of the recently created Project Brisbane. In response, Georges said that Board meetings were not the venue to provide information about specific Projects and requested that the topic be raised at the next regular IBM business meeting.

2. XZ hack and OCA process

Due to the nature of this topic, the Board first discussed whether details should be reflected in the minutes. After a brief deliberation, the Board reluctantly determined that complete, detailed minutes should not be provided.

AGREED: The minutes for this topic should only provide a high-level summary.

Phil started a discussion about the XZ Attack, which was publicly reported on 29 March 2024. There was a short discussion about how the attack was orchestrated and what parallels may exist in the OpenJDK Community. Board members' questions about aspects of the OpenJDK administration policies and procedures were answered primarily by Mark with varying levels of detail. Mark observed that this agenda item was closely related to the "OCA process" item and described the process for accepting newly-signed OCAs. This led to questions about user accounts, resource allocation, and disposition of inactive Projects. The Board's conversation included an overview of coding practices focusing on pull request development, testing, and code review quality. Building and binary distribution were also briefly discussed.

After Georges declared the discussion "interesting and stimulating", the Board encouraged the identification of technical solutions to combat XZ-style attacks. They also requested that this topic be revisited in about six months to discuss any developments, particularly around the OCA process and the potential to prune inactive accounts.

At this point, the Board adjourned.