Nov 14th, Core team meeting minutes #102

dgkf opened this issue Nov 14, 2024 · 3 comments
Labels
minutes meeting minutes

Comments

@dgkf
Collaborator

dgkf commented Nov 14, 2024

Attendees

Notes

  • Communication update:
    • The R Consortium Slack is decidedly the preferred platform for workstream chat and is ready for us to migrate.
    • To gain access, first create a Linux Foundation (LFX) account and you should automatically receive access.
    • Join the #wg-r-validation-hub and #wg-r-validation-hub-repos channels to start (more to come for other R Validation Hub teams).
  • Looking forward (in short, planning with January in mind)
    • Anticipating {litmus} open sourcing in January, possibility of getting an R Validation Hub sneak peek to inform developer planning beforehand.
    • Appsilon expecting to have clearer picture for contribution in January, at which point we will focus first on taking what we've learned and drafting a more complete architecture/design doc.
    • R Validation Hub {riskmetric} looking to January to do a more developer-centric planning around which Dev Day features we want to prioritize.
  • Reporting Package updates
    • @llrs-roche shared a very insightful report capturing many of the R CMD check results.
    • Looking forward at how we incorporate {riskmetric} output, will base reports around an idealized, atomic set of metric results that we hope to serve in a repo's PACKAGES file. These might not be immediately available in {riskmetric}, but will serve as inspiration for how we might steer future development.

References

@dgkf dgkf added the minutes meeting minutes label Nov 14, 2024
@llrs-roche

I didn't find the exact message shared by RConsortium but here are my notes and what I remember:

The R Consortium was asking about who is interested in participating in conversations with the Linux Foundation about the Cyber Resilience Act - Factsheet. They are working on what the requirements are for open source repositories for languages like R, Rust, Python, Perl, LaTeX, .... Requirements in principle are documenting the process they follow and sharing it in a document. R repositories such as CRAN, Bioconductor, r-universe are software stewards, which should meet the requirements by October 2027 to be able to distribute software in the EU.

I took some minutes of the part of the meeting I was present for. I can add them here.

@dgkf-roche

Thanks @llrs-roche, adding a few other links.

  • the full text of the Cyber Resilience Act
  • The summarized "Manufacturer's obligations" from the fact sheet (since they're embedded in a PDF)
    • Cybersecurity is taken into account in planning, design, development, production, delivery and maintenance phase;
    • All cybersecurity risks are documented;
    • Manufacturers will have to report actively exploited vulnerabilities and incidents;
    • Once sold, manufacturers must ensure that for the duration of the support period, vulnerabilities are handled effectively;
    • Clear and understandable instructions for the use of products with digital elements;
    • Security updates to be made available to users for the time the product is expected to be in use.

Just at a high level, I think we can model our approach after our inspiration projects, r-hub and CRAN. We can monitor the discussions in the R Consortium or even try to volunteer a participant to make sure we're being considered here.

@llrs-roche

The issue raised by the R Consortium was about the software stewards, not manufacturers (but yes, this will also affect all the industry). See also this piece about its effect. It is easier to understand than the full legal text and there is a specific section for software stewards: "The open-source software steward".
