
oslc-core message



Subject: OSLC CORE TC Minutes October 29, 2015


Please note that next meeting starts a half hour later than usual.

Due to the unusual start to the meeting I forgot to request any corrections/additions/deletions to the Oct 15 minutes. If you have any issues with the minutes please raise them in the next 24hrs, else I will declare the minutes as accepted.

 

Finally, I will be unable to attend that meeting since I am needed at a customer meeting.

 

Minutes

Chair

  • Martin Sarabura (PTC)

Scribe

  • Martin Sarabura (PTC)

Attendees

  • David Honey (IBM)
  • Harish (SoftwareAG)
  • Jean-Luc Johnson (Airbus)
  • Ian Green (IBM)
  • Jim Amsden (IBM)
  • Martin Pain (IBM)
  • Martin Sarabura (PTC)
  • Nick Crossley (IBM)

Regrets

Resolutions

  • Reference the code in Nick's ReSpec repository rather than the one currently owned by Steve Speicher

Actions

  • Nick: Follow up with LDP editor to see if he agrees with this statement: Implementations are free to make the oslc:creation resource of creation factories LDPCs or not. They may also make creation factories themselves LDPCs or not.
  • Martin P to write up a paragraph about the click-jacking risk and possible counter-measures
  • Ian to augment issue #1 with a scenario illustrating how context could help the user experience without requiring a mediator service to handle the cross-domain user experience

Chat transcript from room: oslc

[07:08] Martin Sarabura (PTC): Martin to be scribe

[07:09] Martin Sarabura (PTC): Action items from previous meeting

[07:10] Martin Sarabura (PTC): Nick: Statement from LDP editor regarding creation factories and LDPCs

[07:11] Martin Sarabura (PTC): Issue is nature of preference header

[07:12] Martin Sarabura (PTC): This issue is still open - leave on list as action item, hopefully report via email

[07:12] Martin Sarabura (PTC): Martin: List published in advance of meeting

[07:13] Martin Sarabura (PTC): Issues today:

[07:14] Martin Sarabura (PTC): Probably should wait for Jim to join before discussing because as editor he will have input

[07:15] Martin Sarabura (PTC): Question: Shift this meeting later by half hour for the next 3 meetings?

[07:16] David Honey (IBM): Works for me as well.

[07:16] Martin Sarabura (PTC): Ian will not be able to attend next meeting anyway, otherwise time shift ok


[07:20] Martin Sarabura (PTC): Issue 42: Nick bring us up to speed re conversations

[07:21] Martin Sarabura (PTC): Steve Speicher currently owns respec code, could change the script inclusion line to reference Nick's clone

[07:21] Martin Sarabura (PTC): PROMCODE also wanted some changes

[07:21] Martin Sarabura (PTC): Steve was travelling and unable to accommodate

[07:22] Martin Sarabura (PTC): Two possible homes: Steve's or Nick's; discussing with OASIS whether they will host a hub. Will not allocate resources to maintain it

[07:23] Martin Sarabura (PTC): OASIS proposed that we host it in a neutral location and then all other TCs could use it

[07:23] Martin Sarabura (PTC): Still not yet agreed by OASIS staff

[07:24] Martin Sarabura (PTC): What should the repo be and format in which we publish?

[07:24] Martin Sarabura (PTC): Edit the specs in respec - that's our "authoritative source" and we publish in authoritative, html and pdf

[07:25] Martin Sarabura (PTC): Click on "respec" button in upper right to support downloading in various formats including html. pdf can be generated from that

[07:26] Martin Sarabura (PTC): Steve could add Nick as committer to his repository.

[07:27] Martin Sarabura (PTC): Steve may have some time to work on oslc-related stuff and is somewhat involved in promcode tc

[07:29] Martin Sarabura (PTC): Using Steve's repository adds work, and he won't be primary author anyway.

[07:29] Martin Sarabura (PTC): Martin: That's the nature of open-source development, continue to credit him

[07:30] Martin Sarabura (PTC): Proposal:

[07:30] Martin Sarabura (PTC): Shift over to Nick's repo

[07:32] Martin Sarabura (PTC): Jim: What is the risk if Nick became unavailable?

[07:33] Martin Sarabura (PTC): Nick: Didn't take too long to build new repo. Readme in the project that describes how to build. Confirms that the instructions are correct

[07:34] Martin Sarabura (PTC): Therefore risk is small; some risk of proliferation of repos

[07:35] Martin Sarabura (PTC): Steve is willing to accept pull requests back.

[07:35] Martin Sarabura (PTC): Need to squash them first

[07:35] Martin Sarabura (PTC): Seconded by Martin S

[07:36] Jim Amsden (IBM): +1

[07:36] David Honey (IBM): +1

[07:36] ian green (ibm): img: +1

[07:36] Martin Sarabura (PTC): +1

[07:36] Martin Pain (IBM)2: +1

[07:36] Harish (SoftwareAG): +1

[07:36] Nick Crossley (IBM): +1

[07:36] Martin Sarabura (PTC): Accepted

[07:37] Martin Sarabura (PTC): Nick will let Steve know and why, request that he pull the changes back to keep them in sync


[07:38] Martin Sarabura (PTC): Next one? Issue 40 - potential click jacking issue for delegated dialogs

[07:38] Martin Sarabura (PTC): https://issues.oasis-open.org/browse/OSLCCORE-40

[07:40] Martin Sarabura (PTC): Jim: Ignore any messages you are not expecting

[07:40] Martin Sarabura (PTC): Just augment the wording to say this

[07:41] Martin Sarabura (PTC): Martin P: UI provider is the one under attack

[07:42] Martin Sarabura (PTC): Martin P: User must be tricked into opening a malicious page which loads an iFrame onto a public site

[07:43] Martin Sarabura (PTC): Covers that iFrame with some other UI which encourages the user to click on it.

[07:43] Martin Sarabura (PTC): Worst case provide credentials to malicious server

[07:43] Martin Sarabura (PTC): Variation: iFrame inside iFrame

[07:44] Martin Sarabura (PTC): That requires the administrator to configure the malicious server as trusted

[07:44] Martin Sarabura (PTC): Ian: Malicious server configured as OSLC provider?

[07:45] Martin Sarabura (PTC): Ian: Subject to user authentication via cookie but not client auth via oauth

[07:46] Martin Sarabura (PTC): Jim: We don't control what servers put into the iFrame, can't get rid of delegated dialogs

[07:47] Martin Sarabura (PTC): Martin P: Whitelists would be detrimental to goal of OSLC integration

[07:48] Martin Sarabura (PTC): Shift social engineering vector to administrator rather than regular user

[07:48] Martin Sarabura (PTC): Jim: Can't force particular authentication method.

[07:49] Martin Sarabura (PTC): Can suggest recommending OAuth over basic, warn users

[07:49] Martin Sarabura (PTC): Martin P: If we can provide example of how using OAuth could help that would be helpful

[07:50] Martin Sarabura (PTC): Jim: Martin P write up a paragraph?

[07:50] Martin Sarabura (PTC): Martin P action item

[07:51] Martin Sarabura (PTC): Mike Saylor could be used as a SME to guide us


[07:54] Martin Sarabura (PTC): https://issues.oasis-open.org/browse/OSLCCORE-16

[07:54] Martin Sarabura (PTC): Discovery should include text about vocabulary discovery

[07:54] Martin Sarabura (PTC): section 5 just before uml diagram

[07:55] Jim Amsden (IBM): http://tools.oasis-open.org/version-control/browse/wsvn/oslc-core/trunk/specs/discovery.html

[07:57] Martin Sarabura (PTC): The "must" should be capitalized

[07:58] Martin Sarabura (PTC): Nick: Probably a SHOULD instead of MUST anyway

[07:58] Martin Sarabura (PTC): Jim: Agreed

[07:59] Martin Sarabura (PTC): Two MUSTs and a SHOULD in the normative paragraph

[07:59] Martin Sarabura (PTC): First MUST -> SHOULD, other SHOULD in caps

[08:00] Martin Sarabura (PTC): Jim: Propose we close the issue and see what other feedback we get from review

[08:03] Martin Sarabura (PTC): As a policy, if anybody has problems with closing an issue we will reopen it


[08:04] Martin Sarabura (PTC): Next: https://issues.oasis-open.org/browse/OSLCCORE-1

[08:05] Martin Sarabura (PTC): Ian to add scenario to https://wiki.oasis-open.org/oslc-core/DeletgatedUIUseCases

[08:06] Martin Sarabura (PTC): Servers can expose any available methods to improve resource selection experience

[08:07] Martin Sarabura (PTC): Ian: Pattern of use where user is required to pick a configuration, but there are constraints to the configuration they can choose, host application knows the nature of the constraint.

[08:07] Martin Sarabura (PTC): User would like to not be presented with invalid options

[08:08] Martin Sarabura (PTC): How does host of delegated ui pass that information to the delegated ui

[08:08] Martin Sarabura (PTC): Martin: Use POST to pre-fill dialog

[08:09] Martin Sarabura (PTC): Just like creation dialog

[08:09] Martin Sarabura (PTC): Ian: Behavior in that case is not defined anywhere

[08:10] Martin Sarabura (PTC): Jim: Helpful to have a written-up use case

[08:10] Martin Sarabura (PTC): Jim: Pre-fill based on shape of dialog

[08:11] Martin Sarabura (PTC): Ian: Need coherent thread in case of wizard, for example

[08:13] Martin Sarabura (PTC): Ian: This is a real use case, should be documented at some level. Not standardized

[08:13] Martin Sarabura (PTC): Nick: Precedent in resize

[08:14] Martin Sarabura (PTC): Nick: Nothing inconsistent in defining a possible method

[08:14] Martin Sarabura (PTC): Ian: Customers keen to see development on this point

[08:15] Martin Sarabura (PTC): Concerned that usability will drop for lack of context

[08:17] Martin Sarabura (PTC): Jim: Integration supposed to be loosely coupled. Need a place to create mediators

[08:18] Martin Sarabura (PTC): Ian: Like resource shapes - talking about richer constraints than just the basic standard

[08:18] Martin Sarabura (PTC): Jim: When you integrate tools, currently we allow links across them created via select/create dialogs

[08:19] Martin Sarabura (PTC): Issues are that user in both tools can't provide integrated context. No way to save context across tools

[08:20] Martin Sarabura (PTC): Better to create mediator application whose responsibility it is to integrate the domains, put the interface into that application, and don't try to push that down into the individual tools

[08:20] Martin Sarabura (PTC): Avoid coupling the tools

[08:21] Martin Sarabura (PTC): Ian: What we have currently is too weak and yet they seem natural constraints

[08:22] Martin Sarabura (PTC): Ian to write down scenario and how we might recommend their resolution

[08:22] Martin Sarabura (PTC): Do it on the issue (1)

[08:22] Martin Sarabura (PTC): Action item: Ian to augment issue 1 to describe scenario


[08:23] Martin Sarabura (PTC): Next: Issue 39

[08:23] Martin Sarabura (PTC): https://issues.oasis-open.org/browse/OSLCCORE-39

[08:23] Martin Sarabura (PTC): Names and descriptions of impact analysis direction properties are misleading

[08:24] Martin Sarabura (PTC): Define upstream and downstream relative to order of development - downstream comes after upstream

[08:24] Martin Sarabura (PTC): So requirements are often upstream and tests are written to validate the requirements - they are downstream

[08:25] Martin Sarabura (PTC): Tool needs to know which artifacts are upstream and which are down

[08:25] Martin Sarabura (PTC): Links should point upstream from downstream. Link stored in the subject of the triple

[08:26] Martin Sarabura (PTC): Upstream is developed first and baselined while downstream development continues

[08:26] Martin Sarabura (PTC): Can't easily create a link from up to downstream

[08:27] Martin Sarabura (PTC): Want to indicate which way the impact goes on the link

[08:27] Martin Sarabura (PTC): Impact could be symmetric, or no impact, or upstream or downstream

[08:28] Martin Sarabura (PTC): Vocabulary is wrong - impact is always downstream

[08:28] Martin Sarabura (PTC): Link pointing upstream and impact goes the opposite direction

[08:29] Martin Sarabura (PTC): Want to capture the correct vocabulary as part of the core

[08:30] Martin Sarabura (PTC): Trying to express idea that impact goes in opposite direction of link

[08:31] Martin Sarabura (PTC): Jim: OK to shift meeting by a half hour for next three instances

[08:32] Martin Sarabura (PTC): Jim: With issues winding down we should start shifting focus towards getting to public review

[08:33] Martin Sarabura (PTC): Please review all specs and submit reviews

[08:33] Martin Sarabura (PTC): Done via emails to core distribution list - real issues should be posted to Jira

[08:33] Martin Sarabura (PTC): Meeting adjourned


