ROOT Team Meeting
Zoom link in announcement email; please contact rootdev@cern.ch if you did not receive it!
News:
Not going to discuss issues anymore, to give more time for topics; link in meeting invitation
ROOT LDs: Jonas and Vincenzo
RISC-V machine from INFN (64 cores, 128 GB)
LLVM upgrade merged this morning (among others, RISC-V support out-of-the-box)
Shift handover:
Monica: summary on Mattermost
Next shifter is Olivier
Meetings:
TMVA / RooFit: no meetings
PPP: Hans Dembinski, comparing RooFit with iMinuit Numba; meeting this week on Apache Kafka
Planning / Godparents: in contact with ATLAS regarding security issue (recommending users to create rootrc)
LIM: nothing
I/O: presentation from Marco Meyer on data formats for gravitational waves (also HDF5); large-scale testing with IT starting
WebGUI security:
idea: move security related functionality into separate file(s), security review
Jakob: avoid honeypot, call it extended review
Vincenzo: need label? would code ownership be enough? discussion: probably
Jonas / Sergei: client not as security relevant, unless somebody able to manipulate messages
Florine: code review more regularly? discussion: maybe every two years, or before releases if there are bigger architecture changes
Jakob: recommend experiments to set up proxies
Jakob: IT might ask about supply chain, i.e. security issues in dependencies; Axel: part of the release procedure to check builtins
Jakob: have an "open socket" to be informed about CVEs; Bertrand and Jakob will follow up
JonasH: legitimate reason for opening public ports? Axel: not that we are aware of
Discussion: how to generate tokens? should not use ROOT PRNG, likely need platform-specific implementations
JonasH: what about rootlogon? long discussion, maybe rename interface to enable web graphics?
Axel: done for patch releases: default to non-web graphics, ignore loopback configuration
Danilo: plan for next patch releases: "impossible" to have insecure ROOT
Axel: should we disable in master as well? JonasR: yes, consider LCG nightlies as "used release"
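The token-generation point raised in the WebGUI security discussion (do not use the ROOT PRNG, use a platform-specific source) is illustrated by the following added example; it is not ROOT project code, and the function names OsRandomBytes, NewSessionToken and TokensEqual are our own. It reads token bytes from the operating system CSPRNG (/dev/urandom on POSIX, BCryptGenRandom on Windows, which needs linking against bcrypt) and fails loudly instead of falling back to a seeded general-purpose generator, whose output is reproducible from its seed and therefore unsuitable for a connection token. The comparison helper avoids early exit so that timing does not reveal how many leading characters matched.

```cpp
// Added example, not ROOT code: session tokens from the OS CSPRNG.
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

#if defined(_WIN32)
#  include <windows.h>
#  include <bcrypt.h>   // link with bcrypt.lib
#endif

// Return n bytes from the platform CSPRNG. Throws on any failure; never
// silently substitutes a weaker source such as std::rand or a seeded engine.
std::vector<unsigned char> OsRandomBytes(std::size_t n) {
    std::vector<unsigned char> out(n);
#if defined(_WIN32)
    NTSTATUS st = BCryptGenRandom(nullptr, out.data(), static_cast<ULONG>(n),
                                  BCRYPT_USE_SYSTEM_PREFERRED_RNG);
    if (!BCRYPT_SUCCESS(st))
        throw std::runtime_error("BCryptGenRandom failed");
#else
    FILE *f = std::fopen("/dev/urandom", "rb");
    if (!f)
        throw std::runtime_error("cannot open /dev/urandom");
    std::size_t got = std::fread(out.data(), 1, n, f);
    std::fclose(f);
    if (got != n)
        throw std::runtime_error("short read from /dev/urandom");
#endif
    return out;
}

// Lower-case hex encoding, two characters per byte.
std::string ToHex(const std::vector<unsigned char> &bytes) {
    static const char digits[] = "0123456789abcdef";
    std::string hex;
    hex.reserve(bytes.size() * 2);
    for (unsigned char b : bytes) {
        hex.push_back(digits[b >> 4]);
        hex.push_back(digits[b & 0x0f]);
    }
    return hex;
}

// A fresh token: nbytes of CSPRNG output (32 bytes = 256 bits by default),
// hex encoded so it can travel in a URL or a WebSocket handshake message.
std::string NewSessionToken(std::size_t nbytes = 32) {
    return ToHex(OsRandomBytes(nbytes));
}

// Constant-time comparison: the loop always runs over the whole string, so
// the time taken does not depend on where the first mismatch is.
bool TokensEqual(const std::string &a, const std::string &b) {
    if (a.size() != b.size())
        return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i]) ^ static_cast<unsigned char>(b[i]);
    return diff == 0;
}

int main() {
    std::string issued = NewSessionToken();          // stored server side
    std::string presented = issued;                  // what a client sends back
    std::printf("token: %s\n", issued.c_str());
    std::printf("match: %s\n", TokensEqual(issued, presented) ? "yes" : "no");
    return 0;
}
```

The token is only as good as the check around it: the server keeps the issued value, compares it with TokensEqual on every connection, and ties it to the session rather than logging or echoing it.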