Attendees: Michael Bouschen, Tilmann Zäschke, Tobias Bouschen, Craig Russell

Next meeting: Tuesday June 16 1100 PDT 2000 CEST

Agenda:

1. Possibility of running the JDO project through Glasswing security scan
New PR #126 "Add draft project security threat-model document" 
https://github.com/apache/db-jdo/pull/126
Proposed answers 
https://github.com/apache/db-jdo/blob/pr/PR-126-answers/draft-THREAT-MODEL.md 

The proposal adds three files to the root directory: 
THREAT_MODEL.md, SECURITY.md, and AGENTS.md. These files are proposed to be 
managed by the JDO team. Security needs feedback on these files.

AI review the PR and approve if you like it. Third approval should merge the PR.

NOTE: the new files have an "SPDX license header" which does not conform 
exactly to ASF requirements:

<!-- SPDX-License-Identifier: Apache-2.0 -->

https://issues.apache.org/jira/browse/RAT-251

2. Tilmann's result of running Claude Opus against the jdo-dev repo: 
https://issues.apache.org/jira/browse/JDO-861

Claude prompt something like "look for security issues, style, ..."

3. Trusted Release project

The VOTE was sent to the wrong email list. Waiting for trusted release team to 
fix this one.

4. JIRA JDO-812 "Move to JDK 11 as the lowest supported version" 
https://issues.apache.org/jira/browse/JDO-812

5. JDO-847 "Create SBOM files" https://issues.apache.org/jira/browse/JDO-847

6. sonarcloud issues

https://sonarcloud.io/project/issues?rules=java%3AS3740&issueStatuses=OPEN&id=db-jdo&open=AYTeBPag_-S9Jt7nsSTP

JIRA JDO-819 "Code quality analysis" 
https://issues.apache.org/jira/browse/JDO-819
JIRA JDO-823 "Fix sonarcloud issues of type Code Smells" 
https://issues.apache.org/jira/browse/JDO-823
Sonarcloud link: https://sonarcloud.io/summary/overall?id=db-jdo
Cognitive Complexity of methods should not be too high: 
https://sonarcloud.io/project/issues?resolved=false&rules=java%3AS3776&severities=CRITICAL&types=CODE_SMELL&id=db-jdo
 
Raw types should not be used: 
https://sonarcloud.io/project/issues?resolved=false&rules=java%3AS3740&severities=MAJOR&id=db-jdo
 

Many of the issues flagged here cannot be resolved in code. For example, 
PersistenceManager.newQuery methods do not have a way to tell the compiler what 
the return type is.

Each flagged method needs investigation and either the method or the entire 
interface needs to be annotated with instructions to SonarQube to ignore.

7. Other issues

Action Items from weeks past:

[Jun 02 2026] AI Craig give feedback to ATR team to use jdo-dev for voting.
[Jun 02 2026] AI everyone review the email and validate the release and vote 
using the tool.
[Jun 02 2026] AI Craig ask Jarek how to respond to Q17 and use of (maintainer) 
in answers?
[Mar 17 2026] AI Everyone look at the Sonarcloud items.
[Jan 13 2026] AI Craig report trusted release issues to atr team.
[Aug 05 2025] AI everyone write to trusted release with errors in 
https://release-test.apache.org/projects/db-jdo + AI everyone take a look and 
tell the trusted release team what you find.
[Jul 01 2025] AI everyone take a look at the process for alpha testing. May 
require a file in the dist directory to get started.
[Nov 12 2024] AI Michael see if it makes sense to add Map.contains(Entry e) to 
the JDO API. This would be useful to have queries where e.g. the user is 
interested in finding all Employees where the phone number is of key "home" and 
value "+16508617767".
[Nov 05 2024] AI Michael create a JIRA for containsEntry, include the current 
test case and we can continue from here.
[Jul 13 2023] AI All Open a new JIRA for Android since having JNDI in the API 
disallows use with Android
[Jun 08 2023] AI All make a JIRA: JDO support for Java Records 
https://openjdk.org/jeps/395
[Dec 09 2021] AI Craig: Try to contact all current/former participants in JDO 
development and see if and how they want to be recognized on the JDO and DB web 
sites. https://db.apache.org/whoweare.html
[Oct 07 2021] AI Craig send a private message to all JSR-243 Expert Group 
members asking if they wish to continue.
[Mar 25 2021] AI Craig: investigate "merging" papajdo and apache.clr accounts
[Oct 17 2014] AI Matthew any updates for "Modify specification to address NoSQL 
datastores" https://issues.apache.org/jira/browse/JDO-651


Craig L Russell
[email protected]
