Dear Members of the Technical Steering Committee,

As Hyperledger Iroha maintainers we would like to request committee's permission to move forward with the first major release (1.0) and present the following achievements as a proof of the project's code maturity.

The latest release of Hyperledger Iroha available is Hyperledger Iroha v1.0 Release Candidate 4 Hotfix 1 version, available at: https://github.com/hyperledger/iroha/releases/tag/1.0.0_rc4_hf1. In this release we delivered a complete set of features that can be used to build DLT-powered enterprise-grade applications with the following features:

• Rich API with command-driven architecture
 for asset and identity management.

• Native support of Linux, MacOS and Windows environments.

• Crash fault-tolerant (CFT) consensus with experimental Byzantine fault-tolerant (BFT) algorithm and decentralized ordering service.

• Role-based access control.

• Client libraries, including example apps for iOS, JS (vue.js), Android (Java 8).

• Universal peer role and easily scripted deployment with Docker, Kubernetes, and Ansible Playbooks.

• Multi-signature transactions.

• Ordered and atomic batches of transactions.

We see Iroha as a universal solution for tokenization of assets or data, and we want it to be a simple and straightforward blockchain platform for enterprise, and blockchain enthusiasts.

The project is in active state and maintains the required level of quality over its lifespan:

• All of our code is licensed under the Apache-2.0 license.

• Sufficient test coverage: https://out1-jtzj0nrcq.now.sh.

• We have a significant amount of documentation available online in several languages: https://iroha.readthedocs.io/en/latest/.

• We have completed the CII certification, which can be viewed here: https://bestpractices.coreinfrastructure.org/en/projects/960.

Here is the list of current issues with the project and suggested solutions:

• Project maintainers' and contributors' diversity. At the moment, the Iroha node codebase is maintained mostly by Soramitsu; contributors are comprised of Soramitsu employees with some non-Soramitsu individual contributions. Internationalization of the documentation is more diverse — language versions of English docs are maintained by many native speakers. We have a diversity plan and it is already in effect: https://wiki.hyperledger.org/display/iroha/Diversity+Plan.

• DCO — at the moment we are still introducing changes to the source code (mostly bug fixes), therefore it makes it hard to do the complete code freeze and modify the commit history so that it conforms to the standards. We would like to ask TSC's permission to ignore the issues until the code is frozen and only after fixing DCO we release first major release. We have a plan to execute once version 1.0 is released here: https://wiki.hyperledger.org/x/gRJi

We have a strong end user support base; this can be seen from the significant activity that we see on our Rocket.Chat channels (755 users), telegram chat (291 member) and Stack Overflow (41 questions). Our docker image was pulled 54'000 times as of 2019-03-11 https://hub.docker.com/v2/repositories/hyperledger/iroha/.

We welcome the TSCs review of this request, and we are happy to follow-up and answer questions via email or by joining the weekly TSC call as required.

Best regards,

HL Iroha Maintainers team


Contact person: Nikolai Iushkevich, nikolai@...

Hello Hart,

As for today, all the vulnerabilities discovered during the security audit of Iroha were fixed in previous releases. I am not sure if the report has been published, need to check this with David (HL security maven) and Sara (our community manager). 

We also used fuzzing of all endpoints and soak stands and observed whether Iroha can reach expected grade of fault tolerance. While this is still in progress and we are preparing the reports, as well as setting up configuration of more physically distributed and wide node network for soak/longevity tests — the team is confident that we can start the process of requesting TSC to approve the first major release now, as there are signs of stable performance and resource utilization at the moment. 

We also used sanitizers to find any unsafe behavior: all critical issues discovered are under control and are going to be fixed or were already fixed before the release (I can give a bit more details on that in the thread later). 

We will also request trial access to some of the static analysis tools available for C++. At this moment we use SonarQube which gave us a lot of false positives and we would like to try something else, e.g. Coverity scan.

Vulnerability and bug reporting processes are described in contributing guidelines (contributing.md file & readthedocs section).

Best regards,

Nikolay Yushkevich

12 марта 2019 г., в 23:49, Montgomery, Hart <hmontgomery@...> написал(а):

Hi Nikolai,

 

Would it be possible for you (or others) to comment a little further on the security audits that Iroha has undergone and the current security status?  I’m not suggesting that you all are doing anything wrong—I just think that this is an important issue in general to bring up in a 1.0 discussion.

 

While I’m not sure everyone agrees with me, I think security is something important to consider for a 1.0, and I think enough people will agree with this that it is worth commenting on in an email.

 

Thanks a lot for your time, and have a great day.

 

Thanks,

Hart

 

From: tsc@... [mailto:tsc@...] On Behalf Of Nikolay Yushkevich
Sent: Monday, March 11, 2019 12:07 PM
To: Hyperledger List <tsc@...>
Cc: Ales Zivkovic <zivkovic@...>; Makoto 1337 <takemiya@...>; ryu okada <okada@...>; Sara Garifullina <garifullina@...>; Fyodor Muratov <fyodor@...>; Andrei Lebedev <andrei@...>; boldrev@...; igor@...; Munichev Konstantin <konstantin@...>
Subject: [Hyperledger TSC] Request to move forward with the first major release of Hyperledger Iroha

 

Dear Members of the Technical Steering Committee,

As Hyperledger Iroha maintainers we would like to request committee's permission to move forward with the first major release (1.0) and present the following achievements as a proof of the project's code maturity.

The latest release of Hyperledger Iroha available is Hyperledger Iroha v1.0 Release Candidate 4 Hotfix 1 version, available at: https://github.com/hyperledger/iroha/releases/tag/1.0.0_rc4_hf1. In this release we delivered a complete set of features that can be used to build DLT-powered enterprise-grade applications with the following features:

 

            • Rich API with command-driven architecture
 for asset and identity management.

            • Native support of Linux, MacOS and Windows environments.

            • Crash fault-tolerant (CFT) consensus with experimental Byzantine fault-tolerant (BFT) algorithm and decentralized ordering service.

            • Role-based access control.

            • Client libraries, including example apps for iOS, JS (vue.js), Android (Java 8).

            • Universal peer role and easily scripted deployment with Docker, Kubernetes, and Ansible Playbooks.

            • Multi-signature transactions.

            • Ordered and atomic batches of transactions.

We see Iroha as a universal solution for tokenization of assets or data, and we want it to be a simple and straightforward blockchain platform for enterprise, and blockchain enthusiasts.

The project is in active state and maintains the required level of quality over its lifespan:

            • All of our code is licensed under the Apache-2.0 license.

            • Sufficient test coverage: https://out1-jtzj0nrcq.now.sh.

            • We have a significant amount of documentation available online in several languages: https://iroha.readthedocs.io/en/latest/.

            • We have completed the CII certification, which can be viewed here: https://bestpractices.coreinfrastructure.org/en/projects/960.

 

Here is the list of current issues with the project and suggested solutions:

            • Project maintainers' and contributors' diversity. At the moment, the Iroha node codebase is maintained mostly by Soramitsu; contributors are comprised of Soramitsu employees with some non-Soramitsu individual contributions. Internationalization of the documentation is more diverse — language versions of English docs are maintained by many native speakers. We have a diversity plan and it is already in effect: https://wiki.hyperledger.org/display/iroha/Diversity+Plan.

            • DCO — at the moment we are still introducing changes to the source code (mostly bug fixes), therefore it makes it hard to do the complete code freeze and modify the commit history so that it conforms to the standards. We would like to ask TSC's permission to ignore the issues until the code is frozen and only after fixing DCO we release first major release. We have a plan to execute once version 1.0 is released here: https://wiki.hyperledger.org/x/gRJi

 

We have a strong end user support base; this can be seen from the significant activity that we see on our Rocket.Chat channels (755 users), telegram chat (291 member) and Stack Overflow (41 questions). Our docker image was pulled 54'000 times as of 2019-03-11 https://hub.docker.com/v2/repositories/hyperledger/iroha/.

We welcome the TSCs review of this request, and we are happy to follow-up and answer questions via email or by joining the weekly TSC call as required.

Best regards,

HL Iroha Maintainers team


Contact person: Nikolai Iushkevich, nikolai@...

I think we should have some robust discussion on this topic. It all looks good to me with the exception of the diversity metric. In general we want to see that any project announcing a production release has not just technical robustness viz. CII etc. but also community robustness. In my mind, this issue is a bit mitigated for Iroha given its diversity plan and its longevity under Hyperledger governance. I'm not sure that it is fully mitigated however, and I would like to hear some thoughts from others.

Regards,

Dan Middleton

On Mon, Mar 11, 2019 at 1:07 PM Nikolay Yushkevich <nikolai@...> wrote:

Dear Members of the Technical Steering Committee,

As Hyperledger Iroha maintainers we would like to request committee's permission to move forward with the first major release (1.0) and present the following achievements as a proof of the project's code maturity.

The latest release of Hyperledger Iroha available is Hyperledger Iroha v1.0 Release Candidate 4 Hotfix 1 version, available at: https://github.com/hyperledger/iroha/releases/tag/1.0.0_rc4_hf1. In this release we delivered a complete set of features that can be used to build DLT-powered enterprise-grade applications with the following features:

• Rich API with command-driven architecture
 for asset and identity management.

• Native support of Linux, MacOS and Windows environments.

• Crash fault-tolerant (CFT) consensus with experimental Byzantine fault-tolerant (BFT) algorithm and decentralized ordering service.

• Role-based access control.

• Client libraries, including example apps for iOS, JS (vue.js), Android (Java 8).

• Universal peer role and easily scripted deployment with Docker, Kubernetes, and Ansible Playbooks.

• Multi-signature transactions.

• Ordered and atomic batches of transactions.

We see Iroha as a universal solution for tokenization of assets or data, and we want it to be a simple and straightforward blockchain platform for enterprise, and blockchain enthusiasts.

The project is in active state and maintains the required level of quality over its lifespan:

• All of our code is licensed under the Apache-2.0 license.

• Sufficient test coverage: https://out1-jtzj0nrcq.now.sh.

• We have a significant amount of documentation available online in several languages: https://iroha.readthedocs.io/en/latest/.

• We have completed the CII certification, which can be viewed here: https://bestpractices.coreinfrastructure.org/en/projects/960.

Here is the list of current issues with the project and suggested solutions:

• Project maintainers' and contributors' diversity. At the moment, the Iroha node codebase is maintained mostly by Soramitsu; contributors are comprised of Soramitsu employees with some non-Soramitsu individual contributions. Internationalization of the documentation is more diverse — language versions of English docs are maintained by many native speakers. We have a diversity plan and it is already in effect: https://wiki.hyperledger.org/display/iroha/Diversity+Plan.

• DCO — at the moment we are still introducing changes to the source code (mostly bug fixes), therefore it makes it hard to do the complete code freeze and modify the commit history so that it conforms to the standards. We would like to ask TSC's permission to ignore the issues until the code is frozen and only after fixing DCO we release first major release. We have a plan to execute once version 1.0 is released here: https://wiki.hyperledger.org/x/gRJi

We have a strong end user support base; this can be seen from the significant activity that we see on our Rocket.Chat channels (755 users), telegram chat (291 member) and Stack Overflow (41 questions). Our docker image was pulled 54'000 times as of 2019-03-11 https://hub.docker.com/v2/repositories/hyperledger/iroha/.

We welcome the TSCs review of this request, and we are happy to follow-up and answer questions via email or by joining the weekly TSC call as required.

Best regards,

HL Iroha Maintainers team


Contact person: Nikolai Iushkevich, nikolai@...

Dear Members of the Technical Steering Committee,

As Hyperledger Iroha maintainers we would like to request committee's permission to move forward with the first major release (1.0) and present the following achievements as a proof of the project's code maturity.

The latest release of Hyperledger Iroha available is Hyperledger Iroha v1.0 Release Candidate 4 Hotfix 1 version, available at: https://github.com/hyperledger/iroha/releases/tag/1.0.0_rc4_hf1. In this release we delivered a complete set of features that can be used to build DLT-powered enterprise-grade applications with the following features:

• Rich API with command-driven architecture
 for asset and identity management.

• Native support of Linux, MacOS and Windows environments.

• Crash fault-tolerant (CFT) consensus with experimental Byzantine fault-tolerant (BFT) algorithm and decentralized ordering service.

• Role-based access control.

• Client libraries, including example apps for iOS, JS (vue.js), Android (Java 8).

• Universal peer role and easily scripted deployment with Docker, Kubernetes, and Ansible Playbooks.

• Multi-signature transactions.

• Ordered and atomic batches of transactions.

We see Iroha as a universal solution for tokenization of assets or data, and we want it to be a simple and straightforward blockchain platform for enterprise, and blockchain enthusiasts.

The project is in active state and maintains the required level of quality over its lifespan:

• All of our code is licensed under the Apache-2.0 license.

• Sufficient test coverage: https://out1-jtzj0nrcq.now.sh.

• We have a significant amount of documentation available online in several languages: https://iroha.readthedocs.io/en/latest/.

• We have completed the CII certification, which can be viewed here: https://bestpractices.coreinfrastructure.org/en/projects/960.

Here is the list of current issues with the project and suggested solutions:

• Project maintainers' and contributors' diversity. At the moment, the Iroha node codebase is maintained mostly by Soramitsu; contributors are comprised of Soramitsu employees with some non-Soramitsu individual contributions. Internationalization of the documentation is more diverse — language versions of English docs are maintained by many native speakers. We have a diversity plan and it is already in effect: https://wiki.hyperledger.org/display/iroha/Diversity+Plan.

• DCO — at the moment we are still introducing changes to the source code (mostly bug fixes), therefore it makes it hard to do the complete code freeze and modify the commit history so that it conforms to the standards. We would like to ask TSC's permission to ignore the issues until the code is frozen and only after fixing DCO we release first major release. We have a plan to execute once version 1.0 is released here: https://wiki.hyperledger.org/x/gRJi

We have a strong end user support base; this can be seen from the significant activity that we see on our Rocket.Chat channels (755 users), telegram chat (291 member) and Stack Overflow (41 questions). Our docker image was pulled 54'000 times as of 2019-03-11 https://hub.docker.com/v2/repositories/hyperledger/iroha/.

We welcome the TSCs review of this request, and we are happy to follow-up and answer questions via email or by joining the weekly TSC call as required.

Best regards,

HL Iroha Maintainers team


Contact person: Nikolai Iushkevich, nikolai@...

Dear Hyperledger Community Members,

Thanks you to those who are interested in mentoring and have already submitted the internship project proposals.

We have decided to give the community some additional time - the new deadline to submit a project proposal has been extended to March 8. You can submit the project proposal directly on the wiki using the pre-set template.

For students who are interested in applying, the applications will open up in mid-March and the detailed application instructions will be coming soon.

We would appreciate it if you share the information with others in your network. 

Kind regards,

Min

--
Min Yu

Operations Manager

The Linux Foundation

+1(530) 902-6464 (m)

myu@...

On Mon, Feb 18, 2019 at 8:54 AM Min Yu <myu@...> wrote:

Dear Hyperledger Community Members,

Hyperledger is expanding the internship program to fund 15 internship projects this year. The internship program is aimed at creating a structured hands-on learning opportunity for new developers who may otherwise lack the opportunity to gain exposure to Hyperledger open source development and entry into the technical community. Additional program information, including the program timeline, is available on the wiki.

This is a great contribution opportunity for community members like you to get involved. Whether you're looking for fresh ideas or perspectives, or mentoring opportunities, or additional contributors for your project, the internship program provides a pathway for you to work with aspiring student developers. 

Please submit a project proposal and volunteer yourself as a mentor; the deadline for submission is this Friday, February 22nd.     

Thank you,

Min

--
Min Yu

Operations Manager

The Linux Foundation

+1(530) 902-6464 (m)

myu@...

Dear Hyperledger Community Members,

Hyperledger is expanding the internship program to fund 15 internship projects this year. The internship program is aimed at creating a structured hands-on learning opportunity for new developers who may otherwise lack the opportunity to gain exposure to Hyperledger open source development and entry into the technical community. Additional program information, including the program timeline, is available on the wiki.

This is a great contribution opportunity for community members like you to get involved. Whether you're looking for fresh ideas or perspectives, or mentoring opportunities, or additional contributors for your project, the internship program provides a pathway for you to work with aspiring student developers. 

Please submit a project proposal and volunteer yourself as a mentor; the deadline for submission is this Friday, February 22nd.     

Thank you,

Min

--
Min Yu

Operations Manager

The Linux Foundation

+1(530) 902-6464 (m)

myu@...

+1 to both.

Thanks 

Binh

On Tue, Feb 19, 2019 at 5:19 PM Dave Huseby <dhuseby@...> wrote:

Hello TSC,

The time has come for the TSC to approve the release of the Composer audit report.  The Composer audit done by Nettitude found a total of five issues, 2 medium risk, 2 low risk, and 1 data leakage notice.

The first of the medium risk errors was simple to fix. Credentials for logging into blockchain instances were stored in world-readable files instead of only user-readable files.

The second of the medium risk errors was the playground server accepting connections from any source IP address. This was solved by changing the code to bind to the loopback interface.

The other issues were about accepting non-TLS connections and leaking unnecessary information in log error messages.

Now that all of the issues of medium or higher have been fixed, it is time to publish the report and announce it. As always, if you are a member of the TSC and would like to read the reports before approving them, please email me directly and I will arrange for you to receive a copy.

Cheers!
Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...

---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...