Meeting October 24th 2025

Participants

• Philipp Ahmann (Host)
• Gabriele Paoloni (alternative host)
• Wendi Urribarri
• Simone Weiss
• Daniel Weingaertner
• Nicole Pappler (2nd half)

Regrets

Previous participants

• Hugo Cornelis
• Tu Thanh Nguyen
• Karen Bennet
• Girish
• Ivan Perez
• Michael Armbruster
• Daniel Pisanu
• Olivier Charrier
• Vinicius Tadeu Zein
• Leonardo Rossetti
• Naoto Yamaguchi
• Yuya Okamoto
• Hiroaki Shigehara
• Sebastian Hetze
• Philippe Quere
• Roberto Paccapeli
• Eric Laurin
• Fadi Labib
• Daniel Haack
• Mikel Azkarate
• Deena
• Naga (Timesys/Lynx)

Topics & Notes

Action items from last meeting(s)

• AI-Simone and AI-Michael will create a spread sheet for Xen
  • Simone and Michael will sync.
  • Simone starts working on it. Considers to take a 2nd sheet for Yocto.
  • Plan is to present the status during the ELISA Workshop in November for community discussions.
  • Make a 30% review and compare Xen with Yocto during next meeting
• AI-Wendi will create a spread sheet for LLVM
• AI-Daniel W. and AI-Ivan will create a spread sheet for Linux
• AI-Nicole will create a spread sheet for Zephyr (later probably due to BW issues)
• **AI-Philipp: Review the sheets "Practices" and "Common themes" and provide feedback to Wendi.
  • Added comments.
  • Will go through another round.
• AI-Philipp: Check with Paul where "definition of Quality" in OSEP-WG is leading to.

30% review and compare Xen with Yocto

• Simone shares a local copy which will be added to the
• Yocto not yet on same state compared to Xen.
• Follows the style Wendi prepared for LLVM.
• Maturity level is left out intentionally.
• insights.linuxfoundation.org is helpful to identify certain aspects.
  • See e.g.: https://insights.linuxfoundation.org/project/yocto/security
• Documentation seem to be transparent, but sometimes you have some loose ends, e.g. for evolution of security vulnerability.
  • Unclear status of vulnerabilities
    • https://xenproject.org/about/security-policy/
    • https://xenbits.xen.org/xsa/
    • xsa are in discussion on mailing list, if everything is covered.
      • e.g. publish things where they are not sure about exploits is a topic on the mailing list.
• Work will be presented in Mid of November during ELISA workshop
• Maturity level is something for further discussion
  • Need to agree on common rating for consistency
  • Wendi did some very rough initial rating as a discussion base (Limited, Good, Strong)
    • In discussion with LLVM community if things make sense.
    • Feedback from community is very positive. Some openness also to look into proposals.
• Is SBOM a best practice as many people in the community do not know about it yet.
• Maturity levels of Limited, Good, Strong could be combined with numbers and explanation.
  • Limited:
    • evidence is there that it is executed
    • it should be described in some form of project documentation (mailing list is documentation)
  • Good:
    • confident that is is done more than once
    • information is not outdated or never updated
    • evidence is there that the community follows the practice
  • Strong:
    • aspect/area is enforced by tool
    • available data on practice is visualized and regularly monitored
    • independence in checking
• Maturity can mean something different based on the criteria evaluated.
• Suitability of the practices in place and how it is used in the project.
• Other may already have definitions for this CMMI, ASPICE, OpenSSF, Eclipse, Trustable
• How sure can you be that guidelines are followed? Unless you have not automated/enforced the check, you cannot be convinced.
• In mature Open Source project you can assume about 100% of projects will have a review model for commits (no rule without exceptions: The maintainer)
• Maturity is mainly on the maturity of our best practice hypothesis. The KPI will rate on the project as a second stage.
• Put Maturity level in the spreadsheet.

Continue any work on OSS project agnostic template workbook

• Template for filling: https://docs.google.com/spreadsheets/d/1jR0oGQpwJTdThJAOtWP70GrdWSz7K-ol84j5BWX2h8g
• Hypothesis to check: Does the selection of a "strong copy left" or "permissive license" can impact the quality of the open source project?
• Brainstorming session: What do we do once we fully filled a sheet. How to give an overall picture as maturity scale? Derived KPIs?

AoB

• Safety Critical Open Source submitted to FOSDEM
• Wendi will speak about LLVM and Lighthouse-SIG at Eclipse SDV Community Meetup in Yokohama Dec 11th
  • Wendi will talk also at OSS JP the day before: https://sched.co/29FpL

---

Helpful links

• Repository: https://github.com/elisa-tech/lighthouse-oss/
• Location of meeting minutes: https://github.com/elisa-tech/lighthouse-oss/wiki
• GDrive: https://drive.google.com/drive/folders/1MRq7-5fnGnB4Ve3pJn0coD4XeOMT_rbl
• Mailing list: https://lists.elisa.tech/g/lighthouse
• Discord: https://chat.elisa.tech

---

Collaborative editing: https://mensuel.framapad.org/p/lighthouse-oss-af5r?lang=en