23rd Feb 2026 - GitProxy Meeting Minutes

[kriswest]

Date

20260223 - 4pm GMT / 11am EST

Meeting info

• Meeting link

• Register for future meetings

Meeting notices

• FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

• All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

• FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.

• FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

• Convene & roll call (5mins)
• Display FINOS Antitrust Policy summary slide and Review Meeting Notices (see above)
• Approve past meeting minutes and review actions
  • 9th February 2026 - GitProxy Meeting Minutes #1367
• 2.0 release status
• Should attestation bypass bug be reported as vulnerability?
• checkUserPushPermission is checking the wrong user's permission to push #1400 and feat(ssh): Add SSH agent forwarding #1332
• AOB, Q&A & Adjourn (5mins)

Minutes

• Approval of Past Meeting Minutes and Review Actions

  • Previous minutes approved; actions reviewed with updates and clarifications. Several items closed or rolled over as appropriate.

• 2.0 Release Status

  • The team discussed progress on the 2.0 release checklist. Several key PRs and documentation updates are nearly complete.
  • RC5 will be created once outstanding items are merged; goal is to promote to 2.0 following testing.

• Should Attestation Bypass Bug Be Reported as Vulnerability?

  • Attestation bypass discussed; consensus is it's not a vulnerability unless non-approved reviewers can abuse it.
  • It is regarded as a flaw to fix, but not a reportable vulnerability.

• checkUserPushPermission Bug and feat(ssh): Add SSH Agent Forwarding

  • The group discussed the issue of correctly identifying the user pushing to GitHub, a limitation of the Git protocol.
  • Various approaches considered, including using GitHub Apps and storing credentials per provider.
  • The need for a post-2.0 refactor to address this was acknowledged. SSH agent forwarding implementation reviewed; may share the same limitation.

• AOB, Q&A & Adjourn

  • No significant AOB. Volunteers requested for reviewing and closing smaller issues and PRs.
  • Tomasz Swierszcz (Citi) introduced himself as a new participant and lead for Citi internal Git Proxy initiatives.

Action Items

• @kriswest: Liaise with FINOS about enabling CODEOWNERS enforcement and review rights; confirm maintainers cannot force merge without review.
• @jescalada: Email help@finos.org regarding container registry and Docker image publication best practices, and update team if any standards exist.
• @andypols: Continue UI JS/TS (MUI upgrade/Tailwind transition) investigations; keep team informed. Consider dual UI approach as temporary measure.
• @grovesy: Finalise and share proposal for notification system design using hooks; create sub-issues as required.
• @tabathad: Finalise homepage fixes PR Update website homepage content #1277 and close LinkedIn testimonials item; update maintainers section with Andy's preferred title ("developer at QRT") and Jamie as "emeritus maintainer". Ensure deployment of homepage changes.
• @kriswest: Write and post closure message for long-stale tracking pixel PR/issue (chore(analytics): add Scarf to npm install, docs, and ui #725).
• @RichardUri: Finalise and update logging improvements PR (refactor: Improve logging in processors/action chain #1338), considering new email address; notify @kriswest for review.
• @kriswest: Complete review of Apache-2.0 licence headers PR (fix: Add Apache-2.0 license headers to source files (2) #1253) and coordinate with @06kellyjac/@sam-holmes2 on any remaining issues (review ESLint vs custom script approach; confirm header wording).
• @06kellyjac: After merging the Renovate ignore PR, close any obsolete Renovate PRs/issues not relevant to git proxy main.
• @tabathad: Move usage instructions to "Quick Start" section in documentation and update deployment guide as per meeting discussion.
• All maintainers: Review/merge remaining PRs and issues to complete v2 release checklist; support G-Research testing contributions.
• @fabiovincenzi: Review SSH agent forwarding implementation for user identification limitations; report findings at next meeting.
• @Andreybest: Continue to assist with reviews and pick up smaller or medium issues as labelled; maintain "good first issue" tags for easy contributor onboarding.
• @kriswest: Keep "checkUserPushPermission" refactor on the agenda for post-2.0 release; initiate discussion on viable technical solutions.

[coopernetes]

Had to drop early folks, my apologies! FINOS OSFF is coming to Toronto in April and I will be running a Git Proxy workshop. Sharing for awareness, registration should be open imminently. I plan to make it an introduction to Git Proxy as well as having some time for folks to hack on the project (not a full blown hackathon but there will be time to collaborate with any interested developers). I'll update this comment with relevant links.