# 2025-10-15 - coreboot Leadership Meetings
## Open Action Items
* 2024-11-27
  * [Open] Send out poll with regards to LLM usage (requested by SFC)
* 2024-10-30
  * [Open] Add clarification to docs: “Do not use gerrit change-id or CB:
    format in reference to already-merged patches.”
* 2024-10-16
  * [Open] Matt: Set up a meeting to discuss board status alternatives and
    send out invites.
    * Decouple data collection with uploading
    * Require gerrit credentials or other auth to push
    * Json format?
    * https://github.com/chrultrabook/linux-tools/blob/main/debugging.sh
* 2024-09-18
  * [Open] Jon: Schedule a dedicated meeting to discuss the Coverity defects
    and action plan.
    * Werner: Send out an invite for the meeting.
      Sent out a poll to find a time slot:
      https://rallly.co/invite/1c8J3azXAcje
* 2024-05-01
  * [Open] Nick Van Der Harst volunteered for Dutch. "gogo gogo" would like
    to translate to Russian (?).
* 2024-01-10
  * Nico: (https://review.coreboot.org/q/topic:enforce_region_api)
  * [Open] Daniel: Look at how we want to localize (non-console) strings
    for coreboot. Long-term project.
## Announcements & Events
## Late GMT coreboot Leadership Meeting Minutes
## Attendees
David Hendricks, Mina Asante, Matt DeVillier, Alicja Michalska, Ingo Reitz,
Julius Werner, Maximilian Brune.
## Minutes
### [Martin] Discuss the early meeting agenda.
### [Elys]: Would you please update to Debian stable?
* Ref: (https://review.coreboot.org/c/coreboot/+/89336) (abandoned)
* Check with Felix on status.
### [Alicja]: Some policy questions/changes:
- Should we require port maintainers to provide defconfigs for boards? This
should make it easier for end-users to build coreboot images.
* [Matt] Kconfig defaults should *build*. One problem with providing
defconfigs is the expectation that the board will *boot*, which is a much
bigger ask.
* [David] It could be useful, but defconfig needs to document what hashes
(coreboot, blobs, etc.) the defconfig was tested with.
* Does defconfig need to include a payload as well?
- What’s our official stance on pictures in documentation? No images, limited
dimensions/size?
* Keep it less than 100KB (256KB?)
- Do we have/need another repo for images?
* Avoid copyrighted/vendor photos (linking to those is fine)
* Images should have a purpose; that is, showing where the SPI flash chip
or headers are. Don't just include a generic photo of a board that doesn't
provide additional info.
- How should we treat SoMs (System on Modules)? (Mainboard, variant?)
* If differences only need to be resolved by overridetree.cb, then
a variant makes most sense.
## Early GMT coreboot Leadership Meeting Minutes
## Attendees
Shuo Liu, Mina Asante.
## Minutes
### [Shuo Liu] Is coverity scan performed in coreboot codebase, and if yes, what would the coverage and scan frequency be?
* Besides coverity scan, what other security development scans or practices
  are enforced in the infrastructure?
* [David] Scans are done twice a week
  (https://qa.coreboot.org/job/coreboot-coverity/).
  For more details: (https://doc.coreboot.org/infrastructure/coverity.html)
  and (https://scan.coverity.com/projects/coreboot). Many of the issues are in
  non-core components such as build utilities, vendor code, etc.
* Aside from coverity:
  * Toolchain:
    * We use relatively strict compiler warnings/errors to flag unsafe code.
    * coreboot can be built using both GCC and Clang, which might help
      surface some issues.
    * Users may choose their own compiler/toolchain versions, including
      "hardened" toolchains. This is common for large companies that maintain
      their own toolchains with additional security auditing/QA.
  * Utilities such as BITS and CHIPSEC can be used. This talk is kind of old
    but may still be relevant:
    (https://www.osfc.io/2018/talks/bits-and-chipsec-as-coreboot-payloads/)
    9elements also publishes their "Converged Security Suite," which has tests
    for security-related settings (CBnT, etc.):
    (https://github.com/9elements/converged-security-suite)
  * Additionally, Google is developing a self-test framework that can be used
    to check security-related settings. This is mostly useful for registers
    that can only be accessed in SMM or otherwise become hidden after bootup
    such that userspace utilities cannot be used:
    (https://mail.coreboot.org/archives/list/[email protected]/thread/ZLHWZGWU2PMP5CIHQ7DBM3XSYTAXQPZA/)
# Next Leadership Meetings Date
* October 29, 2025.
* [coreboot Calendar](https://coreboot.org/calendar.html).
# Notice
Decisions shown here are not necessarily final and are based
on the current information available. If there are questions or comments
about decisions made, or additional information to present, please put
it on the leadership meeting agenda and show up if possible to discuss
it.
Of course items may also be discussed on the mailing list, but as it's
difficult to interpret tone over email, controversial topics frequently
do not have good progress in those discussions. For particularly
difficult issues, it may be best to try to schedule another meeting.
We now host two leadership meetings, one in early GMT and one in late GMT, to
better accommodate participants from the Asian time zones.
Kindly note that both sessions use the same meeting notes and Google Meet link.
# coreboot Leadership Meeting Notes
https://docs.google.com/document/d/1NRXqXcLBp5pFkHiJbrLdv3Spqh1Hu086HYkKrgKjeDQ