Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 18th of October 2022.

Jira No | Summary | Description | Status | Solution

TSC elections

completed - Pawel elected. Thank you Team for your trust and support!




Next week SECCOM 

Pawel on PTO, Amy will lead the SECCOM meeting.


Unmaintained meeting update

Andreas was on the call and mentioned that we need to consider certain situations. David worked with LFN - MariaDB used to be a custom image and is now moving to a generic one.

How do we maintain? Reason: we still feel we need to support previous releases. EoL and EoS definitions: 1 release only. Amy sent an e-mail to David - moving directly to Global Requirement. 

Whatever is built in the pipeline in London is needed for the London release.

Tags from repo could be used. We focus on removing code and not images.

ongoing

Pawel to propose retirement requirement as Global Requirement to the TSC. 

Question could be asked to LFN on how other projects handle the Linux kernel - good example.

Muddasar to check with Jessica for tagging capability or equivalent for repos. 


SBOM update

PTLs or LF IT to be responsible for configuration change (JJB template). If no PTL, the change shall be on LF IT.

Where SBOMs are not produced, troubleshooting needs to be done by LF IT and SECCOM.

Jiras per project to be issued by Muddasar. If a PTL exists, it would be assigned to him/her, otherwise to LF IT (Jess?).


Logging requirement

Team synch for Bob, Carter and Vijay.

We split Java and Python: SECURITY LOGS FIELDS – Java related candidate for London and PoC for SECURITY LOGS FIELDS – Python related candidate for London.


Agreement for PoC to be achieved with Vijay.

Logging and security update – Byung

Applications should not handle non-functional requirements; these should be delegated to the platform level.

A DaemonSet is used and it should be avoided (as it has a root-privileged user) – to be discussed with Bob.

For logging - short of resources.


How to distribute FluentBit to each node without root access.

Architecture Subcommittee 

MSB and AAF would not be used in London. Some components heavily depend on MSB and AAF, so this is a corner case.

Architecture review - security conformance section was polished.

ONAP Component Architecture Review Template


Byung to work with Andreas on updates tomorrow.

Signature method for containers to be recommended by SECCOM.


AAF compliance for new UUI component

It would be a waste of time and resources to comply with AAF; instead, Service Mesh integration should be considered. AAF is deprecated and unmaintained. The last step is removal of the OOM chart.
This topic is to be followed up as a next step.

Daylight saving time

To be further elaborated. In the US in the week of November 4th, last weekend of October for Europe/Poland.


SECCOM MEETING CALL WILL BE HELD ON 25th OF October'22. 


Requirements for London release.





Recordings: 


SECCOM presentation: