
Agenda items (minutes table columns: Jira No, Summary, Description, Status, Solution; no Jira numbers were recorded for this meeting)

SECCOM elections – call for candidates!

E-mail with call for candidates was sent to SECCOM distribution list. Candidates submitted:

  • Amy Zwarico for SECCOM Vice Chair
  • Pawel Pawlak for SECCOM Chair

Elections later this

Together with Amy, we have submitted our candidatures, but other candidates are welcome.

Elections next week.

Status: ongoing

Solution: E-mail with call for candidates to be sent to SECCOM distribution list.

SECCOM Inputs for Guilin release notes

Following the last PTL call, SECCOM should provide its inputs.

Krzysztof has already updated all the Jira tasks assigned to him: log management, password removal, not running as root. A copy & paste of the waivers list is expected.

No update on CII badging from Tony.

Package upgrades by Amy.

For the Java and Python upgrades, the Jira tickets were updated and will be referenced in the release notes.

Status: ongoing

Solution: Update to be provided as a patch to the security release notes by Krzysztof.

Global requirements vs. best practices in Honolulu

Next steps: present our candidate best practices to the TSC and rephrase them. Example: requirement: a project should upgrade its vulnerable packages → best practice: no ONAP component should use packages with known vulnerabilities, so all new components added to ONAP in the Honolulu release will need to meet it.

Then we need to propose to the TSC how we want to evolve: the affected projects should upgrade those packages.

Not obeying the new rules = the new container is not shipped.

A global requirement for a release has to be approved at M1.

A best practice can be approved at any time and is valid forever; all new code developed from the next day on needs to follow it. At least one week before M1, a best practice may become a global requirement.

Status: ongoing

Solution: The list of best practices we would like to become global requirements is to be delivered to the TSC on 10th of December.

The TSC first approves best practices.

Kenny: request to initiate the elections this week.

ONAP discussion on Global Requirements vs. Best Practices in Honolulu release

Amy's presentation given at the last PTL call:

Proposal for global requirements for the Honolulu release.

Formal approval by the PTLs would require the process to be elaborated.

SECCOM requirements have been known to the community for a long time.

A global requirement has to be met within the particular release. As long as a project does not meet a global requirement that it failed to meet in the past, it will not be allowed to deliver a new container.

A security framework is crucial for ONAP's success in operator environments.

Code quality is also crucial. The code delivery process requires review and change. Insufficient code coverage should not allow a +1 for code acceptance.

A maintenance project should be called "end of support" mode.

Status: ongoing

SCA: Whitesource vs. Nexus-IQ

The best option would be to run both tools for one release and compare the results.

Projects fix direct dependencies.

Status: ongoing

Solution: To save resources, deprecated repos should be excluded.

Sonarcloud capabilities to be investigated further.

Container as root vs. as privileged

There is a huge difference between a privileged container and a container running as root.

Container running as root = processes started within this container run as uid 0, but with capabilities dropped (the runtime's default set keeps only a small subset, most capabilities are dropped).

Container started as privileged = it gets the full capability set and access to host devices, sharing certain resources with the host system namespaces, which is a far bigger security issue than starting a container as root with a reduced capability set.

Status: ongoing

Solution: To be discussed at the next SECCOM.
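As an added example for the distinction above (not ONAP code and not from the meeting presentation), a POSIX shell helper that decodes the effective capability mask (CapEff) a process holds, so the difference can be checked from inside a running container. The three masks it classifies in its demo are constructed sample values: Docker's default root set 0xa80425fb (14 capabilities), and the full 38-bit and 41-bit sets a privileged container receives on kernels before 5.8 and on 5.9 and later. Capability bit numbers are those of the Linux kernel's capability.h; the "privileged-grade" label (any mask holding CAP_SYS_ADMIN) is this example's own classification, not an ONAP rule.

```shell
#!/bin/sh
# Added example (not ONAP code): decode a Linux CapEff mask, as found in
# /proc/<pid>/status, into capability names and classify it. Bit numbers
# follow include/uapi/linux/capability.h (bit 0 = CAP_CHOWN ... bit 40 =
# CAP_CHECKPOINT_RESTORE). Sample masks at the bottom are constructed.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# cap_eff_hex [STATUS_FILE]: print the CapEff hex field of a status file
# (default: the current process).
cap_eff_hex() {
  awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# caps_from_hex MASK: print one capability name per line for each set bit.
# MASK is hex with or without a 0x prefix.
caps_from_hex() {
  mask=$(( 0x${1#0x} ))
  i=0
  for name in $CAP_NAMES; do
    [ $(( ($mask >> $i) & 1 )) -eq 1 ] && printf '%s\n' "$name"
    i=$(( $i + 1 ))
  done
  return 0
}

# cap_count MASK: number of capabilities set in the mask.
cap_count() {
  caps_from_hex "$1" | wc -l | tr -d ' '
}

# has_cap MASK NAME: succeed when NAME (e.g. sys_admin) is in the mask.
has_cap() {
  caps_from_hex "$1" | grep -qx "$2"
}

# classify_caps MASK: "empty" (nothing to abuse even as uid 0),
# "privileged-grade" when CAP_SYS_ADMIN is present (what --privileged or
# securityContext.privileged: true grants, along with the rest of the set),
# otherwise "restricted" (a bounded set such as the runtime default).
classify_caps() {
  if [ "$(cap_count "$1")" -eq 0 ]; then
    echo empty
  elif has_cap "$1" sys_admin; then
    echo privileged-grade
  else
    echo restricted
  fi
}

# Constructed samples: Docker default root set; privileged on a pre-5.8
# kernel (38 caps); privileged on a 5.9+ kernel (41 caps).
for sample in a80425fb 3fffffffff 1ffffffffff; do
  printf '%s: %s caps, %s\n' "$sample" "$(cap_count "$sample")" "$(classify_caps "$sample")"
done

# The live process, when /proc is available (Linux only).
if [ -r /proc/self/status ]; then
  live=$(cap_eff_hex)
  printf 'this process: %s -> %s\n' "$live" "$(classify_caps "$live")"
fi
```

Run it inside a pod: a container with securityContext.privileged: true reports privileged-grade, one running as non-root with all capabilities dropped reports empty, and a root container on the runtime defaults reports restricted with the 14 default capabilities listed. One caveat: CapEff of a non-root process is empty even where CapBnd still holds the bounding set, which a setuid-root or file-capability binary inside the image could regain, so audit CapBnd from the same status file as well.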


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 15th OF DECEMBER 2020.

Recording: 2020-12-08_SECCOM_week.mp4

SECCOM presentation: 2020-12-08 ONAP Security Meeting - AgendaAndMinutes.pptx