...
| Jira No | Summary | Description | Status | Solution | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TSC elections | completed - Pawel was elected. elected. Thank you Team for your trust and support! | |||||||||||||||
Next week SECCOM | Pawel on PTO, Amy will lead the SECCOM meeting. | |||||||||||||||
Unmaintained meetng update | Andreas was on the call and mention that we need to consider certain situations. David worked with LFN - MariaDB used to be a custom image and now moving to generic one. How do we maintain? Reason: we still feel we need to support previous releases. EoL and EoS definitions: 1 release only. Amy sent an e-mail to David - moving directly to Global Requirement. Whatever is built in the pipeline in London, is needed for London release. Tags from repo could be used. We focus on removing code and not images. | ongoing | Pawel to propose retirement requirement as Global Requirement to the TSC. Question could be asked to LFN on how other projects handle linux kernel - good example. Muddasar to check with Jessica for tagging capability or equivalent for repos. | |||||||||||||
| SBOM update | PTLs or LF IT to be responsible for configuration change (JJB template). If no PTL, the change shall be on LF IT. | Where SBOMs are not produced, troubleshooting needs to be done by LF IT and SECCOM. Jiras per projects to be issued by Muddasar. IF PTL exists, it would be assigned to him/her, otherwise to LF IT (Jess?). | ||||||||||||||
| Logging requirement | Team synch for Bob, Carter and Vijay. We split Java and Python: SECURITY LOGS FIELDS – Java related candidate for London and PoC for -SECURITY LOGS FIELDS – Python related candidate for London. | Agreement for PoC to be achieved with Vijay. | ||||||||||||||
Logging and security update – Byung | Application should not handle non functional requirement, should be delegated to platfom level. Deamon set is used and it should be avoided (as having root privilege user) – to be discussed with Bob. For logging - short of resources. | How to distribute FluentBit to each node without root access. | ||||||||||||||
| Architecture Subcommittee | multitenancy – major discussion area:
SDC started some tests for multitenanacy. In case of SQL injection big problem potentially. | MSB and AAF would not be used in London. Some components heavily depend on MSB and AAF- so corner case. Architecture review - security conformance section was polished. | Byung to work with Andreas on updates tomorrow. Signature method for containers to be recommended by SECCOM. | |||||||||||||
| AAF compliance for new UUI component | It would be waste of time and resources for a compliance with AAF, instead Service Mesh integration should be considered. AAF is deprecated unmaintained. Last step is OOM chart remove. | This topic to be followed next step | TSC meeting (October 6th) | TSC approves the Kohn M4 milestone as being met with the following exceptions to be completed by the RC milestone: INT-2145, INT-2146, & OPTFRA-1093. | PTL meeting (October 10th) | Packages upgrade – DMaaP whitelisting results for some AT&T packages where no upgrade is expected. | New repo is needed | Not only PTL might request for a repo. Sub- repo from unmaintained project (owner: David MCbride) could be used as well as OJSI. | DTF SECCOM topics | Expectations for multiproject topics:
| Security asessment questionaire | Ongoing Tony with Vijay for DCAE, some adjustments needed. | Gerrit reviews | Presentation delivered by Tony to PTLs meeting - ongoing eschanges with several PTLs inb the contect of London efforts. | ||
| Daylight saving time | To be further elaborated. In US in the week of November 4th, last weekend of October for Europe/Poland. | |||||||||||||||
SECCOM MEETING CALL WILL BE HELD ON 25th OF October'22. | Requirements for London release. |
Recordings:
| View file | ||||
|---|---|---|---|---|
|
SECCOM presentation:
| View file | ||||
|---|---|---|---|---|
|