Page History

Muddasar provided an update on SPDX version 3 and SBOM update.

SLIDES 

Effort to move SPDX 3.0 to ISO standard still to be done.

Tony prepared his part of the deck for a common presentation .

Tony to send a copy to broader team and check and shared with Lee Angella.

Muddasar was presenting Accelerating 5G Innovation at the ONE conference in Vancouver. Recording shall be available in few weeks. Muddasar provided a quick summary.

Maggie will be speaking to 5G superblueprint on network slicing and network configuration on Wednesday (11.00 AM EST). 

Tony will join next TSC and share SECCOM recommendation for 2FA.

OJSI list of people to be reviewed. Amy will contact Jess.

Let's have a common SECCOM voice towards ONAP community.

Slide with packages upgrades to be added as well as security template in architecture review template. 

LFX Security Dashboard

https://security.lfx.linuxfoundation.org/ 

Amy had a meeting with Jess. 

-LFX is a security framework - open for different pipelines, no dictated tools, and absolutely no integration with LF purchased/licensed products: Nexus-iq or Sonarcloud.

-ongoing VEX and SBOM under exchanges

Marek was able to initiate latest run of scans.

Results are progressing, cassandra and zk-tunnel-svc to be further elaborated.

Marek does not know which project is using zk-tunnel-svc - it is not in Jenkins

ONAP-discuss question was raised but still no feedback so far.

PTL meeting (May 15th)

PTL Agenda Topic:  Confluence and JIRA alternatives – no issue anymore

M4 status update RC for London June 1st.

Montreal M1 planning (June 22nd)

22nd)

TSC meeting (May 18th)

-Review

TSC meeting (May 11th)

Voting on modified ONAP mission statement and chapter modifications

Preparation of the deck for Governance Board (presentation today!last week)

-2FA issue raised – follow-up with presented as summary of meeting Andreas and LF- IT today at 5 PM CEST.

last week – still some actions pending… but

-Feedback from Andy received ;-)

• 2FA can be available generally on Linux Foundation IDs and should be turned this on at the individual account level - ticket to be raised individually to LF IT.
• It can enforceed across the entire Gerrit instance if the TSC were to ratify a request that we do this and an appropriate ticket was raised on it.
• In either case, when 2FA is enabled on the account the first attempt to login via the UI after having it enabled would walk through a 2FA onboarding workflow.
• If this done by TSC mandate, then the 2FA would only affect accounts as they access Gerrit via the webUI. If an account holder wants it across _all_ of their LFID web accesses, then they would still need to talk to the support desk individually for that.
• In no case would enabling 2FA affect SSH transport to Gerrit, nor would it affect HTTPS transport to Gerrit (via the Gerrit supplied HTTPS password which is effectively a user TOKEN) as both of those transports are operating in a manner that would have required an authenticated web session for configuration before being available. This is comparable to both GitHub and GitLab 2FA solutions around git itself.

Existing Global requirements

-Epic REQ-437: COMPLETION OF PYTHON LANGUAGE UPDATE (v2.7 → v3.8)

• Montreal Task: TBC
• OOM-2900 - Update or Remove Python 2

-Epic REQ-438: COMPLETION OF JAVA LANGUAGE UPDATE (v8 → v11)

• Montreal : TBC
• OOM-2554 - Common pods have java 8

-Epic REQ-439: CONTINUATION OF PACKAGES UPGRADES IN DIRECT DEPENDENCIES

• Montreal Task: TBC

-Epic REQ-443: CONTINUATION OF CII BADGING SCORE IMPROVEMENTS FOR SILVER LEVEL

• Montreal Task: TBC

-Logging for Java

• Montreal Task: TBC

• New Best Practice requirements

Bob to share Jira as a reference.

JIRA ticket for the security logging for Java containers.

SECCOM MEETING CALL WILL BE HELD ON 30th May 2023. SBOM Types & Minimum Requirements for VEX Documents - we move it to the next week, Muddasar will prepare some info on SPDX 3.0 and different types of SBOMs.

• Security review in ARCCOM