Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 10th 24th of October 2023.

Jira No | Summary | Description | Status | Solution

LFN AI/ML use cases

Muddasar Ahmed presented the draft deck about LFN AI/ML use cases.



Nephio security working group

Byung-Woo Jun informed SECCOM that the Nephio security WG is holding a joint meeting with the LF security SIG today at 11AM ET. Nephio plans to adopt 80% of the OSSF passing badge.




Support for CPS to get gold badge

OJSI distribution list participants were updated with Amy's and Jess's support.

2FA ongoing by Jess and Eric for CPS and OJSI distribution list

Per Jessica Wagantall:

LFIT will bring the request for 2FA for all users across all ONAP Jiras to the TSC (26th Oct) for approval. 

LFIT will implement 2FA for users across all ONAP Jiras.


Modeling component move to unmaintained

Modeling team did not follow the unmaintained project process. Build failing for components reliant on the "etsi" components.


Kenny Paul following up to fix the build break.


AAF Certificate Expiration

Jira: AAF-1217

Review workaround proposed by Andreas Geißler - deferred until Andreas Geißler returns from holiday

Workaround

Some project containers still experiencing problems: clients using the cert-initializer (e.g. SO, SDC, CDS) still fail.

Need to document certificate management in user docs.

Louis Gamers' AAF cert wiki page: Create AAF CA certificates - Developer Wiki - Confluence (onap.org)

  • Components such as dcaegen2 have their own cert init container with the aaf certificate embedded in the container image. This might be the reason why SO, SDC, and CDS broke if they have their own cert init containers.
  • Unclear why onap-aaf-sms-preload and onap-dmaap-bc-dmaap-provisioning jobs broke in Louis's environment.

Discussion with China Telecom done - they could potentially check next week, and they worked independently on this issue. Aarna Networks committed to check Andreas's patch.


Paweł Pawlak to send an e-mail notification to China Telecom about the script prepared by Andreas and associated Wiki documenting it.


Container Signing

Review next steps:

-select signing software (SECCOM + LFIT)

-perform POC with friendly projects (ONAP)

-integrate into build process (LFIT)

Looking for a volunteering project to work with us. Request raised at the 18th September PTL's call but no volunteer so far.


Muddasar Ahmed to analyze which ONAP project has the most frequent changes in its containers.

Muddasar reached out to LF-IT; Jess and her team are analyzing what enhancements have to be made to the CI jobs to allow for container signing. Further updates will be provided when scope and effort have been assessed.

https://jira.linuxfoundation.org/plugins/servlet/desk/portal/2/IT-26130


No PTL for AAI, DCAE, OOF

-Andreas Geissler and Thomas Kulik made committers

-They will do the work necessary for the projects to participate in the release

-TSC approved streamlining process (7 September)

-SECCOM will create package upgrade recommendations

-TSC will recruit resources to perform upgrades for AAI, DCAE, OOF

  • need options to move forward

Kenny's reply is that we could benefit from the Mentorship program. We have to define the job description and skills needed.


-Byung will discuss with Andreas and Thomas to coordinate release tasks such as backlog prioritization

-Muddasar: someone needs to take backlog management role

-Muddasar: no mandated best practice to manage technical debt; call for a statement about code quality – all code will be secure

-Muddasar & Amy: bring mandate for code quality to LFN TAC 2023/8/16

  • Pawel to raise a request to TSC with getting resources for upgrades for AAI, DCAE, OOF - done

CentOS strategy

Discuss multiple paths for CentOS upgrades

Feedback from Amy: 7.9 is the final release of CentOS.
CentOS users should upgrade to Rocky Linux 8 or 9.

TSC meeting (October 5th 19th)

TSC self-nominations completed. 

No update




PTL meeting (October 9th 23rd)

Marek shared the progress with Matt. We wait for his return from PTO.

Kevin was added into the exchanges with Jess for 2FA for OJSI. Need to validate that it is already enabled.

New CVEs related to curl (CVE-2023-38545, CVE-2023-38546): potentially low impact on ONAP.

Package upgrades - please expect Jira tickets per project with recommended packages on the restricted Wiki.

No update




LFN-TAC (September 27th)

Any SECCOM recommendations for the TAC.

Amy shared SECCOM recommendations. TAC would like the Security Forum to be updated - WiP.

Discussion about a goal statement on code quality and security. At the LFN level we shall have an inspiring vision and strategy around this topic.

Muddasar Ahmed to share Confluence page.

LFN Security Forum

https://wiki.lfnetworking.org/display/LN/LFN+Security+Forum

Security Best Practices (ONAP SecCom driven effort)

https://wiki.lfnetworking.org/display/LN/Security+Best+Practices

A roadshow could be prepared to present security achievements to other LFN projects. DTF could be a good place...

TAC needs to prioritize.

LFN-TAC (October 11th)

No update




NEXT SECCOM MEETING CALL WILL BE HELD ON 31st of October 2023. 







Recordings: 

audio1104650360.m4a

video1104650360.mp4

LFN AI/ML use cases - Muddasar Ahmed (MITR)
