  • Zoom bridge: https://zoom.us/j/283628617?pwd=aWM3WjliUkFtcGFPUEdEMStIRll1UT09  passcode: 248130 
  • PTL Recordings
  • Antitrust Policy Notice

We will start our meetings by mentioning the project's Antitrust Policy, which you can find linked from the LF and project websites. The policy is important where multiple companies, including potential industry competitors, are participating in meetings. Please review and if you have any questions, please contact your company legal counsel. Members of the LF may contact Andrew Updegrove at the firm Gesmer Updegrove LLP, which provides legal counsel to the LF.

Agenda

START RECORDING

Duration

Agenda Item

Requested by

Notes / Links
1 hour
Cross-project discussions

LF IT Support

Testing Environment

Testing Improvement

CSIT Review

ToolChain Improvement

Documentation

Other Improvement suggestion

Code scans now conducted by a third party, Source Auditor (Jeff Shapiro)

Subcommittee Updates for PTLs

Log4j upgrade vulnerability recommendation.

File: 2021-12-16 ONAP Security Subcommittee recommendation log4j issue v3.pptx

CentOS version used by ONAP community.

Sharing Best Practices
  •  David McBride to file a ticket with LFIT to determine whether Nexus IQ scans are only looking for the string 'log4j'. Could we be missing instances of log4j where this string is not included in the file header?

Filed ticket IT-23420

What about VID (unmaintained)? Any dependencies? Currently failing build.

IF TIME ALLOWS ....
15 mins
Release status

Istanbul Maintenance Release (highest priority)

  • The TSC agreed on Dec 16 that mediation of the log4j CVE is the highest priority for ONAP
  • This will include an Istanbul Maintenance release as soon as possible
  • Due to the urgency of the log4j issue, PTLs should avoid including any additional changes that might delay completion of the maintenance release
  • The release name, 'Istanbul Maintenance Release 1', has been created in Jira. Please assign this release name to the "Fix Version" field for issues for the maintenance release.

Jakarta release

  • No changes to the Jakarta schedule due to the log4j issue for now. We will monitor progress and re-evaluate as we get closer to M1
5 mins
    • Arch review task expanded to include discussion of inter-project dependencies


Upcoming Events
10 mins
Remaining Action Items



Zoom Chat Log 


06:22:03 From Muddasar to Everyone:
https://www.businesswire.com/news/home/20211216005779/en/JFrog-Releases-OSS-Tools-to-Identify-Log4j-Utilization-in-Both-Binaries-Source-Code
06:22:21 From Muddasar to Everyone:
https://github.com/jfrog/log4j-tools
06:45:57 From Bob Heinemann  to Everyone:
happy holidays