2025-02-18 Security Subcommittee Meeting Notes

Please find below the minutes of meeting and the recording for the SECCOM meeting held on 18 February 2025.

Discussion with Fiete.

@Paweł Pawlak to open a ticket at LF IT to ensure Node.js and Angular scans with Nexus-IQ: https://jira.linuxfoundation.org/plugins/servlet/desk/portal/2/IT-27757
@Byung-Woo Jun to raise the point with PTLs on





Java 21 in ONAP

For Oslo we recommended Java 11.0.21, accepted Java 17.0.10 (target 17.0.12), and allowed possible use of Java 21.

We need to figure out which Java versions we are running now in ONAP. If Dan is not making interface changes, moving to Java 21 is not a problem. Andreas is checking with Marek whether he could run scans that would expose the Java version used by each project.

AP Pawel - to check if we can get this info from Nexus-IQ directly.

Andreas provided the list of the Java versions per project.
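An added example, not ONAP tooling and not Andreas' list, of how such a per-project Java inventory can be produced from the repositories themselves: it reads the compile target from pom.xml (maven-compiler-plugin configuration and the usual properties, with ${...} expansion) and the JDK/JRE major from the Dockerfile base image tag, then flags projects below the accepted release. The two projects, their pom.xml fragments, the image names and the helper names (collect, pom_java_major, dockerfile_java_major) are all constructed for illustration.

```python
"""Inventory the Java release each Maven project targets, from pom.xml and Dockerfile.

Added example (not ONAP tooling). The two projects below are constructed; point
collect() at real checkouts to produce the per-project list discussed in SECCOM.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed pom.xml / Dockerfile pairs for two hypothetical projects (not real ONAP files).
POM_RELEASE_17 = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><maven.compiler.release>17</maven.compiler.release></properties>
</project>"""
DOCKERFILE_21 = "FROM eclipse-temurin:21-jre-alpine\nCOPY target/app.jar /app.jar\n"

POM_PLUGIN_11 = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><java.version>11</java.version></properties>
  <build><plugins><plugin>
    <artifactId>maven-compiler-plugin</artifactId>
    <configuration><source>${java.version}</source><target>${java.version}</target></configuration>
  </plugin></plugins></build>
</project>"""
DOCKERFILE_11 = "FROM onap/integration-java11:10.0.0\n"  # hypothetical base image name

PROJECTS = {"proj-a": (POM_RELEASE_17, DOCKERFILE_21), "proj-b": (POM_PLUGIN_11, DOCKERFILE_11)}


def _resolve(value, props):
    """Expand ${property} references against the pom's <properties>; None stays None."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value).strip()


def java_major(version):
    """'1.8' -> 8, '17' -> 17, '21.0.2' -> 21; None when unset or still an unresolved ${...}."""
    m = re.match(r"^(?:1\.)?(\d+)", version or "")
    return int(m.group(1)) if m else None


def pom_java_major(pom_xml):
    """Compile target of a pom, in maven-compiler-plugin precedence: plugin <release>,
    maven.compiler.release, plugin <source>/<target>, maven.compiler.source/target,
    then java.version (the Spring Boot parent convention)."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(POM_NS, ""): (p.text or "")
             for block in root.iter(f"{POM_NS}properties") for p in block}
    conf = {}
    for plugin in root.iter(f"{POM_NS}plugin"):
        if plugin.findtext(f"{POM_NS}artifactId") == "maven-compiler-plugin":
            cfg = plugin.find(f"{POM_NS}configuration")
            if cfg is not None:
                conf = {tag: cfg.findtext(f"{POM_NS}{tag}") for tag in ("release", "source", "target")}
    for value in (conf.get("release"), props.get("maven.compiler.release"), conf.get("source"),
                  conf.get("target"), props.get("maven.compiler.source"),
                  props.get("maven.compiler.target"), props.get("java.version")):
        major = java_major(_resolve(value, props))
        if major is not None:
            return major
    return None


def dockerfile_java_major(dockerfile):
    """JDK/JRE major from the last FROM line's tag (temurin/openjdk/java/jdk/jre naming only)."""
    image = None
    for line in dockerfile.splitlines():
        if line.strip().upper().startswith("FROM "):
            image = line.split()[1]
    m = re.search(r"(?:temurin|openjdk|java|jdk|jre)[-:]?(\d{1,2})", image or "")
    return int(m.group(1)) if m else None


def collect(projects, required_major=17):
    """One row per project: compile target, runtime image major, and the two checks that matter."""
    rows = []
    for name, (pom, dockerfile) in sorted(projects.items()):
        compile_major = pom_java_major(pom)
        image_major = dockerfile_java_major(dockerfile)
        known = [m for m in (compile_major, image_major) if m is not None]
        rows.append({
            "project": name,
            "compile_major": compile_major,
            "image_major": image_major,
            # Below the accepted release (17 for Oslo), or not determinable at all.
            "below_required": (not known) or min(known) < required_major,
            # A runtime older than the compile target fails at class-load time.
            "image_older_than_compile_target": (compile_major is not None and image_major is not None
                                                and image_major < compile_major),
        })
    return rows


if __name__ == "__main__":
    for row in collect(PROJECTS):
        print(row)
```

Images whose tags do not carry the Java major (distroless, custom bases) come back as None and are flagged, which is the right default for an inventory: unknown is not compliant.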





Python 3.13 in ONAP

Potential target for ONAP - to be further investigated.





Maven version

To be further investigated.





Support for TLS 1.3

SECCOM recommends that ONAP projects use TLS 1.3 and configure it so that downgrade to TLS 1.2 is not possible: TLS 1.2 still permits legacy cipher suites (static RSA key exchange, CBC-mode ciphers) that are known to be weak, whereas TLS 1.3 removes them. Istio and our Service Mesh already support TLS 1.3.

Andreas plans to move to TLS 1.3, most likely in the Paris release.





Next level for SCA and Nexus-IQ reports for Go

Following the discussion at the PTL meeting: the OPA PDP subproject under the Policy project.

For Go we need support from LF IT. Ticket IT-27561: Requesting guidance on adding a Go-based project to Nexus IQ (Project Services Support - Service Project).

The Go version used in the project is 1.23, recorded as the latest version (note that Go 1.24 was released on 11 February 2025).

Link to restricted Wiki: Security Vulnerabilities - Confluence.

Deena will request access to Nexus-IQ and to the restricted wiki in a dedicated ticket.


Kevin shared an update: viewing direct vs. transitive dependencies in the CLM reports is not currently supported for Go projects.

According to the documentation, this feature is only available for "npm, Maven, Cargo, and applications with a CycloneDX SBOM that includes dependency information": https://help.sonatype.com/en/dependency-tree.html

We shall consider generating CycloneDX as an additional SBOM format, produced automatically alongside SPDX. Conversion between the formats was tested by Nadeem with cyclonedx-cli: https://github.com/CycloneDX/cyclonedx-cli

Note that format conversion cannot add information the source SBOM lacks: a converted CycloneDX file only carries a "dependencies" section (and therefore a direct vs. transitive distinction) if the generating tool recorded the dependency relationships in the first place.

Even with the CycloneDX format Kevin was unable to get the distinction between direct and transitive dependencies. Kevin opened a feature request at Sonatype: https://support.sonatype.com/hc/en-us/requests/101113?page=1
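To make concrete what "a CycloneDX SBOM that includes dependency information" means for a Go project, the following added Python example (not Policy/OPA PDP code, and not Nexus IQ or cyclonedx-cli output) builds such an SBOM from a go.mod and the output of go mod graph. The module names, go.mod and graph lines are constructed; build_cyclonedx() and classify() are illustrative helpers. The root component's dependsOn lists only the requirements not marked // indirect, every edge collapses onto the version minimal version selection would pick, and classify() shows how a consumer recovers the direct vs. transitive split from the dependencies section alone.

```python
"""CycloneDX 1.5 SBOM with a dependency graph for a Go module (added example, not ONAP code).

Inputs: the project's go.mod and the output of `go mod graph`. The "dependencies" section is
what lets a consumer such as Nexus IQ separate direct from transitive dependencies; the root
component must list only the modules our own code imports (go.mod lines without "// indirect").
"""
import json
import re

# Constructed go.mod for a hypothetical module (not the real OPA PDP go.mod).
GO_MOD = """\
module example.com/opa-pdp
go 1.23
require (
    github.com/example/router v1.2.0
    github.com/example/jsonlog v0.9.0
    github.com/example/utf8x v0.4.0 // indirect
    golang.org/x/examplenet v0.20.0 // indirect
)
"""

# Constructed `go mod graph` output: "<requirer> <requirement@version>" per line. The main
# module appears without a version; a module may be required at several versions.
GO_MOD_GRAPH = """\
example.com/opa-pdp github.com/example/router@v1.2.0
example.com/opa-pdp github.com/example/jsonlog@v0.9.0
example.com/opa-pdp github.com/example/utf8x@v0.4.0
example.com/opa-pdp golang.org/x/examplenet@v0.20.0
github.com/example/router@v1.2.0 golang.org/x/examplenet@v0.18.0
github.com/example/jsonlog@v0.9.0 github.com/example/utf8x@v0.4.0
"""


def parse_go_mod(text):
    """Return (module path, {dep path: (version, is_direct)}); '// indirect' marks transitive deps."""
    main_path, requires, in_block = None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("module "):
            main_path = line.split()[1]
        elif line.startswith("require ("):
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif in_block or line.startswith("require "):
            m = re.match(r"^(?:require\s+)?(\S+)\s+(v\S+)(\s*//\s*indirect)?$", line)
            if m:
                requires[m.group(1)] = (m.group(2), m.group(3) is None)
    return main_path, requires


def semver_key(version):
    """Sort key for 'vMAJOR.MINOR.PATCH'; pre-release/build suffixes are ignored (simplification)."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


def select_versions(edges):
    """Minimal version selection as `go` does it: the highest version anyone requires wins."""
    selected = {}
    for _, (path, version) in edges:
        if version and (path not in selected or semver_key(version) > semver_key(selected[path])):
            selected[path] = version
    return selected


def purl(path, version):
    return f"pkg:golang/{path}@{version}"


def build_cyclonedx(go_mod_text, graph_text):
    main_path, requires = parse_go_mod(go_mod_text)
    # Each edge becomes ((src_path, src_version), (dst_path, dst_version)); the root has version "".
    edges = [tuple(r.partition("@")[::2] for r in line.split())
             for line in graph_text.splitlines() if line.strip()]
    selected = select_versions(edges)
    root_ref = f"pkg:golang/{main_path}"
    depends_on = {root_ref: set()}
    for (src_path, src_ver), (dst_path, _) in edges:
        dst_ref = purl(dst_path, selected[dst_path])  # every edge collapses onto the selected version
        if not src_ver:
            # Edge from the main module: direct only if our code imports it (no "// indirect");
            # indirect requirements are reached through the modules that actually need them.
            if requires.get(dst_path, (None, False))[1]:
                depends_on[root_ref].add(dst_ref)
        elif src_ver == selected.get(src_path):  # edges out of unselected versions are pruned
            depends_on.setdefault(purl(src_path, src_ver), set()).add(dst_ref)
    components = []
    for path in sorted(selected):
        ref = purl(path, selected[path])
        depends_on.setdefault(ref, set())  # every component gets a dependencies entry, even if empty
        components.append({"type": "library", "name": path, "version": selected[path],
                           "purl": ref, "bom-ref": ref})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application", "name": main_path, "bom-ref": root_ref}},
            "components": components,
            "dependencies": [{"ref": ref, "dependsOn": sorted(deps)}
                             for ref, deps in sorted(depends_on.items())]}


def classify(bom):
    """(direct, transitive) bom-refs, derived as a consumer derives them: walk from the root."""
    graph = {d["ref"]: d["dependsOn"] for d in bom["dependencies"]}
    direct = set(graph[bom["metadata"]["component"]["bom-ref"]])
    seen, stack = set(), list(direct)
    while stack:
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(graph.get(ref, []))
    return direct, seen - direct


if __name__ == "__main__":
    print(json.dumps(build_cyclonedx(GO_MOD, GO_MOD_GRAPH), indent=2))
```

In the constructed input golang.org/x/examplenet is required at v0.18.0 by router and at v0.20.0 by the main module; the SBOM records the selected v0.20.0 only, which is what the scanner actually analyses. A module marked // indirect that no selected module lists would stay a component without an incoming edge; that usually means the graph input is stale and go mod tidy should be rerun before generating the SBOM.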





TAC/Software Quality and Security

2025 Quality & Security Goals - LF Networking - Confluence


  • 5G super blueprint - incubation

  • Paraglider - sandbox

  • @Amy Zwarico elected to the security seat

  • Looking for a candidate for the AI/ML seat: one potential candidate from Red Hat, who will work with LF AI & Data and LF GenAI Commons

  • Initial recommendations defined & will be communicated to the LFN projects

  • LF dashboard may provide a good view of quality & security posture of project

Latest discussions:

  • Discussion on where to place responsibility in projects: PTLs vs. security champions vs. the subcommittee.

  • What do we need to do to be ready for post-quantum cryptography?

Muddasar will reach out to the TSCs and share the quality goals with the security teams so that the security-focused people in each project drive them. Each project should maintain its cryptography inventory.





Kubecon report

@Byung-Woo Jun

  • WASM is very popular (wasmCloud, etc.): small size, secure by design (each module has its own sandboxed memory), supports multiple languages, can support IoT.

  • Istio announced ambient mesh support: Envoy is still used at layer 7, no sidecar proxy is needed at layer 4; plan to add the gateway function (migrate Ingress to Gateway).

  • Multicluster support, AI, security.

  • Secure supply chain (e.g., in-toto and others).

  • To present at the next SECCOM.

Service supply chain, in addition to the hardware and software supply chain, as a potential threat for telcos; see recent reports.





UUI for Gold Badging

Under consideration with Keguang.

Other projects under consideration: AA&I and NG Portal.





Technical debt

@Fiete Ostkamp: Chef dependency in SDC related to a Ruby version conflict (Ruby 2.0 is pretty old). SDC-4691: catalog-be docker build is failing due to ruby dependency conflict (status: Open); the pipeline is broken because of this.

SECCOM recommends: in the short term, fix the Chef dependency (v13, from 2013?) so that Ruby can be upgraded to 3.0; in the long term, convert all of the Chef recipes into (Helm) chart form.

Need to discuss at the TSC the need for end-to-end testing.

5 Nov update: DT will fix and upload into ONAP for the Oslo release. @Andreas Geißler will provide a date at the 7 Nov TSC.

18 Nov PTL meeting: @Fiete Ostkamp still waiting for the upgrade. Delay in the Oslo RC to be discussed at the 21 Nov TSC meeting.

SDC upgrade (Ruby related) completed in Oslo release.

in progress




Support for Paris release

  • Updating Java, Python, OS, database and utility versions (done) + creating Jira tickets for package upgrades (WIP); reports under generation.





GitHub Actions integration pipeline

LF IT is migrating the CI pipeline to GitHub Actions; this may take until the end of fall or later. Once the ONAP migration to GitHub Actions is completed, we will do a security review. Last update from Matt: LF IT is continuously shipping one project at a time.

4/2: in progress

At the TSC, Jess mentioned Q4 2024, or rather the beginning of 2025. Matt and Kevin are working on it; ETA by the beginning of summer.

open - WIP




LFN AI/ML use cases

Need to write an LF informative position white paper on AI/ML; the writing team has been constituted. A meeting is planned at a time convenient for all contributors. Goal is to produce it by DTF.

Bulleted structure of the paper available on Confluence: https://wiki.lfnetworking.org/pages/viewpage.action?pageId=120652848

China Mobile focus: generative AI. (New Delhi UUI)

China Telecom focus: intent transformation & LLM tuning parameters to create domain specific solutions. (New Delhi UUI)

Both projects are in progress.

Oslo lightweight model 

China Telecom and China Mobile presented at the last TSC their plans for AI/ML use cases with ONAP.

In September both companies presented their plans for Oslo in this domain at the TSC meetings.

11/19 update:

  • SECCOM: to provide security input using O-RAN AI/ML technical report and the LF AI & Data initiative when AI/ML is introduced into ONAP

  • Note: data collected about a Chinese network cannot be shared outside China

  • Maggie to share DTF presentation

TAC will open AI/ML seat.

MaaS under consideration to plug in multiple LLM models.

open - select structure of the document

Copy of 2024-10-01 Security Subcommittee Meeting Notes (under prep)



Nephio security working group

Workload identity and access management in progress. Internal discussions in E/// on next steps for user identity and access management.

Nephio R3 has an action point on secret management: "sharing secrets across clusters, as Skupper generates a secret in one cluster/namespace and that secret has to be shared with another cluster/namespace to create the tunnel for communication. Now the question is how to share the secrets." This is a narrowed scope (sharing secrets between particular services), which is different from what Nephio SIG Security proposed.

@Byung-Woo Jun: The Nephio SIG Security team (Shiv from AccuKnox) plans to provide a demo of workload identity with SPIFFE this or next week. I will share the details after their demo.

LF IT support is needed for SBOM generation in SPDX format. Jess has experience with Java-based projects, and Nephio is Go-based.

@Byung-Woo Jun: The Nephio O-RAN Workload Identity proposal by Nephio SIG Security will be presented to Nephio WG 2 ORAN on May 29th (postponed to June 5th): https://docs.google.com/presentation/d/1kofOHWswM2_OJPfefTcSzVvsBAg0QE3Z7GQITlaPO2w/edit#slide=id.p

Nephio Workload Identity execution plan:

  • Start with PoC / demo to the relevant groups

  • Requirements / user stories to SIG-1

  • Detailed demo / run-through to SIG-Automation

Nephio update 2024-5-28:

  • Signed image handling through Nephio CI

  • Nephio SIG Security team is working on the above execution plan

  • Nephio O-RAN workload identity proposal to Nephio WG 2 ORAN this week

  • O-RAN integration discussion (Q&A) later this week

Update expected on 18 June: Nephio signed image is a work in progress.

Branch selected for Workload Identity - WIP.

Links shared by Muddasar:



Small demo presented with Vault used for secrets.


The second demo topic on July 23rd, 2024:

  • SPIRE server and agent created as part of the Nephio install

  • Node attestation for nodes in other clusters

  • Node attestation for regional/edge clusters initiated by the workload identity reconciler

  • Library obtaining an SVID, authenticating to Vault, reading from and writing to Vault

  • Secrets CSI controller

Another demo on July 30th, 2024:

  • SPIRE agent installed on all nodes via a DaemonSet; how is registration of new nodes handled at scale?

  • The service account (SA) token is applied to the SPIRE agent

  • The SPIRE trust bundle is held in a ConfigMap so the SPIRE agents can talk to the SPIRE server

  • How to prevent spoofing of the SPIFFE ID/SVID? The current mitigation is a JWT-SVID lifetime of 5 minutes (note that the short lifetime only bounds the replay window; forgery is prevented by verifying the SVID signature against the trust bundle and checking the audience claim).

New hydration concept: customization of CRDs.


11/19: Nephio formed the Nephio AI/ML working group (model selection, security).

IaC still under investigation.

Workload identity planned for R4.

Nephio GenAI Working Group has written a paper on Nephio GenAI.


Workload Identity for Nephio R4 (Q1/Q2’25)

GenAI documentation preparation ongoing.





New ISTIO 1.22

Ambient mesh under consideration if stable and memory safe.

Trigger for the Istio implementation to be detailed.

A plan for eBPF via Cilium: see Andreas' wiki page ONAP "Networking" Options (>=Kohn). For now, it is a consideration only.

DT is in general on hold with ambient mode; for ONAP, Andreas will continue.





TSC meeting (February 13th)

ONAP usage collection of inputs: https://docs.google.com/document/d/1_MTqJDP8QyJwYUyxzDsCoxbUlJsb3Ec_S3xE4Q97HP4/edit?tab=t.0

Collection of session/presentation topics for the planned ONAP PTL Days virtual event.






PTL meeting (February 17th)

Focus on security - Fiete raised Java version issue.

DT contributes ArgoCD- and Flux-based deployment.






CNTI approved as a project. Paraglider might prepare a presentation. Next meeting on July 10th.

KPIs for project promotion and health-check discussion with every project. Chair and vice-chair election. Security seat and 5G Super Blueprint seat.

Proposal: use Tony's 5-year assessment as a baseline.

Planning meeting done last week.

WIP for 5G Super Blueprint.

New use case under consideration (software packaging?).

No quorum for the last 2 meetings. CI/CD process for RAN and core deployment. Aether project. Hexa eBPF-based UPF solution. https://aetherproject.org

Hexa: https://coranlabs.com

Best practices for security goals in projects under collection.


@Muddasar Ahmed to check for document availability on software quality goals.




Quality goals and security goals: no actions taken, so put back on the agenda for this week.

Criteria for project incubation and graduation to be worked on.

No quorum at the last meeting; planning for the next meeting.

Feedback from Olaf received on the quality and security goals. Discussion to follow this week.


Security Review Page-  TAC page to collaborate:  https://lf-networking.atlassian.net/wiki/spaces/LN/pages/18415618/Security+Review+Matrix. ( May require new login set up, as this site has migrated to web based confluence)

Willingness to move forward but limited contributions.

Paperwork submission this week for 5G Super Blueprint and Paraglider (projects in the waiting room to join LF; https://paragliderproject.io).

Working calls on Mondays to focus on KPIs, tools related to quality.


@Muddasar Ahmed to follow with Jill.



@Muddasar Ahmed

TAC update: 2 issues: security, 5g super blueprint

  • for 5G super blueprint, special seat for AI work is suggested

New AI representative elected.





PostQuantum cryptography

Currently used keys and the impact of post-quantum cryptography; key management in the UPF as an example. NIST has already approved some algorithms (FIPS 203 ML-KEM, FIPS 204 ML-DSA and FIPS 205 SLH-DSA, August 2024); the asymmetric ones are a concern due to their overhead (larger keys, ciphertexts and signatures) and the additional resources they need.

We need to create a cryptography inventory for ONAP.

We need a tool that analyses the code and reports which types of cryptography are used. Pawel to open a ticket for that at LF IT.
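As an added illustration of both the per-project cryptography inventory mentioned under TAC/Software Quality and Security and the code-analysis tool discussed here, this Python example (not an ONAP or LF IT tool, and no substitute for a real scanner) greps source files for well-known crypto API calls and classifies each hit by its post-quantum concern. The sample Java, Go and Python snippets and their file paths are constructed; the RULES patterns are heuristics that a real code base would need to extend, and scan()/summarize()/classify() are illustrative helper names.

```python
"""Heuristic cryptography inventory (CBOM-style) over source files, as PQC planning input.

Added example, not an ONAP or LF IT tool. It matches Java (JCA), Go (stdlib) and Python
(hashlib / cryptography) call sites and tags each with its post-quantum concern: public-key
schemes built on factoring or discrete logs (RSA, DH, DSA, EC*, X25519, Ed25519) fall to
Shor's algorithm and need migration to the NIST PQC standards (FIPS 203 ML-KEM, FIPS 204
ML-DSA, FIPS 205 SLH-DSA); symmetric ciphers and hashes only lose margin to Grover, so key
and digest sizes are what to review there.
"""
import re
from collections import Counter

# Constructed source snippets standing in for real project files (not ONAP code).
SAMPLE_FILES = {
    "sdc/Crypto.java": '''
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        MessageDigest md = MessageDigest.getInstance("SHA-1");
    ''',
    "policy/opa-pdp/tls.go": '''
        key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
        block, _ := aes.NewCipher(k)
        h := sha256.New()
    ''',
    "oom/scripts/seal.py": '''
        from cryptography.hazmat.primitives.asymmetric import x25519
        priv = x25519.X25519PrivateKey.generate()
        digest = hashlib.md5(data).hexdigest()
    ''',
}

# (primitive, regex with an "alg" group). Extend per language/library as the inventory grows.
RULES = [
    ("public-key", r'KeyPairGenerator\.getInstance\("(?P<alg>RSA|EC|DH|DSA|XDH|EdDSA)"\)'),
    ("cipher",     r'Cipher\.getInstance\("(?P<alg>[A-Za-z0-9_-]+)(?:/[^"]*)?"\)'),
    ("hash",       r'MessageDigest\.getInstance\("(?P<alg>[A-Za-z0-9-]+)"\)'),
    ("public-key", r'\b(?P<alg>rsa|ecdsa|ed25519|ecdh)\.GenerateKey\('),
    ("cipher",     r'\b(?P<alg>aes|des|chacha20poly1305)\.New'),
    ("hash",       r'\b(?P<alg>md5|sha1|sha256|sha512|sha3)\.New\('),
    ("public-key", r'\b(?P<alg>rsa|ec|dh|dsa)\.generate_private_key\('),
    ("public-key", r'\b(?P<alg>x25519|x448|ed25519|ed448)\.\w+PrivateKey\.generate\('),
    ("hash",       r'hashlib\.(?P<alg>md5|sha1|sha256|sha512|sha3_256)\('),
]

WEAK_TODAY = {"MD5", "SHA-1", "SHA1", "DES", "DESEDE", "3DES", "RC4"}

STATUS_ADVICE = {
    "weak-today": "broken or deprecated now; replace regardless of PQC",
    "pq-migrate": "quantum-vulnerable public-key algorithm; plan ML-KEM/ML-DSA/SLH-DSA migration",
    "symmetric-review": "symmetric cipher; keep 256-bit keys (Grover halves effective strength)",
    "hash-adequate": "hash with >= 256-bit output; adequate, keep on the inventory",
}


def classify(primitive, algorithm):
    """Map one (primitive, algorithm) hit to a status key in STATUS_ADVICE."""
    alg = algorithm.upper()
    if alg in WEAK_TODAY:
        return "weak-today"
    if primitive == "public-key":
        return "pq-migrate"
    if primitive == "cipher":
        return "symmetric-review"
    return "hash-adequate"


def scan(files):
    """files: {path: source}. Returns one finding per matched call site."""
    compiled = [(prim, re.compile(rx)) for prim, rx in RULES]
    findings = []
    for path, source in files.items():
        for lineno, line in enumerate(source.splitlines(), start=1):
            for primitive, rx in compiled:
                for m in rx.finditer(line):
                    alg = m.group("alg")
                    findings.append({"file": path, "line": lineno, "primitive": primitive,
                                     "algorithm": alg, "status": classify(primitive, alg)})
    return findings


def summarize(findings):
    """Counts per status: the one-screen view to start the migration backlog from."""
    return dict(Counter(f["status"] for f in findings))


if __name__ == "__main__":
    found = scan(SAMPLE_FILES)
    for f in found:
        print(f"{f['file']}:{f['line']} {f['primitive']:<10} {f['algorithm']:<8} "
              f"{f['status']} - {STATUS_ADVICE[f['status']]}")
    print(summarize(found))
```

Regex matching finds call sites, not the key sizes, protocol versions or library defaults behind them (the 2048 in kpg.initialize is visible here only because it sits on its own line), so the output is a starting list for each project to confirm against its actual configuration, not the inventory itself.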







Upcoming security events: https://events.linuxfoundation.org/open-source-summit-europe/









