Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 12th of December 2023.

Jira No
SummaryDescriptionStatusSolution

 Latest news from LFN

Unfortunately we were informed about releasing David and Pano ;-(.




DT&F

Feedback:

Andreas and Byung presented roadmap and streamlining aspects as well as Ingress communication + SBOM.

ChinaMobile and their AI usage for autonomous network with IBN.




LFN AI/ML use cases

Muddasar Ahmed presented the draft deck about LFN AI/ML use cases.

Maggie shared link:

https://www.nist.gov/itl/ai-risk-management-framework 

We need to have Ops feedback (NOC manager) on AI, what pain point could  be solved by AI.

Deck shared with Marian from Orange, feedback expected in first week of December. Under WG 11 in ORAN Alliance (doing standards for ORAN) - threat analysis will be done in the domain of AI security - OWASP TOP 10 - planned by March'24.

Runtime influence under interest.

Maggie shared the link: https://www.cisa.gov/news-events/alerts/2023/11/26/cisa-and-uk-ncsc-unveil-joint-guidelines-secure-ai-system-development 

Feedback from Marian received to be discussed at the next SECCOM.



Nephio security working group

Byung-Woo Jun informed SECCOM that the Nephio security WG is holding a joint meeting with the LF security SIG today at 11AM ET. Nephio plans to adopt 80% of OSSF passing badge.

Topic further discussed:

It was noted that the passing badge should be straight-forward to achieve.

The web page tlhansen.us/badging was discussed. Click on “Single Project…” then fill in a search string or badging ID (e.g. "nephio" or "7665").

For Nephio, Tony recommends to sort by “Type+Section”

Nephio SIG Security meeting:

By: Lucy Hyde When: Tuesday, October 31st, 2023 8:00am to 9:00am (UTC-07:00) Pacific Time - Los Angeles Repeats: Weekly on Tuesday Location: https://zoom.us/j/96025994457

We could support Nephio by sharing our best practices and processes in place. Lucy OOO for the next few weeks?

Byung introduced Tony's tool and was positively perceived by Nephio team. Nephio has GUI and talked about UI: AuthN and AuthZ to be shared by Byung.

Nephio Sig meeting last week: https://nephio.slack.com/files/U0503L9UA8N/F065V0AAZRQ/sig-security_action_items.pdf?origin_team=T03LMAUL4HH&origin_channel=D065DKWJJ9X 

No update - info collection ongoing.




Support for CPS to get gold badge

OJSI distribution list participants were updated with Amy's and Jess's support.

2FA ongoing by Jess and Eric for CPS and OJSI distribution list. 

Issue claimed to be finally solved. Amy and Pawel confirmed second authentication with QR code scaning for jira.

Great Success for ONAP and CPS. Thank you Tony for your support and guidance!!! 

Per Jessica Wagantall:

LFIT will bring the request for 2FA for all users across all ONAP Jiras to the TSC (26th Oct) for approval. 

LFIT will implement 2FA for users across all ONAP Jiras.


AAF Certificate Expiration

AAF-1217 - Getting issue details... STATUS

Review work around proposed by Andreas Geißler - deferred until Andreas Geißler returns from holiday

Workaround

Some project containers still experiencing problems: clients using the cert-initializer (e.g. SO, SDC, CDS) still fail.

Need to document certificate management in user docs.

Louis Gamers' AAF cert wiki page: (1) Create AAF CA certificates - Developer Wiki - Confluence (onap.org)

  • Components such as dcaegen2 have their own cert init container with the aaf certificate embedded in the container image. This might be the reason why SO, SDC, and CDS broke if they have their own cert init containers.
  • Unclear why onap-aaf-sms-preload and onap-dmaap-bc-dmaap-provisioning jobs broke in Louis's environment.

Discussion with China Telecom done - they could check potentially next week and they worked independently on this issue, Aaarna Networks commited to check Andreas's patch.

Waiting for an update from Andreas. No progress.


Paweł Pawlak to send an e-mail notification to China Telecom about the script prepared by Andreas and associated Wiki documenting it.


Container Signing

Review next steps:

-select signing software (SECCOM + LFIT)

-perform POC with friendly projects (ONAP)

-integrate into build process (LFIT)

Looking for a volunteering project to work with us. raised at the 18th September PTL's call but no volunteer so far.

LF IT would have to prioritized topic. Prioritization is possible with LFN, Muddasar to update ticket. Item discussed with Matt at the lasy PTLs call. Still in evaluation stage, Sigstore under evaluation.

Last PTL's meeting LF IT is going to switch from Sig-Util to Sigstore. Timeline not clear - for image/container signing should be relatively fast. For code signing to be elaborated. 

We would like to have activities around manual signing. We want Sigstore implementation ready to go.


Muddasar Ahmed to analyze which ONAP project has the most frequent changes in its containers.

Muddasar reached out to LF-IT, Jess and her team are analyzing what enhancement has to be made with CI jobs to allow for Container signing.  Further updates will be provided when scope and efforts have been assessed.

https://jira.linuxfoundation.org/plugins/servlet/desk/portal/2/IT-26130



Topic to be proposed by Pawel to elaborated at the upcoming TSC meeting.


No PTL for AAI, DCAE, OOF

-Andreas Geissler and Thomas Kulik made committers

-They will do the work necessary for the projects to participate in the release

-TSC approved streamlining process (7 September)

-SECCOM will create package upgrade recommendations

-TSC will recruit resources to perform upgrades for AAI, DCAE, OOF

  • need options to move forward

Kenny's reply is that we could benefit from Mentorship program. We have to define job description and skills needed.

No update


-Byung will discuss with Andreas and Thomas to coordinate release tasks such as backlog prioritization

-Muddasar: someone needs to take backlog management role

-Muddasar: no mandated best practice to manage technical debt; call for a statement about code quality – all code will be secure

-Muddasar & Amy: bring mandate for code quality to LFN TAC 2023/8/16

  • Pawel to raise a request to TSC with getting resources for upgrades for AAI, DCAE, OOF - done.

SSO use case

Topic related to CI/CD, do we have 2FA for code submitter and committer.

done

TSC meeting (November 30th)





PTL meeting (December  4th)

Unmaintained procedure was reviewed for CPS Temporal.




LFN-TAC (DTF F2F)

FY24 priority, security was covered - consensus on ONAP best practices.

http://tlhansen.us/badging

Platform Maturity Requirements (aka Carrier Grade)

New project induction and project graduation criteria documentation accepted. Security - discussion should be a separate WG meeting - security scrum of scrums. LFN Security Forum.

Updated meeting agenda for tomorrow's TAC meeting (https://wiki.lfnetworking.org/display/LN/2023-12-06+TAC+Minutes) and presentation planned by Amy and Muddasar:

  • security scrum of scrums proposal
  • Tony's dashboard for all LFN projects
  • SAST and SCA tools and onboarding provided by LFN
  • LFN having responsibility in releasing certifications (incubation, mature etc.)




Technical debt budgeting discussion needed with TSC/TAC - 10% of efforts for app security could be invested. 

What are best practices to transfer project to Archive or Unmaintained state.




NEXT SECCOM MEETING CALL WILL BE HELD ON  January 9th 2024.






Recordings: 








  • No labels