Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 6th of August 2024.
Jira No | Summary | Description | Status | Solution |
---|---|---|---|---|
ONAP license scanning by Jeff Shapiro | NOTE: No high priority findings this scan, everything looks good from a license perspective. ONAP Project Scan and Findings - June 2024: https://lfscanning.org/reports/onap/onap-2024-06-0592bdfc-78a5-4fa8-a9fd-a7de581457ec.html | |||
Security Event | Secure Open Source Software (SOSS) Fusion Conference 2024 Atlanta, Georgia from October 22-23 Registration: | |||
Policy road to gold badge | Support for Ramesh and Policy team to get gold badge. List of people to be Policy page editors in the badging - done | started | ||
Issue with merging gerrit code | Ticket opened by Tony: IT-26848 - Tony is checking on it, still has issues? | |||
Vulnerability reports for Oslo release | Are already available.
| done done ongoing | ||
CISA: Most critical open source projects not using memory safe code |
| 2 actions:
| ||
SBOM-a-rama registration |
| |||
Packages upgrades for a New Delhi |
| fixed | ||
Logging modifications proposal | Mateusz Pilat from Tata presented changes in log format for its unification. Change Request will be prepared by Mateusz. Discussion will be followed at the OOM meeting on Wednesday. RBAC changes could be provided: Improvement for NewDelhi Release Root access for container need was explained.
Further update will be discussed during Oslo. Tata Communications still plans to do some improvement for Oslo, but no detailed plan yet. | |||
GitHub Actions integration pipeline | LF IT migrating CI pipeline to GitHub actions - may take to the end of fall or later, once ONAP is completed for GitHub Actions , we will do security review. Last update from Matt is that LF IT is continuously shipping one project at a time. 4/2: in progress At the TSC Jess mentioned Q4'24? or rather beginning of 2025. | open - WIP | ||
LFN AI/ML use cases |
Need to write LF informative position white paper for AI/ML - team to write constituted. Meeting is planned with convenient time for all contributors. Goal is to produce it by DTF. Structure bulleted paper available on Confluence - https://wiki.lfnetworking.org/pages/viewpage.action?pageId=120652848 China Mobile focus: generative AI. (New Delhi UUI) China Telecom focus: intent transformation & LLM tuning parameters to create domain specific solutions. (New Delhi UUI) Both projects are in progress. Oslo lightweight model China Telecom and China Mobile presented at the last TSC their plans for AI/ML use cases with ONAP.
By beginning of August both companies plan to present their plans for Oslo in this domain. | open - sceleton structure of the document | ||
Nephio security working group |
Workload identity and access management in progress. Internal discussions in E/// for next steps for user identity and access management.
Nephio R3, there is an action point, secret management, "sharing secrets across clusters as Skupper generates a secret in one cluster/namespace and that secret has to be shared with another cluster/namespace. To create the tunnel for communication. Now the question is how to share the secrets" It is a narrowed scope of sharing secretes between particular services, which is different from what Nephio SIG Security proposed. Byung-Woo Jun , The Nephio SIG Security team (Shiv from Accuknox) plans to provide a demo of workload identity with SPIFFE this or next week. I will share the detail after their demo. LF IT support is needed for SBOM SPDX format generation. Jess has experience with java based projects, and Nephio is Go based. Byung-Woo Jun , Nephio O-RAN Workload Identity proposal by Nephio SIG Security will be presented to Nephio WG 2 ORAN on May 29th (postponed to June 5the), https://docs.google.com/presentation/d/1kofOHWswM2_OJPfefTcSzVvsBAg0QE3Z7GQITlaPO2w/edit#slide=id.p Nephio Workload Identity execution plan:
Nephio update 2024-5-28:
Update xpected on 18th of June - Nephio signed image is a work in progress Branch selected for Workload Identity - WIP.
Links shared by Muddasar: https://datatracker.ietf.org/doc/bofreq-richer-wimse/ https://www.ietf.org/archive/id/draft-gilman-wimse-use-cases-00.html Small demo presented with Vault used for secrets. https://istio.io/latest/docs/ops/integrations/spire/ The second demo topic on July 23rd, 2024:
Another demo on July 30th, 2024:
| ongoing | ||
ONAP Security Implementation Status | Byung-Woo Jun TATA Communications supports RBAC, observability, logging, backup, etc. by leveraging the ONAP currently security mechanism (Ingress, Service Mesh) for their own platform. It is possible they contribute the enhancements they made to the ONAP New Delhi release (TBD). Share of code most probably in Oslo release. Andreas is working on enhancements for OOM Team. Tata communication shared which components in Montreal use STDOUT or not, ONAP Logging alignment for Montreal release.xlsx Postponed to Oslo. | |||
New ISTIO 1.22 | Ambient mesh under consideration if stable and memory safe. | |||
TSC meeting (August 1st) | Project Status in Oslo Release Multicloud is currently not active, no PTL, no resources. Discussion with Andreas planned. | |||
PTL meeting (August 5th) | Discussion with Dan (ODL Calcium version under consideration) - action on his side to answer Andreas' e-mail. Feedback from Marek, pending info from Andreas, Argo CD as option for ONAP deployment - within Oslo time frame. | |||
LFN-TAC (DTF F2F) |
CNTI approved as project. Paraglide might prepare presentation. - Next meeting on July 10th. KPIs in project promotion and with health check discussion with every project. Chair and vice Chair election. Security seat and Superblueprint seat. Proposal: use Tony's 5 year assessment as a baseline. Planning meeting done last week. | Muddasar Ahmed to check for document availability on software quality goals. | ||
Quality goals and security goals - no actions taken, so putted back into agenda for this week. Criteria for project incubation and graduation to be worked on. No quorum at the last meeting - planning for the next meeting. | Muddasar Ahmed to follow with Jill. | |||
Lack of CLM scans for NG Portal | Andreas was informed about lack of Jenkins jobs for Nexus-IQ scans. Fiete will work on this as project PTL. Update from Fiete Ostkamp :
Jira opened by Fiete, ongoing support by LF-IT. Fiete is back from holidays. Update from Fiete: onap-portal-ng-preferences: onap-portal-ng-history: onap-portal-ng-bff: | |||
NEXT SECCOM MEETING CALL WILL BE HELD ON AUGUST 20th 2024 | Upcoming security events: https://events.linuxfoundation.org/open-source-summit-europe/ |
Recordings:
GMT20240806-120005_Recording_1904x1132.mp4