2020-07-07 Security Subcommittee Meeting Notes
Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 7th of July 2020.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | Service Mesh PoC status update | Work is now on migrating the yaml files to proper Helm templates (Helm 2.0 is supported by ONAP; no resources so far for 3.0, whose evident benefit is no limit on chart size). The infra part is to be added to the OOM scripts, and then the first ONAP component is to be migrated to the service mesh. | ongoing | |
| | Support for projects with Python upgrades - Michal | Michal is supporting the SDC and DCAE projects. For DCAE the support is tracked under DCAEGEN2-2292: REQ-373 ONAP must complete update of the Python language (from 2.7 -> 3.8) (Closed). Use of an unofficial library is not a preferred solution, as it later requires maintenance. We recommend waiting until July, when the open source Cloudify version is available, if only there would be enough time to perform all required activities within the August time frame (to be confirmed with Michal). For the PyPy Python interpreter in 3.6, SECCOM is fine with that in the Guilin release; in the H release an upgrade to version 3.8 could be planned (we don't expect significant effort with that; to be confirmed with Michal). | ongoing | To provide SECCOM feedback under the Jira item - done. |
| | DCAE components upgrade | DCAE uses the 1.3 branch of Dropwizard. The Maven recommendation of the latest version is 2.0.11. This influences the Jetty upgrade. SECCOM recommendation: as the Jetty vulnerability is priority 2 for SECCOM, it is acceptable that they cannot do the upgrade. Our preference is to upgrade Dropwizard to the 2.0 version train. For the Honolulu release DCAE must upgrade Jetty. | | |
| | ONAP Images | Krzysztof has sent an e-mail to the ONAP TSC and the ONAP distribution list to ask the TSC to vote on a list of approved licenses for our docker images. GPLv3 = in the context of redistribution of modifications: apart from providing the source code, a mechanism and instructions on how to replace the package with a version modified by the end user must be provided. In general companies are not very happy to provide such instructions. Making available = redistributing. | waiting for feedback | Problem stated clearly enough. |
| | Base image | Questions keep coming to SECCOM, but we can recommend versions, not base images. Ownership of base images is more on the Integration side. | ongoing | Morgan to be contacted to confirm his ownership of maintaining base images. |
| | Flow matrix | Catherine asked to close REQ-376 - a Wiki page was created to collect data from PTLs. Catherine to be contacted and the topic to be proposed at the next PTLs meeting. | ongoing | E-mail to be sent to Catherine to explain that this requirement does not put any additional effort on PTLs - they just provide information. |
| | Harbor follow-up | No slot reserved so far for the TSC meeting to present. | pending | To consult Eric. |
| | OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 11th OF JULY'20. | Topics proposed: | | |