2023-09-19 Security Subcommittee Meeting Notes (MEETING CANCELED)

Please find below the minutes and recording for the SECCOM meeting that was held on the 19th of September 2023.

Jira No | Summary | Description | Status | Solution

 

Oparent

Update from 2023-08-21 PTL meeting

-CPS (@Toine Siebelink): will test building CPS without oparent/pom.xml (results 2023-10-01)

-Integration (@Marek Szwałkiewicz): will perform a test build with the profiles commented out

2023-08-15 SECCOM notes

-Only 2 PTLs responded to Amy’s e-mail

-No objections to Oparent retirement; we have no volunteer to keep it up to date

-pom.xml contains more than cross-project common package dependencies

2023-09-05 SECCOM notes

-Pawel to contact @Marek Szwałkiewicz 

-@Toine Siebelink will provide feedback in early October

-decision on path forward - potentially remove package info - deferred to October

 

Recommendation:

-retain oparent/pom.xml

-Make Andreas Geissler a committer and ask the integration or OOM team to update the file per release

-Proposal:

  • Option 1 (short term): ask the integration or OOM team to update the file per release

  • Option 2 (long term): split into multiple pieces that could be independently maintained: dependencies, build directives, profiles

-Byung will discuss with Andreas and OOM team and report at 8/22 SECCOM (pushed to 8/29 SECCOM meeting)

-Amy will contact @Liam Fallon and Pam for history

 

AAF Certificate Expiration

AAF-1217: AAF cert service failed to start (expired certificate) - In Progress

Review workaround proposed by @Andreas Geißler - deferred until @Andreas Geißler returns from holiday

Container Signing

Review next steps:

-select signing software (SECCOM + LFIT)

-perform POC with friendly projects (ONAP)

-integrate into build process (LFIT)

 

 

 

No PTL for AAI, DCAE, OOF

-Andreas Geissler and Thomas Kulik made committers

-They will do the work necessary for the projects to participate in the release

-TSC approved streamlining process (7 September)

-SECCOM will create package upgrade recommendations

-TSC will recruit resources to perform upgrades for AAI, DCAE, OOF

 

-Byung will discuss with Andreas and Thomas to coordinate release tasks such as backlog prioritization

-Muddasar: someone needs to take backlog management role

-Muddasar: no mandated best practice to manage technical debt; call for a statement about code quality – all code will be secure

-Muddasar & Amy: bring mandate for code quality to LFN TAC 2023/8/16

 

ONAP Streamlining

-TSC approved streamlining (7 September)

-Prioritization of vulnerability fixes (see above)

-Prioritization of security enhancements

-Proposal: ONAP projects work with latest version of common components such as Istio, KeyCloak, Kafka

ONAP Streamlining - The Process (Link)

Deck shared with TSC: ONAP - Streamlining the process Report-2023-8-3-v2.pptx (live.com)

 

 

 

TSC meeting (September 7th)

 

 

 

 

LFN-TAC (September 13th)

Any SECCOM recommendations for the TAC

 

 

 

NEXT SECCOM MEETING CALL WILL BE HELD ON ? of September 2023. 

 

 

 

 

 

 

Recordings: 

 

 

 

SECCOM presentation: