For some reason, OpenDaylight TSC got dropped off this thread - added it back. Looking forward to talking with you guys Alexis and folks.
On Fri, Feb 8, 2019 at 11:38 AM TIMONEY, DAN <dt5...@att.com> wrote:

> All,
>
> One clarification I wanted to make, re: Robert’s question about the list we’d provided.
>
> The Nexus IQ server also reports on third party libraries that are embedded within other jars. For example, ODL Oxygen doesn’t ship netty 4.0.30, but the jar for narayana-osgi-jta contains that version of netty. I can tell that because when I look at “Occurrences” of that library in the Nexus IQ Server report, I see this:
>
> *netty-all-4.0.30.Final.jar* *located at*
>
> opendaylight/oxygen/target/docker-stage/karaf-0.8.3.tar.gz/karaf-0.8.3/system/org/jboss/narayana/osgi/narayana-osgi-jta/5.5.2.Final/narayana-osgi-jta-5.5.2.Final.jar
>
> I really wish we could just share the report, but unfortunately Sonatype told us in no uncertain terms that sort of thing is a violation of their software license terms.
>
> I just wanted to reassure you all that I really did do my best to be careful about separating out the vulnerabilities we’re inheriting from ODL from any that we’re introducing ourselves.
>
> Dan
>
> --
> Dan Timoney
> SDN-CP Development
> ONAP Project Technical Lead : CCSDK and SDNC
>
> *Please go to *D2 ECOMP Release Planning Wiki <https://wiki.web.att.com/display/DERP/D2+ECOMP+Release+Planning+Home> for D2 ECOMP Project In-take, 2016 Release Planning, Change Management, and find key Release Planning Contact Information.
>
> *From: *Abhijit Kumbhare <abhijitk...@gmail.com>
> *Date: *Friday, February 8, 2019 at 11:06 AM
> *To: *"onap-tsc@lists.onap.org" <onap-tsc@lists.onap.org>
> *Cc: *Robert Varga <n...@hq.sk>, "TIMONEY, DAN" <dt5...@att.com>
> *Subject: *Re: [OpenDaylight TSC] [onap-tsc] CII Badging - Vulnerabilities
>
> Sure Alexis - I will add this to the agenda next week. Earlier this week Anil Belur was asking for the same to be on the agenda - but there was no time this week to have this.
>
> On Fri, Feb 8, 2019 at 7:06 AM Alexis de Talhouet <adetalhoue...@gmail.com> wrote:
>
> On Feb 8, 2019, at 10:00 AM, Brian <bf1...@att.com> wrote:
>
> Since ONAP is Apache 2.0 and ODL is EPL we don't think we can build a distribution on the ONAP side that removes “ODL projects like TSDR, SXP and similar”. It would be awesome if ONAP could build its own distro but I don't think we know how to do that without tainting.
>
> I tend to think we can. This is one of the things I want to discuss during ODL TSC when it is the good time.

View/Reply Online (#4610): https://lists.onap.org/g/onap-tsc/message/4610
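
Added example, not part of the thread and not Nexus IQ's method: a sketch of how a library embedded inside another jar, as in the netty occurrence quoted above, can be located by walking a distribution tarball and reading each jar's `META-INF/maven/.../pom.properties`. It assumes the embedded library kept its Maven metadata; the sample archive is constructed in memory and only its file names follow the e-mail.

```python
import io, tarfile, zipfile

ARCHIVES = (".jar", ".war", ".zip")
PROPS = "groupId={}\nartifactId={}\nversion={}\n"

def maven_coords(raw):
    """Parse (groupId, artifactId, version) from pom.properties bytes."""
    kv = dict(l.split("=", 1) for l in raw.decode().splitlines()
              if "=" in l and not l.startswith("#"))
    return kv.get("groupId"), kv.get("artifactId"), kv.get("version")

def scan_zip(data, path, findings):
    """Record Maven metadata found in one jar, recursing into nested jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                findings.append((path, maven_coords(zf.read(name))))
            elif name.lower().endswith(ARCHIVES):
                scan_zip(zf.read(name), f"{path}/{name}", findings)

def scan_tarball(data, label):
    """Scan every jar inside a .tar.gz distribution; returns (path, coords) pairs."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf:
            if m.isfile() and m.name.lower().endswith(ARCHIVES):
                scan_zip(tf.extractfile(m).read(), f"{label}/{m.name}", findings)
    return findings

def embedded_only(findings):
    """Keep artifacts whose artifactId does not match the jar file carrying them."""
    return [(p, c) for p, c in findings
            if not p.rsplit("/", 1)[-1].startswith(f"{c[1]}-")]

def build_sample():
    """Constructed sample: contents are made up, only the names follow the e-mail."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/maven/org.jboss.narayana.osgi/narayana-osgi-jta/pom.properties",
                    PROPS.format("org.jboss.narayana.osgi", "narayana-osgi-jta", "5.5.2.Final"))
        zf.writestr("META-INF/maven/io.netty/netty-all/pom.properties",
                    PROPS.format("io.netty", "netty-all", "4.0.30.Final"))
    tgz = io.BytesIO()
    with tarfile.open(fileobj=tgz, mode="w:gz") as tf:
        info = tarfile.TarInfo("karaf-0.8.3/system/org/jboss/narayana/osgi/"
                               "narayana-osgi-jta/5.5.2.Final/narayana-osgi-jta-5.5.2.Final.jar")
        info.size = len(jar.getvalue())
        tf.addfile(info, io.BytesIO(jar.getvalue()))
    return tgz.getvalue()

if __name__ == "__main__":
    for path, coords in embedded_only(scan_tarball(build_sample(), "karaf-0.8.3.tar.gz")):
        print(":".join(coords), "embedded in", path)
```

Libraries that were repackaged without their Maven metadata will not show up this way; finding those requires comparing class files against known artifacts.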