Hi Jason,

On 05.06.2020 16:27, Jason Hunt wrote:
>   Krzysztof,
> Great point.  There are two options to address it:
> 1. The TSC votes to amend the Technical Community Document to include 
> security in the criteria for the mature state
> 2.  We modify the template for the maturity reviews to allow for 
> security information to be included under the "mature artifacts" 
> criteria.  The TSC would then include that in its decision whether a 
> project has met the "mature artifacts" portion of the criteria.

I'll defer this to Pawel & Amy to decide which way to go.

> I would prefer the latter and am happy to make the update.  Please let 
> me know if there is suggested input you would like to see from projects 
> so that we can update the template accordingly.

I'd definitely like to make sure that before any project is called 
mature it:

1) Does not hardcode any credentials in the container & OOM helm charts
2) Its docker containers are free of any hardcoded certificates
3) It doesn't use static TLS certificates but obtains them at runtime
4) It has no open OJSI tickets
5) It has no known vulnerabilities in its direct dependencies
6) It uses a base image that is free of license violations and 
vulnerabilities (aka recommended by SECCOM)
7) Does not run as root
8) Does not access any DB as root from the application container (unless 
there is a valid reason for that which has been presented & approved by 
SECCOM)
9) Does not access any DB that is owned by another service
10) Uses only well-known, open source libraries for handling crypto
11) Does not contain its own user store
12) Can be accessed & used via an ingress controller
13) Has no runtime Internet dependencies
14) Uses secure communication to access anything that is outside of the 
kubernetes cluster
15) Has no unprotected APIs/UIs exposed
16) Has only a single process per container
17) Has properly configured liveness & readiness checks
18) Container rootfs is mounted read-only

@Pawel
@Amy
Do you have anything more to add?

> By the way, for the "core" state of projects (which comes after 
> "mature"), the criteria in the Technical Community Document include:
> "Stability, Security, Scalability and Performance levels have reached a 
> high bar."

Right. But it would be great to ensure some "basic" security from a 
project which is called mature, right?

> 
> Regards,
> Jason Hunt
> Distinguished Engineer, IBM
> 
> Phone: +1-314-749-7422
> Email: djh...@us.ibm.com
> Twitter: @DJHunt
> 
>     ----- Original message -----
>     From: "Krzysztof Opasiak via lists.onap.org"
>     <k.opasiak=samsung....@lists.onap.org>
>     Sent by: onap-tsc@lists.onap.org
>     To: onap-tsc@lists.onap.org, onap-rele...@lists.onap.org, Jason Hunt
>     <djh...@us.ibm.com>
>     Cc: "pawel.pawl...@orange.com" <pawel.pawl...@orange.com>, "ZWARICO,
>     AMY" <az9...@att.com>
>     Subject: [EXTERNAL] Re: [onap-tsc] ONAP Project Lifecycle:
>     recommended actions
>     Date: Fri, Jun 5, 2020 9:05 AM
>     Hi Jason,
> 
>     On 05.06.2020 00:13, Jason Hunt wrote:
>      > TSC and PTLs,
>      > Per the discussion in today's TSC meeting, we wanted to make everyone
>      > aware of the ONAP project lifecycle and encourage projects to
>     consider
>      > their status and any changes.
>      > The current lifecycle is depicted in this diagram:
>      >
>      > The suggestion is that we use this lifecycle to place the ONAP
>     project
>      > portfolio into three buckets:
>      >
>      > -*Mature projects:*for projects with active release participation &
>      > solid artifacts; they should submit for a "maturity review"
>      >
>      > - *Inactive (Archived) projects*: for projects where there is no
>     longer
>      > any contributions, they should follow the termination review
>      >
>      > -*Other (Incubation) projects*: for those projects that are still
>     active
>      > but not ready for move to "mature" phase
>      >
>      > For *mature projects*, the TSC encourages qualifying projects to
>     submit
>      > for a maturity review.  They do this by filling out the template
>     in the
>      > wiki
>     (https://wiki.onap.org/display/DW/Project+Maturity+Review+Template)
>      > and send an email to the TSC list.  In order to accelerate
>     reviews (and
>      > free up time on the TSC calls), we may want to form a working
>     group to
>      > do a preliminary maturity review for the projects.  The group
>      > would submit their recommendations to the TSC who would then vote
>      > +1/0/-1 for promotion to the mature phase.
> 
>     Shouldn't we have any security review before we move a project to the
>     mature state? There is not a single question regarding security in this
>     template...
> 
>      >
>      > For the*inactive projects*, there is no guidance on who should
>     initiate
>      > a termination review.  Because there may not be a PTL, perhaps
>     the TSC
>      > could initiate a termination review for a project.  Again, we may
>     want a
>      > working group to conduct the steps of the termination review.  This
>      > group should consist of people who are familiar with the project
>     or at
>      > least interface with/depend upon the project.  This working group
>     will
>      > need to walk through the steps of the termination review as outlined
>      > here: (scroll down)
>      >
>      >
>     https://wiki.onap.org/display/DW/ONAP+Project+and+Component+Lifecycle
>      >
>      > All other projects need no action.
>      >
>      > Background slide deck on project lifecycle reviews:
>      >
>     https://wiki.lfnetworking.org/pages/viewpage.action?pageId=25364127&preview=/25364127/28738708/ONAP%20Proj%20Lifecycle%20and%20Review%2015Jan2020%20v1.pdf
>      >
>      > Please reply with any questions on the process.
>      >
>      > Regards,
>      > Jason Hunt
>      > Distinguished Engineer, IBM
>      >
>      > Phone: +1-314-749-7422
>      > Email: djh...@us.ibm.com
>      > Twitter: @DJHunt
>      >
>      >
> 
>     --
>     Krzysztof Opasiak
>     Samsung R&D Institute Poland
>     Samsung Electronics
> 
> 
> 
> 

-- 
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
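
Several of the checklist items above (1: no hardcoded credentials, 7: not root, 17: liveness & readiness probes, 18: read-only rootfs) can be verified mechanically against what a chart renders to. The audit below is an example added to this thread; it is not code from the thread, from OOM or from any ONAP project. It takes each manifest as a Python dict (what `yaml.safe_load` returns for one document of `helm template` output), the two manifests embedded in it are constructed samples, and the credential-name regex is an assumption for the example, not a SECCOM rule.

```python
"""Audit a rendered Kubernetes workload against a few items of the
maturity checklist in the thread: 1 (no hardcoded credentials), 7 (not
root), 17 (liveness/readiness probes), 18 (read-only rootfs).

Example code added to this thread; it is not part of OOM or any ONAP
project.  Manifests are passed as dicts, i.e. what yaml.safe_load() gives
for one document of `helm template` output."""
from __future__ import annotations

import re
from typing import Any

# Env var names that usually carry a credential.  Assumption: a heuristic
# list for this example, not a SECCOM-defined rule.
_CREDENTIAL_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)


def pod_spec_of(manifest: dict[str, Any]) -> dict[str, Any]:
    """Return the PodSpec of a Pod, or of a templated workload (Deployment, StatefulSet, ...)."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def audit_workload(manifest: dict[str, Any]) -> list[str]:
    """Return one finding string per violated check; [] means every check passes."""
    findings: list[str] = []
    pod_spec = pod_spec_of(manifest)
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Item 1: a literal `value` on a credential-looking env var is a
        # hardcoded secret; `valueFrom.secretKeyRef` is the accepted form.
        for env in c.get("env", []):
            if "value" in env and _CREDENTIAL_NAME.search(env.get("name", "")):
                findings.append(f"{name}: env {env['name']} carries a literal credential")
        # Item 7: the container-level securityContext overrides the pod level.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True and uid in (None, 0):
            findings.append(f"{name}: may run as root")
        # Item 17: both probes must be configured.
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{name}: missing {probe}")
        # Item 18: rootfs must be mounted read-only.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
    return findings


# Constructed sample: the shape a chart often renders to before review.
WEAK = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "example-weak"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "app", "image": "example/app:1.0",
        "env": [{"name": "DB_PASSWORD", "value": "changeme"}],
    }]}}},
}

# Constructed sample: the same workload with the checklist items applied.
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "example-hardened"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "env": [{"name": "DB_PASSWORD", "valueFrom": {
                "secretKeyRef": {"name": "app-db", "key": "password"}}}],
            "securityContext": {"readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False},
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
        }],
    }}},
}

if __name__ == "__main__":
    for m in (WEAK, HARDENED):
        print(m["metadata"]["name"], audit_workload(m) or "OK")
```

To run it over a real chart, pipe `helm template` output through `yaml.safe_load_all` and call `audit_workload` on each document whose kind carries a PodSpec. The remaining items (open OJSI tickets, dependency vulnerabilities, the approved base image, DB ownership) need tracker and scanner data rather than the manifest, so they stay a human part of the review.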

View/Reply Online (#6488): https://lists.onap.org/g/onap-tsc/message/6488