... and correct Pawel Pawlak's email ;)

On 05.06.2020 16:53, Krzysztof Opasiak wrote:
> Hi Jason,
> 
> On 05.06.2020 16:27, Jason Hunt wrote:
>>    Krzysztof,
>> Great point.  There are two options to address it:
>> 1. The TSC votes to amend the Technical Community Document to include
>> security in the criteria for the mature state
>> 2.  We modify the template for the maturity reviews to allow for
>> security information to be included under the "mature artifacts"
>> criteria.  The TSC would then include that in its decision whether a
>> project has met the "mature artifacts" portion of the criteria.
> 
> I'll defer this to Pawel & Amy to decide which way to go.
> 
>> I would prefer the latter and am happy to make the update.  Please let
>> me know if there is suggested input you would like to see from projects
>> so that we can update the template accordingly.
> 
> I'd definitely like to make sure that before any project is called
> mature it:
> 
> 1) Does not hardcode any credentials in the container & OOM helm charts
> 2) Its docker containers are free of any hardcoded certificates
> 3) Doesn't use static TLS certificates but obtains them at runtime
> 4) Has no open OJSI tickets
> 5) Has no known vulnerabilities in its direct dependencies
> 6) Uses a base image that is free of license violations and
> vulnerabilities (aka recommended by SECCOM)
> 7) Does not run as root
> 8) Does not access any DB as root from the application container (unless
> there is a valid reason for that which has been presented & approved by
> SECCOM)
> 9) Does not access any DB that is owned by another service
> 10) Uses only well-known, open source libraries for handling crypto
> 11) Does not contain its own user store
> 12) Can be accessed & used via ingress controller
> 13) Has no runtime Internet dependencies
> 14) Uses secure communication to access anything that is outside of the
> kubernetes cluster
> 15) Has no unprotected APIs/UIs exposed
> 16) Has only a single process per container
> 17) Has properly configured liveness & readiness checks
> 18) Container rootfs is mounted read-only
> 
> @Pawel
> @Amy
> Do you have anything more to add?
> 
>> By the way, for the "core" state of projects (which comes after
>> "mature"), the criteria in the Technical Community Document include:
>> "Stability, Security, Scalability and Performance levels have reached a
>> high bar."
> 
> Right. But it would be great to ensure some "basic" security from a
> project which is called mature, right?
> 
>>
>> Regards,
>> Jason Hunt
>> Distinguished Engineer, IBM
>>
>> Phone: +1-314-749-7422
>> Email: djh...@us.ibm.com
>> Twitter: @DJHunt
>>
>>      ----- Original message -----
>>      From: "Krzysztof Opasiak via lists.onap.org"
>>      <k.opasiak=samsung....@lists.onap.org>
>>      Sent by: onap-tsc@lists.onap.org
>>      To: onap-tsc@lists.onap.org, onap-rele...@lists.onap.org, Jason Hunt
>>      <djh...@us.ibm.com>
>>      Cc: "pawel.pawl...@orange.com" <pawel.pawl...@orange.com>, "ZWARICO,
>>      AMY" <az9...@att.com>
>>      Subject: [EXTERNAL] Re: [onap-tsc] ONAP Project Lifecycle:
>>      recommended actions
>>      Date: Fri, Jun 5, 2020 9:05 AM
>>      Hi Jason,
>>
>>      On 05.06.2020 00:13, Jason Hunt wrote:
>>       > TSC and PTLs,
>>       > Per the discussion in today's TSC meeting, we wanted to make everyone
>>       > aware of the ONAP project lifecycle and encourage projects to
>>      consider
>>       > their status and any changes.
>>       > The current lifecycle is depicted in this diagram:
>>       >
>>       > The suggestion is that we use this lifecycle to place the ONAP
>>      project
>>       > portfolio into three buckets:
>>       >
>>       > - *Mature projects:* for projects with active release participation &
>>       > solid artifacts; they should submit for a "maturity review"
>>       >
>>       > - *Inactive (Archived) projects*: for projects where there is no
>>      longer
>>       > any contributions, they should follow the termination review
>>       >
>>       > - *Other (Incubation) projects*: for those projects that are still
>>      active
>>       > but not ready for move to "mature" phase
>>       >
>>       > For *mature projects*, the TSC encourages qualifying projects to
>>      submit
>>       > for a maturity review.  They do this by filling out the template
>>      in the
>>       > wiki
>>      (https://wiki.onap.org/display/DW/Project+Maturity+Review+Template)
>>       > and send an email to the TSC list.  In order to accelerate
>>      reviews (and
>>       > free up time on the TSC calls), we may want to form a working
>>      group to
>>       > do a preliminary maturity review for the projects.  The group
>>       > would submit their recommendations to the TSC who would then vote
>>       > +1/0/-1 for promotion to the mature phase.
>>
>>      Shouldn't we have any security review before we move project to the
>>      mature state? There is no single question regarding security in this
>>      template...
>>
>>       >
>>       > For the*inactive projects*, there is no guidance on who should
>>      initiate
>>       > a termination review.  Because there may not be a PTL, perhaps
>>      the TSC
>>       > could initiate a termination review for a project.  Again, we may
>>      want a
>>       > working group to conduct the steps of the termination review.  This
>>       > group should consist of people who are familiar with the project
>>      or at
>>       > least interface with/depend upon the project.  This working group
>>      will
>>       > need to walk through the steps of the termination review as outlined
>>       > here: (scroll down)
>>       >
>>       >
>>      https://wiki.onap.org/display/DW/ONAP+Project+and+Component+Lifecycle
>>       >
>>       >
>>       > All other projects need no action.
>>       >
>>       > Background slide deck on project lifecycle reviews:
>>       >
>>      https://wiki.lfnetworking.org/pages/viewpage.action?pageId=25364127&preview=/25364127/28738708/ONAP%20Proj%20Lifecycle%20and%20Review%2015Jan2020%20v1.pdf
>>       >
>>       >
>>       > Please reply with any questions on the process.
>>       >
>>       > Regards,
>>       > Jason Hunt
>>       > Distinguished Engineer, IBM
>>       >
>>       > Phone: +1-314-749-7422
>>       > Email: djh...@us.ibm.com
>>       > Twitter: @DJHunt
>>       >
>>       >
>>
>>      --
>>      Krzysztof Opasiak
>>      Samsung R&D Institute Poland
>>      Samsung Electronics
>>
>>
>>
>> 
> 

-- 
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
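Several of the items in the list above (1: no hardcoded credentials, 7: not running as root, 17: liveness & readiness probes, 18: read-only rootfs) can be checked mechanically against the rendered Kubernetes manifests before a maturity review. The script below is an added example for this archive, not ONAP/OOM code and not something proposed by anyone in the thread. It embeds the manifests as JSON (which the Kubernetes API accepts interchangeably with YAML) so it runs with only the Python standard library; the deployment names, image, env var and Secret references in it are constructed for illustration, and the credential-name heuristic is an assumption of the example.

```python
"""Static pre-review check of a Kubernetes workload manifest against items 1, 7,
17 and 18 of the list above (no hardcoded credentials, not running as root,
liveness/readiness probes, read-only rootfs).

Added example, not ONAP or OOM code. Manifests are embedded as JSON, which the
Kubernetes API accepts interchangeably with YAML, so only the standard library
is needed. Both sample manifests below are constructed.
"""
import json
import re

# Assumption: an env var whose *name* looks like a credential is treated as one;
# the check does not try to classify values.
CREDENTIAL_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)


def pod_spec(manifest):
    """Return the PodSpec of a bare Pod or of a Deployment/StatefulSet/DaemonSet."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def check_manifest(manifest):
    """Return (item, container, message) findings; an empty list means it passes."""
    spec = pod_spec(manifest)
    pod_ctx = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []):
        name = c["name"]
        # Container-level securityContext overrides pod-level fields of the same name.
        ctx = {**pod_ctx, **c.get("securityContext", {})}

        # Item 1: credential-looking env vars must come from a Secret
        # (valueFrom.secretKeyRef), never as a literal "value" in the chart.
        for env in c.get("env", []):
            if CREDENTIAL_NAME.search(env.get("name", "")) and "value" in env:
                findings.append((1, name, f"env {env['name']} is a literal value"))

        # Item 7: runAsNonRoot=true or an explicit non-zero runAsUser.
        if not (ctx.get("runAsNonRoot") is True or ctx.get("runAsUser", 0) != 0):
            findings.append((7, name, "may run as root (no runAsNonRoot/runAsUser)"))

        # Item 17: both probes configured.
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append((17, name, f"missing {probe}"))

        # Item 18: container root filesystem mounted read-only.
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append((18, name, "rootfs is writable"))
    return findings


def findings_for(manifest_json):
    """Parse a JSON manifest and check it."""
    return check_manifest(json.loads(manifest_json))


# Constructed: the shape of a chart that fails the review.
WEAK_MANIFEST = """{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "demo-weak"},
  "spec": {"template": {"spec": {"containers": [{
    "name": "app", "image": "example/app:1.0",
    "env": [{"name": "DB_PASSWORD", "value": "changeme"}]
  }]}}}
}"""

# Constructed: the same workload with the findings addressed. Paths the process
# must write (e.g. /tmp) would be mounted as an emptyDir volume instead of
# giving up the read-only rootfs.
HARDENED_MANIFEST = """{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "demo-hardened"},
  "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
    "containers": [{
      "name": "app", "image": "example/app:1.0",
      "securityContext": {"readOnlyRootFilesystem": true},
      "env": [{"name": "DB_PASSWORD",
               "valueFrom": {"secretKeyRef": {"name": "app-db", "key": "password"}}}],
      "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
      "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}
    }]
  }}}
}"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        for item, container, msg in findings_for(text):
            print(f"{label}: item {item}, container {container}: {msg}")
```

On the weak manifest the script reports five findings (items 1, 7, 17 twice, 18); the hardened one passes cleanly. In practice it would be fed the output of `helm template` converted to JSON per document, and a non-empty result would block the "mature artifacts" sign-off until the chart is fixed. Items such as 16 (single process per container) and 3 (runtime certificate issuance) are not visible in the manifest and still need a runtime or code review.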

View/Reply Online (#6489): https://lists.onap.org/g/onap-tsc/message/6489