>From my POV, setting it as a TSC policy is the simplest approach. Order of operations for this stuff is:
* LFN Charter <- Legal document over LFN * ONAP Charter -< Legal document over ONAP * ONAP Community Document <- Rules for community management * TSC Policies <- Operational best practices to be followed The first 3 all require legal review. -kenny From: onap-tsc@lists.onap.org <onap-tsc@lists.onap.org> On Behalf Of Jason Hunt Sent: Friday, June 5, 2020 12:46 PM To: onap-tsc@lists.onap.org Cc: az9...@att.com; k.opas...@samsung.com; onap-rele...@lists.onap.org; onap-tsc@lists.onap.org; p.paw...@f5.com Subject: Re: [onap-tsc] ONAP Project Lifecycle: recommended actions I don't think we'd want to codify that list of criteria into the technical community document, so what we might want to do is amend the document to require a Security Subcommittee review prior to a project moving to the mature or core phases. This would need to be voted on by the TSC. Should we cover it in the next TSC meeting? Regards, Jason Hunt Distinguished Engineer, IBM Phone: +1-314-749-7422 Email: djh...@us.ibm.com <mailto:djh...@us.ibm.com> Twitter: @DJHunt ----- Original message ----- From: "Sylvain Desbureaux via lists.onap.org" <sylvain.desbureaux=orange....@lists.onap.org <mailto:sylvain.desbureaux=orange....@lists.onap.org> > Sent by: onap-tsc@lists.onap.org <mailto:onap-tsc@lists.onap.org> To: Krzysztof Opasiak <k.opas...@samsung.com <mailto:k.opas...@samsung.com> >, "onap-tsc@lists.onap.org <mailto:onap-tsc@lists.onap.org> " <onap-tsc@lists.onap.org <mailto:onap-tsc@lists.onap.org> > Cc: "az9...@att.com <mailto:az9...@att.com> " <az9...@att.com <mailto:az9...@att.com> >, "onap-rele...@lists.onap.org <mailto:onap-rele...@lists.onap.org> " <onap-rele...@lists.onap.org <mailto:onap-rele...@lists.onap.org> >, "p.paw...@f5.com <mailto:p.paw...@f5.com> " <p.paw...@f5.com <mailto:p.paw...@f5.com> > Subject: [EXTERNAL] Re: [onap-tsc] ONAP Project Lifecycle: recommended actions Date: Fri, Jun 5, 2020 10:08 AM +1 and one day we may need to be able to add new criterias for the ops (I'm thinking opentracing compatibility, prometheus endpoints, ...) ________________________________________ De : Krzysztof Opasiak [k.opas...@samsung.com] Envoyé : vendredi 5 juin 2020 16:53 À : onap-tsc@lists.onap.org <mailto:onap-tsc@lists.onap.org> Cc : az9...@att.com <mailto:az9...@att.com> ; onap-rele...@lists.onap.org <mailto:onap-rele...@lists.onap.org> ; p.paw...@f5.com <mailto:p.paw...@f5.com> ; DESBUREAUX Sylvain TGI/OLN Objet : Re: [onap-tsc] ONAP Project Lifecycle: recommended actions ... and correct Pawel Pawlak email;) On 05.06.2020 16:53, Krzysztof Opasiak wrote: > Hi Jason, > > On 05.06.2020 16:27, Jason Hunt wrote: >> Krzysztof, >> Great point. There are two options to address it: >> 1. The TSC votes to amend the Technical Community Document to include >> security in the criteria for the mature state >> 2. We modify the template for the maturity reviews to allow for >> security information to be included under the "mature artifacts" >> criteria. The TSC would then include that in its decision whether a >> project has met the "mature artifacts" portion of the criteria. > > I'll deffer this to Pawel & Amy to decide which way to go. > >> I would prefer the latter and am happy to make the update. Please let >> me know if there is suggested input you would like to see from projects >> so that we can update the template accordingly. > > I'd definitely would like to make sure that before any project is called > mature it: > > 1) Does not hardcode any credentials in the container & OOM helm charts > 2) Its docker containers are free of any hardcoded certificates > 3) It doesn't use static TLS certificates but obtains them at runtime > 4) It has no open OJSI tickets > 5) It has no known vulnerabilities in its direct dependencies > 6) It uses base image that is free of license violation and > vulnerabilities (aka recommended by seccom) > 7) Does not run as a root > 8) Does not access any DB as root from the application container (unless > there is a valid reason for that which has been presented & approved by > SECCOM) > 9) Does not access any DB that is owned by other service > 10) Uses only well-known, open source libraries for handling crypto > 11) Does not contain its own user store > 12) Can be access & used via ingress controller > 13) Has no runtime Internet dependencies > 14) Use secure communication to access anything that is outside of > kubernetes cluster > 15) Has no unprotected APIs/UIs exposed > 16) Has only a single process per container > 17) Has properly configured liveness & readiness checks > 18) Container rootfs is mounted read-only > > @Pawel > @Amy > Do you have anything more to add? > >> By the way, for the "core" state of projects (which comes after >> "mature"), the criteria in the Technical Community Document include: >> "Stability, Security, Scalability and Performance levels have reached a >> high bar." > > Right. But it would be great to ensure some "basic" security from > project which is called mature right? > >> >> Regards, >> Jason Hunt >> Distinguished Engineer, IBM >> >> Phone: +1-314-749-7422 >> Email: djh...@us.ibm.com <mailto:djh...@us.ibm.com> >> Twitter: @DJHunt >> >> ----- Original message ----- >> From: "Krzysztof Opasiak via lists.onap.org" >> <k.opasiak=samsung....@lists.onap.org >> <mailto:k.opasiak=samsung....@lists.onap.org> > >> Sent by: onap-tsc@lists.onap.org <mailto:onap-tsc@lists.onap.org> >> To: onap-tsc@lists.onap.org <mailto:onap-tsc@lists.onap.org> , >> onap-rele...@lists.onap.org <mailto:onap-rele...@lists.onap.org> , Jason Hunt >> <djh...@us.ibm.com <mailto:djh...@us.ibm.com> > >> Cc: "pawel.pawl...@orange.com <mailto:pawel.pawl...@orange.com> " >> <pawel.pawl...@orange.com <mailto:pawel.pawl...@orange.com> >, "ZWARICO, >> AMY" <az9...@att.com <mailto:az9...@att.com> > >> Subject: [EXTERNAL] Re: [onap-tsc] ONAP Project Lifecycle: >> recommended actions >> Date: Fri, Jun 5, 2020 9:05 AM >> Hi Jason, >> >> On 05.06.2020 00:13, Jason Hunt wrote: >> > TSC and PTLs, >> > Per the discussion in today's TSC meeting, we wanted to make everyone >> > aware of the ONAP project lifecycle and encourage projects to >> consider >> > their status and any changes. >> > The current lifecycle is depicted in this diagram: >> > >> > The suggestion is that we use this lifecycle to place the ONAP >> project >> > portfolio into three buckets: >> > >> > -*Mature projects:*for projects with active release participation & >> > solid artifacts; they should submit for a "maturity review" >> > >> > - *Inactive (Archived) projects*: for projects where there is no >> longer >> > any contributions, they should follow the termination review >> > >> > -*Other (Incubation) projects*: for those projects that are still >> active >> > but not ready for move to "mature" phase >> > >> > For *mature projects*, the TSC encourages qualifying projects to >> submit >> > for a maturity review. They do this by filling out the template >> in the >> > wiki >> (https://wiki.onap.org/display/DW/Project+Maturity+Review+Template >> >> <https://protect2.fireeye.com/url?k=dd42d9cf-808e156a-dd435280-0cc47a30d446-d4617dd9a8a6f261 >> >> <https://protect2.fireeye.com/url?k=dd42d9cf-808e156a-dd435280-0cc47a30d446-d4617dd9a8a6f261&q=1&u=https%3A%2F%2Fwiki.onap.org%2Fdisplay%2FDW%2FProject%2BMaturity%2BReview%2BTemplate> >> >> &q=1&u=https%3A%2F%2Fwiki.onap.org%2Fdisplay%2FDW%2FProject%2BMaturity%2BReview%2BTemplate >> > >> >> > >> >> <https://protect2.fireeye.com/url?k=54d370d1-091d739c-54d2fb9e-000babff24ad-19c6b140cc54f247 >> >> <https://protect2.fireeye.com/url?k=54d370d1-091d739c-54d2fb9e-000babff24ad-19c6b140cc54f247&q=1&u=https%3A%2F%2Fwiki.onap.org%2Fdisplay%2FDW%2FProject%2BMaturity%2BReview%2BTemplate> >> >> &q=1&u=https%3A%2F%2Fwiki.onap.org%2Fdisplay%2FDW%2FProject%2BMaturity%2BReview%2BTemplate >> >) >> > and send an email to the TSC list. In order to accelerate >> reviews (and >> > free up time on the TSC calls), we may want to form a working >> group to >> > do a preliminary maturity review for the projects. The group >> > would submit their recommendations to the TSC who would then vote >> > +1/0/-1 for promotion to the mature phase. >> >> Shouldn't we have any security review before we move project to the >> mature state? There is no single question regarding security in this >> template... >> >> > >> > For the*inactive projects*, there is no guidance on who should >> initiate >> > a termination review. Because there may not be a PTL, perhaps >> the TSC >> > could initiate a termination review for a project. Again, we may >> want a >> > working group to conduct the steps of the termination review. This >> > group should consist of people who are familiar with the project >> or at >> > least interface with/depend upon the project. This working group >> will >> > need to walk through the steps of the termination review as outlined >> > here: (scroll down) >> > >> > >> https://wiki.onap.org/display/DW/ONAP+Project+and+Component+Lifecycle >> <https://protect2.fireeye.com/url?k=033e4694-5ef28a31-033fcddb-0cc47a30d446-225209ace7e1b240 >> >> <https://protect2.fireeye.com/url?k=033e4694-5ef28a31-033fcddb-0cc47a30d446-225209ace7e1b240&q=1&u=https%3A%2F%2Fwiki.onap.org%2Fdisplay%2FDW%2FONAP%2BProject%2Band%2BComponent%2BLifecycle> >> >> &q=1&u=https%3A%2F%2Fwiki.onap.org%2Fdisplay%2FDW%2FONAP%2BProject%2Band%2BComponent%2BLifecycle >> > >> >> > >> >> <https://protect2.fireeye.com/url?k=ba539477-e79d973a-ba521f38-000babff24ad-e719a6ce77842878 >> >> <https://protect2.fireeye.com/url?k=ba539477-e79d973a-ba521f38-000babff24ad-e719a6ce77842878&q=1&u=https%3A%2F%2Fwiki.onap.org%2Fdisplay%2FDW%2FONAP%2BProject%2Band%2BComponent%2BLifecycle> >> >> &q=1&u=https%3A%2F%2Fwiki.onap.org%2Fdisplay%2FDW%2FONAP%2BProject%2Band%2BComponent%2BLifecycle >> > >> > >> > All other projects need no action. >> > >> > Background slide deck on project lifecycle reviews: >> > >> https://wiki.lfnetworking.org/pages/viewpage.action?pageId=25364127 >> <https://wiki.lfnetworking.org/pages/viewpage.action?pageId=25364127&preview=/25364127/28738708/ONAP%20Proj%20Lifecycle%20and%20Review%2015Jan2020%20v1.pdf> >> >> &preview=/25364127/28738708/ONAP%20Proj%20Lifecycle%20and%20Review%2015Jan2020%20v1.pdf >> >> >> <https://protect2.fireeye.com/url?k=537e62b2-0eb2ae17-537fe9fd-0cc47a30d446-e67a382a6685bae2 >> >> <https://protect2.fireeye.com/url?k=537e62b2-0eb2ae17-537fe9fd-0cc47a30d446-e67a382a6685bae2&q=1&u=https%3A%2F%2Fwiki.lfnetworking.org%2Fpages%2Fviewpage.action%3FpageId%3D25364127%26preview%3D%2F25364127%2F28738708%2FONAP%2520Proj%2520Lifecycle%2520and%2520Review%252015Jan2020%2520v1.pdf> >> >> &q=1&u=https%3A%2F%2Fwiki.lfnetworking.org%2Fpages%2Fviewpage.action%3FpageId%3D25364127%26preview%3D%2F25364127%2F28738708%2FONAP%2520Proj%2520Lifecycle%2520and%2520Review%252015Jan2020%2520v1.pdf >> > >> >> > >> >> <https://protect2.fireeye.com/url?k=4b2f2f99-16e12cd4-4b2ea4d6-000babff24ad-5d861846fa71adf4&q=1&u=https%3A%2F%2Fnam11.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fwiki.lfnetworking.org%252Fpages%252Fviewpage.action%253FpageId%253D25364127%2526preview%253D%252F25364127%252F28738708%252FONAP%252520Proj%252520Lifecycle%252520and%252520Review%25252015Jan2020%252520v1.pdf%26data%3D02%257C01%257Cchaker.al.hakim%2540futurewei.com%257C8a2529fdf0fb43e0b9e108d7f80c6f32%257C0fee8ff2a3b240189c753a1d5591fedc%257C1%257C1%257C637250604601001932%26sdata%3DemcJR3xAixRLzzkLjydj2G57uTiv1pwcYEOr%252BdsNGVQ%253D%26reserved%3D0 >> > >> > >> > Please reply with any questions on the process. >> > >> > Regards, >> > Jason Hunt >> > Distinguished Engineer, IBM >> > >> > Phone: +1-314-749-7422 >> > Email: djh...@us.ibm.com <mailto:djh...@us.ibm.com> >> > Twitter: @DJHunt >> > >> > >> >> -- >> Krzysztof Opasiak >> Samsung R&D Institute Poland >> Samsung Electronics >> >> >> >> > -- Krzysztof Opasiak Samsung R&D Institute Poland Samsung Electronics _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#6495): https://lists.onap.org/g/onap-tsc/message/6495 Mute This Topic: https://lists.onap.org/mt/74681700/21656 Group Owner: onap-tsc+ow...@lists.onap.org Unsubscribe: https://lists.onap.org/g/onap-tsc/leave/2743226/1412191262/xyzzy [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
