Attendees & Representation (default sort: member first name)
TAC Members and Project representatives should mark their attendance below
Member Representatives
Representing | Member |
---|---|
AT&T | |
China Mobile | vacant |
China Telecom | vacant |
Cisco | |
Deutsche Telekom | |
Ericsson | |
vacant | |
Huawei | |
Infosys | |
Nokia | |
Red Hat | |
Tech Mahindra | vacant |
TELUS | |
Verizon | vacant |
Walmart | |
ZTE | |
Community Representatives
Community | Representative | Lifecycle |
---|---|---|
ONAP | | Graduated |
OpenDaylight | | Graduated |
Anuket | | Graduated |
FD.io | | Graduated |
Nephio | | Graduated |
ODIM | | Sandbox |
EMCO | | Sandbox |
L3AF | | Sandbox |
XGVela | | Sandbox |
Elected Representatives
Position | Representative |
---|---|
Chairperson | |
Vice-Chair | |
Security | |
5G-SBP | |
LF Staff: Casey Cain, Kenny Paul, Sandra Jackson (Deactivated)
Community: Vuk Gojnic, Victor Lu, Victor Morales, Mohamed El Gamal, Cédric Ollivier, Taylor Carpenter, Olivier Smith, Lucina Stricko, Beth Cohen
Agenda
- We will start by mentioning the project's Antitrust Policy, which you can find linked from the LF and project websites. The policy is important where multiple companies, including potential industry competitors, are participating in meetings. Please review it, and if you have any questions, contact your company's legal counsel. Members of the LF may contact Andrew Updegrove at the firm Gesmer Updegrove LLP, which provides legal counsel to the LF.
- Roll Call
- Check Action Items & Topic Requests
- General Topics
  - 2024 Priorities
  - Security discussion
    - Create an LFN security scrum of scrums
      - Purpose: educate LFN projects on the LFN security guidelines
      - Frequency of meeting: monthly for the first 6 months; quarterly after that
      - Governance: update Tony Hansen's ONAP OpenSSF dashboard to include all LFN projects; require all LFN projects to fill out the OpenSSF report
      - Future: back up attestation with testing
    - LFN support of security
      - LFN provides static application security testing (SAST) and software composition analysis (SCA) tools and onboarding support for projects
      - LFN pipelines create vulnerability reports to accompany each release: list vulnerabilities in project-created code and known CVEs in 3rd party packages
      - Future: LFN tooling creates a Jira ticket per code vulnerability and package vulnerability
    - LFN release certification
      - Add a suffix to the release indicating the lifecycle phase of the project and release
        - Example: name-version-incubation, name-version-sandbox
        - LFN TAC approves of the version suffix
      - Provide a bug report as part of the release notes (fixed and open)
  - CNF Conformance
- Any Other Topics
Action items
Minutes
CNF Conformance → Cloud Native Telecom Initiative
- Olaf Renner: the LFN has a new initiative to build parity with Anuket, the CNF WG and other testing initiatives.
  - We want this to be governed at the TAC level
- Cédric Ollivier said that he believes that Anuket is already conforming to CNF test policies
- Frank Brockners noted that there are a few aspects to conformance.
  - He spoke about self testing with the test suites
  - Right now tests are done by a 3rd party and how we can bring that back to being community driven
- Olaf Renner asked how we could get the Anuket assets aligned in a fully community driven way
- Cédric Ollivier: the CNF test suite is already in Anuket. The only difference is that we can not do live on live testing.
- Muddasar Ahmed: are you saying the software compliance testing is there, but we don't have runtime compliance testing?
- Cédric Ollivier: We can verify the cluster, but not the test suite itself in live
- Muddasar Ahmed: who approved the process?
- Cédric Ollivier: The test does make sense, but there are some tests that are different from CNF WG. We don't do the live testing.
- Muddasar Ahmed: if the test tool is available, they can have a gradual increase of testing on the production instance
- Olivier Smith: There are a number of projects that could be adding to those requirements that are not just Anuket. The end users will need choices. Nephio is an example that would likely need a test suite that could be enhanced by not tying everything to Anuket. We can't be just tied to Anuket.
- Olaf: The Anuket context may have a different view of what cloud native is compared to the CNF WG.
- Olivier Smith: Agree that we need to align some of our requirements more with the CNF test suite. There are indeed different views of what CNF is. We should constantly be trying to ensure a baseline conformance.
- Muddasar Ahmed: What is our desired outcome and governance?
- Olivier Smith: There are 3 areas that we are focusing on
  - Building out the test suite catalogue
  - We want to be able to include other projects
  - Offer different conformance testing badges
  - Move all certification suites into one location
- We asked the CNF WG members in attendance to introduce themselves
- Taylor Carpenter spoke about the current efforts within the CNF WG
  - He shared the Accelerating Cloud Native in Telco CSP whitepaper
- Lucina had no microphone but she shared:
  - Wiki for the initiative: https://wiki.lfnetworking.org/x/mIC-Bg
  - Asset List: https://wiki.lfnetworking.org/x/IoG-Bg
  - Challenges: https://wiki.lfnetworking.org/x/r4G-Bg
- Frank Brockners spoke about how the Board expects that the teams between Anuket and the CNF WG collaborate and find a way to reach our goals by April.
- Taylor: right now we are meeting to ensure alignment at the CNF WG
  - There is a desire to have something new that takes the best pieces and merges them under a new WG
  - tentatively named CNF Telco Initiative
- Olivier Smith: It makes sense for us to at least come back and report to the TAC on our progress towards these initiatives.
LFN Security
- Amy Zwarico spoke about the current efforts taking place with the Security WG
  - Create an LFN security scrum of scrums
    - Purpose: educate LFN projects on the LFN security guidelines
    - Frequency of meeting: monthly for the first 6 months; quarterly after that
    - Governance: update Tony Hansen's ONAP OpenSSF dashboard to include all LFN projects; require all LFN projects to fill out the OpenSSF report
      - She suggested that all of the LFN projects should adopt a similar security posture
      - Tony may be willing to help with the dashboard, but the projects will need to complete the OpenSSF badging template.
    - Future: back up attestation with testing
  - LFN support of security
    - Amy suggested that LFN provide static application security testing (SAST) and software composition analysis (SCA) tools and onboarding support for projects
    - LFN pipelines create vulnerability reports to accompany each release: list vulnerabilities in project-created code and known CVEs in 3rd party packages
    - Future: LFN tooling creates a Jira ticket per code vulnerability and package vulnerability
  - LFN release certification
    - Add a suffix to the release indicating the lifecycle phase of the project and release
      - Example: name-version-incubation, name-version-sandbox
      - LFN TAC approves of the version suffix
    - Provide a bug report as part of the release notes (fixed and open)
- There was some follow up discussion about how organizations trust open source projects
  - This initiative is important to build trust for mission critical environments
  - There is an obligation to ensure that we are removing bugs to the best of our ability
- Beth spoke about the LFN security team building some guidelines for the projects to follow as a baseline.
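The per-release vulnerability report and the lifecycle-suffixed release name proposed above, sketched as a small script. This is an added example written for these minutes, not LFN's own pipeline code: it merges constructed SAST findings (project-created code) with constructed SCA findings (known CVEs in third-party packages), applies the name-version-lifecycle suffix, separates fixed from open findings for the release notes, and emits one ticket stub per open finding. The record field names, the severity scale, the lifecycle phase names and the ticket layout are assumptions, and the CVE ids are placeholders rather than real advisories.

```python
"""Added example, not LFN tooling: build the per-release vulnerability report
proposed in the minutes. It merges SAST findings in the project's own code
with known CVEs in third-party packages from SCA, names the release with its
lifecycle suffix, lists fixed and open findings for the release notes, and
emits one ticket stub per open finding. All inputs are constructed sample
data; the field names, severity scale and lifecycle set are assumptions."""

from collections import Counter
from dataclasses import dataclass, asdict

LIFECYCLE_PHASES = ("sandbox", "incubation", "graduated")  # assumed phase names
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # assumed scale


@dataclass(frozen=True)
class Finding:
    source: str      # "sast" (project-created code) or "sca" (third-party package)
    identifier: str  # SAST rule id, or CVE id for SCA
    severity: str    # key of SEVERITY_RANK
    location: str    # file:line for SAST, package@version for SCA
    status: str      # "open" or "fixed"; release notes list both


def release_name(project: str, version: str, lifecycle: str) -> str:
    """Apply the proposed name-version-lifecycle suffix, e.g. name-version-incubation."""
    phase = lifecycle.lower()
    if phase not in LIFECYCLE_PHASES:
        raise ValueError(f"unknown lifecycle phase: {lifecycle!r}")
    return f"{project}-{version}-{phase}"


def normalize(sast_results, sca_results):
    """Map both scanners' records onto Finding, de-duplicating repeated hits."""
    findings = set()
    for r in sast_results:
        findings.add(Finding("sast", r["rule"], r["severity"],
                             f'{r["file"]}:{r["line"]}',
                             "fixed" if r["fixed"] else "open"))
    for r in sca_results:
        findings.add(Finding("sca", r["cve"], r["severity"],
                             f'{r["package"]}@{r["version"]}',
                             "fixed" if r["fixed"] else "open"))
    # Most severe first, then a stable order by source and identifier
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.source, f.identifier))


def ticket_stub(finding: Finding, release: str) -> dict:
    """One tracker ticket per open vulnerability (field layout is an assumption)."""
    return {
        "summary": f"[{finding.source.upper()}] {finding.identifier} in {finding.location}",
        "priority": finding.severity,
        "labels": ["security", finding.source, release],
    }


def build_report(project, version, lifecycle, sast_results, sca_results) -> dict:
    """Vulnerability report that accompanies a release: counts, fixed/open lists, tickets."""
    release = release_name(project, version, lifecycle)
    findings = normalize(sast_results, sca_results)
    open_findings = [f for f in findings if f.status == "open"]
    return {
        "release": release,
        "open_by_severity": dict(Counter(f.severity for f in open_findings)),
        "fixed": [asdict(f) for f in findings if f.status == "fixed"],
        "open": [asdict(f) for f in open_findings],
        "tickets": [ticket_stub(f, release) for f in open_findings],
    }


# Constructed sample scanner output. The CVE ids are placeholders, not real advisories.
SAST_RESULTS = [
    {"rule": "sql-injection", "severity": "high", "file": "api/db.py", "line": 42, "fixed": False},
    {"rule": "hardcoded-secret", "severity": "medium", "file": "cfg/defaults.py", "line": 7, "fixed": True},
]
SCA_RESULTS = [
    {"cve": "CVE-0000-00001", "severity": "critical", "package": "examplelib", "version": "1.2.3", "fixed": False},
    {"cve": "CVE-0000-00002", "severity": "low", "package": "otherlib", "version": "4.5.6", "fixed": False},
    # The same advisory reported twice by the scanner; normalize() collapses it
    {"cve": "CVE-0000-00001", "severity": "critical", "package": "examplelib", "version": "1.2.3", "fixed": False},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_report("exampleproj", "1.0.0", "incubation", SAST_RESULTS, SCA_RESULTS), indent=2))
```

Two design points carry the minutes' intent: the report keeps fixed findings alongside open ones, because the release notes are meant to show both, and the de-duplication step matters once the "one Jira ticket per vulnerability" idea is automated, since a scanner that reports the same CVE twice would otherwise open two tickets.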
CNF Zero Trust whitepaper https://docs.google.com/document/d/10g2390JdCBXmSmzQ_EGHFWrg2JosPsXLaqXaGQ-B9NA/edit