2023-12-06 TAC Minutes
Attendees & Representation (default sort: member first name)
TAC Members and Project representatives should mark their attendance below
Member Representatives
Representing | Member |
---|---|
AT&T | @cl664y@att.com |
China Mobile | vacant |
China Telecom | vacant |
Cisco | @Frank Brockners |
Deutsche Telekom | @Marc Fiedler |
Ericsson | @Christian Olrog Atlassian |
vacant | |
Huawei | @Huijun Yu |
Infosys | @Girish Kumar |
Nokia | @Olaf Renner |
Red Hat | @Stephen Flaherty |
Tech Mahindra | vacant |
TELUS | @Sana Tariq |
Verizon | vacant |
Walmart | @Santhosh Fernandes |
ZTE | @ChangJin Wang |
Community Representatives
Community | Representative | Lifecycle |
---|---|---|
ONAP | @N.K. Shankaranarayanan | Graduated |
OpenDaylight | @Robert Varga | Graduated |
Anuket | @Walter.kozlowski @Gergely Csatari @Lincoln Lavoie | Graduated |
FD.io | @Dave Wallace | Graduated |
Nephio | | Graduated |
ODIM | @Martin Halstead | Sandbox |
EMCO | @Amar Kapadia | Sandbox |
L3AF | @Santhosh Fernandes | Sandbox |
XGVela | @Qihui Zhao | Sandbox |
Elected Representatives
Chairperson | @Olaf Renner |
---|---|
Vice-Chair | @Muddasar Ahmed |
Security | @Amy Zwarico |
5G-SBP | @Muddasar Ahmed |
LF Staff: @Casey Cain @Kenny Paul @Sandra Jackson (Deactivated)
Community: @Vuk Gojnic @Victor Lu @Victor Morales @Mohamed El Gamal @Cédric Ollivier @Taylor Carpenter @Olivier Smith @Lucina Stricko @Beth Cohen
Agenda
We will start by mentioning the project's Antitrust Policy, which you can find linked from the LF and project websites. The policy is important where multiple companies, including potential industry competitors, are participating in meetings. Please review it and, if you have any questions, contact your company legal counsel. Members of the LF may contact Andrew Updegrove at the firm Gesmer Updegrove LLP, which provides legal counsel to the LF.
Roll Call
General Topics
2024 Priorities
Security discussion
Create an LFN security scrum of scrums
Purpose: educate LFN projects on the LFN security guidelines
Frequency of meeting: monthly for first 6 months; quarterly after that
Governance: update Tony Hansen's ONAP OpenSSF dashboard to include all LFN projects; require all LFN projects to fill out OpenSSF report
Future: back up attestation with testing
LFN support of security
LFN provides static application security testing (SAST) and software composition analysis (SCA) tools and onboarding support for projects
LFN pipelines create vulnerability reports to accompany each release: list vulnerabilities in project-created code and known CVEs in 3rd party packages
Future: LFN tooling creates Jira ticket per code vulnerability and package vulnerability
LFN release certification
Add a suffix to the release name indicating the lifecycle phase of the project and release
Example: name-version-incubation, name-version-sandbox
LFN TAC approves of version suffix
Provide bug report as part of release notes (fixed and open)
CNF Conformance
Any Other Topics
Action items
Minutes
CNF Conformance → Cloud Native Telecom Initiative (CNTi) - Deprecated
@Olaf Renner: the LFN has a new initiative to build parity with Anuket, the CNF WG and other testing initiatives.
We want this to be governed at the TAC level
@Cédric Ollivier said that he believes that the Anuket is already conforming to CNF test policies
@Frank Brockners noted that there are a few aspects to conformance.
He spoke about self testing with the test suites
Right now tests are done by a 3rd party, and the question is how we can bring that back to being community driven
@Olaf Renner asked how we could get the Anuket-CNCF assets aligned in a fully community driven way
@Cédric Ollivier: the CNF test suite is already in Anuket. The only difference is that we can not do live on live testing.
@Muddasar Ahmed: are you saying the software compliance testing is there, but we don't have runtime compliance testing?
@Cédric Ollivier: we can verify the cluster, but not the test suite itself in live
@Muddasar Ahmed: who approved the process?
@Cédric Ollivier: the test does make sense, but there are some tests that are different from CNF WG. We don't do the live testing.
@Muddasar Ahmed: if the test tool is available, they can have a gradual increase of testing on the production instance
@Olivier Smith : There are a number of projects that could be adding to those requirements that are not just Anuket. The end users will need choices. Nephio is an example that would likely need a test suite that could be enhanced by not tying everything to Anuket. We can't be just tied to Anuket.
Olaf: Anuket context may have a different view of what cloud native is compared to the CNF WG.
@Olivier Smith : Agree that we need to align some of our requirements more with the CNF test suite. There are indeed different views of what CNF is. We should constantly be trying to ensure a baseline conformance.
@Muddasar Ahmed What is our desired outcome and governance?
@Olivier Smith : There are 3 areas that we are focusing on
Building out the test suite catalogue
We want to be able to include other projects
Offer different conformance testing badges
Move all certification suites into one location
We asked the CNF WG members in attendance to introduce themselves
Taylor Carpenter spoke about the current efforts within the CNF WG
He shared the Accelerating Cloud Native in Telco CSP whitepaper
Clarifications on the CNF initiatives formerly at CNCF added as a comment below: Re: 2023-12-06 TAC Minutes
Lucina had no microphone but she shared:
Wiki for the initiative https://lf-networking.atlassian.net/wiki/x/fHfv
Asset List: https://lf-networking.atlassian.net/wiki/x/Enjv
Challenges: https://lf-networking.atlassian.net/wiki/x/oHjv
@Frank Brockners spoke about how the Board expects the Anuket and CNF WG teams to collaborate and find a way to reach our goals by April.
Taylor: right now we are meeting to ensure alignment at the CNF WG
There is a desire to have something new that takes the best pieces and merges them under a new WG
tentatively named CNF Telco Initiative
@Olivier Smith : It makes sense for us to at least come back and report to the TAC on our progress towards these initiatives.
start preparation before next TAC meeting
LFN Security
@Amy Zwarico spoke about the current efforts taking place with the Security WG
Create an LFN security scrum of scrums
Purpose: educate LFN projects on the LFN security guidelines
Frequency of meeting: monthly for first 6 months; quarterly after that
Governance: update Tony Hansen's ONAP OpenSSF dashboard to include all LFN projects; require all LFN projects to fill out OpenSSF report
She suggested that all of the LFN projects should adopt a similar security posture
Tony may be willing to help with the dashboard, but the projects will need to complete the OpenSSF badging template.
Future: back up attestation with testing
LFN support of security
Amy suggested that LFN provides static application security testing (SAST) and software composition analysis (SCA) tools and onboarding support for projects
LFN pipelines create vulnerability reports to accompany each release: list vulnerabilities in project-created code and known CVEs in 3rd party packages
Future: LFN tooling creates Jira ticket per code vulnerability and package vulnerability
LFN release certification
Add a suffix to the release name indicating the lifecycle phase of the project and release
Example: name-version-incubation, name-version-sandbox
LFN TAC approves of version suffix
Provide bug report as part of release notes (fixed and open)
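The security and release-certification proposals listed in the agenda and in Amy Zwarico's report above (a per-release vulnerability report covering project-created code and known CVEs in third-party packages, one ticket per code and per package vulnerability, and a lifecycle suffix on the release name) as a worked example. This is an added illustration, not LFN tooling or any LFN project's code: the finding shapes, the set of lifecycle phases (sandbox, incubation, graduated), the ticket-key format, and the sample scan output with placeholder CVE ids are all assumptions constructed for the example.

```python
"""Per-release vulnerability report, stable ticket keys, lifecycle-suffixed release names."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Union

# Assumed lifecycle phases a release suffix may carry: "incubation" and "sandbox"
# are the examples in the minutes, "graduated" is the other value in the table.
LIFECYCLE_PHASES = ("sandbox", "incubation", "graduated")
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class CodeFinding:
    """A SAST finding in project-created code (assumed shape)."""
    rule: str
    path: str
    line: int
    severity: str


@dataclass(frozen=True)
class PackageFinding:
    """An SCA finding: a known CVE in a third-party package (assumed shape)."""
    package: str
    version: str
    cve: str
    severity: str


Finding = Union[CodeFinding, PackageFinding]


def release_name(project: str, version: str, phase: str) -> str:
    """Return project-version-phase (e.g. name-version-sandbox); reject unknown phases."""
    phase = phase.lower()
    if phase not in LIFECYCLE_PHASES:
        raise ValueError(f"unknown lifecycle phase: {phase!r}")
    for part in (project, version):
        if not part or any(c.isspace() or c == "/" for c in part):
            raise ValueError(f"invalid release component: {part!r}")
    return f"{project}-{version}-{phase}"


def ticket_key(finding: Finding) -> str:
    """Stable key per vulnerability so a pipeline re-run maps to the same ticket."""
    if isinstance(finding, CodeFinding):
        return f"SAST:{finding.rule}:{finding.path}:{finding.line}"
    return f"SCA:{finding.package}@{finding.version}:{finding.cve}"


def new_tickets(findings: Iterable[Finding], existing_keys: Iterable[str] = ()) -> list[dict]:
    """One ticket per code vulnerability and per package vulnerability; findings that
    already have a ticket (by key) and duplicate rows within one scan are skipped."""
    seen = set(existing_keys)
    tickets = []
    for f in findings:
        key = ticket_key(f)
        if key in seen:
            continue
        seen.add(key)
        summary = (f"{f.rule} in {f.path}:{f.line}" if isinstance(f, CodeFinding)
                   else f"{f.cve} in {f.package} {f.version}")
        tickets.append({"key": key, "severity": f.severity, "summary": summary})
    return tickets


def build_report(release: str, code: list[CodeFinding], packages: list[PackageFinding],
                 fixed_bugs: list[str], open_bugs: list[str]) -> dict:
    """Assemble the per-release report: code vulnerabilities, package CVEs, fixed/open bugs."""
    def sev(f: Finding) -> int:
        return SEVERITY_ORDER.get(f.severity, len(SEVERITY_ORDER))
    code = list(dict.fromkeys(code))            # drop duplicate rows, keep order
    packages = list(dict.fromkeys(packages))
    return {
        "release": release,
        "code_vulnerabilities": sorted(code, key=sev),
        "package_vulnerabilities": sorted(packages, key=sev),
        "counts": {"code": len(code), "packages": len(packages),
                   "bugs_fixed": len(fixed_bugs), "bugs_open": len(open_bugs)},
        "bugs": {"fixed": list(fixed_bugs), "open": list(open_bugs)},
    }


def render_report(report: dict) -> str:
    """Plain-text section suitable for appending to the release notes."""
    out = [f"Vulnerability report for {report['release']}",
           f"Code vulnerabilities ({report['counts']['code']}):"]
    out += [f"  [{f.severity}] {f.rule} {f.path}:{f.line}" for f in report["code_vulnerabilities"]]
    out.append(f"Known CVEs in third-party packages ({report['counts']['packages']}):")
    out += [f"  [{f.severity}] {f.package} {f.version} {f.cve}" for f in report["package_vulnerabilities"]]
    out.append(f"Bugs fixed: {', '.join(report['bugs']['fixed']) or 'none'}")
    out.append(f"Bugs open: {', '.join(report['bugs']['open']) or 'none'}")
    return "\n".join(out)


# Constructed sample scan output; package names and CVE ids are placeholders.
SAMPLE_CODE = [
    CodeFinding("hardcoded-secret", "src/config.go", 42, "high"),
    CodeFinding("sql-injection", "src/db.go", 118, "critical"),
]
SAMPLE_PACKAGES = [
    PackageFinding("example-lib", "2.3.1", "CVE-0000-00001", "medium"),
    PackageFinding("example-lib", "2.3.1", "CVE-0000-00001", "medium"),  # duplicate row
    PackageFinding("other-lib", "0.9.0", "CVE-0000-00002", "high"),
]

if __name__ == "__main__":
    rel = release_name("example", "1.2.0", "sandbox")
    print(render_report(build_report(rel, SAMPLE_CODE, SAMPLE_PACKAGES, ["BUG-1"], ["BUG-2"])))
    for t in new_tickets(SAMPLE_CODE + SAMPLE_PACKAGES):
        print(t["key"], "->", t["summary"])
```

The ticket key is the part worth copying: it is derived from the finding itself (rule, path and line for code; package, version and CVE for dependencies), so re-running the pipeline on the next release reuses the same ticket instead of opening a second one, and a finding whose key disappears from the report is the signal that the ticket can be closed.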
There was some follow up discussion about how Orgs trust open source projects
This initiative is important to build trust for mission critical environments
There is an obligation to ensure that we are removing bugs to the best of our ability
Beth spoke about the LFN security team building some guidelines for the projects to follow as a baseline.
@Olaf Renner +1 on having dedicated monthly meetings with security experts from the projects. We currently don't have LFN security requirements documented.
Continue discussion on release certification and the TAC role in the next TAC meeting
CNF Zero Trust whitepaper https://docs.google.com/document/d/10g2390JdCBXmSmzQ_EGHFWrg2JosPsXLaqXaGQ-B9NA/edit