2025-01-08 TAC Minutes
Attendees & Representation (default sort: member first name)
TAC Members and Project representatives should mark their attendance below
Member Representatives
Representing | Member |
---|---|
China Mobile | vacant |
China Telecom | vacant |
Cisco | @Frank Brockners |
Deutsche Telekom | @Marc Fiedler |
Ericsson | @Christian Olrog Atlassian |
Huawei | @Huijun Yu |
Infosys | @Girish Kumar |
Nokia | @Olaf Renner |
Red Hat | @Dave Tucker |
Tech Mahindra | vacant |
TELUS | @Sana Tariq |
Verizon | vacant |
Walmart | @Santhosh Fernandes |
Community Representatives
Community | Representative | Lifecycle |
---|---|---|
ONAP | @N.K. Shankaranarayanan | Graduated |
OpenDaylight | @Robert Varga | Graduated |
Anuket | @Walter.kozlowski @Gergely Csatari @Lincoln Lavoie | Graduated |
FD.io | @Dave Wallace | Graduated |
Nephio | @Kandan Kathirvel alt: @Timo Perala | Graduated |
L3AF | @Santhosh Fernandes | Incubation |
5G SBP | vacant | Incubation |
CNTi | @Olivier Smith | Sandbox |
Paraglider | vacant | Sandbox |
Elected Representatives
Role | Representative |
---|---|
Chairperson | @Olaf Renner |
Vice-Chair | @Muddasar Ahmed |
Security | @Amy Zwarico |
5G-SBP | @Muddasar Ahmed |
LF Staff:
Community:
Agenda
We will start by mentioning the project's Antitrust Policy, which you can find linked from the LF and project websites. The policy is important where multiple companies, including potential industry competitors, are participating in meetings. Please review and if you have any questions, please contact your company legal counsel. Members of the LF may contact Andrew Updegrove at the firm Gesmer Updegrove LLP, which provides legal counsel to the LF.
Check Action Items & Topic Requests (Backlog)
AI seat nominations
General Topics
Any Other Topics
Action items
Minutes
Topic 1
The AI seat nomination period ended on 01/07. The TAC agrees to extend the nomination period through Jan 21, 2025.
Topic 2
Lifecycle documentation updates & approval (Update Project Lifecycle states to reflect the tools and support needed to make the projects successful)
Topic 3
Proposal to try a process similar to CNCF using repo templates
Topic 4
Joint sessions with LFX for data accuracy and health review metric. Invite LFX team periodically to TAC meetings.
From 12/11 TAC meeting:
LFX insights
LFX Insight data is pulled once a day.
Data is pulled independently from each source (Gerrit, GitHub).
A contribution is defined as: see documentation "Core Concepts | Linux Foundation Documentation".
Feedback
Data from GitHub - nephio-project/porch was missing: Porch was not associated to Nephio in LFX (fixed).
Cause of incomplete data needs further investigation.
To determine eligible voters, a list of the top 10 (example to reach quorum) contributors over a specific timeframe would be helpful.
Company association: who from company x is contributing where.
This is a common feature request. The issue is that LFX Insights is publicly available, and the history of potentially changing company affiliations is not allowed to be shared. Whether this could be retrieved through Project Control Center needs further investigation.
Connection between LFX Insights and LFX Personal Profile (to set company affiliation) will be implemented.
Grouping of data sources for statistics
a possibility to remove archived project repos from statistics
display status of projects/repos: project life cycle stages (sandbox, incubation, graduated, archived): data available, a matter of displaying it in the dashboard
sub-project consisting of multiple repos: would be rather static association of repos to a “sub-project” (repos may be added or archived over time)
in theory possible with LFX insights
flexible selection of repos for statistics: some repos are not relevant for statistics and it would be great to uncheck them from statistics calculation
information is available in the data-lake. There is a plan to give projects access to the data-lake to compile own statistics
Meaning of “no data to display” in LFX Insight Contributors dashboard: is it that data is not available/source not connected or no contribution happened?
means that for the selected time frame no contributions happened
could be renamed to “no contributions in selected time frame” to make it more clear
Topic 5
TAC process improvement: re-assess project health assessments, quantitative and qualitative.
Topic 6
Continue security and quality goal sessions. Start to plan how to implement.
Proposal to contact other security interest groups for feedback
Develop a list of security contacts per project.
Topic 7
@Muddasar Ahmed Add post-quantum safe cryptography readiness planning details.
Major players like IBM, Google, and others are making significant progress in scaling quantum systems. IBM, for instance, has released systems exceeding 5,000 qubits (two Qubits gates), and roadmaps suggest further scaling in the near future*. Researchers continue to improve quantum error correction and coherence times, which are critical to building practical quantum computers. The exact timeline for scale and widespread availability of practical quantum computers is uncertain, but proactive preparation is essential. It's safer to assume the need for change will come "sooner" and act accordingly, rather than risk being unprepared.
Algorithms like RSA, ECC, and Diffie-Hellman are directly threatened by Shor’s algorithm, which quantum computers can theoretically exploit to break them. Once large-scale quantum computers become practical, these systems could be compromised almost immediately.
What does it mean for us?
LF/LFN may have many projects that use cryptography in their software to protect data, and that data may become vulnerable once quantum computers are put to the test of breaking that cryptography.
* Ref: https://www.ibm.com/quantum/blog/qdc-2024
The following activity is suggested for every project team that produces code, projects and sub-projects all included. Similar guidance should be applied to LF IT custom code and third-party tools.
1. Understand the Scope
Identify Components:
Core application code.
External libraries and frameworks.
APIs or services the application interacts with.
Determine Cryptography Use Cases:
Authentication mechanisms (e.g., passwords, tokens).
Data encryption/decryption.
Secure communication (e.g., TLS/SSL).
Digital signatures and certificates.
2. Review the Codebase
Search for Keywords:
Use tools like grep, ack, or your IDE's search feature to look for cryptography-related keywords (e.g., "encrypt", "decrypt", "AES", "RSA", "TLS").
Examine Sensitive Areas:
Focus on modules that handle user data, file storage, and communication protocols.
Analyze Hard-Coded Secrets:
Identify hard-coded keys, initialization vectors (IVs), or passwords.
Catalog Algorithms and Modules:
Document the cryptographic algorithms in use.
Map each algorithm to its corresponding module or feature.
Include implementation details, such as library or framework versions.
3. Inspect Dependencies
Audit Third-Party Libraries:
Use dependency analysis tools (e.g., npm audit, pip-audit, Snyk, Nexus, etc.) to identify libraries with cryptographic functionality.
Check Documentation:
Review the documentation for cryptographic APIs or features used by dependencies.
Verify Security Practices:
Ensure libraries and tools rely on up-to-date and secure cryptographic primitives.
4. Examine Configuration Files
Check Settings for Cryptography:
Protocol settings (e.g., HTTPS, SSH).
Encryption keys or certificates.
Cipher suites or algorithms.
Validate Security Defaults:
Ensure default settings enforce strong security (i.e., TLS 1.3 vs. TLS 1.2).
Identify Versions:
Document versions of cryptographic protocols (e.g., TLS 1.2, TLS 1.3) and libraries used in configurations.
5. Compile Findings
Create an Inventory:
Algorithm Name: List all identified cryptographic algorithms.
Module/Feature: Map algorithms to the modules or features that use them.
Version/Implementation Details: Include library or protocol versions and any configuration specifics.
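An added example (not part of the minutes and not LFN tooling) of steps 2, 4 and 5: a keyword scan over source and configuration files that builds the algorithm/module inventory and flags the algorithm families the minutes name as threatened by Shor's algorithm. The keyword set, file suffixes, function names and sample files are assumptions constructed for illustration.

```python
import re
from pathlib import Path

def _kw(*words):  # a keyword must not sit inside a longer alphanumeric token
    return re.compile(r"(?<![A-Za-z0-9])(?:%s)(?![A-Za-z0-9])" % "|".join(words), re.I)

# Assumed starter keywords; True marks families the minutes tie to Shor's algorithm.
PATTERNS = {
    "RSA": (_kw("RSA"), True),
    "ECC": (_kw("ECDSA", "ECDHE?", r"secp\d+[rk]1", "Ed25519", "X25519"), True),
    "Diffie-Hellman": (_kw("DHE?", "Diffie-?Hellman"), True),
    "AES": (_kw(r"AES(?:-?\d{3})?"), False),
    "TLS": (_kw(r"TLSv?\s?1\.[0-3]", "SSLv[23]"), False),
}

def scan_text(module, text):
    """Step 2: one hit per keyword occurrence in a file's text."""
    return [{"algorithm": name, "module": module, "line": n, "detail": m.group(0), "shor": shor}
            for n, line in enumerate(text.splitlines(), 1)
            for name, (pat, shor) in PATTERNS.items()
            for m in pat.finditer(line)]

def scan_tree(root, suffixes=(".py", ".go", ".java", ".conf", ".yaml")):
    """Steps 2 and 4: scan source and configuration files under root."""
    files = [p for p in sorted(Path(root).rglob("*")) if p.is_file() and p.suffix in suffixes]
    return [h for p in files
            for h in scan_text(p.relative_to(root).as_posix(), p.read_text(errors="replace"))]

def inventory(hits):
    """Step 5: one entry per (algorithm, module) with the variants and lines seen."""
    inv = {}
    for h in hits:
        entry = inv.setdefault((h["algorithm"], h["module"]),
                               {"details": set(), "lines": [], "quantum_vulnerable": h["shor"]})
        entry["details"].add(h["detail"])
        entry["lines"].append(h["line"])
    return inv

def needs_migration(inv):
    return sorted({mod for (_, mod), e in inv.items() if e["quantum_vulnerable"]})

SAMPLE = {  # constructed files for illustration, not taken from any LFN project
    "auth/token.py": "key = rsa.generate_private_key(65537, 2048)\n",
    "net/server.conf": "ssl_protocols TLSv1.2 TLSv1.3;\nssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;\n",
    "store/disk.py": "cipher = AES.new(k, AES.MODE_GCM)  # aes-256-gcm\n",
}

def demo():
    return inventory([h for mod, txt in SAMPLE.items() for h in scan_text(mod, txt)])
```

Keyword matching only locates candidates; each hit still needs manual review, and cryptography pulled in through dependencies (step 3) is not covered by this scan.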
Topic 8
Upcoming TAC meeting on planning for ONE summit/Kubecon. ONE summit is a curated agenda.
There is a tentative F2F LFN boarding meeting during the event.
Proposal for a F2F TAC meeting during the event
Update “Convince Your Boss” template