#acumos-meeting: Acumos TSC Security Committee
Meeting started by bryan_att at 13:03:16 UTC
Meeting summary
- Bryan Sullivan (bryan_att, 13:03:47)
- aimeeu (aimeeu, 13:04:45)
- attendees: Bob Thorman, Bryan Sullivan, Chuxin Chen, Farheen Cefalu, Ken Kristiansen, Marcel, Nat Subramanian, Prasad, Vasu Kallepalli (aimeeu, 13:13:59)
- attendees: Jamil (Orange) (aimeeu, 13:17:07)
- attendees: GuangCong Liu (aimeeu, 13:18:17)
- Bryan presented the Security home at https://wiki.acumos.org/display/SEC/Security+Home and walked through the scope for it and the Security Scanning topic https://wiki.acumos.org/display/SEC/Security+Scanning (bryan_att, 14:01:00)
- Bryan: as mentioned in the email notice we need at least one participant from each Acumos member to support these calls (bryan_att, 14:01:41)
- ... the scope of the committee is across the Acumos project, platform, and models as noted; the related Athena Jira "new features" cover that scope (bryan_att, 14:05:11)
- ... these feature items https://jira.acumos.org/browse/ACUMOS-1044, https://jira.acumos.org/browse/ACUMOS-1041, https://jira.acumos.org/browse/ACUMOS-1040 will be further developed in the next week to identify what can be developed in this release (bryan_att, 14:06:28)
- ... we will need members to identify stakeholders (e.g. security, operations, marketing), architects, and developers that can support this area of the Acumos project (bryan_att, 14:07:44)
- ... the committee will also serve as a triage point for security issues that are raised from production portals or are discovered in the platform, and need to be discussed privately until solutions are determined/deployed. (bryan_att, 14:15:12)
- it was suggested that the committee also work on project capabilities such as auditing the provenance of contributions, analytic assessments of project data to identify potential risks to the project, development of best practices such as no use of shared credentials, etc (bryan_att, 14:20:24)
- it was asked how the project ensures trust in its members or contributors; the response was that anyone theoretically can join or contribute to the project, but has to provide a DCO (developer certificate of origin) for contributions and affiliation (bryan_att, 14:22:22)
- It's up to the project to enforce those requirements and apply the necessary diligence (e.g. by committers/PTLs for commit reviews) to ensure that contributions are clearly attributed, reviewed, and contributed by trusted project members (bryan_att, 14:24:21)
- The security committee can help ensure that the project does follow through with those requirements etc, by holding periodic reviews of related project data (e.g. gerrit logs, looking for problematic pattern indicators) (bryan_att, 14:25:42)
- Bryan will include Chuxin's earlier design work on the Security and Validation component as references in the Jira tickets. (bryan_att, 14:31:07)
- the detailed work on the Security and Validation component will occur in the Common Services project and calls led by Guy. (bryan_att, 14:37:56)
Meeting ended at 14:38:02 UTC
Action items
- (none)
People present (lines said)
- bryan_att (17)
- aimeeu (5)
- collabot_ (3)
Generated by MeetBot 0.1.4.