13:03:16 <bryan_att> #startmeeting Acumos TSC Security Committee
13:03:16 <collabot_> Meeting started Wed Jun 13 13:03:16 2018 UTC. The chair is bryan_att. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:03:16 <collabot_> Useful Commands: #action #agreed #help #info #idea #link #topic.
13:03:16 <collabot_> The meeting name has been set to 'acumos_tsc_security_committee'
13:03:47 <bryan_att> #info Bryan Sullivan
13:04:45 <aimeeu> #info aimeeu
13:13:59 <aimeeu> #info attendees: Bob Thorman, Bryan Sullivan, Chuxin Chen, Farheen Cefalu, Ken Kristiansen, Marcel, Nat Subramanian, Prasad, Vasu Kallepalli
13:17:07 <aimeeu> #info attendees: Jamil (Orange)
13:18:17 <aimeeu> #info attendees: GuangCong Liu
14:01:00 <bryan_att> #info Bryan presented the Security home at https://wiki.acumos.org/display/SEC/Security+Home and walked through the scope for it and the Security Scanning topic https://wiki.acumos.org/display/SEC/Security+Scanning
14:01:41 <bryan_att> #info Bryan: as mentioned in the email notice we need at least one participant from each Acumos member to support these calls
14:02:13 <aimeeu> how does opnfv share gotomeeting account creds with PTLs etc?
14:03:41 <bryan_att> no idea
14:04:02 * bryan_att is trying to capture the minutes...
14:05:11 <bryan_att> #info ... the scope of the committee is across the Acumos project, platform, and models as noted; the related Athena Jira "new features" cover that scope
14:06:28 <bryan_att> #info ... these feature items https://jira.acumos.org/browse/ACUMOS-1044, https://jira.acumos.org/browse/ACUMOS-1041, https://jira.acumos.org/browse/ACUMOS-1040 will be further developed in the next week to identify what can be developed in this release
14:07:44 <bryan_att> #info ... we will need members to identify stakeholders (e.g. security, operations, marketing), architects, and developers that can support this area of the Acumos project
14:15:12 <bryan_att> #info ... the committee will also serve as a triage point for security issues that are raised from production portals or are discovered in the platform, and need to be discussed privately until solutions are determined/deployed.
14:20:24 <bryan_att> #info it was suggested that the committee also work on project capabilities such as auditing the provenance of contributions, analytic assessments of project data to identify potential risks to the project, development of best practices such as no use of shared credentials, etc.
14:22:22 <bryan_att> #info it was asked how the project ensures trust in its members or contributors; the response was that anyone theoretically can join or contribute to the project, but has to provide a DCO (developer certificate of origin) for contributions and affiliation
14:24:21 <bryan_att> #info It's up to the project to enforce those requirements and apply the necessary diligence (e.g. by committers/PTLs for commit reviews) to ensure that contributions are clearly attributed, reviewed, and contributed by trusted project members
14:25:42 <bryan_att> #info The security committee can help ensure that the project does follow through with those requirements etc., by holding periodic reviews of related project data (e.g. gerrit logs, looking for problematic pattern indicators)
14:31:07 <bryan_att> #info Bryan will include Chuxin's earlier design work on the Security and Validation component as references in the Jira tickets.
14:37:56 <bryan_att> #info the detailed work on the Security and Validation component will occur in the Common Services project and calls led by Guy.
14:38:02 <bryan_att> #endmeeting