#acumos-meeting: Acumos TSC Security Committee

Meeting started by bryan_att at 13:31:13 UTC (full logs).

Meeting summary

  1. Bryan Sullivan (bryan_att, 13:31:53)

  1. Agenda (bryan_att, 13:32:02)
    1. Agenda is at https://wiki.acumos.org/display/SEC/Meetings (bryan_att, 13:32:25)
    2. Bridge is shown on that page (bryan_att, 13:32:52)
    3. Present: Yash, Bryan, Jack, Manoop, Chuxin (bryan_att, 14:04:57)

  2. High-level goals and planning (bryan_att, 14:13:11)
    1. The list of items in the agenda will be associated with Jira Epic items and further described in detail as use case analysis tasks, with considerations etc for the area of functionality related to the use case (bryan_att, 14:20:52)
    2. Examples so far include https://jira.acumos.org/browse/ACUMOS-1175 and https://jira.acumos.org/browse/ACUMOS-1176 as discussed on the call (bryan_att, 14:24:43)
    3. The security committee members need to consider the priority and their ability to resource implementation of the four main items below. The Jira items above relate to the last one: (bryan_att, 14:26:11)
    4. 1) project (gerrit gates for license/vulnerability scan) - working with the LF infra team (bryan_att, 14:26:48)
    5. 2) platform (hardening, testing, best practices) - working with the various projects (bryan_att, 14:26:58)
    6. 3) model deployment (hardening, best practices) - working with the Deployment project (bryan_att, 14:27:08)
    7. 4) model contribution (license/vulnerability scan) - working with the Common Services project (bryan_att, 14:27:16)

  3. https://jira.acumos.org/browse/ACUMOS-1175 (bryan_att, 14:27:56)
    1. Jack: suggested that the use cases on https://wiki.acumos.org/display/SEC/Security+Home be associated with the focus areas above (project, platform deployment, model deployment, model scanning) so that members can determine which they are most interested in supporting (bryan_att, 14:32:14)
    2. Jack: we should ensure that for the record of scanning, we have entries in the log (as collected/exported into logstash) in addition to the step table entry in the database, and record of the scan in the artifact list (bryan_att, 14:34:37)
    3. Jack: the record of the scan should include what was done, and what was not done because it was not possible at the time, so that companies/users can make their own contextual decisions about whether the scan result is adequate for their purposes. (bryan_att, 14:37:50)
    4. Bryan: as part of the planning for some of the impacts, we will consider the impact to other platform components, and the feasibility of getting the related changes into this release will factor into that. For example, adding source code to the package impacts the client libraries. (bryan_att, 14:40:50)
    5. As new scan operations get executed, the metadata related to the history of scanning should be added to the various places it is recorded (bryan_att, 14:44:16)
    6. Jack: suggest that we work on an overall security document for Acumos, e.g. with policies and best practices for operators and the platform, supporting overall security of the ecosystem per the needs of its members (bryan_att, 14:51:02)
    7. Bryan: that doc will need specific input from the community members (bryan_att, 14:51:38)
    8. Bryan: that doc is currently represented by the wiki page content, and should address such items as policies for workflows (e.g. onboarding, publication, federation), security issue reporting, security issue resolution (bryan_att, 14:54:17)
    9. Jack: to kickstart that document, Chuxin should put together an outline of example security policies (bryan_att, 14:55:30)
    10. Bryan: suggest that we first work on a set of questions that we can send to members, focused on what their own (company) goals are for the security of the Acumos platform and ecosystem, to help drive their input in the committee, and participation in the effort to document its goals. (bryan_att, 14:57:07)


Meeting ended at 14:57:12 UTC (full logs).

Action items

  1. (none)


People present (lines said)

  1. bryan_att (26)
  2. collabot_ (3)


Generated by MeetBot 0.1.4.