13:31:13 #startmeeting Acumos TSC Security Committee
13:31:13 Meeting started Wed Jun 20 13:31:13 2018 UTC. The chair is bryan_att. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:31:13 Useful Commands: #action #agreed #help #info #idea #link #topic.
13:31:13 The meeting name has been set to 'acumos_tsc_security_committee'
13:31:53 #info Bryan Sullivan
13:32:02 #topic Agenda
13:32:25 #info Agenda is at https://wiki.acumos.org/display/SEC/Meetings
13:32:52 #info Bridge is shown on that page
14:04:57 #info Present: Yash, Bryan, Jack, Manoop, Chuxin
14:13:11 #topic High-level goals and planning
14:20:52 #info The list of items in the agenda will be associated with Jira Epic items and further described in detail as use case analysis tasks, with considerations etc. for the area of functionality related to the use case
14:24:43 #info Examples so far include https://jira.acumos.org/browse/ACUMOS-1175 and https://jira.acumos.org/browse/ACUMOS-1176 as discussed on the call
14:26:11 #info The security committee members need to consider the priority and their ability to resource implementation of the four main items below. The Jira items above relate to the last one:
14:26:48 #info 1) project (gerrit gates for license/vulnerability scan) - working with the LF infra team
14:26:58 #info 2) platform (hardening, testing, best practices) - working with the various projects
14:27:08 #info 3) model deployment (hardening, best practices) - working with the Deployment project
14:27:16 #info 4) model contribution (license/vulnerability scan) - working with the Common Services project
14:27:56 #topic https://jira.acumos.org/browse/ACUMOS-1175
14:32:14 #info Jack: suggested that the use cases on https://wiki.acumos.org/display/SEC/Security+Home be associated with the focus areas above (project, platform deployment, model deployment, model scanning) so that members can determine which they are most interested in supporting
14:34:37 #info Jack: we should ensure that for the record of scanning, we have entries in the log (as collected/exported into logstash) in addition to the step table entry in the database, and a record of the scan in the artifact list
14:37:50 #info Jack: the record of the scan should include what was done, and what was not done because it was not possible at the time, so that companies/users can make their own contextual decisions about whether the scan result is adequate for their purposes.
14:40:50 #info Bryan: as part of the planning for some of the impacts, we will consider the impact to other platform components, and the feasibility of getting the related changes into this release will factor into that. For example, adding source code to the package impacts the client libraries.
14:44:16 #info As new scan operations get executed, the metadata related to the history of scanning should be added to the various places it is recorded
14:51:02 #info Jack: suggest that we work on an overall security document for Acumos, e.g. with policies and best practices for operators and the platform, supporting overall security of the ecosystem per the needs of its members
14:51:38 #info Bryan: that doc will need specific input from the community members
14:54:17 #info Bryan: that doc is currently represented by the wiki page content, and should address such items as policies for workflows (e.g. onboarding, publication, federation), security issue reporting, security issue resolution
14:55:30 #info Jack: to kickstart that document, Chuxin should put together an outline of example security policies
14:57:07 #info Bryan: suggest that we first work on a set of questions that we can send to members, focused on what their own (company) goals are for the security of the Acumos platform and ecosystem, to help drive their input in the committee, and participation in the effort to document its goals.
14:57:12 #endmeeting