Date   

Re: [VOTE] Streamlining incubation process

Josh Berkus
 

On 4/22/21 2:05 PM, Amye Scavarda Perrin wrote:
A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640 <https://github.com/cncf/toc/pull/640>
+1 NB

As someone who frequently advises projects on how to get through the process, this is a huge step forwards.

--
-- Josh Berkus
Kubernetes Community Architect
OSPO, OCTO


Re: [VOTE] Streamlining incubation process

Santiago Torres Arias <santiago@...>
 

+1 (NB)

On Thu, Apr 22, 2021 at 02:05:02PM -0700, Amye Scavarda Perrin wrote:
A proposal has been made to streamline the incubation process:
https://github.com/cncf/toc/pull/640

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate
non-binding votes from the community as a sign of support!

--
Amye Scavarda Perrin | Program Manager | amye@linuxfoundation.org





[VOTE] Streamlining incubation process

Amye Scavarda Perrin
 

A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640 

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--
Amye Scavarda Perrin | Program Manager | amye@...


Re: Agenda for 4/20

Justin Cormack
 

I have a conflict too, I may be there for part of the call.

Apologies

Justin


On Tue, Apr 20, 2021 at 8:13 AM Lei Zhang <resouer@...> wrote:
Sorry, I happened to have conflict and have to miss this one.

On Mon, Apr 19, 2021 at 10:45 AM Amye Scavarda Perrin <ascavarda@...> wrote:
Hi all, 
We'll be meeting tomorrow at 8am Pacific. Tomorrow's discussion is on some updates to the incubating process. (https://github.com/cncf/toc/pull/640 has details.) 



--
Amye Scavarda Perrin | Program Manager | amye@...


Re: Agenda for 4/20

Lei Zhang
 

Sorry, I happened to have conflict and have to miss this one.

On Mon, Apr 19, 2021 at 10:45 AM Amye Scavarda Perrin <ascavarda@...> wrote:
Hi all, 
We'll be meeting tomorrow at 8am Pacific. Tomorrow's discussion is on some updates to the incubating process. (https://github.com/cncf/toc/pull/640 has details.) 



--
Amye Scavarda Perrin | Program Manager | amye@...


Re: Agenda for 4/20

Erin Boyd
 

I have to drop after 30 minutes. Apologies in advance,
Erin


On Apr 19, 2021, at 11:45 AM, Amye Scavarda Perrin <ascavarda@...> wrote:

Hi all, 
We'll be meeting tomorrow at 8am Pacific. Tomorrow's discussion is on some updates to the incubating process. (https://github.com/cncf/toc/pull/640 has details.) 



Re: [cncf-sig-security] Action Needed - Codecov bash uploader supply chain attack

Richard Hartmann
 

Just to confirm: Chris A already sent this to all maintainers.


Agenda for 4/20

Amye Scavarda Perrin
 

Hi all, 
We'll be meeting tomorrow at 8am Pacific. Tomorrow's discussion is on some updates to the incubating process. (https://github.com/cncf/toc/pull/640 has details.) 


[cncf-sig-security] Action Needed - Codecov bash uploader supply chain attack

Liz Rice
 

🙏 Thanks to SIG Security for this advice on Codecov  

@chris @amye you’re probably already on top of this, but please could we make sure the relevant project maintainers are aware and acting on this? Per their note, SIG Security are available on Slack if anyone has any questions


---------- Forwarded message ---------
From: Lorenzo Fontana <fontanalorenz@...>
Date: Sat, 17 Apr 2021 at 23:49
Subject: [cncf-sig-security] Action Needed - Codecov bash uploader supply chain attack
To: <cncf-sig-security@...>


Hello everyone,
On April 15th 2021, the Codecov team published a note [0] acknowledging a supply chain attack affecting their bash uploader.

**Background of the attack**

The Codecov bash uploader is the component responsible for reporting back coverage results to the CI systems of the projects using the service.

This component is usually executed in a CI step by just downloading and executing the script via bash  + cURL directly as described in their documentation [1].

This attack was possible because of an error in the image creation process that allowed the actor to extract the credential required to modify the script.

From their announcement:

The altered version of the bash uploader script could potentially affect:

- Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the bash uploader script was executed.
- Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
- The git remote information (URL of the origin repository) of repositories using the bash uploader to upload coverage to Codecov in CI.


**Action Items**

CNCF projects using Codecov are recommended to do the following:

- Rotate all the private credentials available in the context where the script was executed
- Validate the bash script with a trusted copy of the SHA256 sum as described in the Codecov docs [2]
- Watch out for any suspect usage of the tokens


**Projects**

The SIG does not have visibility on whether or not projects are using Codecov right now. However, we did a research and this is a list of the repositories that we found using Codecov:

https://github.com/argoproj/argo-cd
https://github.com/containerd/containerd
https://github.com/coredns/coredns
https://github.com/etcd-io/etcd
https://github.com/goharbor/harbor
https://github.com/jaegertracing/jaeger
https://github.com/kubernetes/dashboard
https://github.com/kubernetes/ingress-nginx
https://github.com/prometheus/prometheus_api_client_ruby
https://github.com/buildpacks/lifecycle
https://github.com/cri-o/cri-o
https://github.com/opentracing/opentracing-c



If you don’t know how to check or have any other questions regarding this. Please feel free to reach out to the #sig-security channel on the CNCF Slack.

The CNCF SIG-Security Team

P.S: Thanks to Magno Logan, Emily Fox and Dan (POP) Papandrea for helping in getting this ready for the mailing list.


[0] https://about.codecov.io/security-update/
[1] https://docs.codecov.io/docs/about-the-codecov-bash-uploader
[2] https://docs.codecov.io/docs/about-the-codecov-bash-uploader#validating-the-bash-script







[RESULT] Emissary-ingress approved for Incubation

Amye Scavarda Perrin
 

The Emissary-ingress project has been approved for incubation. 

9/11 -- passes

+1 NB
Randy Abernethy https://lists.cncf.io/g/cncf-toc/message/5716
Matt Klein https://lists.cncf.io/g/cncf-toc/message/5717
Dave Sudia https://lists.cncf.io/g/cncf-toc/message/5719
Alois Reitbauer  https://lists.cncf.io/g/cncf-toc/message/5724
Lee Calcote https://lists.cncf.io/g/cncf-toc/message/5725
Steve Flanders https://lists.cncf.io/g/cncf-toc/message/5730
Peter ONeill Jr https://lists.cncf.io/g/cncf-toc/message/5736
Flynn https://lists.cncf.io/g/cncf-toc/message/5737
Adam FitzGerald https://lists.cncf.io/g/cncf-toc/message/5738
Chris Short https://lists.cncf.io/g/cncf-toc/message/5739
Richard Li https://lists.cncf.io/g/cncf-toc/message/5740
Kan Yao https://lists.cncf.io/g/cncf-toc/message/5742
Johan Tordsson https://lists.cncf.io/g/cncf-toc/message/5743
Oleg Chornyi https://lists.cncf.io/g/cncf-toc/message/5745
Niraj Tolia https://lists.cncf.io/g/cncf-toc/message/5746
JJ https://lists.cncf.io/g/cncf-toc/message/5747
Barak Stout https://lists.cncf.io/g/cncf-toc/message/5749

--
Amye Scavarda Perrin | Program Manager | amye@...


[cncf-sig-security] Supply Chain Security Paper Open for public comment

Chris Aniszczyk
 

FYI

---------- Forwarded message ---------
From: Emily Fox <themoxiefoxatwork@...>
Date: Fri, Apr 9, 2021 at 11:20 AM
Subject: [cncf-sig-security] Supply Chain Security Paper Open for public comment
To: <cncf-sig-security@...>


Hello!
  The cloud native security supply chain security group has worked diligently in creating an initial draft paper that provides the community with:
* Recommendations for securing each point of an organisation's software supply chain, whether the organisation produces or consumes cloud native software.
* Justifications and explanations for recommendations commensurate with the risk level and assurance requirements of an organization
* Tooling to implement recommendations

We are asking you, the community, to review the paper and provide comments/suggestions/improvements by Friday April 23rd 2021 so that we may incorporate them and finalized the initial version.

You may access the document at the below URL:
https://docs.google.com/document/d/1VURD9rdEhiuqPdixhEozkHw01Tk6e2AaJVjBK3pK6Zc/edit



--
Chris Aniszczyk (@cra)


Re: Agenda for 4/6 TOC meeting

Saad Ali
 

I will miss 4/6 meeting as well.

On Tue, Apr 6, 2021 at 3:11 AM Justin Cormack via lists.cncf.io <justin.cormack=docker.com@...> wrote:
Apologies I don't think I will make it due to reschedules from yesterday's holiday.

Justin


On Tue, Apr 6, 2021 at 1:33 AM Amye Scavarda Perrin <ascavarda@...> wrote:


Re: Agenda for 4/6 TOC meeting

Justin Cormack
 

Apologies I don't think I will make it due to reschedules from yesterday's holiday.

Justin


On Tue, Apr 6, 2021 at 1:33 AM Amye Scavarda Perrin <ascavarda@...> wrote:


Agenda for 4/6 TOC meeting

Amye Scavarda Perrin
 


Brigade 2021 Annual review

Vaughn Dice <Vaughn.Dice@...>
 

Greetings,

I wanted to send an email to notify that Brigade's 2021 Annual review has been posted.

It can be seen via the following pull request: https://github.com/cncf/toc/pull/631
Adds Brigade's 2021 Annual review. Thank you!
github.com
Thank you in advance for your feedback!

Vaughn Dice
Brigade Maintainer


Sandbox Inclusion Meeting Results

Amye Scavarda Perrin
 

The TOC met today to review the applications for projects wishing to be included as sandbox projects. We weren't able to make it through all of the applications, we'll hold a second review meeting on April 27th. 

Ingraind  - passes with a majority TOC vote - https://github.com/cncf/toc/issues/626
Kuberhealthy - passes with a majority TOC vote - https://github.com/cncf/toc/issues/627
k8gb - Kubernetes Global Balancer   - passes with a majority TOC vote -  https://github.com/cncf/toc/issues/628
Vineyard - reviewing SIG Storage presentation, TOC to reach out to get more background
He3local - waiting for more community momentum, reapply in 6 months
Quark - waiting for more community momentum, reapply in 6 months
Trickster - passes with a majority TOC vote - https://github.com/cncf/toc/issues/629
SSVM - TOC would like more clarification around possible rename
ChaosBlade - moved to April 27th
YARP – Yet Another Reverse Proxy - moved to April 27th
KubeInvaders - moved to April 27th
KubePlus - moved to April 27th
Service Mesh Performance - moved to April 27th
Meshery - moved to April 27th
Fluid - moved to April 27th 

--
Amye Scavarda Perrin | Program Manager | amye@...


Re: [VOTE] Emissary-Ingress (was: Ambassador) for incubation

Erin Boyd
 

+1 binding


On Mar 25, 2021, at 2:05 PM, Davanum Srinivas <davanum@...> wrote:


+1 Binding

On Fri, Mar 5, 2021 at 3:56 AM Liz Rice <liz@...> wrote:
+1 binding 



On Thu, 4 Mar 2021 at 17:53, Johan Tordsson via lists.cncf.io <johan.tordsson=elastisys.com@...> wrote:

+1 NB

Den 2021-03-03 kl. 20:44, skrev Richard Li:
+1 NB

On Wed, Mar 3, 2021 at 2:42 PM Chris Short <chris@...> wrote:
+1 non-binding

Chris Short
He/Him/His
TZ=America/Detroit


On Wed, Mar 3, 2021 at 2:40 PM Adam FitzGerald via lists.cncf.io <adam.fitzgerald=hashicorp.com@...> wrote:
+1 NB

Regards
Adam

On Wed, Mar 3, 2021 at 7:19 AM Flynn <flynn@...> wrote:
+1 NB
-- 
Johan Tordsson, PhD
CTO & Co-founder
www.elastisys.com



--
Davanum Srinivas :: https://twitter.com/dims


Re: [VOTE] Emissary-Ingress (was: Ambassador) for incubation

Davanum Srinivas
 

+1 Binding

On Fri, Mar 5, 2021 at 3:56 AM Liz Rice <liz@...> wrote:
+1 binding 



On Thu, 4 Mar 2021 at 17:53, Johan Tordsson via lists.cncf.io <johan.tordsson=elastisys.com@...> wrote:

+1 NB

Den 2021-03-03 kl. 20:44, skrev Richard Li:
+1 NB

On Wed, Mar 3, 2021 at 2:42 PM Chris Short <chris@...> wrote:
+1 non-binding

Chris Short
He/Him/His
TZ=America/Detroit


On Wed, Mar 3, 2021 at 2:40 PM Adam FitzGerald via lists.cncf.io <adam.fitzgerald=hashicorp.com@...> wrote:
+1 NB

Regards
Adam

On Wed, Mar 3, 2021 at 7:19 AM Flynn <flynn@...> wrote:
+1 NB
-- 
Johan Tordsson, PhD
CTO & Co-founder
www.elastisys.com



--
Davanum Srinivas :: https://twitter.com/dims


[RESULT] Tech Leads for SIG Storage Approved

Amye Scavarda Perrin
 


Re: security & CNCF projects

alexis richardson
 

Hi all

Can we have a refresh on this. 


I think we need to get grown up about security processes for our projects. 

Alexis 




On Wed, 17 Feb 2021, 11:44 Luke Hinds, <lhinds@...> wrote:
Not on the TOC, so hope it's ok to comment.

I have the same concerns as Liz, quite often metrics are gathered without all factors considered.

Take kubernetes for example, huge code base, huge user base and so many eyes looking to find vulnerabilities, compounded even more by a financial incentive with the bug bounty system. I monitor the hackone queue as a PSC member, and they come in thick and fast everyday (pleased to say most of them are invalids).

This naturally results in a high vulnerability count, but it's not as simple as a high count equals bad project, if just means more have been discovered, not necessarily produced. 

I am also sceptical of using code scanners to assess the security posture of a project, great tools to use, but they do get it wrong and unless the false positives are constantly pruned out, they will make a project look much worse than it is.  I can say this even after maintaining an OSS scanner project that hits around 100k downloads a week [0]


On Wed, Feb 17, 2021 at 10:05 AM Liz Rice <liz@...> wrote:

I've realised that one reason the results look so damning for the projects is that they are the sum of vulnerabilities found over a period of time (and an arbitrary period of time at that). For example, here's the front page result for Kubernetes, which makes it look incredibly bad: 
image.png

It's pretty hard to tell, but I think this is telling me that the latest release of Kubernetes has 9 high sev vulns, not 261

Screenshot 2021-02-17 at 09.54.59.png

These pretty graphs are pointless if they don't convey useful information. IMO, the most useful result for an end user is whether the current release has vulnerabilities. What maintainers need to see is what vulnerabilities exist in the currently-supported set of releases, plus the main branch. Neither of these are currently easy to access, as presented. 

Liz

On Tue, Feb 16, 2021 at 7:38 PM Alexis Richardson <alexis@...> wrote:
I understand this is Beta

I believe all of the CNCF community should have equal access.   



On Tue, 16 Feb 2021 at 19:25, Chris Aniszczyk <caniszczyk@...> wrote:
Alexis, the tool is freely available just like a variety of other security tools that CNCF projects use, from LFX Security (white labeled Snyk), Snyk, FOSSA, CodeQL, WhiteSource etc, lots of great options out there that we all support and encourage projects to check out. This tool is simply white labeled Snyk so it's nothing necessarily new and properly labeled here: https://github.com/cncf/servicedesk#tools - projects use what is best for them always.  We will have it setup for Flux soon for you to experiment with both inside and outside of GitHub.

To Liz's point, like any security tool, there's a ton of false positives to deal with and should be handled on a per project / maintainer basis. Almost by default, every project looks terrible based on the default scan. This is why things like GitHub's codescan tooling is built in by default to only show information to maintainers: first https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning

The LFX Security work is still in "beta" and a work in progress so keep that in mind.



On Tue, Feb 16, 2021 at 1:10 PM Alexis Richardson <alexis@...> wrote:
I strongly disagree Chris, this is a great resource that all should be aware of.

Now that we don’t have FPs, can we just publish the data?  Please do not assume that end users will not run their own scans too


On Tue, 16 Feb 2021 at 18:49, Chris Aniszczyk <caniszczyk@...> wrote:
+1 to what Liz said here, this should be opt-in for project maintainers like any tool

Can we please just leave this as a per project decision as any other tool as we decided last time this came up, the TOC list is the wrong place for this discussion

Thanks!

On Tue, Feb 16, 2021 at 12:47 PM Shubhra Kar <skar@...> wrote:
The scan data from Snyk right now is fairly clean as they curate and weed out false positives proactively. In the tool, we do have flags on the bugs to dismiss it (in case it's still a false positive).

We can definitely put a big Beta tag on the service. We are adding code secrets scanning from another vendor partnership in the next couple of months. We are planning to provide a  "regex" filter to maintainers to eliminate FPs globally as well. 


Shubhra



On Tue, Feb 16, 2021, 10:36 AM Liz Rice <liz@...> wrote:
I have an idea that there were concerns about making the data publicly available because of false positives, and the worry that if projects appear (incorrectly) to be unsafe that will impede adoption. Do we have progress on reducing those FPs e.g. being able to flag parts of a project as not relevant to scan? (I hope Kubernetes doesn't really have 261 high-severity vulnerabilities, as it currently appears). 

Can we also more clearly flag that this is a work in progress? 

Thanks,
Liz



On Tue, Feb 16, 2021 at 6:23 PM Shubhra Kar <skar@...> wrote:
Essentially we want them to create LFIDs to grant access.


Shubhra


On Tue, Feb 16, 2021, 10:05 AM Vasu Naidu <vnaidu@...> wrote:

Thanks Stephen.

 

We have granted access to given access to stefan@....

 

We are unable to find accounts for hidde@... and michael@... .

 

Regards,

Vasu

 

 

From: Stephen Augustus <hey@...>
Date: Tuesday, February 16, 2021 at 9:52 AM
To: Shubhra Kar <skar@...>
Cc: Alexis Richardson <alexis@...>, Vasu Naidu <vnaidu@...>, St Leger, Jim <jim.st.leger@...>, Chris Aniszczyk <caniszczyk@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

As I understand it, https://maintainers.cncf.io/ holds the aggregate maintainers for CNCF project.

 

-- Stephen

 

On Tue, Feb 16, 2021 at 12:46 PM Shubhra Kar <skar@...> wrote:

I would suggest we add access for all the maintainers of the project and anyone on the governance committees (example TSCs).

 

Do you maintain a maintainers.md file or better for us to just scan the repos and find the contributors ?


Kind Regards,

 

Shubhra Kar

CTO and GM of Products and IT

tweet: @shubhrakar

 

 

On Tue, Feb 16, 2021 at 9:10 AM Alexis Richardson <alexis@...> wrote:

thanks, how do I share these with the flux maintainers and community

 

On Tue, Feb 16, 2021 at 4:59 PM Vasu Naidu <vnaidu@...> wrote:

Hi Alexis,

 

You should have access to the security reports of the flux project. Please let me know if you have any questions.

 

https://security.lfx.linuxfoundation.org/#/a0941000002wBz4AAE/foundation-details

 

Regards,

Vasu

 

 

From: St Leger, Jim <jim.st.leger@...>
Date: Tuesday, February 16, 2021 at 7:06 AM
To: Chris Aniszczyk <
caniszczyk@...>, alexis richardson <alexis@...>, Pranab Bajpai (pbajpai@...) <pbajpai@...>, Vasu Naidu (vnaidu@...) <vnaidu@...>
Cc: Alexis Richardson via cncf-toc <
cncf-toc@...>
Subject: RE: [cncf-toc] security & CNCF projects

+ Pranab and Vasu (product/eng leads on LFX I believe.)

 

Jim

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Chris Aniszczyk
Sent: Tuesday, February 16, 2021 7:13 AM
To: alexis richardson <alexis@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>
Subject: Re: [cncf-toc] security & CNCF projects

 

I'll follow up Alexis on the ticket but it's just white labeled https://snyk.io 

 

If you are already using, say Snyk via github action (https://github.com/snyk/actions/tree/master/golang) you won't see anything new (which is available for open source projects).

 

On Tue, Feb 16, 2021 at 3:54 AM alexis richardson <alexis@...> wrote:

Hi all

 

Has anyone looked at this? 

 

How do we see project data?  I wanted to take a look at flux.  I had to create a login.  Then, I had to "request" a view, which turned out to mean filing a JIRA ticket.  Since then, tumbleweed.

 

Can we have something more open & useful please?

 

a

 

 


 

--

Chris Aniszczyk (@cra)



--
Chris Aniszczyk (@cra)


--
Chris Aniszczyk (@cra)




541 - 560 of 6343