|
FYI: Cloud Native Security Whitepaper 2020
The CNCF Security SIG did an excellent job putting together a white paper around cloud native security: https://github.com/cncf/sig-security/blob/master/security-whitepaper/cloud-native-security-whitepaper.md It's great! Please check it out and feel free to provide their community feedback on it! Chris Aniszczyk (@cra)
|
|||||||||||||
|
|
|||||||||||||
|
Re: FYI: New Training Course on Diversity in Open Source
Let's put it as a discussion item for the next meeting and consider rolling it out in 2021
On Wed, Nov 18, 2020 at 9:47 AM Liz Rice <liz@...> wrote:
--
Chris Aniszczyk (@cra)
|
|||||||||||||
|
|
|||||||||||||
|
Re: [cncf-sig-security] Vulnerability scanning for CNCF projects
" Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)?" We have a graduation requirement around CII badging which requires a security disclosure process so it's there but not codified formally, we could do that, I think the important thing is that projects also publish advisories in a standard way (like via the github security API) We should treat the LF tool suite as another option for projects to take advantage of, already many projects are using Snyk, FOSSA, Whitesource etc that is listed here: https://github.com/cncf/servicedesk#tools You can kind of get an SBOM (depending you define sbom ;p) for some of our projects already: https://app.fossa.com/attribution/c189c5b9-fe2c-45f2-ba40-c34c36bab868 I think offering projects more choice is always better as the landscape changes often in tooling.
On Wed, Nov 18, 2020 at 10:54 AM Emily Fox <themoxiefoxatwork@...> wrote:
--
Chris Aniszczyk (@cra)
|
|||||||||||||
|
|
|||||||||||||
|
Re: [cncf-sig-security] Vulnerability scanning for CNCF projects
Liz, Love this. As part of the assessments SIG-Security performs, we've begun highlighting the importance of secure development practices. The last few assessments we've begun pushing more for this, as well as responsible disclosure instructions and general security mindedness for project sustainment. This fits in alignment with those efforts. We currently have the assessment process undergoing some updates (held currently for kubecon) and this make it a great time to potentially include this. I personally would like to see license dependencies and dependency trees to help push forward in the area of SBOM. I think we should be clear however in what our thresholds and terms are in this area, offhand i can think of the following potentials: * Listing of vulns in deliverable artifacts * Listing licensing dependencies * SBOM * vulnerability threshold and prioritizing resolution in prior to artifact delivery * vulnerability threshold and prioritizing resolution post artifact delivery Definitely worth a conversation and follow-ups. Do you have anything in mind that are must haves off the above or anything I missed or misunderstood? ~Emily Fox
On Wed, Nov 18, 2020 at 11:41 AM Liz Rice <liz@...> wrote:
|
|||||||||||||
|
|
|||||||||||||
|
Vulnerability scanning for CNCF projects
Liz Rice
Hi TOC and SIG Security folks On Friday I got a nice preview from Shubhra Kar and his team at the LF about some tools they are building to provide insights and stats for LF (and therefore CNCF) projects. One that's of particular interest is an integration of scanning security issues. We require graduated projects to have security reviews, and SIG Security are offering additional assessments, but we don't really have any standards around whether project artifacts shipping with vulnerabilities. Should we have something in place for requiring projects to have a process to fix vulnerability issues (at least the serious ones)? This tooling is off to a great start. The current numbers for a lot of our projects look really quite bad, but this may be to do with scanning all the repos related to a project's org. I'd imagine there are also some false positives from things like dependencies only used in test that don't affect the security of the executables that end users run - we may want to look at just reporting vulnerabilities from a project's deployable artifacts. As well as vulnerability scanning this is showing license dependencies, which could be very useful. For discussion, how we want to use this kind of info, and whether we want to formalize requirements on projects (e.g. at graduation or incubation levels). Copying Shubra in case he would like to comment further. . Enjoy KubeCon! Liz
|
|||||||||||||
|
|
|||||||||||||
|
Re: FYI: New Training Course on Diversity in Open Source
Liz Rice
Thanks Chris. We could also require it for TOC members & SIG chairs too
On Wed, Nov 18, 2020 at 2:40 PM Chris Aniszczyk <caniszczyk@...> wrote:
|
|||||||||||||
|
|
|||||||||||||
|
Re: FYI: New Training Course on Diversity in Open Source
Thanks! Liz I have added this as a requirement per the project proposal process: https://github.com/cncf/toc/pull/570 We can discuss at the next TOC meeting to vote/finalize the changes, but I think the best place to put the requirement is at the project proposal phase where we can easily check against the initial list of maintainers. In the future, we can try to do something fancy like an automated audit report based on what's in maintainers.cncf.io and if they have taken the course.
On Wed, Nov 18, 2020 at 8:30 AM Bartłomiej Płotka <bwplotka@...> wrote:
--
Chris Aniszczyk (@cra)
|
|||||||||||||
|
|
|||||||||||||
|
Re: FYI: New Training Course on Diversity in Open Source
Hi, Just completed it (takes ~20 min) and definitely can recommend it to all who maintain projects on open source! 🤗 It's actionable and insightful, +1 to make it mandatory. BTW, direct training link: https://training.linuxfoundation.org/training/inclusive-open-source-community-orientation-lfc102/ (it's free) Kind Regards, Bartek Płotka (@bwplotka)
On Wed, 18 Nov 2020 at 10:07, Liz Rice <liz@...> wrote:
|
|||||||||||||
|
|
|||||||||||||
|
Re: [VOTE] Buildpacks to move to incubation
Archy k
+1 NB
On Wed, Oct 7, 2020 at 5:21 PM Amye Scavarda Perrin <ascavarda@...> wrote:
|
|||||||||||||
|
|
|||||||||||||
|
Re: [VOTE] Buildpacks to move to incubation
Romaric Philogène
+1
--
|
|||||||||||||
|
|
|||||||||||||
|
Re: [VOTE] Buildpacks to move to incubation
Liz Rice
+1 binding
On Tue, 3 Nov 2020 at 17:08, sandeep lahane <sandeep@...> wrote:
|
|||||||||||||
|
|
|||||||||||||
|
Re: FYI: New Training Course on Diversity in Open Source
Liz Rice
I’d like to see all project maintainers taking this at all maturity levels Probably getting carried away here, but it would be nice if we could automate this, a bit like CLA bots: automatically flagging up anyone who’s listed in a Maintainers file if they haven’t taken the course
On Fri, 13 Nov 2020 at 15:31, Chris Aniszczyk <caniszczyk@...> wrote:
|
|||||||||||||
|
|
|||||||||||||
|
Re: [VOTE] etcd for graduation
Robert Wilkins III
+1 NB
|
|||||||||||||
|
|
|||||||||||||
|
Re: [VOTE] etcd for graduation
Liz Rice
+1 binding
On Mon, Nov 16, 2020 at 4:36 PM Justin Cormack via lists.cncf.io <justin.cormack=docker.com@...> wrote:
|
|||||||||||||
|
|
|||||||||||||
|
Re: [VOTE] etcd for graduation
Justin Cormack
+1 (binding) Justin
On Fri, Nov 13, 2020 at 5:51 PM Amye Scavarda Perrin <ascavarda@...> wrote:
|
|||||||||||||
|
|
|||||||||||||
|
Re: [VOTE] etcd for graduation
Tzury Bar Yochay
+1
On Fri, Nov 13, 2020 at 7:51 PM Amye Scavarda Perrin <ascavarda@...> wrote:
--
Tzury Bar Yochay Founder and CTO
|
|||||||||||||
|
|
|||||||||||||
|
Re: [VOTE] etcd for graduation
Sunny Raskar <sunny.raskar@...>
On Fri, Nov 13, 2020 at 11:49 PM Owens, Ken <ken.owens@...> wrote:
****** DISCLAIMER -
This email message, contents
|
|||||||||||||
|
|
|||||||||||||
|
Re: [VOTE] etcd for graduation
Isaac Mosquera
On Mon, Nov 16, 2020 1:55 PM, Thomas Schuetz via lists.cncf.io thomas.schuetz=dynatrace.com@... wrote: +1 non-binding
|
|||||||||||||
|
|
|||||||||||||
|
Re: [VOTE] etcd for graduation
Thomas Schuetz
+1 non-binding
The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it. Dynatrace Austria GmbH (registration number FN 91482h) is a company registered in Linz whose registered office is at 4020 Linz, Austria, Am Fünfundzwanziger Turm 20
|
|||||||||||||
|
|
|||||||||||||
|
Re: [VOTE] etcd for graduation
+1 non-binding
From: cncf-toc@... <cncf-toc@...> on behalf of Amye Scavarda Perrin via lists.cncf.io <ascavarda=linuxfoundation.org@...>
Sent: 13 November 2020 17:51 To: CNCF TOC <cncf-toc@...> Subject: [cncf-toc] [VOTE] etcd for graduation The etcd project has applied for graduation: https://github.com/cncf/toc/pull/541
The due diligence document can be found here: https://docs.google.com/document/d/10IRk__v_nehw-0BpqUnNSY4A8RNP2ztdqKLX2mh0PlU/edit?usp=sharing Xiang Li is the TOC sponsor. Please vote (+1/0/-1) by replying to this thread. Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support! Thank you! - amye Amye Scavarda Perrin | Program Manager |
amye@...
|
|||||||||||||
|
|
