We will start by mentioning the project's Antitrust Policy, which you can find linked from the LF and project websites. The policy is important where multiple companies, including potential industry competitors, are participating in meetings. Please review and if you have any questions, please contact your company legal counsel. Members of the LF may contact Andrew Updegrove at the firm Gesmer Updegrove LLP, which provides legal counsel to the LF.
Introduction of Committer Representative to the TAC: Amy Zwarico
TAC attendance at TSC meetings
Committer representative election mechanics
Discussion: how to resolve communities that have different voting populations for different classes in a TSC? Options: the community picks which voting class applies, or the broadest class is taken.
VOTE: For the committer representative election, the eligible voter population for each community will match that community's voting population for their TSC elections.
Intent: get TAC members to attend project TSC meetings that are not part of their daily working routine, to gain more perspective
Casey Cain to share out the meeting schedules for all the TSC meetings to facilitate TAC member drop-ins
LFN-wide Security
Ranny Haiby: On-going need for security best practice exchange for all LFN projects
Perhaps a forum for on-going dialogue on security topics?
Informal engagements - not a requirements generation body
Also need a unified LFN messaging about security
Amy Zwarico: Great idea - ONAP experience has given some best practices
Security includes additional work for all project teams
Getting LFN wide approaches to security would be useful
Security requirements are a part of every release
Some interdependencies between projects exist - so uniform approaches are important (e.g. ONAP and ODL)
EVERY component of ONAP pulls in other upstream code - many external dependencies
Brian Freeman: SolarWinds was a supply chain attack, so treating all the attack surfaces and the supply chain is essential
A TAC recommendation would be useful to help establish the minimum acceptable
The component list is long: MariaDB, K8s, etc. - all have extensive SW BOMs
Next Steps
Proposal: Start with a mailing list and wiki space for sharing security tools/processes
Morgan Richomme: A TAC recommendation on basics would be useful
Building/publishing Docker containers should be more automated, with more scanners as provided by LF IT
Claiming security when not being thorough is worse than not claiming/doing anything.
Committer representative election mechanics
How to enable communities that have different structures than just committers/contributors?
Proposal: Each community provides the list of eligible voters for the committer representative election
RESOLVED: The TAC agrees that the eligible voter population for the Committer Representative shall match that community's voting population for their TSC General Elections.