2025-05-07 SIG-2 Agenda & Minutes
Community Attendees:
@Liam Fallon
@Francesco Davide Lapenta
@James McDermott
Kolawole Adebisi-Adeolokun
@Girish Kumar
Community Attendees:
@Nagy Gergely
@Kushal Harish Naidu
@Rahul Jadhav
@Vishwanath Jayaraman
@balaji varadaraju
LF Staff:
Agenda
Antitrust Policy
Action Items Review
https://github.com/nephio-project/nephio/issues/906 @Nagy Gergely
Status update on R5 Planning: R5 Planning
Security scans on Dockerhub @Rahul Jadhav
(Slack post from @Rahul Jadhav) Folks, for security measures SIG-Security was checking options to enable periodic scanning of Nephio images in Dockerhub. We approached Linux Foundation support and they mentioned that they would need a particular LF user to be added as the admin/owner for the Dockerhub account. Wondering if this can be done ... The problem statement SIG-Security is trying to address is ... currently the container images are scanned only during create/update time as part of CI/CD workflows ... However, if a vulnerability is disclosed at a later point in time, there is no way to identify that in the context of images that are already pushed. Periodic scanning would enable us to identify these vulnerabilities. Considering that most of the 5G core and RAN functions Nephio has are from open source, it might be important to ensure that vulnerabilities are disclosed as soon as possible. This is a relatively low-hanging fruit to get visibility on the exposed vulnerabilities ... There was an article published a few months back which talked about such risks that resulted in this action item.
Update on platform items for R5
DB Cache https://github.com/nephio-project/nephio/issues/836
Update/3 way merge https://github.com/nephio-project/nephio/issues/892
PVS/PV
kpt
test-infra tests
Other items?
Platform slot
Quick PR scan
Tests on test-infra
Issue list triage on Nephio
Minutes
Module Versioning
https://github.com/nephio-project/nephio/issues/906 presented by @Nagy Gergely
The Porch major version changes on each Nephio release, which means that any client using Porch has to update its version every 6 months
We need to change the Nephio release process to remove the need for lock stepping the Porch major version to Nephio releases
We probably should do the same for the Nephio controllers
Security Measures
Administrator access is needed to Dockerhub to perform periodic scans on released Nephio/Porch images. SIG-Security needs this access from SIG-Release
Infrastructure code has YAML files, Ansible scripts, bash scripts, Terraform scripts etc. There are tools that check these types of files for vulnerabilities in "infrastructure as code". Would this be of interest to SIG-Release, given that SIG-Security has already done some work in this area? SIG-Security will raise a PR on test-infra to bring in this tooling.
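As an added illustration of the periodic-scan action item above (not Nephio or Porch project code), the workflow below rescans already-published images on a schedule, so a vulnerability disclosed after the push is still reported even though no build or CI/CD run is triggered. Image references, the scanner choice (Trivy) and the schedule are assumptions for the example.

```yaml
# Added example, not Nephio/Porch project code: a scheduled GitHub Actions
# workflow that rescans ALREADY-PUBLISHED images, so a CVE disclosed after the
# push is caught even though no new build or CI/CD run happens.
# Assumptions: image names are placeholders; Trivy is the chosen scanner.
name: periodic-image-rescan

on:
  schedule:
    - cron: "0 3 * * *"    # daily at 03:00 UTC, independent of any push or PR
  workflow_dispatch:        # allow an on-demand run after a notable disclosure

permissions:
  contents: read
  security-events: write    # needed to upload SARIF results to the Security tab

jobs:
  rescan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false      # one vulnerable image must not hide findings in the others
      matrix:
        image:
          # PLACEHOLDERS: replace with the real released image references.
          - "docker.io/ORG/IMAGE-A:RELEASED-TAG"
          - "docker.io/ORG/IMAGE-B:RELEASED-TAG"
    steps:
      - name: Scan the published image by reference (pulls it; no rebuild)
        uses: aquasecurity/trivy-action@master   # pin to a verified release tag in real use
        with:
          image-ref: ${{ matrix.image }}
          format: sarif
          output: trivy-${{ strategy.job-index }}.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true   # report only findings with a fix available; drop this to see everything
          exit-code: "1"         # fail the job so the new disclosure is visible, not silently logged
      - name: Upload findings
        if: always()             # upload even when the scan step failed on findings
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-${{ strategy.job-index }}.sarif
          category: rescan-${{ matrix.image }}
```

Because the scan runs against the registry reference rather than a build context, the job finds issues in images that were clean when pushed; the image list must be kept in step with each release.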