2025-05-07 SIG-2 Agenda & Minutes

Community Attendees:

@Liam Fallon

@Francesco Davide Lapenta

@James McDermott

Kolawole Adebisi-Adeolokun

@Girish Kumar

Community Attendees:

@Nagy Gergely

@Kushal Harish Naidu

@Rahul Jadhav

@Vishwanath Jayaraman

@balaji varadaraju

LF Staff:

Agenda

Antitrust Policy

  • Action Items Review

  • https://github.com/nephio-project/nephio/issues/906 @Nagy Gergely

  • Status update on R5 Planning: R5 Planning

  • Security scans on Dockerhub @Rahul Jadhav

    • (Slack post from @Rahul Jadhav) Folks, for security measures SIG-Security was checking options to enable periodic scanning of Nephio images in dockerhub. We approached Linux Foundation support and they mentioned that they would need a particular LF user to be added as the admin/owner for the dockerhub account. Wondering if this can be done ... The problem statement SIG-Security is trying to address is ... currently the container images are scanned only during create/update time as part of CI/CD workflows ... However, if a vulnerability is disclosed at a later point in time, there is no way to identify that in the context of images that are already pushed. Periodic scanning would enable us to identify these vulnerabilities. Considering that most of the 5G core and RAN functions Nephio has are from open source, it might be important to ensure that vulnerabilities are disclosed as soon as possible. This is relatively low-hanging fruit to get visibility on the exposed vulnerabilities ... There was an article published a few months back which talked about such risks that resulted in this action item.

  • Update on platform items for R5

  • Platform slot

    • Quick PR scan

    • Tests on test-infra

    • Issue list triage on Nephio

Minutes

Module Versioning

  • https://github.com/nephio-project/nephio/issues/906 presented by @Nagy Gergely

    • The Porch major version changes on each Nephio release, which means that any client using Porch has to update its version every 6 months

    • We need to change the Nephio release process to remove the need for lock stepping the Porch major version to Nephio releases

    • We probably should do the same for the Nephio controllers

Security Measures

  • Administrator access is needed to Dockerhub to perform periodic scans on released Nephio/Porch images. SIG-Security needs this access from SIG-Release

  • Infrastructure code has YAML files, Ansible scripts, bash scripts, Terraform scripts, etc. There are tools that check these types of files for vulnerabilities in “infrastructure as code”. Would this be of interest to SIG-Release? SIG-Security has already done some work in this area and will raise a PR on test-infra to bring in this tooling.
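To make the gap discussed in the Slack post and in the Security Measures item concrete, here is an added Python illustration (not Nephio project code) using a constructed package inventory, a constructed advisory feed and placeholder image names: a scan run only at push time can only see advisories published before the push, whereas a periodic rescan of the same unchanged image also picks up everything disclosed since.

```python
"""Toy model of build-time-only vs. periodic image scanning (added example)."""
from datetime import date

# Constructed inventory: image -> (push date, {package: installed version}).
# Image names are placeholders, not real Nephio images.
IMAGES = {
    "example-org/porch-server:v1.0.0": (date(2025, 1, 15), {"libssl": "3.0.12", "zlib": "1.3"}),
    "example-org/nephio-controller:v1.0.0": (date(2025, 1, 15), {"zlib": "1.3"}),
}

# Constructed advisory feed: (advisory id, package, first fixed version, published).
ADVISORIES = [
    ("ADV-0001", "libssl", "3.0.10", date(2024, 11, 1)),  # image already carries the fix
    ("ADV-0002", "zlib", "1.3.1", date(2025, 3, 20)),     # disclosed after the push
    ("ADV-0003", "libssl", "3.0.13", date(2025, 4, 2)),   # disclosed after the push
]

TODAY = date(2025, 5, 7)  # constructed: the date of the periodic rescan


def version_key(v):
    """Order dotted numeric versions so that '3.0.12' < '3.0.13'."""
    return tuple(int(p) for p in v.split("."))


def scan(image, as_of):
    """Advisories affecting `image`, using only advisories published by `as_of`."""
    _pushed, packages = IMAGES[image]
    hits = []
    for adv_id, pkg, fixed, published in ADVISORIES:
        if published > as_of or pkg not in packages:
            continue  # unknown at scan time, or package not in the image
        if version_key(packages[pkg]) < version_key(fixed):
            hits.append(adv_id)
    return hits


def build_time_scan(image):
    """What a CI/CD scan at create/update time could see for this image."""
    return scan(image, IMAGES[image][0])


def missed_by_build_time_scan(image, today):
    """Advisories a rescan on `today` reports that the push-time scan could not."""
    return sorted(set(scan(image, today)) - set(build_time_scan(image)))


if __name__ == "__main__":
    for img in IMAGES:
        print(img, "push-time:", build_time_scan(img), "missed:", missed_by_build_time_scan(img, TODAY))
```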

Action items