Re: Issue with Linux Foundation and expectations on ODL projects


Abhijit Kumbhare
 

Yes - let us discuss it tonight at the TSC meeting.


On Thu, Mar 5, 2020 at 10:47 AM Luis Gomez <ecelgp@...> wrote:
Abhijit, can we bring this topic in tonight’s TSC?

BR/Luis

Begin forwarded message:

From: "Allan" <aclarke@...>
Subject: [OpenDaylight TSC] Issue with Linux Foundation and expectations on ODL projects
Date: March 5, 2020 at 8:05:00 AM PST
To: tsc <TSC@...>
Cc: Thanh Ha <thanh.ha@...>

Greetings!
 
I have been trying to get a new release of the Plastic sub-project out for 3 weeks now and have been clogged up in LF helpdesk. 
 
*Summary*
 
LF is not allowing newer release of Plastic 2.1.7 that fixes 3rdparty vulnerabilities already in 2.1.6 release.
LF wants ODL after-the-fact approval for Plastic 2.1.6 that is already publicly available. 
Both LF tooling (Nexus IQ) and vulnerability process is broken.
 
*Details*
 
Here is the sequence of events AFAICT:
 
  • Plastic 2.1.6 released (months ago)
  • LF silently changes release process to require Nexus IQ passing (no docs, no links to help PTLs BTW)
  • Plastic 2.1.7 candidate build successful but not available for testing
  • LF helpdesk says Nexus IQ violations making build unavailable
  • (Older version of Guava and Groovy have exposure on features not used by Plastic)
  • LF finally gets accounts and links fixed so Nexus IQ reports are available to PTL
  • New version of Plastic 2.1.7 candidate build (violations fixed)
  • Build still not available due to “violations” (what???)
  • Nexus IQ report is all screwed up in the UI, mixing 2.1.6 and 2.1.7 up, mislabeling, clearly buggy
  • Nexus IQ report appears to be showing old violations against ALREADY RELEASED 2.1.6
  • LF says because security violations are involved, the ODL Security group needs waivers.
 
*Conclusion*
 
I would like to release Plastic 2.1.7. It has improvements and fixes violations in 3rd party libraries.
It has been languishing and holding up the next major release.
I would like a release process that understands when “the horse has left the barn” and that thinks it is a good thing when a new release fixes vulnerabilities in an old release.
 
Allan Clarke
Plastic PTL
 
