- Issue with Linux Foundation and expectations on ODL projects
Re: Issue with Linux Foundation and expectations on ODL projects
toggle quoted messageShow quoted text
Yes - let us discuss it tonight at the TSC meeting.
On Thu, Mar 5, 2020 at 10:47 AM Luis Gomez <ecelgp@...
Abhijit, can we bring this topic in tonight’s TSC?
Begin forwarded message:
Subject: [OpenDaylight TSC] Issue with Linux Foundation and expectations on ODL projects
Date: March 5, 2020 at 8:05:00 AM PST
I have been trying to get a new release of the Plastic sub-project out for 3 weeks now and have been clogged up in LF helpdesk.
LF is not allowing newer release of Plastic 2.1.7 that fixes 3rdparty vulnerabilities already in 2.1.6 release.
LF wants ODL after-the-fact approval for Plastic 2.1.6 that is already publicly available.
Both LF tooling (Nexus IQ) and vulnerability process is broken.
Here is the sequence of events AFAIKT:
- Plastic 2.1.6 released (months ago)
- LF silently changes release process to require Nexus IQ passing (no docs, no links to help PTLs BTW)
- Plastic 2.1.7 candidate build successful but not available for testing
- LF helpdesk says Nexus IQ violations making build unavailable
- (Older version of Guava and Groovy have exposure on features not used by Plastic)
- LF finally gets accounts and links fixed so Nexus IQ reports are available to PTL
- New version of Plastic 2.1.7 candidate build (violations fixed)
- Build still not available due to “violations” (what???)
- Nexus IQ report is all screwed up in the UI, mixing 2.1.6 and 2.1.7 up, mislabeling, clearly buggy
- Nexus IQ report appears to be showing old violations against ALREADY RELEASED 2.1.6
- LF says because security violations are involved, the ODL Security group needs waivers.
I would like to release Plastic 2.1.7. It has improvements and fixes violations in 3rd party libraries.
It has been languishing and holding up the next major release.
I would like a release process that understands when “the horse has left the barn” and that thinks it is a good thing when a new release fixes vulnerabilities in an old release.
Join TSC@lists.opendaylight.org to automatically receive all group messages.