Re: Issue with Linux Foundation and expectations on ODL projects
Greetings!
I have been trying to get a new release of the Plastic sub-project out for 3 weeks now and have been clogged up in LF helpdesk.
*Summary*
LF is not allowing a newer release of Plastic 2.1.7 that fixes 3rd-party vulnerabilities already in the 2.1.6 release.
LF wants ODL after-the-fact approval for Plastic 2.1.6 that is already publicly available.
Both the LF tooling (Nexus IQ) and the vulnerability process are broken.
*Details*
Here is the sequence of events AFAICT:
- Plastic 2.1.6 released (months ago)
- LF silently changes release process to require Nexus IQ passing (no docs, no links to help PTLs BTW)
- Plastic 2.1.7 candidate build successful but not available for testing
- LF helpdesk says Nexus IQ violations making build unavailable
- (Older versions of Guava and Groovy have exposure on features not used by Plastic)
- LF finally gets accounts and links fixed so Nexus IQ reports are available to PTL
- New version of Plastic 2.1.7 candidate build (violations fixed)
- Build still not available due to “violations” (what???)
- Nexus IQ report is all screwed up in the UI, mixing 2.1.6 and 2.1.7 up, mislabeling, clearly buggy
- Nexus IQ report appears to be showing old violations against ALREADY RELEASED 2.1.6
- LF says because security violations are involved, the ODL Security group needs waivers.
*Conclusion*
I would like to release Plastic 2.1.7. It has improvements and fixes violations in 3rd party libraries.
It has been languishing and holding up the next major release.
I would like a release process that understands when “the horse has left the barn” and that thinks it is a good thing when a new release fixes vulnerabilities in an old release.
Allan Clarke
Plastic PTL
1. The policy violations are security issues outside the scope of LF/RE to determine if they can be waived.
I've also set this up as a topic on today's TSC agenda.