Re: Issue with Linux Foundation and expectations on ODL projects


Allan

Thanks for the reply, Anil. That did answer some questions I had.

My questions:

  1. Why is there no link or docs connecting a built-but-not-available staging build to a vulnerability report?
  2. Why are there two projects in Nexus IQ (both plastic and odl-plastic)?
  3. Why does the Nexus IQ report show 2.1.6 in the titles/labels but shows 2.1.6 and 2.1.7 as detailed names?
  4. Why does anyone need anyone’s permission to release a new version that fixes vulnerabilities?

These questions point to 4 serious issues with releasing projects. It would be great if answers to these are covered in the TSC meeting.

The response “you need security waivers” (for a past release!) dodges all of the issues raised above and really does nothing to address the 4 issues above.

Allan Clarke

Plastic PTL

PS - It is possible (maybe probable) that I have misunderstandings here, so please feel free to correct me.

From: Anil Belur <abelur@...>
Date: Thursday, March 5, 2020 at 3:45 PM
To: Allan <aclarke@...>
Cc: tsc <TSC@...>, Thanh Ha <thanh.ha@...>, Jordan Conway <jconway@...>, Andrew Grimberg <agrimberg@...>, Casey Cain <ccain@...>
Subject: Re: [OpenDaylight TSC] Issue with Linux Foundation and expectations on ODL projects

On Fri, Mar 6, 2020 at 2:05 AM Allan <aclarke@...> wrote:

Greetings!

I have been trying to get a new release of the Plastic sub-project out for 3 weeks now and have been clogged up in LF helpdesk.

*Summary*

LF is not allowing a newer release of Plastic, 2.1.7, that fixes 3rd party vulnerabilities already in the 2.1.6 release.

LF wants ODL after-the-fact approval for Plastic 2.1.6, which is already publicly available.

Both the LF tooling (Nexus IQ) and the vulnerability process are broken.

*Details*

Here is the sequence of events AFAICT:

  • Plastic 2.1.6 released (months ago)
  • LF silently changes release process to require Nexus IQ passing (no docs, no links to help PTLs BTW)
  • Plastic 2.1.7 candidate build successful but not available for testing
  • LF helpdesk says Nexus IQ violations are making the build unavailable
  • (Older versions of Guava and Groovy have exposures in features not used by Plastic)
  • LF finally gets accounts and links fixed so Nexus IQ reports are available to the PTL
  • New version of Plastic 2.1.7 candidate build (violations fixed)
  • Build still not available due to “violations” (what???)
  • Nexus IQ report is all screwed up in the UI, mixing 2.1.6 and 2.1.7 up, mislabeling, clearly buggy
  • Nexus IQ report appears to be showing old violations against ALREADY RELEASED 2.1.6
  • LF says that because security violations are involved, the ODL Security group needs to grant waivers.

*Conclusion*

I would like to release Plastic 2.1.7. It has improvements and fixes violations in 3rd party libraries.

It has been languishing and holding up the next major release.

I would like a release process that understands when “the horse has left the barn” and that thinks it is a good thing when a new release fixes vulnerabilities in an old release.

Allan Clarke

Plastic PTL

Greetings Allan:

I understand the concerns about the delay in releasing Plastic; please find my response below.

1. The policy violations are security issues, and it is outside the scope of LF/REs to determine whether they can be waived.

2. The policy violations showing up on staging repositories are a "feature" and not a "bug", and a proactive way to ensure these violations are addressed early on, before a release.

3. The violations seen recently in Plastic are a result of updating the "Nexus platform plugin", which is working as expected, and not a result of any change to a Nexus repository-level setting.

4. It's seldom up to LF or the PTLs to waive IQ policy violations; waivers can only come from the ODL security team as approved by the TSC.

I've also set this up as a topic on today's TSC agenda.

Regards,

Anil
