Re: LFN TAC Meeting Minutes, Feb. 10, 2021


Brian Freeman
Jason, Robert,

Interesting tool.

I added it to the parent pom.xml for one of the ONAP repos and did a test run.

Quite intensive (saturated 1 CPU core for 5 minutes or so – single threaded?).

Not sure if there are other tools being used in open source for SBOM generation, but the XML and JSON format of the data seems like it would be the kind of electronic format that could be provided with packaged software for those organizations that require SBOM tracking.

We also have Python code in a lot of projects, so not sure how an SBOM would be created for that.

I think this allows us to publish our dependencies so someone could quickly determine if we were affected by an attack on someone else.

I don't think this would prevent an attack on our code, would it?

Brian


From: lfn-tac@... <lfn-tac@...> On Behalf Of Jason Hunt
Sent: Thursday, February 11, 2021 4:20 PM
To: lfn-tac@...
Subject: Re: [lfn-TAC] LFN TAC Meeting Minutes, Feb. 10, 2021

Thanks Robert for the input.  What do other TAC members (and, in particular, project leads) think?

Regards,
Jason Hunt
Distinguished Engineer, IBM

Phone: +1-314-749-7422
Email: djhunt@...
Twitter: @DJHunt

----- Original message -----
From: "Robert Varga" <nite@...>
Sent by: lfn-tac@...
To: lfn-tac@...
Cc:
Subject: [EXTERNAL] Re: [lfn-TAC] LFN TAC Meeting Minutes, Feb. 10, 2021
Date: Thu, Feb 11, 2021 1:45 PM

Hello everyone,

On 10/02/2021 17:03, Kenny Paul wrote:
> 2021-02-10 TAC Minutes
> <https://wiki.lfnetworking.org/display/LN/2021-02-10+TAC+Minutes>

[snip]

>   * *Next version of LFN Technical Whitepaper Ranny Haiby
>     <https://wiki.lfnetworking.org/display/~rannyh>*
>       o 2021 Whitepaper Workgroup
>         <https://wiki.lfnetworking.org/display/LN/2021+Whitepaper+Workgroup>
>       o Need volunteers to contribute - 1-2 hrs. per week for ~8 weeks
>       o Contributors also include folks that need to review content
>       o Project reps please mention at your next TSC meetings
>       o Brian Freeman
>         <https://wiki.lfnetworking.org/display/~bdfreeman1421>  - eval
>         of SolarWinds type of attack on supply chain
>       o Martin Jackson
>         <https://wiki.lfnetworking.org/display/~mhjacks> - Supply chain
>         attacks are top of mind for enterprise - this was already FUD in
>         the enterprise space. Should discuss it head on.

Maven Central has provisions for SBOMs.

Would it make sense to create some guidance on how to deploy
https://github.com/CycloneDX/cyclonedx-maven-plugin in Java projects,
based on which https://cyclonedx.org/use-cases/ are deemed critical?

Regards,
Robert
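
As an added example (not code from this thread, from ONAP or from the CycloneDX project), the script below reads a CycloneDX JSON BOM of the shape cyclonedx-maven-plugin emits and does what Brian describes: given an advisory naming affected coordinates and versions, it reports which components match and which direct dependency pulls them in. The sample BOM, the org.example coordinates and the advisory are all constructed.

```python
import json

# Constructed CycloneDX 1.2 JSON BOM in the shape cyclonedx-maven-plugin emits
# (the org.example coordinates are illustrative, not real ONAP artifacts).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.2", "version": 1,
    "metadata": {"component": {"type": "application", "name": "app",
                               "bom-ref": "pkg:maven/org.example/app@1.0.0"}},
    "components": [
        {"type": "library", "group": "org.example", "name": "web-core",
         "version": "2.1.0", "bom-ref": "pkg:maven/org.example/web-core@2.1.0"},
        {"type": "library", "group": "org.example", "name": "log-util",
         "version": "1.4.2", "bom-ref": "pkg:maven/org.example/log-util@1.4.2"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.example/app@1.0.0",
         "dependsOn": ["pkg:maven/org.example/web-core@2.1.0"]},
        {"ref": "pkg:maven/org.example/web-core@2.1.0",
         "dependsOn": ["pkg:maven/org.example/log-util@1.4.2"]},
    ],
})

# Hypothetical advisory: (group, name) -> versions reported as affected.
ADVISORY = {("org.example", "log-util"): {"1.4.0", "1.4.1", "1.4.2"}}

def affected_components(bom_text, advisory):
    """Return bom-refs of components whose coordinates and version match the advisory."""
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    return [c["bom-ref"] for c in bom.get("components", [])
            if c.get("version") in advisory.get((c.get("group", ""), c.get("name", "")), set())]

def dependency_paths(bom_text, target_ref):
    """Walk the BOM dependency graph from the root component and return every
    path (list of bom-refs) reaching target_ref: the direct dependency that pulls it in."""
    bom = json.loads(bom_text)
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    paths = []

    def walk(node, path):
        if node == target_ref:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # skip cycles in a malformed graph
                walk(child, path + [child])
    walk(root, [root])
    return paths
```

Feeding the plugin's real target/bom.json to the same two functions turns a published SBOM into a yes/no answer for a given advisory, which is the triage use Brian has in mind.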