Attendees:

• Paul Baker paul.baker@modusbox.com (PB)
• Pedro Barreto pedrob@crosslaketech.com (PSB)
• Mpumbulula Aime Bukasa aime.bukasa@friedcorp89cc.com (AB)
• Johann Foley johannes.foley@sybrin.com (JF)
• Sam Kummary sam@modusbox.com (SK)
• Istvan Molnar istvan.molnar@dpc.hu (IM)
• Simeon Oriko simeonoriko@gmail.com (SO)
• Michael Richards Michael.Richards@modusbox.com (MR) (Chair)

Apologies:

• Godfrey Kutumela godfreyk@crosslaketech.com (GK)

Absent:

• Lewis Daly lewisd@crosslaketech.com (LD)
• Miguel de Barros miguel.debarros@modusbox.com (MdB)
• Justus Ortlepp justus.ortlepp@gmail.com (JO)

Agenda:

• Review actions from previous meeting
• Issue 78: Upgrading node version to the latest LTS
  • Review of actions
• Issue 88: Preventing or Mitigating Open Source Supply Chain Attacks
  • LD to report back
• Issue 89: Mojaloop Code Signing using Helm Provenance and Integrity
  • Aime to present
• AOB

Minutes

• Issue 78 (follow-up from previous action item)
  • Under way
  • New version of logger, SDK shared components, central services shared library.
  • Moving on to ML-API adapter next…
  • Library used to check and resolve audit issues. Not compatible with NPM for node 16. Temporary work-round: run native audit. This will mean there is no history. We’ll see changes to lock file. They’re working on version to fix, but not known how long this will take.
  • Do we have an ETA? Not yet, we will link to issues in GitHub.
  • MdB is also refactoring CI-CD flows to use latest Ubuntu version etc and refactoring some repos to follow good practice.
• Issue 88 (follow-up from previous action item))
  • Could use an allowlist. Extra level of admin and slows down developers. How will that work with nested dependencies? Will need review process.
  • Or PackageInstaller - looks out for packages.
  • MdB: Only way is to protect the edges: restricting ports that can be used.
  • PSB: should we use a blocklist? not as efficient. Technically, we already have one in our dependencies analysis.
  • LD: what if we do nothing? If we’re confident that NPM audit can do it. Need more policies about what to do if we come across a high-risk issue.
  • PSB: we sign our Docker images, so that should be solid.
  • JF: should be managed by always deploying specific versions.
  • CI should guarantee that packages are always locked and have not been changed.
  • PSB: we should have a focused meeting to decide what we can try to fix. What can we do? Output is an action plan and/or statement.
  • MdB: changes to CI/CD flows could be included in work that’s being done.
• Issue 89
  • Aime presented on issue (reference on DA Slack channel)
  • MdB: Helm chart is not generated until installation, so it does not contain the actual content.
  • PSB: Proposal is to sign the Helm charts. Why aren’t we using Docker hub signatures? AB: we should do that too. MdB: people use Helm to get the packages.
  • How much work is required? LD: what is the workflow? AB/MdB: it’s one command to make it, another command to validate it.
  • AB: we’re just adding additional security, not replacing the security that already exists in Docker. The people who build the packages are trusted. We should still sign the Docker images.

Actions:

• MdB will continue with node upgrade tasks
• LD will look into policies around NPM audit and report back.
• MR will talk to GK about setting up a meeting.
• GK to present issue 90 at next meeting

Attendees:

• Paul Baker paul.baker@modusbox.com (PB)
• Pedro Barreto pedrob@crosslaketech.com (PSB)
• Mpumbulula Aime Bukasa aime.bukasa@friedcorp89cc.com (AB)
• Lewis Daly lewisd@crosslaketech.com (LD)
• Johann Foley johannes.foley@sybrin.com (JF)
• Sam Kummary sam@modusbox.com (SK)
• Godfrey Kutumela godfreyk@crosslaketech.com (GK)
• Simeon Oriko simeonoriko@gmail.com (SO)
• Michael Richards Michael.Richards@modusbox.com (MR) (Chair)

Apologies:

Absent:

• Miguel de Barros miguel.debarros@modusbox.com (MdB)
• Istvan Molnar istvan.molnar@dpc.hu (IM)
• Justus Ortlepp justus.ortlepp@gmail.com (JO)

Agenda:

• Review actions from previous meeting
• Issue 78: Upgrading node version to the latest LTS
  • Review of actions
• Issue 88: Preventing or Mitigating Open Source Supply Chain Attacks
  • LD to report back
• Issue 89: Mojaloop Code Signing using Helm Provenance and Integrity
  • Aime to present
• AOB

Minutes

• Issue 78 (follow-up from previous action item)
  • Under way
  • New version of logger, SDK shared components, central services shared library.
  • Moving on to ML-API adapter next…
  • Library used to check and resolve audit issues. Not compatible with NPM for node 16. Temporary work-round: run native audit. This will mean there is no history. We’ll see changes to lock file. They’re working on version to fix, but not known how long this will take.
  • Do we have an ETA? Not yet, we will link to issues in GitHub.
  • MdB is also refactoring CI-CD flows to use latest Ubuntu version etc and refactoring some repos to follow good practice.
• Issue 88 (follow-up from previous action item))
  • Could use an allowlist. Extra level of admin and slows down developers. How will that work with nested dependencies? Will need review process.
  • Or PackageInstaller - looks out for packages.
  • MdB: Only way is to protect the edges: restricting ports that can be used.
  • PSB: should we use a blocklist? not as efficient. Technically, we already have one in our dependencies analysis.
  • LD: what if we do nothing? If we’re confident that NPM audit can do it. Need more policies about what to do if we come across a high-risk issue.
  • PSB: we sign our Docker images, so that should be solid.
  • JF: should be managed by always deploying specific versions.
  • CI should guarantee that packages are always locked and have not been changed.
  • PSB: we should have a focused meeting to decide what we can try to fix. What can we do? Output is an action plan and/or statement.
  • MdB: changes to CI/CD flows could be included in work that’s being done.
• Issue 89
  • Aime presented on issue (reference on DA Slack channel)
  • MdB: Helm chart is not generated until installation, so it does not contain the actual content.
  • PSB: Proposal is to sign the Helm charts. Why aren’t we using Docker hub signatures? AB: we should do that too. MdB: people use Helm to get the packages.
  • How much work is required? LD: what is the workflow? AB/MdB: it’s one command to make it, another command to validate it.
  • AB: we’re just adding additional security, not replacing the security that already exists in Docker. The people who build the packages are trusted. We should still sign the Docker images.
  • MdB: could we use GitHub to store the keys?
  • LD: what about key lifecycle? How are keys stored and rotated?

Actions:

• MdB will continue with node upgrade tasks
• LD will look into policies around NPM audit and report back.
• MR will talk to GK about setting up a meeting to review policies on hacking protection.
• AB/GK to facilitate a session Make a proposal on key management