DA Meeting Minutes 2022-05-11

Attendees:

Apologies:

Absent:

Agenda:

  • Review actions from previous meeting
  • Issue 78: Upgrading node version to the latest LTS
    • Review of actions
  • Issue 88: Preventing or Mitigating Open Source Supply Chain Attacks
    • LD to report back
  • Issue 89: Mojaloop Code Signing using Helm Provenance and Integrity
    • Aime to present
  • AOB

Minutes

  • Issue 78 (follow-up from previous action item)
    • Under way
    • New version of logger, SDK shared components, central services shared library.
    • Moving on to ML-API adapter next…
    • Library used to check and resolve audit issues. Not compatible with NPM for node 16. Temporary workaround: run native audit. This will mean there is no history. We’ll see changes to lock file. They’re working on version to fix, but not known how long this will take.
    • Do we have an ETA? Not yet, we will link to issues in GitHub.
    • MdB is also refactoring CI/CD flows to use the latest Ubuntu version, etc., and refactoring some repos to follow good practice.
  • Issue 88 (follow-up from previous action item)
    • Could use an allowlist. Extra level of admin and slows down developers. How will that work with nested dependencies? Will need review process.
    • Or PackageInstaller - looks out for packages.
    • MdB: Only way is to protect the edges: restricting ports that can be used.
    • PSB: should we use a blocklist? Not as efficient. Technically, we already have one in our dependencies analysis.
    • LD: what if we do nothing? If we’re confident that NPM audit can do it. Need more policies about what to do if we come across a high-risk issue.
    • PSB: we sign our Docker images, so that should be solid.
    • JF: should be managed by always deploying specific versions.
    • CI should guarantee that packages are always locked and have not been changed.
    • PSB: we should have a focused meeting to decide what we can try to fix. What can we do? Output is an action plan and/or statement.
    • MdB: changes to CI/CD flows could be included in work that’s being done.
  • Issue 89
    • Aime presented on issue (reference on DA Slack channel)
    • MdB: Helm chart is not generated until installation, so it does not contain the actual content.
    • PSB: Proposal is to sign the Helm charts. Why aren’t we using Docker hub signatures? AB: we should do that too. MdB: people use Helm to get the packages.
    • How much work is required? LD: what is the workflow? AB/MdB: it’s one command to make it, another command to validate it.
    • AB: we’re just adding additional security, not replacing the security that already exists in Docker. The people who build the packages are trusted. We should still sign the Docker images.
    • MdB: could we use GitHub to store the keys?
    • LD: what about key lifecycle? How are keys stored and rotated?
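
As an added illustration of the Issue 88 point that CI should guarantee packages are always locked and have not been changed, the following Node script (example code written for these minutes, not taken from any Mojaloop repository) audits a lockfileVersion 2/3 package-lock.json and reports every dependency that is not pinned to a registry tarball carrying a sha512 integrity hash. The names REGISTRY, lockfileFindings and SAMPLE_LOCK are assumptions of the example, and the sample lock file is constructed.

```javascript
// Added example: CI gate over the "packages" map of a lockfileVersion 2/3 lock file.
const REGISTRY = "https://registry.npmjs.org/";

function lockfileFindings(lockText, registry = REGISTRY) {
  const lock = JSON.parse(lockText);
  if ((lock.lockfileVersion || 1) < 2) {
    return ["lockfileVersion < 2 has no 'packages' map; regenerate with npm 7+"];
  }
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (meta.link) {
      findings.push(`${name}: symlink to a local path, nothing is locked`);
      continue;
    }
    const resolved = meta.resolved || "";
    const integrity = meta.integrity || "";
    if (!resolved.startsWith(registry)) {
      findings.push(`${name}: resolved outside the registry: ${resolved || "<missing>"}`);
    } else if (!resolved.endsWith(`-${meta.version}.tgz`)) {
      findings.push(`${name}: tarball name does not match version ${meta.version}`);
    }
    if (!integrity.startsWith("sha512-")) {
      findings.push(`${name}: missing or weak integrity: ${integrity || "<missing>"}`);
    }
  }
  return findings;
}

// Constructed sample lock file (not from a Mojaloop repository): one clean entry, four defects.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo", lockfileVersion: 3, packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0",
      resolved: REGISTRY + "left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==" },
    "node_modules/@scope/lib": { version: "2.0.0",
      resolved: REGISTRY + "@scope/lib/-/lib-2.0.1.tgz", // tarball/version drift
      integrity: "sha512-" + "B".repeat(86) + "==" },
    "node_modules/old-hash": { version: "0.1.0",
      resolved: REGISTRY + "old-hash/-/old-hash-0.1.0.tgz",
      integrity: "sha1-" + "C".repeat(27) + "=" },
    "node_modules/from-git": { version: "9.9.9",
      resolved: "git+ssh://git@example.com/demo/from-git.git#abc123" },
    "node_modules/local-tool": { resolved: "../local-tool", link: true },
  },
});
```

Run `lockfileFindings(fs.readFileSync("package-lock.json", "utf8"))` in the pipeline and fail the job on a non-empty result; `npm ci` separately refuses to install when package-lock.json and package.json disagree.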

Actions:

  • MdB will continue with node upgrade tasks
  • LD will look into policies around NPM audit and report back.
  • MR will talk to GK about setting up a meeting to review policies on hacking protection.
  • AB/GK to facilitate a session and make a proposal on key management.