DA Meeting Minutes 2022-06-15

#88 Update on Mitigating Supply Chain Attacks (Lewis)

  • LD: Presented the latest update from WhiteSource and npm

  • MDB: npm audit fix --force is taking things to older versions, so it’s not a solution

    • There’s pretty much no fix for some
    • We’re also using outdated libraries, e.g. gRPC needs to be replaced
  • LD: Where are we at with this issue?

  • MDB: What else can be done?

  • MDB: There are many packages with no fixes, so we still need to be able to enforce strict policies, but still override for specific packages with no fixes

  • MDB: Most of the time, there is no attack vector that we are vulnerable to

  • Action Item:

    • @LD: need to run npm audit and WhiteSource on the very same day

#91 Kubernetes Versions

  • TD: version 1.21 of K8s reaches EOL by the end of the month

    • that means that there wouldn’t be a current release of K8s that Mojaloop can deploy to
    • e.g. Rancher k3s: can’t get the 1.20 version of k3s to deploy
    • for 1.21, you need to have Docker, but Docker is going away
  • TD: 2 main problems: (1) Percona and (2) Networking

  • TD: Proposal - Why don’t we move these changes into 13.X?

  • MDB: Removing the DB is a breaking change, but users can turn off their database and deploy it themselves

  • TD: The trouble is turning off the database and deploying it yourself is hard

  • TD: Disabling the database is easy, but deploying one yourself is more work

  • LD: I think it’s a question of sensible defaults

  • SK: What is Tom’s proposal?

  • TD: Still want to be able to install from packaged helm charts, without requiring users to git clone and fix

  • TD: This is a multi-layer issue, between k8s flavours, linux distros and versions

  • MDB: Our product isn’t Kubernetes but it runs on Kubernetes; as long as people come with the right versions it can work

    • We know there are issues with Helm, but those are the things we are fixing
  • MDB: Concerned about the approach here - our product is how we are packaging Helm. We are trying to abstract away from worrying

  • LD: Tom is looking at the whole lifecycle of new community members coming along and getting up and running

  • Decision to be made:

    1. Either update Percona to something modern (breaking)
    2. Remove chart dependencies and issue a breaking change
    3. Do nothing, wait for new refactored charts
    4. Just make the ingress change (non-breaking) and flip the default to not deploy percona by default

#86 Update on Accepting Code Contributions

  • No time! Will schedule for next week when we have Bryan as well

Call recording:
Topic: Mojaloop OSS - DA Meeting (10 am UTC)
Start Time: Jun 15, 2022 12:59