Catherine,
The situation on the ground is more fluid - we may get someone to fix a CLM
issue for a couple hours - then they get assigned to other work. All of us
are security experts at some point. A developer may take the initiative.
Some workarounds
Move the read/write part of the wiki where any contributor can edit
what is being worked on.
We can follow the rest of the security issues identified keeping us from
violating our license.
Bottom line is that running this commercial software does not mix well with
open source development - I recommend we use something less restrictive.
/michael
-----Original Message-----
From: Lefevre, Catherine via RT <[email protected]>
Sent: Wednesday, October 10, 2018 7:04 AM
To: Michael O'Brien <[email protected]>
Cc: [email protected]; [email protected]; Prudence Au
<[email protected]>
Subject: [ONAP Helpdesk #61994] [linuxfoundation.org #61994] RE: [onap-tsc]
Allow non-PTLs to view/edit the CLM security wiki pages #clm #security
Good morning Michael, Manoop,
As previously discussed, we are not authorized to copy/paste the complete CLM
report to the ONAP wiki.
What you can or can’t do - has been previously documented here:
https://wiki.onap.org/display/DW/TSC+2018-09-13?preview=/41420751/41422209/ONAP%20CLM%20License%20Version3.pdf
Nevertheless if you have identified your security expert(s) then I believe we
might be able to swap them with 1-2 of your committers.
Feel free to reach Gildas to explore this possibility with the Linux Foundation.
Best regards
Catherine
From: [email protected] [mailto:[email protected]] On Behalf Of
TALASILA, MANOOP
Sent: Tuesday, October 09, 2018 6:22 PM
To: [email protected]; [email protected]; OBRIEN, FRANK MICHAEL
<[email protected]>; [email protected]
Cc: AU, PRUDENCE <[email protected]>
Subject: Re: [onap-tsc] Allow non-PTLs to view/edit the CLM security wiki pages
#clm #security
+1
The Portal team is also in a similar situation. The two security experts in our team
are not PTL or committers, so they cannot access the CLM reports, leading to
delay in analyzing the impact and action on the identified vulnerabilities.
Please see if you can relax the access or at least provide access to
requested team members (in our case we need access to these IDs –
“[email protected]” and “[email protected]”).
Manoop
From: <[email protected]> on behalf of Michael O'Brien <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, October 9, 2018 at 11:48 AM
To: "[email protected]" <[email protected]>, Michael O'Brien <[email protected]>,
"[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Cc: Prudence Au <[email protected]>
Subject: Re: [onap-tsc] Allow non-PTLs to view/edit the CLM security wiki pages
#clm #security
Hi, I was wondering if we can get the security rules relaxed – currently I
would need to copy/paste wiki content for other members of the team doing the
CLM work.
Thank you
/michael
From: [email protected] <[email protected]> On Behalf Of
Michael O'Brien
Sent: Friday, October 5, 2018 10:14 AM
To: [email protected]; [email protected]; [email protected]
Cc: Prudence Au <[email protected]>
Subject: [onap-discuss] Allow non-PTLs to view/edit the CLM security wiki pages
#clm #security
Team,
Hi, I have a request on behalf of my team and likely others.
The CLM security pages are locked down too tightly – I would like other
members of the team – in particular Prudence Au (my co-PTL along with Luke
Parker) to be able to view and edit pages in the wiki space
https://wiki.onap.org/display/SV/Security+Vulnerabilities+Home
https://wiki.onap.org/pages/viewpage.action?pageId=43385152
The issue that we did not foresee – distribution of CLM work among the team.
Also when a PTL is out for a 1 day vacation – the delegate PTL does not have
access to the site.
If the SV space is locked down – then the bottleneck is the PTL – in my case
Prudence is a go-getter and would like to fix the remaining vulnerabilities –
in our case we inherited several from another project we have a dependency –
they already marked that vulnerability as a red-herring and have a pom override
– but without myself acting as the wiki conduit – this work is slowed down with
some re-inventing the wheel occurring.
Can we make the site read/only at least for any of the following
- Committers of a project
- Ideally any committer of a project can see the pages of the other
project – so one fix can be distributed among several
Thank you
/michael
“Amdocs’ email platform is based on a third-party, worldwide, cloud-based
system. Any emails sent to Amdocs will be processed and stored using such
system and are accessible by third party providers of such system on a limited
basis. Your sending of emails to Amdocs evidences your consent to the use of
such system and such processing, storing and access”.
View/Reply Online (#3861): https://lists.onap.org/g/onap-tsc/message/3861