17. January 2023

[dimakuv]

Agenda

(please write your proposed agenda items in comments under this discussion)

• Woju: tracking vulnerabilities in upstream projects (like CVE-2022-46392, which we've narrowly missed). See also 10. January 2023 #1105 (comment).
• Woju: gramine-sgx-sign plugin architecture.
• Benny: Current status of docu restructuring

Opens

Mona: we should ask Don about whether he wants to reschedule the meeting, so he can attend.

Woju: tracking vulnerabilities in upstream projects

Woju: stumbled upon a security issue in mbedTLS. Is there any security process how we track/receive notifications from our upstream projects that Gramine is dependent upon? Until now, it was ad-hoc.

• Follow up question: if there is a security release in one of the dependent projects, do we do a minor (security) release of Gramine?

Sankar: before every Gramine release, we run some tool (at Intel) to verify there are no known vulnerabilities in the dependencies.

• We can increase the frequency of this scan.

• Woju: what does this scan do exactly?

  • Sankar: we need to check our scan procedure, what exactly it does and how it reacts to new CVEs, and then share this info...

• Michal: propose to do a minor release after few days when we patch/fix vulnerabilities.

• Woju: what is the exact process we follow when we find out about such security vulnerabilities?

  • Mona: we simply discuss during our Gramine meetings and agree on the next steps and whether to do a minor release.
  • Woju: sometimes there are vulnerabilities that don't really affect us -- we need to explain this to customers somewhere, somehow. (Well, we also need to forward/explain new security releases of Gramine to them.)

TODOs:

• Anees and Sankar: check if we can run the vulnerability scan tool at a shorter cadence.
• Woju: come up with some policy on how to detect security vulnerabilities and how we discuss them and how we do security releases of Gramine.

Mona: Public list of what's included in the next release

Mona: there is no public list of what goes into the upcoming release (or just generally, what is the plan and priorities for Gramine features, i.e. there is no Gramine roadmap).

• Some customers would like to know and track.
  • Michal: but they can see it in the master branch.
  • Mona: this is too low level, complex and doesn't show the plan in the beginning of the release cycle (since there are no commits yet).
• Woju: the simplest is to write a blog post...
• Dmitrii: should we try GitHub Projects? E.g. https://github.com/firecracker-microvm/firecracker/projects/13 and https://github.com/orgs/cloud-hypervisor/projects/6/views/4 are two examples.
  • Mona: Looks nice, can we create the same? Can discuss in the other Gramine meeting.
  • Dmitrii or Michal will set up this and try to keep this list up to date.

TODOs:

• Dmitrii: try out this GitHub projects, similar to Cloud Hypervisor style.

Woju: gramine-sgx-sign plugin architecture

Woju: there is a PR with a complicated way of having signing plugins in GSC (by supplying Dockerfile templates).

[ Woju schreenshares how his proposed plugin arch works ]

See #1118.

• Dmitrii: This plugin arch is great for direct use of Gramine signing tools. But we will need some solution for GSC, because we must install the plugin inside the Docker container (so, change Docker images?).
  • Woju: needs to think about it.

TODOs:

• Woju: come up with some proposal for GSC signing plugins.

[BFuhry]

Benny: Current status of docu restructuring