Re: [onap-discuss] SECCOM 5 April update for PTLs

Tony Hansen

Are the repos for these projects marked as readonly in Gerrit?


Is there a release name or date available for each of these as to when they were first considered unmaintained? An example might be “beginning with the Honolulu release.”


It would also be good if the wiki pages that points to were to be modified to indicate clearly that they are indeed unmaintained.


Examples from the CII badging folks on how to clearly mark a project as unmaintained that apply to ONAP are:


For example, use “DEPRECATED” as the first heading of its README title, . . . add a no-maintenance-intended badge ( ) in its README, and/or use the code repository's marking system (e.g., . . . Gerrit's "readonly" status, . . .). Additional discussion can be found here: .


- Tony


From: <onap-discuss@...> on behalf of Thomas Kulik <thomas.kulik@...>
Reply-To: "onap-discuss@..." <onap-discuss@...>, "thomas.kulik@..." <thomas.kulik@...>
Date: Tuesday, April 6, 2021 at 1:53 PM
To: "fabian.rouzaut@..." <fabian.rouzaut@...>, "onap-discuss@..." <onap-discuss@...>, "morgan.richomme@..." <morgan.richomme@...>, "ZWARICO, AMY" <az9121@...>
Cc: "onap-seccom@..." <onap-seccom@...>
Subject: Re: [Onap-seccom] [onap-discuss] SECCOM 5 April update for PTLs


Hi Fabian.


A general definition can be found here:

Project State: Unmaintained


The list of unmaintained state projects is here:

Best regards,


Von: fabian.rouzaut@... <fabian.rouzaut@...>
Gesendet: Dienstag, 6. April 2021 17:21
An: Kulik, Thomas <Thomas.Kulik@...>; onap-discuss@...; RICHOMME Morgan TGI/OLN <morgan.richomme@...>; amy.zwarico@...
Cc: onap-seccom@...
Betreff: RE: [Onap-seccom] [onap-discuss] SECCOM 5 April update for PTLs


Hi Thomas,

Do we have a list for the ‘unmaintained project”?





De : onap-seccom@... [mailto:onap-seccom@...] De la part de Thomas.Kulik@...
Envoyé : mardi 6 avril 2021 14:53
À : onap-discuss@...; RICHOMME Morgan TGI/OLN <morgan.richomme@...>; amy.zwarico@...
Cc : onap-seccom@...
Objet : Re: [Onap-seccom] [onap-discuss] SECCOM 5 April update for PTLs



Just a small hint about wording: Please use „unmaintained“ instead of “in maintenance mode”.


Von: onap-discuss@... <onap-discuss@...> Im Auftrag von Morgan Richomme via
Gesendet: Dienstag, 6. April 2021 14:07
An: onap-discuss@...; amy.zwarico@...
Cc: onap-seccom@...
Betreff: Re: [onap-discuss] SECCOM 5 April update for PTLs



Java 8: 24+3 (dual java8 and java11)

Python 2.7: 13 + 10 (dual python 2.7 and python 3)


if we look at the issues

java 8

- portal: in maintenance mode since Honolulu

- music: in maintenance since Guilin

- msb:  not sure that it is officially in maintenance but not lots of changes recently

- esr: in maintenanc emode since Guilin

- appc in maintenance mode since Guilin

- ...


python 2.7

- appc: in maintenance mode since Guilin

- awx: tooling

- dcae

- robot: tooling

- uui

- vfx-huawei-vnf-driver



I raised the question on appc in a gerrit as the HC is also regularly FAIL

As far as I can see appc is still mentioned in 2 use cases (vFWDT and scaleout) but should we not

- remove appc from the deployment

- in the vFWDT and scaleout use case doc, if they are still maintained, indicate how to launch the old appc for the use case but not include appc in teh official honolulu deployment


I know that there was a working group on this topic and that the question of dependencies is > OOF,, MSB > CNF use cases...



De : onap-discuss@... [onap-discuss@...] de la part de Amy Zwarico [amy.zwarico@...]
Envoyé : lundi 5 avril 2021 17:45
À : onap-discuss@...
Cc : onap-seccom@...
Objet : [onap-discuss] SECCOM 5 April update for PTLs

5 April SECCOM update for the PTLs.


  • SECCOM is proposing that the TSC promote vulnerable package upgrade (REQ-439) and CII Badging (REQ-443) to Global Requirements for Istanbul.
    • Package upgrades will be negotiated with the PTLs based on NexusIQ reports
    • Package upgrades to be complete at code freeze
    • SECCOM Istanbul vulnerable package update recommendations will be created after Honolulu RC0/RC1
    • CII badging requirements for the Istanbul release: crypto questions plus unanswered questions from prior releases
  • Please email SECCOM (onap-seccom@...) if you are a project with repos that do not write log files stdout. SECCOM needs this input to evaluate whether to request that the TSC promote the Logging POC (REQ-441) to a Best Practice
  • The LF is setting up SonarCloud training sessions and can make those sessions available to PTLs.
  • Java and Python upgrade status continues to improve
    • Remaining (March 29) Java 8: 36/104 repos (improvement of 2 from March 4)
    • Remaining (March 29) Python 2: 24/63 repos (improvement of 16 from March 4)


Amy Zwarico, LMTS

Chief Security Office / Platform Security

AT&T Services

(205) 613-1667



Join to automatically receive all group messages.