[ofiwg] OFIWG Meeting Minutes 7/23/2024
Xiong, Jianxin
jianxin.xiong at intel.com
Wed Jul 24 09:35:42 PDT 2024
Thank Zach for taking the notes.
Date July 23, 2024
Participants
-----------------
Jianxin Xiong (Working Group Chair)
Zach Dworkin
Peinan Zhang
Rajalaxmi Angadi
Alex McKinley
Chien Tung
Juee Desai
Jerome Soumagne
Shi Jin (AWS)
Amir
Nathan Hanford
Ken Raffenetti (ANL)
Charles Shereda [Cornelis]
Ben Lynam [Cornelis]
Steve Welch [HPE]
John Byrne [HPE]
Notes
---------
No Opens
* OFA List Server Issue & Release Status
  o Unable to send notice to ofiwg & libfabric users lists
  o Error "connection refused"
  o 1.22.0rc2 & 1.21.1rc2 are available
  o Notice on slack "general" channel
  o GA releases are on track (7/26 Friday)
* CI Security Risk
  o CI scripts are usually protected, but the tests run by the CI are not
  o A hacker could create a PR with malicious code that will be built and run by CI
    - Compromises the CI machines
    - Information leaking
    - DoS attack
  o Want some sanity checking before CI job is run
    - Minimize the overhead
    - Team members (ofiwg github group) are trusted
  o GitHub Settings
    - Can require approval for first-time contributors to protect against this
    - Should we change to the third option: "Require approval for all outside collaborators"?
      * This only works for actions
      * Other options may be in a virtual machine or in a container, so moving to this option will not cause too much stress on what we already have to do.
      * Decided to move to this 3rd option
      * No objections to making this change
  o Any suggestions for webhooks & Jenkins?
* Intel
  o Turn Jenkins spawn into a github action
* AWS
  o Are there 2 AWS CI?
    - No. There might have been at one point during an intermediate action, but there is now only one webhook that triggers Jenkins
    - Shi will double check with his team
  o Does bot:aws:retest comment trigger an initial run?
    - Maybe?
  o AWS CI runs in containers and has regular reviews from their security team, so it is unlikely that this CI is vulnerable to this kind of attack
* Appveyor
  o Virtual machine?
  o Safer to turn into a github action and call it?
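As an added illustration of the "turn Jenkins spawn into a github action" idea (example configuration, not libfabric's own CI files): a gating workflow on `pull_request`, which the "Require approval for all outside collaborators" setting holds until an organization member approves the run, and a second workflow on `workflow_run` that fires only after the first one completes and, because it runs in the base repository's context, can hold the Jenkins trigger secret that a fork PR's own workflow never sees. The Jenkins job name `libfabric-pr` and the secret names `JENKINS_URL` and `JENKINS_TRIGGER_TOKEN` are assumptions.

```yaml
# .github/workflows/pr-gate.yml  (added example, not the project's own file)
# For a PR from a fork this run is held until an org member approves it.
# Fork PRs get no repository secrets here, so this workflow needs none.
name: pr-gate
on:
  pull_request:          # not pull_request_target: that runs in base-repo
    branches: [main]     # context and is not held for approval
permissions:
  contents: read         # least privilege for the gating job
jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "approved head ${{ github.event.pull_request.head.sha }}"
---
# .github/workflows/jenkins-spawn.yml  (added example)
# workflow_run fires only after pr-gate has completed, i.e. after approval,
# and runs in the base repository's context, so it can use the Jenkins token.
name: jenkins-spawn
on:
  workflow_run:
    workflows: [pr-gate]
    types: [completed]
permissions:
  contents: read
jobs:
  spawn:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - name: Trigger the Jenkins job for the approved head commit
        env:
          JENKINS_URL: ${{ secrets.JENKINS_URL }}         # assumed secret name
          TOKEN: ${{ secrets.JENKINS_TRIGGER_TOKEN }}     # assumed secret name
          SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          # Jenkins "Trigger builds remotely" endpoint; libfabric-pr is a
          # hypothetical job name. Only the commit SHA crosses the boundary,
          # so Jenkins builds exactly the code a human approved.
          curl --fail --silent --show-error -X POST \
            "$JENKINS_URL/job/libfabric-pr/buildWithParameters?token=$TOKEN" \
            --data-urlencode "GIT_SHA=$SHA"
```

The same two-workflow shape applies to the Appveyor question above: have Appveyor start from the `workflow_run` job instead of its own webhook, so an unapproved PR never reaches it.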
Summary
-------------
Discussed the release status of 1.22.0rc2 and 1.21.1rc2. These have been successfully released. Notified the community of the OFA List Server "connection refused" issue but did not find a resolution on how to fix it. It is possible that it will come back on its own.

Discussed the CI security risks and how to mitigate them. The project is moving to the GitHub security option that requires all incoming pull requests from users in outside organizations to be approved by a user in the organization before any GitHub Actions will run. Using this option, Intel Jenkins CI and Appveyor will move to being triggered by a GitHub Action and not automatically run. This needs to happen because a test pull request showed that Intel Jenkins and Appveyor will run regardless of whether a pull request is approved by a user in the organization. AWS CI is unaffected by this risk because they run their CI in containers and have regular meetings with their security team to assess security vulnerabilities and potential attacks. Their CI was designed knowing this type of vulnerability was possible and has already protected against it.