# Notary Project Meeting Notes

###### tags: `Notary Project`, `notary`

[TUF-notary meeting notes](https://hackmd.io/wii3-L8ZQZ-U3ET0XNY8Gg)

**NOTE: Time Change** - Starting May 9 2022, we will hold two meetings a week to account for folks in the US, Europe and Asia time zones. Meetings are now:

- Mondays 5-6pm Pacific time, 8-9pm US Eastern, 8-9am Shanghai (US Summer time)
- Mondays 4-5pm Pacific time (US Winter time)
- Thursdays 9-10am Pacific time, 12pm US Eastern, 5pm UK

Links

- [On GitHub](https://github.com/notaryproject/)
- [CNCF Calendar](https://www.cncf.io/community/calendar/)
- [Zoom Dial-in link](https://zoom.us/my/cncfnotaryproject)
  - Passcode: 77777 (5x 7)
- [Notary Project Conversations on Slack](https://app.slack.com/client/T08PSQ7BQ/CQUH8U287/thread/CEX1W7WMD-1582660575.076600)
- [Find your local number](https://zoom.us/u/aLDk4OXTu)
- [Notary Project GitHub Projects](https://github.com/notaryproject/)
- [YouTube Recordings](https://youtube.com/playlist?list=PL1ykZdgmLkb7SlXax-hJVUgvNHmq4Cyz9)
- [Recordings prior to April 9, 2021](https://www.youtube.com/playlist?list=PLj6h78yzYM2O1BOGT3hLdJTJCKz0f-bYq)

### Dial by your location

877 369 0926 US Toll-free
855 880 1246 US Toll-free

Meeting ID: 611 593 2621

#### One tap mobile

+16465588656,,6115932621# US (New York)
+16699006833,,6115932621# US (San Jose)

**Note:** See Meeting Notes Template below

```
## Meeting Notes Template (template for copying)

## Meeting Date

### Attendees:
- _add yourself_

### Agenda Items:
- _add your topics_

### Notes:
- _meeting minutes_

### Recording:
_recording_url_

Agenda items must identify the (owner) of the item
```

## Meeting chair rotation

- Yi Zha
- Feynman Zhou
- Samir Kakkar
- Pritesh Bandi
- Toddy Mladenov
- Vani Rao
- David Tesar (emeritus)
- Justin Cormack (emeritus)
- Steve Lasker (emeritus)

## Nov 5 2024

### Attendees
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Shiwei Zhang (Microsoft)
- Yi Zha (Microsoft)
- Pritesh Bandi (Amazon)
- Feynman Zhou (Microsoft)

### Agenda Items
- Updates on Security audit (Yi)
- Triage issues in the `Discuss` milestones (Cont.)
  1. https://github.com/notaryproject/specifications/milestone/15
  1. https://github.com/notaryproject/notation-go/milestone/8

### Notes
- We have resolved several issues reported by the audit team; however, there are still a few that require further follow-up.
- Feynman mentioned that a user will be creating an issue requesting the signing of multi-arch images in the Notary Project. We will triage this issue once it has been created.
- We continued triaging issues in the `specification` and `notation-go` repositories. There are still 8 issues in the `notation-go` repository that haven't been triaged yet; they will be moved to the next meeting.

### Recording
https://www.youtube.com/watch?v=W1G1hfXrFZM

## Oct 28 2024

### Attendees
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Shiwei Zhang (Microsoft)
- Yi Zha (Microsoft)
- Pritesh Bandi (Amazon)
- Feynman Zhou (Microsoft)

### Agenda Items
- Security audit and Notation v1.3.0-rc.2 plan (Yi)
- Triage issues in the `Discuss` milestones (Cont.)
  1. https://github.com/notaryproject/notation/milestone/9
  2. https://github.com/notaryproject/specifications/milestone/15
  3. https://github.com/notaryproject/notation-go/milestone/8

### Notes
- The Security Audit review meeting was scheduled for Wednesday. We will align the next steps with the audit team and come up with a detailed plan for Notation v1.3.0-rc.2.
- We completed the clean-up of the `discuss` milestone for `notation`, and part of it for `specification` issues.
- Need to follow up on https://github.com/notaryproject/specifications/issues/201 to understand whether it was already fixed or is still valid.

### Recording
- https://www.youtube.com/watch?v=-kFB6oFgXec

## Oct 21 2024

### Attendees
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Shiwei Zhang (Microsoft)
- Toddy Mladenov (Microsoft)
- Yi Zha (Microsoft)
- Pritesh Bandi (Amazon)
- Feynman Zhou (Microsoft)
- Sajay Antony (Microsoft)
- Vani Rao (Amazon)

### Agenda Items
- Security Audit status check-in
  - Draft report is available today. Maintainers are suggested to review it this week
  - Find a schedule for the restitution meeting next week
- KubeCon NA 2024 readiness & [KubeCon EU 2025 CFP](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/program/cfp/) (deadline is Nov 24, 2024)
- Triage issues in the `Discuss` milestones
  1. https://github.com/notaryproject/notation/milestone/9
  2. https://github.com/notaryproject/specifications/milestone/15
  3. https://github.com/notaryproject/notation-go/milestone/8

### Notes
- Regarding the Scarf tool adoption, we need to figure out how to make the existing distribution channels (GitHub/Homebrew/Winget) verifiable before enabling this tool.
- Security Audit status check-in: the draft report is available today. Maintainers are suggested to review the report this week. Maintainers also agreed to schedule a restitution meeting with the OSTIF team next Wednesday morning Pacific time.
- Feynman will confirm the highlights of KubeCon NA 2024 with Toddy for the Notary Project maintainers track. We will also prepare the [KubeCon EU 2025 CFP](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/program/cfp/) before Nov 24, 2024.
- We triaged two issues and moved them to the "Future" milestone.
  - https://github.com/notaryproject/notation/issues/539
  - https://github.com/notaryproject/notation/issues/644

### Recording
https://youtu.be/XANOqrKKBgo?t=376

## Oct 14 2024

### Attendees
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Shiwei Zhang (Microsoft)
- Yi Zha (Microsoft)
- Pritesh Bandi (Amazon)
- Feynman Zhou (Microsoft)
- Sajay Antony (Microsoft)
- Vani Rao (Amazon)
- Avi Press (Scarf)
- Arjun Devarajan (Scarf)

### Agenda Items
- Scarf intro (Scarf team)
  - A short demo
  - Case studies about other CNCF projects (e.g. Falco, Dapr). How are they using Scarf to track adoption?
  - Q&A
- Security Audit status check-in (Yi)
- Review [proposal for the Notation v2.x plan](https://github.com/notaryproject/notation/issues/1062) (Yi)

### Notes
- Scarf Team: Introduced Scarf, gave a demo, and answered questions.
- Security Audit Status (Yi):
  - Report is under preparation.
  - Plan for Notation v1.3.0-rc.2 to address audit issues; stable release one week after if no issues are found.
- Notation v2.x Plan (Yi):
  - Refer to issue [#1062](https://github.com/notaryproject/notation/issues/1062).
  - Pritesh to summarize the blob signing feature for handover.
  - No resources from the AWS side for implementation until end of 2024 (Vani). Pritesh and Raksh can review PRs and join discussions.
  - Pritesh to check with Milind on attestations; track via issue [#1067](https://github.com/notaryproject/notation/issues/1067).

### Recording
https://youtu.be/Rdbyp20JQk8?si=mIQcTKqZgiNEqhV_

## Oct 7 2024

### Attendees
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Shiwei Zhang (Microsoft)
- Yi Zha (Microsoft)
- Pritesh Bandi (Amazon)
- Feynman Zhou (Microsoft)
- Sajay Antony (Microsoft)

### Agenda Items
- Notation v1.3.0-rc.1 status check-in (Yi)
- Security Audit status check-in (Yi)

### Notes
- Notation v1.3.0-rc.1:
  - Only the Notation CLI `v1.3.0-rc.1` has not been released yet. We are targeting releasing it before the end of Oct 8 2024 Pacific time.
- Security Audit:
  - It is in process.
  - The audit team has completed reviewing the Timestamping feature.
  - They are reviewing the CRL feature.
  - They will report issues not only related to security but also "bad practice".
  - They will switch to notation v1.3.0 for testing regarding CRL.
- Feynman shared the tool [Scarf](https://about.scarf.sh/scarf-measure-open-source-software-adoption) that could be useful for measuring adoption. Feynman will invite the Scarf team to join the Notary Project meeting next Monday for a basic intro and Q&A.

### Recording
- https://www.youtube.com/watch?v=O8y_HbTW91E

## Sep 23 2024

### Attendees
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Shiwei Zhang (Microsoft)
- Yi Zha (Microsoft)
- Pritesh Bandi (Amazon)

### Agenda Items
- Review CRL PRs and approve fuzz testing PRs (Yi)
  - https://github.com/notaryproject/notation-go/pull/462
  - https://github.com/notaryproject/notation/pull/1043
- Triage issues for Notation v2.x (Yi)
- Can any maintainer help to host the community meeting next Monday, as there are upcoming public holidays in Mainland China 10/1 - 10/7 UTC+8?

### Notes
- We need to release Notation `v1.3.0-rc.1` for security audit purposes by the end of this month.
- Fuzz testing PRs will not block our releases.
- `notation-core-go` is ready for the `v1.2.0-rc.1` release.
- We will triage issues on Oct 8, 2024 with more folks joining.

### Recording
- https://youtu.be/pf6CCZhsdOw

## Sep 9 2024

### Attendees
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Shiwei Zhang (Microsoft)
- Yi Zha (Microsoft)
- Pritesh Bandi (Amazon)
- Vani Rao (Amazon)

### Agenda Items
- Security Audit on Sep 20 (Yi)
  - Target release: v1.3.0-rc.1
  - CRL PRs: https://github.com/notaryproject/notation-core-go/pull/214
- Triage issues for Notation v2.x (Yi)
  - Using referrers API by default for storing signatures
  - Blob signing
  - Attestations
- Incoming public holidays in Mainland China
  - Mid-Autumn Festival: 9/15 - 9/17 UTC+8
  - National Day: 10/1 - 10/7 UTC+8

### Notes
- **Pritesh** confirmed that he will review CRL PRs starting from Sep 10
- **Vani** will update engineering resources status in the near future
  - Currently, we do not have any resources from the AWS team assigned to work on the following issues:
    - Using referrers API by default for storing signatures
    - Blob signing
- In the meeting, we triaged some issues under the `Future` milestone. Features planned for Notation v2 will be labelled with `v2`. We will assign a specific milestone once we determine the assignee and set the priorities.

### Recording
- https://youtu.be/Rdbyp20JQk8

## Aug 26 2024

### Attendees
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Shiwei Zhang (Microsoft)
- Yi Zha (Microsoft)
- Feynman Zhou (Microsoft)
- Pritesh Bandi (Amazon)
- Vani Rao (Amazon)

### Agenda Items
- KubeCon recap (Yi & Feynman)
  - https://kccncossaidevchn2024.sched.com/event/1eYcD?iframe=no
  - https://kccncossaidevchn2024.sched.com/event/1eYY0?iframe=no
- Release Notation v1.2.0 by Aug 30 (Yi)
- Release plan for Security Audit on Sep 20 (Yi)
  - Target release: v1.3.0-rc.1
  - Estimated 4 CRL PRs: 2 for `notation-core-go`, 1 for `notation-go` and 1 for `notation`
  - The first one is ready for review: https://github.com/notaryproject/notation-core-go/pull/214

### Meeting Notes
- **Yi** and **Feynman** did a brief recap on KubeCon China in Hong Kong. We now have a new adopter, Alibaba Cloud, who implemented a notation plugin for Alibaba secret manager.
- We aligned and started the `v1.2.0` release process for `specifications`, `notation-core-go`, `notation-go` and `notation`
- We aligned that we need at least release `v1.3.0-rc.1` for the security audit, and the CRL PRs are ready for review now.
- **Pritesh** brought up the `v2.0.0` release. We aligned that we will first align the scope for `v2.0.0` and then discuss the timeline. We will follow it up next Monday.

### Recording
- https://www.youtube.com/watch?v=Q7yVE5eFgVU

## Aug 19 2024

### Attendees
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Shiwei Zhang (Microsoft)
- Pritesh Bandi (Amazon)
- Vani Rao (Amazon)

### Agenda Items
-

### Meeting notes
- We walked through the notation CLI repo release and maintainers to vote. Patrick will create an issue.

### Recording
- https://www.youtube.com/watch?v=2mOB1ekPExs

## Aug 13 2024

### Attendees
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Sajay Antony (Microsoft)
- Yi Zha (Microsoft)

### Agenda Items
- Notation v1.2.0 release status check-in (Yi)

### Meeting notes
- Most folks are OOF
- We quickly walked through the current PRs for the Notation `v1.2.0-rc.1` releases

### Recording
- https://www.youtube.com/watch?v=k_ZUfDOi-Lg

## Aug 5 2024

### Attendees
- Shiwei Zhang (Microsoft)
- Patrick Zheng (Microsoft)
- Vani Rao (Amazon)
- Junjie Gao (Microsoft)
- Yi Zha (Microsoft)

### Agenda Items
- Release activities (Yi)
  - Notation v1.2.0-rc.1 release
    - PRs:
      - https://github.com/notaryproject/notation-core-go/pull/215 (Mandatory)
      - https://github.com/notaryproject/notation-go/pull/429 (Mandatory)
      - https://github.com/notaryproject/notation/pull/1002 (Mandatory)
      - https://github.com/notaryproject/notation-go/pull/432 (Nice to have)
  - Notary Project specifications v1.1.0-rc.1 release
  - Proposal of an ad-hoc release meeting this week.
- Triage issues (Yi)

### Notes
- PRs for **Pritesh** to review (Mandatory)
  1. https://github.com/notaryproject/notation-core-go/pull/215
  1. https://github.com/notaryproject/notation-go/pull/429
  1. https://github.com/notaryproject/notation/pull/1002
- PRs for **Pritesh** (Nice to have)
  - https://github.com/notaryproject/notation-go/pull/432
- Notary Project specifications
  - We will release `specifications` `v1.1.0-rc.1` this week.
- **Vani** will discuss with **Pritesh** about the release meeting this week. It is expected that the meeting will be scheduled no later than Aug 8 Pacific time.
- The release order of repositories:
  - Notation `v1.2.0-rc.1`: `tspclient-go` --> `notation-core-go` --> `notation-go` --> `notation`
  - Notary Project specifications `v1.1.0-rc.1`: `specifications`

### Recording
https://www.youtube.com/watch?v=3X7puT7K_xk

## Jul 29 2024

### Attendees
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Pritesh Bandi (Amazon)
- Junjie Gao (Microsoft)
- Yi Zha (Microsoft)
- Sajay Antony (Microsoft)

### Agenda Items
- Notation v1.2.0 release (Yi)
  - ETA: rc.1 on Aug 7 and stable on Aug 16
  - Align Notation v1.2.0 release method
    - repos `notation`, `notation-go` and `notation-core-go`
      1. Cut a release branch from main
      1. Remove code for blob signing
    - repo `specification` v1.1.0
      - option 1: cut release from main
      - option 2: cut a release branch from main and remove spec for blob signing
- Notation v1.3.0 scope and timeline (Yi)
  - ETA: Sep 16, 2024
    - To meet the security audit starting from Sep 16, 2024
  - Feature: Timestamping
  - Feature: Revocation checking with CRL
- Triage issues (Yi)

### Notes
- We aligned on the release method during the meeting: for `notation`, `notation-go`, `notation-core-go` and `specifications`, we will keep the blob signing work in main, cut a release branch from main and remove the blob signing work from the release branch. In other words, blob signing will not be released in Notation v1.2.0 and specification v1.1.0.
- We aligned on the v1.3.0 scope and timeline. The CRL feature is the mandatory feature for v1.3.0. v1.3.0 will be used for the security audit.
- We aligned that v2.0.0 can be started in parallel. The major version is stepped, since the feature `notation sign` using the referrers API by default is a breaking change. This feature will be prioritized for v2.0.0, and we can plan a v2.0.0-alpha.1 release for customers to try it early.
- We triaged issues in the v1.2.0 milestones of the `notation-core-go` and `notation-go` repos. Additionally, we triaged issues in the v1.1.0 milestone of the `specifications` repo.

### Recording
- https://www.youtube.com/watch?v=ppB6yiMErFg

## Jul 22 2024

### Attendees
- Vani Rao (Amazon)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Junjie Gao (Microsoft)
- Yi Zha (Microsoft)
- Sajay Antony (Microsoft)

### Agenda Items
- Release Notation `v1.2.0-beta.1` (Yi)
- Next steps for Notation v1.2.0
  - Two weeks for testing and bug fixes
  - Release `v1.2.0-rc.1` after two weeks
- Plan for feature [revocation checking using CRL](https://github.com/notaryproject/notation/issues/990) (Yi/Junjie)

### Notes
- As previous releases took a long lead time, for example a week, we did a live release in the meeting. We successfully released `notation-core-go` `v1.1.0-beta.1` and `notation-go` `v1.2.0-beta.1`. The notation `v1.2.0-beta.1` will be released after the community meeting.
- We are aligned on the plan for feature [revocation checking using CRL](https://github.com/notaryproject/notation/issues/990) with additional comments from Pritesh.

### Recording
- https://www.youtube.com/watch?v=UEq3ibdb1XE

## Jul 15 2024

### Attendees
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Junjie Gao (Microsoft)
- Yi Zha (Microsoft)
- Sajay Antony (Microsoft)

### Agenda Items
- Celebrate two releases (Feynman):
  - [notation-action v1.1.0](https://github.com/notaryproject/notation-action/releases/tag/v1.1.0) with sign & verify multiple artifacts support and ability to use `notation plugin install`
  - [tspclient-go v0.1.0](https://github.com/notaryproject/tspclient-go/releases/tag/v0.1.0): the first release of the core library of Notation's timestamping
- Proposal: Release v1.2.0 early for OCI 1.1 support, and v1.3.0 for timestamp (Pritesh)
- Notation v1.2.0-beta.1 release status check-in (Yi)
- Review [flag names](https://github.com/notaryproject/notation/pull/978) for timestamping used by Notation CLI (Yi/Patrick)

### Notes
- Proposal: Release v1.2.0 early for OCI 1.1 support, and v1.3.0 for timestamp
  - We aligned in the meeting that we will stick to the current plan, that is: release v1.2.0-beta.1 by Jul 19, give two weeks for testing and bug fixes, then release v1.2.0-rc.1 in the first week of Aug, give one week for critical issues, and release v1.2.0 stable in the 2nd week of Aug
  - The Security Audit will not block the v1.2.0 release. It is scheduled for mid Sep and will be conducted on Notation v1.3.0 with revocation checking using CRL supported
  - The issue https://github.com/notaryproject/notation/issues/975 will not block the Notation v1.2.0 release. The current signature manifest complies with the OCI spec v1.1.0. We need to test to see whether the majority of registries support `artifactType`, and we need to update the specification accordingly. These need to be discussed further
- Review [flag names](https://github.com/notaryproject/notation/pull/978) for timestamping used by Notation CLI (Yi/Patrick)
  - Some comments were received on the flag `--tsa-root-certificate` for intermediate certs scenarios. Patrick will add the testing results of certificate chains in the response of the TSA, and we will finalize it by Wednesday.

### Recording
- https://www.youtube.com/watch?v=b-wkXKfdfbg

## Jul 8 2024

### Attendees
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Junjie Gao (Microsoft)
- Yi Zha (Microsoft)

### Agenda Items
- Timestamping feature (Yi)
  - Proposal of releasing tspclient-go 0.1.0 after the following PRs are merged
    - https://github.com/notaryproject/tspclient-go/pull/25
    - https://github.com/notaryproject/tspclient-go/pull/26
  - Align on [specification issue](https://github.com/notaryproject/specifications/issues/303#issuecomment-2205098156)
- Notation v1.2.0 scope changes (Pritesh/Yi)
- Vote for proposal https://github.com/notaryproject/.github/issues/76 (Yi)
- Follow-up from last meeting: any interest from AWS on [Project opportunities at KubeCon NA](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/program/project-opportunities/#about-project-participation)

### Notes
- **Patrick** will kick off the release of tspclient-go 0.1.0
- We had a discussion about the [issue](https://github.com/notaryproject/specifications/issues/303#issuecomment-2205098156), and the conclusion is to address the issue when there is a valid customer ask in the future. So this issue will be removed from the Notary Project specification v1.1.0 release and set to the `Future` milestone. Related PRs will be re-opened in the future. **Yi** will document timestamping use cases and mark
- Due to lack of resources on the AWS side, the Blob signing implementation will be paused for a while. It will be removed from the Notation v1.2.0 and v1.3.0 releases, and not be included in the scope of the security audit in Sep. Related PRs will be reverted from the main branch. We may consider a feature branch for blob signing.
- **Pritesh** will get back on the KubeCon NA opportunity.

### Recording
https://www.youtube.com/watch?v=2eZwygzDB2w

## Jul 2 2024

### Attendees:
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Junjie Gao (Microsoft)

### Agenda Items:
- Info and brainstorming: ACR and ECR are now compliant with OCI Spec v1.1. (Feynman)
  - [Additional tag pushed to registry during signature](https://github.com/notaryproject/notation/discussions/979)
  - [Using artifactType to identify the signature type while pushing](https://github.com/notaryproject/notation/issues/975)
- Timestamping PR review and discussion (Patrick/Pritesh)
  - https://github.com/notaryproject/specifications/issues/303
  - https://github.com/notaryproject/specifications/issues/304#issuecomment-2188219284
  - https://github.com/notaryproject/tspclient-go/pull/23
  - https://github.com/notaryproject/tspclient-go/pull/24
  - https://github.com/notaryproject/notation-core-go/pull/207
  - https://github.com/notaryproject/notation-go/pull/418
  - https://github.com/notaryproject/notation/pull/978
- v1.2.0 beta.1 status check-in (Feynman)
- Project opportunities at KubeCon NA (Feynman)

### Notes:
- Patrick will raise a PR to update the timestamping revocation check based on Milind's proposal in https://github.com/notaryproject/specifications/issues/304. Maintainers need to review and compare these two designs and make a decision by EoW
- Repo-level maintainers need to review these PRs after the community meeting:
  - https://github.com/notaryproject/tspclient-go/pull/23
  - https://github.com/notaryproject/tspclient-go/pull/24
  - https://github.com/notaryproject/notation-core-go/pull/207
  - https://github.com/notaryproject/notation-go/pull/418
  - https://github.com/notaryproject/notation/pull/978
- Toddy shared that he has submitted a proposal with a user from Mercedes-Benz for the KubeCon NA maintainer track. Pritesh will ask Niaz about the project opportunities at KubeCon NA
- Feynman shared two announcements of OCI v1.1 support from ECR and ACR. He encourages attendees to review these two issues offline:
  - [Additional tag pushed to registry during signature](https://github.com/notaryproject/notation/discussions/979)
  - [Using artifactType to identify the signature type while pushing](https://github.com/notaryproject/notation/issues/975)

### Recording:
https://youtube.com/live/KRQjnSdC4EA

## Jun 24 2024

### Attendees:
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Yi Zha (Microsoft)
- Vani Rao (Amazon)
- Junjie Gao (Microsoft)

### Agenda Items:
- Proposal for the Thursday meeting schedule (Vani/Toddy)
- TSA behaviors update, https://github.com/notaryproject/specifications/issues/304 (Patrick/Yi)
- Timestamping follow-up issues (Pritesh/Yi)
  - https://github.com/notaryproject/specifications/issues/302
  - https://github.com/notaryproject/specifications/issues/303
- Target date for Notation v1.2.0-beta.1 release (Yi)
  - Code freeze on Jul 16, release on Jul 19
  - Timestamping
    - https://github.com/notaryproject/tspclient-go/pull/18
    - https://github.com/notaryproject/notation-core-go/pull/207
  - Blob signing: https://github.com/notaryproject/notation-go/pull/394

### Notes:
- **Toddy** will create an issue in the `.github` repo for voting on the new schedule for the Thursday meeting
- We were aligned during the meeting that we will follow the workflow described in the [issue](https://github.com/notaryproject/specifications/issues/304), and iterate on it with new requirements in the future.
- We were aligned that the SHA1 alg will not be supported, but we are open to discussing it if there are issues or requirements from any users in the future. So this issue https://github.com/notaryproject/specifications/issues/302 can be closed.
- We discussed this [issue](https://github.com/notaryproject/specifications/issues/303) in the meeting, and option 2 seems the best solution for now, but **Pritesh** expects **Milind** to provide comments.
- The new target date Jul 19 is tentative, as we need to review at least 8 PRs in 3 weeks. **Vani** will see whether any more resources can help with PR review. **Pritesh** will help to prioritize PR review in upcoming weeks.

### Recording:
https://www.youtube.com/watch?v=tvAgTN4IJrU

## Jun 20 2024

### Attendees:
- David Dooling (Docker)
- Toddy Mladenov (Microsoft)
- Vani Rao (Amazon)

### Agenda Items:
- Ad-hoc (Vani) discussion about the schedule and purpose of the Thursday meeting

### Meeting Notes
- Proposal: Change the schedule to once a month; first Thursday of the month
- Topics to discuss on the Thursday
  - Long term planning
  - Review of the community progress
  - Release blockers

### Recording
https://www.youtube.com/watch?v=2CZvCDyyuEA

## Jun 17 2024

### Attendees:
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Yi Zha (Microsoft)
- Vani Rao (Amazon)

### Agenda Items:
- Notation v1.1.1 and v1.2.0-alpha.1 released (Yi)
- Walk through PR comments (Yi)
  - Timestamping:
    - spec: https://github.com/notaryproject/specifications/pull/290
    - tspclient: https://github.com/notaryproject/tspclient-go/pull/18
- Notation GitHub Action enhancements (open discussion from Feynman):
  * Request to release Notation GHA v1.0.2 with [Notation v1.1.1 upgrade](https://github.com/notaryproject/notation-action/pull/60), issued in [#61](https://github.com/notaryproject/notation-action/issues/61)
  * Plugin prefix problem: Error with aws signer plugin · [Issue #58](https://github.com/notaryproject/notation-action/issues/58)
  * Support signing multiple images at once · [Issue #59](https://github.com/notaryproject/notation-action/issues/59)
  * Move the plugin installation properties from sign to setup action · [Issue #55](https://github.com/notaryproject/notation-action/issues/55)
  * Brainstorming (if time permits): Best practice of using Notation GHA to sign OSS projects - [questions from the community](https://github.com/notaryproject/notation/issues/905#issuecomment-2158840717)

### Notes:
- It took an additional 2 weeks to release v1.1.1 and v1.2.0-alpha.1; **Yi** suggested that we should have a meeting to discuss how to improve the release process.
- In the meeting, we walked through some comments in the [spec PR](https://github.com/notaryproject/specifications/pull/290) and [tspclient PR](https://github.com/notaryproject/tspclient-go/pull/18); all the spec comments were addressed. **Yi** created an issue to track any follow-up actions on handling the TSA SHA-1 alg. **Pritesh** will review these two PRs again.
- **Pritesh** asked for review on https://github.com/notaryproject/notation-go/pull/394
- Notation GitHub Action enhancements
  - **Patrick** pointed out that [Issue #58](https://github.com/notaryproject/notation-action/issues/58) may not be a bug; **Pritesh** will confirm it.
  - **Pritesh** will check with **Samir** on GitHub actions documentation.
  - **Feynman** will create an issue to track the `.sig` filename convention for GitHub to evaluate signed release assets.
  - **Feynman** will create an issue to track signing notation release assets.
  - We did not have time for the brainstorming: Best practice of using Notation GHA to sign OSS projects - [questions from the community](https://github.com/notaryproject/notation/issues/905#issuecomment-2158840717)

### Recording:
- https://www.youtube.com/watch?v=F130qhNIr7U

## Jun 10 2024

### Attendees:
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Yi Zha (Microsoft)
- Vani Rao (Amazon)

### Agenda Items
- Quick update (Yi)
  - Notary Project Security Audit 2024 updated plan
    - Notary Project v1.3.0 - Mid Sep 2024
  - KubeCon China 2024 - Hong Kong - 21-23 Aug 2024
    - Two CFPs were accepted
      - Strengthening Container Security: A Collaborative Journey - Yi and Beltran from Bitnami
      - Safeguarding Cloud Native Supply Chain - Notary Project Intro, What's New and Coming Next - Yi and Mostafa from CloudRoads
    - Project booth (To be submitted)
- Notation v1.1.1 and v1.2.0-alpha.1 release (Yi)
- Walk through PR comments:
  - Timestamping support
    - `specification`: https://github.com/notaryproject/specifications/pull/290
    - `tspclient-go`: https://github.com/notaryproject/tspclient-go/pull/17
    - `tspclient-go`: https://github.com/notaryproject/tspclient-go/pull/18
  - Blob signing
    - `notation-go`: https://github.com/notaryproject/notation-go/pull/394
    - `notation`: https://github.com/notaryproject/notation/pull/856
    - `notation`: https://github.com/notaryproject/notation/pull/888

### Notes
- Yi did a quick update on Security Audit 2024 and KubeCon China CFPs status; see the corresponding agenda item for details
- Continue Notation v1.1.1 and v1.2.0-alpha.1 release this week
- We walked through comments in the following PRs
  - `specification`: https://github.com/notaryproject/specifications/pull/290
    - Action for **Patrick** to investigate various TSA behaviors of certificate chain
  - `tspclient-go`: https://github.com/notaryproject/tspclient-go/pull/17
  - `tspclient-go`: https://github.com/notaryproject/tspclient-go/pull/18
  - `notation-go`: https://github.com/notaryproject/notation-go/pull/394

### Recording
- https://www.youtube.com/watch?v=WGDZMIdq6mo

## Jun 6 2024

### Attendees:
- David Dooling (Docker)
- Toddy Mladenov (Microsoft)

### Agenda Items
- No agenda

### Notes
- Due to no agenda and people being out, we dropped from the meeting 10 mins after

### Recording
https://www.youtube.com/watch?v=w6R6z83geCc

## Jun 3 2024

### Attendees:
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Yi Zha (Microsoft)

### Agenda Items
- Notation v1.1.1 and v1.2.0-alpha.1 release (Yi)
- Security Audit status update and next step (Yi)
  - New target date?
- PRs:
  - Timestamping support
    - `specification`: https://github.com/notaryproject/specifications/pull/290
    - `tspclient-go`: https://github.com/notaryproject/tspclient-go/pull/17
    - `tspclient-go`: https://github.com/notaryproject/tspclient-go/pull/18
  - Blob signing
    - `notation-go`: https://github.com/notaryproject/notation-go/pull/394
    - `notation`: https://github.com/notaryproject/notation/pull/856
    - `notation`: https://github.com/notaryproject/notation/pull/888

### Notes
- **Junjie** will collaborate with **Pritesh** to release `notation v1.1.1` and `notation v1.2.0-alpha.1`
- Security Audit
  - We are aiming to do the security audit in one shot; the proposed new date is **mid Sep, 2024**
  - The target release will be Notation v1.3.0, including the `notation`, `notation-go`, `notation-core-go`, `tspclient-go` and `specifications` repositories.
  - Features in the audit scope: Timestamping support, Blob signing, Revocation checking using CRL
  - We can start the security audit once the Notation v1.3.0 release candidate is ready

### Recording
- https://www.youtube.com/watch?v=EQRW7OkUMVc

## May 30 2024

### Attendees:
- David Dooling (Docker)
- Toddy Mladenov (MSFT)
- Vani Rao (Amazon)

### Agenda Items:
- Announcements (ToddySM)
  - Archival of the `notary` repository
    - https://github.com/notaryproject/.github/issues/70
  - KubeCon NA 2024 maintainers track
- Security audit meeting (Vani)

### Notes:
- Archival of `notary` repository
  - Peter Goodall from Docker and Toddy are working on a plan for Docker Content Trust (DCT) and target July 1st 2024 for completing the plan. Will update the community at that time.
- KubeCon NA 2024
  - By then we should have a good idea about the DCT deprecation - we should plan for that
  - Also plan for the announcements of new features and plans for upcoming work
- Security audit meeting
  - Do we need all three features to have the audit before June 24th? Most probably we won't have timestamp and blob signing, and we can add the CRL feature after that. Is there any cost effectiveness?

### Recording:
https://www.youtube.com/watch?v=1O2Us9VanM4

## May 28 2024

### Attendees:
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Yi Zha (Microsoft)

### Agenda Items:
- Kick off Notation `v1.1.1` and `v1.2.0-alpha.1` releases, see [details](https://github.com/notaryproject/notation/issues/947#issuecomment-2124182742)
- Final call on PRs
  - https://github.com/notaryproject/notation-go/pull/405
  - https://github.com/notaryproject/notation-go/pull/402 (Depends on 405)
  - https://github.com/notaryproject/notation/pull/834
  - https://github.com/notaryproject/notation/pull/933
- Conclude [Timestamping workflows](https://github.com/notaryproject/specifications/issues/301#issuecomment-2132478597)
  - spec is ready for review https://github.com/notaryproject/specifications/pull/290
- Reminder: 2nd Security audit meeting at 8:00 am on May 30

### Notes:
- In the meeting, we agreed on the release plan for `v1.1.1` and `v1.2.0-alpha.1`. **Junjie** will collaborate with **Pritesh** on the release PRs.
- We agreed on the [summary](https://github.com/notaryproject/specifications/issues/301#issuecomment-2132478597) that **Patrick** added
- The specification has been updated by **Patrick** to reflect the recent discussions. **Pritesh** is going to review the [spec PR](https://github.com/notaryproject/specifications/pull/290) this week.
### Recording:

https://www.youtube.com/watch?v=krVXz-K6sPI

## May 20 2024

### Attendees:

- Milind Gokarm (Amazon)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Pritesh Bandi (Amazon)
- Vani Rao (Amazon)
- Yi Zha (Microsoft)

### Agenda Items:

- Conclude the [poll](https://github.com/notaryproject/specifications/issues/301) (Pritesh/Yi)
  - Vote results
  - Discuss [the toggle to switch between option 1 and option 2](https://github.com/notaryproject/specifications/issues/301#issuecomment-2115536377)
- [Proposal for Notation patch release](https://github.com/notaryproject/notation/issues/947) (Yi)

### Notes

- Summary of the [vote](https://github.com/notaryproject/specifications/issues/301)
  - Option 2 is the default behavior.
  - **Milind** proposed using the following new parameter in the trust policy for users to switch between option 1 and option 2. Participants in the meeting agreed on this proposal.

    ```
    "signatureVerification": {
        "level": "strict",
        "verifyTimestamp": "afterCertExpiry" | "always"
    }
    ```

    The default value of `verifyTimestamp` is `always` (option 2 in the vote). If users do not specify this parameter, signature verification behaves the same as with `verifyTimestamp` set to `always`.
  - **Pritesh** summarized 4 cases:
    - case 1: TrustPolicy contains a TSA trust store and the signature contains a timestamp
      - By default, always verify the timestamp irrespective of whether the signing cert is expired or not. If timestamp verification fails, fail signature verification. If users set `verifyTimestamp` to `afterCertExpiry`, the timestamp will be verified only if the signing certificate has expired.
    - case 2: TrustPolicy contains a TSA trust store and the signature doesn't contain a timestamp
      - TBD, need to follow up on the behavior of this case.
    - case 3: TrustPolicy doesn't contain a TSA trust store and the signature contains a timestamp
      - Don't verify the timestamp; fail signature verification if the signing certificate has expired.
    - case 4: TrustPolicy doesn't contain a TSA trust store and the signature doesn't contain a timestamp
      - Don't verify the timestamp.
- Patch release
  - We did not have much time to discuss it. **Yi** will follow up with **Vani** and **Pritesh** offline.

### Recording

- https://youtu.be/RwRwIZ7qdpU

## May 13 2024

### Attendees:

- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Pritesh Bandi (Amazon)
- Sajay Antony (Microsoft)
- Toddy Mladenov (Microsoft)
- Vani Rao (Amazon)
- Yi Zha (Microsoft)

### Agenda Items:

- Discuss and summarize the [slack conversation](https://cloud-native.slack.com/archives/CQUH8U287/p1715294129223819) (Yi)
- Notation v1.2.0 release status check-in. Proposal to release a Notation 1.1.1 patch release and a Notation v1.2.0-beta release (Yi)
  - Signing blob
  - Timestamping support

### Notes:

- The meeting participants discussed the [slack conversation](https://cloud-native.slack.com/archives/CQUH8U287/p1715294129223819), but did not reach consensus. **Pritesh** will create an issue in the specification repo and ask for a vote on the desired behaviors; the vote will be closed before EOD of May 16 2024 Pacific time.
- **Yi** shared the plan to release the Notation v1.1.1 patch release and the Notation v1.2.0-beta release by end of May 2024. **Yi** also mentioned that we should speed up PR reviews for v1.2.0 features and, with a beta release first, we can make progress in an iterative way. The meeting participants agreed on this proposal. **Pritesh** will start resolving comments on his own PR and review the tspclient-go PRs.
### Recording:

- https://www.youtube.com/watch?v=MYoh8EeDT0o

## May 9 2024

### Attendees:

- James Carnegie (Docker)
- Toddy Mladenov (Microsoft)
- Vani Rao (Amazon)
- David Dooling (Docker)
- Akash Singhal (Microsoft)

### Agenda Items:

- Open discussion

### Meeting Notes:

- Vani will work with Yi on the 1.2.0 release.
- James mentioned that it is on their agenda to support TUF metadata in the OCI.
  - Idea: For Notary Project to distribute policies using TUF
  - Have trusted roots for each of the vendors
- James' Document for TUF https://docs.google.com/document/d/1PoZpb8R-kK26MsEGWbSMofCBjbVTUcgTS2eahaqBME4/edit
  - James would like to make more progress on this document. There are still open questions about the level at which the snapshot is taken.
- James and Toddy discussed Toddy's lineage document (https://docs.google.com/document/d/1l2BLEy9pGPciKNkkss0fAyQQGe6DcYiMrhcRrYOpSjY/edit?usp=sharing) and both agreed that for the purpose of Toddy's scenario there is no need to store the history in an OCI artifact (James proposed in-toto attestations that capture the tags at build time). For TUF metadata purposes, there is no need to store the whole stream history but only the latest snapshot. The decision is to not continue work on Toddy's document.

### Recording

https://www.youtube.com/live/e1OSQp2Ad0U?si=NEgpBaE5k5Ff4R7g

## May 6 2024

### Attendees:

- Shiwei Zhang (Microsoft)
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Pritesh Bandi (Amazon)
- Sajay Antony (Microsoft)
- Yi Zha (Microsoft)

### Agenda Items:

- Continue the discussion of trust policy 2.0 (Patrick)
  - Add new parameters for Timestamping, see [PR 290](https://github.com/notaryproject/specifications/pull/290/files?short_path=d4d91f8#diff-d4d91f8c71de756a442dba4d5107df61a94955a82a0f1cce75657953fceee12d)
  - [A new issue](https://github.com/notaryproject/specifications/issues/300) was identified.
    - Allow the "keyUsage" extension for the TSA root CA certificate without marking it as critical, for compatibility with some existing CAs that are well established in the ecosystem.
- Notation v1.2.0 release status check-in (Yi)
  - Signing arbitrary blob
  - Timestamping support

### Notes

- Before **Pritesh** joined, we discussed the release of Notation v1.2.0 and **Yi** suggested a possible patch release as a backup plan in case of delays. We did not reach any conclusion in the meeting.
- Continue the discussion of trust policy 2.0
  - **Patrick**, **Pritesh**, **Shiwei** and **Yi** are aligned that the timestamping check depends on whether users set up a trust store of the `tsa` type or not. If they do, the check is on; if they don't, the check is off. We may add a new option to control this behavior later if users ask for it.
  - **Shiwei** mentioned a way to make a copy of the trust policy file for easily toggling `tsa` stores, especially when users have configured many `tsa` stores.
  - **Pritesh** suggested keeping trust policy 1.0 for timestamping support, and considering introducing different trust store types for trusted identities if there are real use cases in the future.
  - **Pritesh** will work with Milind on the following items and will update the community soon:
    - The behavior of verification levels `audit` and `skip` for Authentic timestamp
    - Whether the trusted identities specified in `trustedIdentities` are applied to all the trust stores specified in `truststores`

### Recording

- https://www.youtube.com/watch?v=QTn6nPorV34

## May 2nd 2024

### Attendees:

- Akash Singhal (MSFT)
- David Dooling (Docker)
- James Carnegie (Docker)
- John Kjell (TestifySec)
- Toddy Mladenov (MSFT)
- Tom Meadows (TestifySec)

### Agenda Items:

- Thomas Meadows from TestifySec/in-toto will share his feedback on implementing COSE signatures for in-toto attestations
- Postponed from previous meetings
  - TUF Metadata/tag stream discussion (ToddySM)
    - https://docs.google.com/document/d/1l2BLEy9pGPciKNkkss0fAyQQGe6DcYiMrhcRrYOpSjY/edit?usp=sharing
  - Tag signing discussion (ToddySM)
  - Attestations discussion (ToddySM)

### Notes:

- Tom went over the following:
  - Witness has the concept of attesters (collectors of metadata)
  - There are different types of attesters (trying to expand the number of attesters)
  - Struggle with the different ways to unwrap and inspect the predicates; there are differences in the use of envelope types
    - DSSE is one example way to create an envelope (wrap the predicate and attach the signature to it); Notary Project supports COSE and JWS
    - The problem is that verifiers fail if they don't support the envelopes (less of a problem on the signing side), so the verifier needs to understand all the envelopes
  - Feedback on COSE
    - Struggle is the understanding of encrypted (protected) and unencrypted (unprotected) headers. He wasn't sure whether he was using the library correctly to add the necessary headers.
    - What exactly is Sign1Message (needs very deep knowledge of the COSE spec)?
  - He also demoed his prototype where he wraps the attestations in a COSE envelope
  - His appeal is to have a common way to sign and verify signatures in different formats (and use the DSSE image-signer-verifier interface)
    - (Akash) sees that approach also helpful for Ratify
- Useful links
  - https://github.com/secure-systems-lab/go-securesystemslib/ (eventually implement all those capabilities in that library)
  - https://github.com/in-toto/attestation/issues/179 (Resource Descriptor predicate)
  - Verification Attestor: https://github.com/in-toto/go-witness/pull/55
  - Witness CLI COSE Envelope: https://github.com/ChaosInTheCRD/witness/tree/envelope-interface-test
  - go-witness Enveloper Interface (with COSE): https://github.com/ChaosInTheCRD/go-witness/tree/enveloper-interface

### Recording:

[Recording](https://www.youtube.com/live/zU33XqWdq1k?si=y_4jP0vhg2IxOlJ4)

## Apr 29 2024

### Attendees:

- Shiwei Zhang (Microsoft)
- Junjie Gao (Microsoft)
- Vani Rao (Amazon)
- Pritesh Bandi (Amazon)
- Sajay Antony (Microsoft)
- Toddy Mladenov (Microsoft)
- Yi Zha (Microsoft)

### Agenda Items:

- Proposal of trust policy 2.0 (Yi)
  - Add new parameters for Timestamping, see [PR 290](https://github.com/notaryproject/specifications/pull/290/files?short_path=d4d91f8#diff-d4d91f8c71de756a442dba4d5107df61a94955a82a0f1cce75657953fceee12d)
  - [A new issue](https://github.com/notaryproject/specifications/issues/300) was identified.
- Certificate requirement (Yi)
  - Allow the "keyUsage" extension for the TSA root CA certificate without marking it as critical, for compatibility with some existing CAs that are well established in the ecosystem.
- Request org maintainers to review [Contributor ladder PR](https://github.com/notaryproject/.github/pull/75) (Yi)
- Triage issues if time allows. (Yi)

### Notes:

- If the signing certificate expires, then the Authentic timestamp level will be checked. If it is skipped, we need to confirm the current implementation; we would like to fail signature verification in this case, but this needs further clarification with Milind as he originally designed this.
- If we introduce a `timestampVerification` parameter, @priteshbandi suggested in the community meeting not configuring any tsa trust store if and only if the level is to be skip, so that we don't need to introduce the level field.
- @pritesh: Not having any trust store of type tsa implicitly means the verifier doesn't trust any TSA, thus Notation should not evaluate any timestamp signature.
- @pritesh: a list of free TSAs: https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710
- @pritesh: CA/B Forum notes about expiry of timestamping cert validity https://cabforum.org/2022/01/27/2022-01-27-minutes-of-the-code-signing-certificate-working-group/#timestamping-certificate-validity-period, expected Ian's comment. The current practice is that TSA cert expiry is not validated.
- @pritesh: if `expiryRelaxed` is true by default, then maybe we can drop this parameter. Pritesh's opinion is that the default value can be true.
- We only covered the first bullet of the first topic today, and will continue the discussion next week.

### Recording:

https://www.youtube.com/watch?v=TiPoztLJjQw

## Apr 22 2024

### Attendees:

- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Junjie Gao (Microsoft)
- Patrick Zheng (Microsoft)
- Vani Rao (Amazon)
- Sajay Antony (Microsoft)
- Toddy Mladenov (Microsoft)
- Yi Zha (Microsoft)

### Agenda Items:

- Demo how the suggested changes for Timestamping support would affect the trust policy. Here is [the PR](https://github.com/notaryproject/specifications/pull/290) with details (Patrick)
- Align Notation CLI Error Handling and Message guideline in [PR](https://github.com/notaryproject/notation/pull/834) and resolve corresponding issues in v1.2.0 (Feynman)
- Propose to reschedule the Security Audit 2nd meeting to UTC 15:00 May 30 (Feynman)
- Reminder: Org maintainers to review [contributor ladder PR](https://github.com/notaryproject/.github/pull/75)
- Triage issues if time allows (Yi)

### Notes:

- **Yi** requested maintainers to review the [contributor ladder PR](https://github.com/notaryproject/.github/pull/75).
- **Patrick** to follow up on the question from Shiwei on trusted identities for TSA in the trust policy.
- **Vani** to ask Pritesh to review the following PRs and confirm the new time for the security audit:
  - [the Timestamping spec PR](https://github.com/notaryproject/specifications/pull/290)
  - Error message guideline in [PR](https://github.com/notaryproject/notation/pull/834)
  - New time proposed for the security audit: 15:00 May 30 UTC
- Skipped triaging issues, will continue once Pritesh is back.

### Recording:

https://www.youtube.com/watch?v=qVHMkwv8n3M

## Apr 18 2024

### Attendees:

- Toddy Mladenov (MSFT)
- David Dooling (Docker)
- Akash Singhal (MSFT)

### Agenda Items:

- TUF Metadata/tag stream discussion (ToddySM)
  - https://docs.google.com/document/d/1l2BLEy9pGPciKNkkss0fAyQQGe6DcYiMrhcRrYOpSjY/edit?usp=sharing
- Tag signing discussion (ToddySM)
- Attestations discussion (ToddySM)

### Notes:

- (David) Attestations thoughts
  - Attestations added at creation. The way buildkit does it is preferable from Docker's perspective. Easy signal when the owner and maintainer is clear. Should be able to pull the attestation and figure out what has changed in the tag. Should be in the image index. Generally looking at in-toto. They are layers in the image, and that image appears as an image index object. It refers to the platform-specific image those attestations attest.
    - Example: https://explore.ggcr.dev/?image=rabbitmq%3Alatest
  - Attestations added after creation. For this one, referrers are the more viable solution. This introduces additional burden for the consumer.

### Recording:

[Recording](https://www.youtube.com/live/h2W9ODdAPMY?si=4y03FmFrUAVYdVNn)

## Apr 15 2024

### Attendees:

- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Junjie Gao (Microsoft)
- Patrick Zheng (Microsoft)
- Vani Rao (Amazon)
- Sajay Antony (Microsoft)
- Toddy Mladenov (Microsoft)
- Yi Zha (Microsoft)

### Agenda Items:

- Follow up on governance issue (Yi)
  - Org maintainers update https://github.com/notaryproject/notary/pull/1703
  - Next steps on archiving `notary` repo: https://github.com/notaryproject/.github/issues/70
  - Next steps on https://github.com/notaryproject/.github/issues/65
  - PRs requiring review
    - [doc: update contributing guide](https://github.com/notaryproject/.github/pull/25)
    - [chore: bring clarity to supermajority](https://github.com/notaryproject/.github/pull/74)
    - [chore: add contributor ladder](https://github.com/notaryproject/.github/pull/75)
- Any blockers for the [OCI 1.1 support PR](https://github.com/notaryproject/notation/pull/916) (Yi & Patrick)
- [bug: leaf certificate key usage should not forbid ContentCommitment](https://github.com/notaryproject/notation-core-go/issues/201) (Patrick)
- Updates on security audit (Yi)
- Triage issues if time allows (Yi)

### Notes:

- Aligned and merged PR https://github.com/notaryproject/notary/pull/1703
- **Yi** will close the following issues after confirming the necessary changes were made:
  - https://github.com/notaryproject/.github/issues/66
  - https://github.com/notaryproject/.github/issues/67
  - https://github.com/notaryproject/.github/issues/68
  - https://github.com/notaryproject/.github/issues/69
- Next steps on [Please replace Org maintainer Justin Cormack with James Carnegie](https://github.com/notaryproject/.github/issues/65)
  - **Vani** to ping Niaz for comments
  - **Vani** or **Toddy** can help to discuss it with David and James on this issue if they join the Thursday meeting
  - It has been 4 months since this issue was created; we can check the status in the project health check in Jun.
- Next steps on archiving `notary` repo: https://github.com/notaryproject/.github/issues/70
  - Need Docker folks to comment on this issue.
  - **Feynman** will contact `Jonny Stoten` for comments.
- PRs requested for **Pritesh** to review
  - https://github.com/notaryproject/notation/pull/834
  - https://github.com/notaryproject/notation/pull/916
  - [bug: leaf certificate key usage should not forbid ContentCommitment](https://github.com/notaryproject/notation-core-go/issues/201)
- **Vani** brought up the discussion of ensuring resource availability in the upcoming months to secure the feature delivery and security audit. We will discuss it in the community meeting next week.
- We will triage the issues in the `Discuss` and `Future` milestones when **Pritesh** joins the meeting properly next week.

### Recording:

https://www.youtube.com/watch?v=ElGH2TQkUlM

## Apr 8 2024

### Attendees:

- Pritesh Bandi (Amazon)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Junjie Gao (Microsoft)
- Vani Rao (Amazon)
- Yi Zha (Microsoft)

### Agenda Items:

- Follow up on governance issues (Yi)
  * https://github.com/notaryproject/tspclient-go/pull/21
  * https://github.com/notaryproject/tuf/pull/48 (need anyone)
  * https://github.com/notaryproject/notary/pull/1673 (can be merged but CI broken)
  * https://github.com/notaryproject/notary/pull/1703
  * James nomination https://github.com/notaryproject/.github/issues/65
- Install Codecov to Notary Project org (Shiwei/Junjie)
  - Codecov requires a token to upload code coverage in `v4` (`v3` stopped working)
  - Code coverage has not been updated since 2 months ago
  - Issue: https://github.com/notaryproject/.github/issues/72
  - PRs to review
    - [fix(ci): update codecov token](https://github.com/notaryproject/notation/pull/920) for notation
    - [fix(ci): update codecov token](https://github.com/notaryproject/notation-core-go/pull/199) for notation-core-go
- Preparation for Security Audit introductory meeting with OSTIF (Yi)
  - Repositories: `notation`, `notation-core-go`, `notation-go`, and `tspclient-go`
  - Releases
    - v1.2.0: Blob signing, Timestamping support
    - v1.3.0: Revocation check using CRL (Join the [CRL discussion](https://github.com/notaryproject/notation-core-go/discussions/198))
- Need maintainers to review the PR [Notation CLI Error Handling and Message Guideline](https://github.com/notaryproject/notation/pull/834) again. Error messages in new features are suggested to follow this guideline after we agree on it (Feynman)
- Triage issues if time allows (Yi)

### Notes:

- Follow up on governance issues (Yi)
  * https://github.com/notaryproject/tspclient-go/pull/21
    * This PR was merged
  * https://github.com/notaryproject/tuf/pull/48
    * This PR was reviewed and merged
  * https://github.com/notaryproject/notary/pull/1673
  * https://github.com/notaryproject/notary/pull/1703
    * Regarding these two PRs, maintainers during the meeting agreed on the following:
      * Following up on the [archiving `notary` issue](https://github.com/notaryproject/.github/issues/70), if we cannot reach consensus on archiving in one week, then we will review and address [the maintainers update PR](https://github.com/notaryproject/notary/pull/1703).
      * **Yi** will ask for comments from **David** and **James** from Docker in the [issue](https://github.com/notaryproject/.github/issues/65)
  * James nomination https://github.com/notaryproject/.github/issues/65
    * **Yi** will help to create a PR according to Niaz's comment in this [issue](https://github.com/notaryproject/.github/issues/65), and then tag Niaz and other maintainers for review.
- Install Codecov to Notary Project org (Shiwei/Junjie)
  - **Shiwei** explained the reason for doing this.
  - Maintainers in the meeting aligned on the need to update Codecov as described in the topic.
  - **Shiwei** will create an issue asking for votes in the `.github` repo, since Codecov needs to be installed on the Notary Project organization. The issue was created: https://github.com/notaryproject/.github/issues/72
- Preparation for Security Audit introductory meeting with OSTIF (Yi)
  - **Yi** gave a brief intro about the purpose of this meeting, and confirmed the audit scope:
    - Repositories: `notation`, `notation-core-go`, `notation-go`, and `tspclient-go`
    - Releases
      - v1.2.0: Blob signing, Timestamping support
      - v1.3.0: Revocation check using CRL
- Other topics were not discussed as we ran out of time.

### Recording:

- https://www.youtube.com/watch?v=gKeufLWmM4c

## Apr 4 2024

### Attendees:

- Beltran Rueda - Bitnami
- David Dooling - Docker
- Toddy Mladenov - Microsoft
- Tomas Pizarro - Bitnami
- Vani Rao - AWS

### Agenda Items:

- Ad-hoc
  - Using Notation for in-toto attestations (Beltran and Tomas)
- Org Maintainers PRs and issues (ToddySM)
  - https://github.com/notaryproject/.github/pull/71
  - https://github.com/notaryproject/notation-core-go/pull/196
  - https://github.com/notaryproject/notation-go/pull/393 (may be OK to merge if CI passes)
  - https://github.com/notaryproject/tspclient-go/pull/21
  - https://github.com/notaryproject/notation-plugin-framework-go/pull/23
  - https://github.com/notaryproject/notaryproject.dev/pull/400
  - https://github.com/notaryproject/specifications/pull/299
  - https://github.com/notaryproject/meeting-notes/pull/23
  - https://github.com/notaryproject/notation-action/pull/57
  - https://github.com/notaryproject/roadmap/pull/94
  - https://github.com/notaryproject/tuf/pull/48 (need anyone)
  - https://github.com/notaryproject/notary/pull/1673 (can be merged but CI broken)
  - https://github.com/notaryproject/notary/pull/1703 (Justin)
- Tag signing discussion (ToddySM)
- TUF Metadata/tag stream discussion (ToddySM)
  - https://docs.google.com/document/d/1l2BLEy9pGPciKNkkss0fAyQQGe6DcYiMrhcRrYOpSjY/edit?usp=sharing

### Notes:

- In-toto attestations
  - Bitnami - they only have SLSA provenance; they also have other artifacts (not wrapped in in-toto yet). In the future they would like to add SBOMs, vulnerability reports and others.
  - In-toto and DSSE https://docs.google.com/document/d/19mXclYjXjql1h3Yjijvev9tvALlT7cJQvbmJmk7IFCU/edit?usp=sharing
  - Attestations in CSSC Framework https://docs.google.com/document/d/1S3eWafFbQxlRlwpHWX2Xed6zEK93qnC4SfrZrwTz52c/edit?usp=sharing
- We skipped the TUF and tag signing discussion because James was out sick.
- @vaninrao10 will discuss with @NiazFK about updates to the governance docs so we can process James' nomination https://github.com/notaryproject/.github/issues/65
- @All - please approve the PR for org maintainers

### Recording:

https://www.youtube.com/watch?v=1404JmvDsEo

## Apr 1 2024

### Attendees:

- Pritesh Bandi (Amazon)
- Shiwei Zhang (Microsoft)
- Sajay Antony (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Yi Zha (Microsoft)

### Agenda Items:

- [HiPri] Governance items completion (ToddySM)
  - Steve Lasker stepping down https://github.com/notaryproject/.github/issues/66
  - Justin Cormack moved to emeritus https://github.com/notaryproject/.github/issues/68
  - Adding James Carnegie as org maintainer https://github.com/notaryproject/.github/issues/65
  - Number of maintainers https://github.com/notaryproject/.github/issues/60
  - Nominate Yi for Org Maintainer https://github.com/notaryproject/.github/issues/67
  - Nominate Vani for Org Maintainer https://github.com/notaryproject/.github/issues/69
  - Governance improvements plan https://github.com/notaryproject/.github/issues/51
  - Approve PR for hashicorp vault plugin https://github.com/notaryproject/notation-hashicorp-vault/pull/19
- OCI 1.1 support: [Votes for the flag name](https://github.com/notaryproject/notation/pull/916#issuecomment-2026452022) (Yi)
- Timestamping support (Yi)
- Plan [CRL support](https://github.com/notaryproject/notation-core-go/issues/125) for 1.3.0, and add it to the security audit
- Security Audit: schedule a meeting for initial discussion
  - 8:00 am Apr 10 PDT
  - 11:00 am Apr 10 EDT
  - 11:00 pm Apr 11 UTC+8
- Improve the security statistics on CLOMonitor https://clomonitor.io/projects/cncf/notary#notation_security (Feynman)
- Continuous Triage (if time allows)

### Notes:

- [HiPri] Governance items completion (ToddySM)
  - Steve Lasker stepping down https://github.com/notaryproject/.github/issues/66
    - Maintainers in the meeting came to a consensus on moving Steve Lasker to emeritus (also as comments in the issue), and **Toddy** will start creating PRs accordingly in all the repositories.
  - Justin Cormack moved to emeritus https://github.com/notaryproject/.github/issues/68
    - Maintainers in the meeting came to a consensus on moving Justin Cormack to emeritus (also as comments in the issue), and **Toddy** will start creating PRs accordingly in all the repositories.
  - Adding James Carnegie as org maintainer https://github.com/notaryproject/.github/issues/65
    - **Pritesh** and **Vani** to follow it up with **Niaz** [per the comment](https://github.com/notaryproject/.github/issues/65#issuecomment-1921760404). We will target to finalize it by this week.
  - Number of maintainers https://github.com/notaryproject/.github/issues/60
    - Maintainers in the meeting came to a consensus on the number of org maintainers, which is `6` in total. It is recommended to document it in the governance document.
  - Nominate Yi for Org Maintainer https://github.com/notaryproject/.github/issues/67
    - Maintainers in the meeting came to a consensus: as Steve Lasker and Justin Cormack are moved to emeritus, we reached the supermajority for the nomination per the comments. **Toddy** will start creating PRs accordingly in all the repositories.
  - Nominate Vani for Org Maintainer https://github.com/notaryproject/.github/issues/69
    - Maintainers in the meeting came to a consensus: as Steve Lasker and Justin Cormack are moved to emeritus, we reached the supermajority for the nomination per the comments. **Toddy** will start creating PRs accordingly in all the repositories.
  - Governance improvements plan https://github.com/notaryproject/.github/issues/51
    - We cleaned up stale branches for the `notation`, `notation-go` and `specifications` repos.
    - We will discuss the actions for the rest of the items listed in this issue, and continue to discuss them in next Monday's community meeting.
  - Approve PR for hashicorp vault plugin https://github.com/notaryproject/notation-hashicorp-vault/pull/19
    - **Shiwei** and **Patrick** to review this PR, so that **Toddy** can create new PRs afterwards.
- OCI 1.1 support: [Votes for the flag name](https://github.com/notaryproject/notation/pull/916#issuecomment-2026452022) (Yi)
  - After discussions, we have two alternatives. One is `--force-tag-schema`, the other is `--force-referrers-tag`. The default value for both flags is `true` for notation `1.x`. **Pritesh** will comment on the issue with his opinion; we will finalize it in [the PR comments](https://github.com/notaryproject/notation/pull/916#issuecomment-2026452022).

### Recording:

- https://www.youtube.com/watch?v=Yx4QO5io4j4

## Mar 28 2024

### Attendees:

- Vani Rao (Amazon)
- Toddy Mladenov (Microsoft)
- David Dooling (Docker)
- James Carnegie (Docker)

### Agenda Items:

- None

### Notes:

- Following up on the governance issue with Org maintainers to comment. (Vani Rao)
  - Nominate Vani Rao (@vaninrao10) as a Notary Project Org maintainer (Pritesh and Milind have given thumbs up - **Completed**) (https://github.com/notaryproject/.github/issues/69)
  - Nominate Yi Zha as a Notary Project Org maintainer (Pritesh and Milind have given thumbs up - **Completed**) (https://github.com/notaryproject/.github/issues/67)

## Mar 25 2024

### Attendees:

- Pritesh Bandi (Amazon)
- Shiwei Zhang (Microsoft)
- Sajay Antony (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Vani Rao (Amazon)
- Yi Zha (Microsoft)

### Agenda Items:

- Discuss [the comments for Time-stamping spec](https://github.com/notaryproject/specifications/pull/290#discussion_r1527698163) (Yi)
- Triage issues (Yi)
  - [New issues](https://github.com/notaryproject/notation/issues)
  - [Milestones](https://github.com/notaryproject/notation/milestone/18)

### Notes:

- Regarding [the comments for Time-stamping spec](https://github.com/notaryproject/specifications/pull/290#discussion_r1527698163), the meeting participants were aligned that the timestamp countersignature will not be checked if the signing scheme is `x509.signingAuthority`. **Pritesh** pinged **Milind** for any comments.
- Triaged new issues
  - https://github.com/notaryproject/notation/issues/910 ==> waiting for user's feedback
  - https://github.com/notaryproject/notation/issues/909 ==> won't fix, as it is a base requirement per [7.1.2.1 Root CA Certificate](https://cabforum.org/uploads/Baseline-Requirements-for-the-Issuance-and-Management-of-Code-Signing.v3.7.pdf), and if key usage is not marked as critical, a client can ignore the key usage field, which means the root CA certificate can be used for different purposes besides code signing. The use of the same key for two different cryptographic processes may weaken the security provided by one or both of the processes.
- Triaged 1.2.0 milestone - Issues related to "Trust policy and store management" will be moved to 1.3.0 milestone ### Recording: - https://www.youtube.com/watch?v=Jrk4bcv0EB4 ## Mar 18 2024 ### Attendees - Pritesh Bandi (Amazon) - Shiwei Zhang (Microsoft) - Sajay Antony (Microsoft) - Yi Zha (Microsoft) ### Agenda Items - Dicussion on Signing blob design - Dicuss [the comments for Time-stamping spec](https://github.com/notaryproject/specifications/pull/290#discussion_r1527698163) - Review issues for [1.2.0 milestones](https://github.com/notaryproject/notation/milestone/18) (Yi) - Some chores: (Yi) - cleaning up stale issues or PRs - https://github.com/notaryproject/notation/pull/841 - https://github.com/notaryproject/notation-core-go/pull/174 - https://github.com/notaryproject/notation-go/pull/365 - Archiving meeting notes for 2023 - https://github.com/notaryproject/meeting-notes/pull/22 ### Notes - **Pritesh**, **Partrick** and **Shiwei** aligned on [the design proposal](https://hackmd.io/_if9-W4mST-k4HAJ-XXuqw?view), option-3 is selected. - **Pritesh** will review the [Time-stamping spec](https://github.com/notaryproject/specifications/pull/290) again. - **Patrick** and **Shiwei** will discuss offline about the [Time-stamping PR comment](https://github.com/notaryproject/specifications/pull/290#discussion_r1527698163) - **Pritesh** will review the PR https://github.com/notaryproject/tspclient-go/pull/18 - We reviewed some issues in [1.2.0 milestone](https://github.com/notaryproject/notation/milestone/18). We will find other timeslot to continue the work or do it async. 
### Recording - https://www.youtube.com/watch?v=3lMtg4uV2rQ ## Mar 11 2024 ### Attendees - Pritesh Bandi (Amazon) - Toddy Mladenov (Microsoft) - Vani Rao (Amazon) - Yi Zha (Microsoft) - Feynman Zhou (Microsoft) - Shiwei Zhang (Microsoft) - Sajay Antony (Microsoft) ### Agenda Items - OCI 1.1 support [follow-up](https://github.com/notaryproject/notation/issues/892#issuecomment-1984130603) (Yi) - Notation [v1.2.0 plan](https://github.com/notaryproject/notation/issues/880) (Yi) - Triage [issues](https://github.com/notaryproject/notation) for `notation` repo (Cont.) (Yi) - Info: [Notary Project updates announcement for the upcoming KubeCon EU](https://hackmd.io/zGeA2ie6RJO05NEttgaU9w) (Feynman) - Adopter updates: Docker Hub now supports Notary Project signatures. [Bitnami](https://hub.docker.com/u/bitnami) is planning to sign all images with Notation and publish an announcement (Feynman) ### Notes - For OCI 1.1 support, [Shiwei's comment](https://github.com/notaryproject/notation/issues/892#issuecomment-1985090444) was answered. Maintainers in the meeting agreed on the plan as Pritesh [commented](https://github.com/notaryproject/notation/issues/892#issuecomment-1984130603). - For OCI 1.1 support, the Notary Project `specification` needs to be updated according to OCI image spec v1.1, which is tracked by [issue](https://github.com/notaryproject/specifications/issues/295) - Maintainers in the meeting agreed that OCI 1.1 support is added to the Notation v1.2.0 release scope. - We discussed the Notation v1.2.0 plan, see comments on [Plan for Notation 1.2.0 release ](https://github.com/notaryproject/notation/issues/880#issuecomment-1989774144) - **Vani** will review the blog post [Notary Project updates announcement for the upcoming KubeCon EU](https://hackmd.io/zGeA2ie6RJO05NEttgaU9w) before mid-March. - **Pritesh** will get back on the availability of the PoC for the "signing blob" feature, which can be demonstrated at KubeCon EU. 
- Maintainers in the meeting triaged the following issues: - https://github.com/notaryproject/notation/issues/904 - https://github.com/notaryproject/notation/issues/902 - https://github.com/notaryproject/notation/issues/897 ### Recording - https://www.youtube.com/watch?v=_ihI-9mu4aU ## Mar 7 2024 ### Attendees - Toddy Mladenov (Microsoft) - James Carnegie (Docker) - Brandon Mitchell (IBM) - Pritesh Bandi (Amazon) - Vani Rao (Amazon) - David Dooling (Docker) ### Agenda Items - Brandon Mitchell commented on the issue for supporting the OCI 1.1 GA spec regarding the `--allow-referrers-api` flag: https://github.com/notaryproject/notation/issues/892#issuecomment-1979336438 The concern is that this will create split-brain logic and will degrade the experience. ### Notes - Decision to keep the issue open and continue the discussion there ### Recording - https://www.youtube.com/watch?v=X5TA7uY5Rss ## Mar 4 2024 ### Attendees - Akash Singhal (Microsoft) - Pritesh Bandi (Amazon) - Toddy Mladenov (Microsoft) - Vani Rao (Amazon) - Yi Zha (Microsoft) - Feynman Zhou (Microsoft) - Shiwei Zhang (Microsoft) - Sajay Antony (Microsoft) ### Agenda Items - Support OCI 1.1 stable release (Yi) - Triage issues (Yi) - https://github.com/notaryproject/notation/pull/811 - Rakesh ### Notes - **Rakesh** requested **Shiwei** to review this [PR](https://github.com/notaryproject/notation/pull/811) again, and **Milind** needs to approve this PR as well since he requested changes. 
- We are aligned on the way forward on OCI 1.1 support, and **Yi** will update [the issue](https://github.com/notaryproject/notation/issues/892) and create work items accordingly - Triaged some issues in the `specification` repo, and marked issues for `specification` milestone `1.1.0` ### Recording https://www.youtube.com/watch?v=LKwgl6uvoHE ## Feb 29th 2024 ### Attendees: - Akash Singhal (Microsoft) - David Dooling (Docker) - James Carnegie (Docker) - Milind Gokarn (Amazon) - Pritesh Bandi (Amazon) - Toddy Mladenov (Microsoft) - Vani Rao (Amazon) ### Agenda Items: - Brainstorming discussion about TUF and in-toto attestations (ToddySM) ### Notes: - It was a brainstorming discussion. The topics covered were distributing TUF metadata and policies via OCI registries; distributing root certs with clients; registry scenarios; and, briefly, attestations. - Next steps: James is working on a document that he would like to share with the Notary Project and TUF communities ### Recording: [Meeting Recording](https://www.youtube.com/live/TgfDruSLIOo?si=yZdIbU_a2xinjVxH) ## Feb 26 2024 ### Attendees - Yi Zha - Feynman Zhou - Akash Singhal - Pritesh Bandi - Sajay Antony - Shiwei Zhang - Toddy Mladenov - Vani Rao - David Dooling - _add yourself_ ### Agenda Items - KubeCon EU 2024 (Mar 19 ~ Mar 22) demos (Yi) - [Implement doc version control](https://github.com/notaryproject/notaryproject.dev/pull/377) (Feynman) - Community governance follow-up - Nomination of new org-maintainers - Archive inactive repositories - Support OCI 1.1 stable release (Yi) ### Notes - Proposed demos for KubeCon EU 2024 - Timestamping support - Signing blob (PoC) - **Feynman** will drive the demo cases with Pritesh - Feynman demoed the proposed version control changes. 
- If the default points to the main branch, then a banner or note is required to show it is under development or similar - Maintainers to review this PR https://github.com/notaryproject/notaryproject.dev/pull/377 - Request maintainers to vote for new org maintainers - Create an issue to vote for archiving the `notary` repo per the process. ### Recording https://www.youtube.com/watch?v=Iewszbp2Hns ## Feb 19 2024 ### Attendees - Feynman Zhou (MSFT) - Pritesh Bandi (AWS) - Rakesh Gariganti (AWS) - Shiwei Zhang (MSFT) - Vani Rao (AWS) - Yi Zha (MSFT) ### Agenda Items - Discussion on specification PR https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825 (Yi) - Comments on the [issue](https://github.com/notaryproject/.github/issues/67) to support Yi Zha as Org maintainer - Request review on [PR](https://github.com/notaryproject/meeting-notes/pull/22) to archive meeting notes of 2023 (Yi) - OCI 1.1 is GA as of 02/15/2024; discuss and identify any new changes in Notary to support OCI 1.1 implicitly by default (Pritesh/Samir). ### Notes - We had a great discussion on PR https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825, and aligned on the solution and way forward; **Rakesh** to create an issue to track the update on the threat model - We will request a security audit for the upcoming Notation 1.2.0 release - **Yi** asked for comments on [issue](https://github.com/notaryproject/.github/issues/67) and [PR](https://github.com/notaryproject/meeting-notes/pull/22) - We did not have time to discuss OCI 1.1 GA. 
**Yi** created an issue https://github.com/notaryproject/notation/issues/892 for tracking the discussion on OCI 1.1 GA support ### Recording - https://www.youtube.com/watch?v=DmQWQioVw0c ## Feb 15 2024 ### Attendees: - Vani Rao (AWS) - Akash Singhal (MSFT) - David Dooling (Docker) ### Agenda Items: - Comment on the issue to support the nomination of Vani Rao as Org Maintainer - https://github.com/notaryproject/.github/issues/69 (Pritesh) - Need more comments for the nomination. - Pull Request Review/Approval - https://github.com/notaryproject/specifications/pull/283 (Pritesh) - Need one more approval - Pull Request Review/Approval - https://github.com/notaryproject/notation/pull/811 (Pritesh/Rakesh) - No conflicts - Rakesh has summarised the discussions; the specification has 3 approvals and will need one more approval. - Need more approvals based on the Feb 12th Monday meeting. Unblocked for approvals since the spec has 3 approvals. - Maintainers to vote on this specification https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825 (Rakesh) - Need one more approval. ### Notes: - Review the PRs specified in the Agenda Items, which are scheduled for the upcoming release. - Rakesh to summarise the discussions https://github.com/notaryproject/specifications/pull/283#discussion_r1487021680 to finalize the next steps. Maintainers please vote. 
### Recording: ## Feb 12 2024 ### Attendees: - Toddy Mladenov (MSFT) - Pritesh Bandi (AWS) - David Dooling (Docker) - Vani Rao (AWS) - Rakesh Gariganti (AWS) - Sajay Antony (MSFT) - Akash Singhal (MSFT) - Rishab Semlani (AWS) ### Agenda Items: - Comment on the issue to support the nomination of Vani Rao as Org Maintainer - https://github.com/notaryproject/.github/issues/69 (Pritesh) - Pull Request Review/Approval - https://github.com/notaryproject/specifications/pull/283 (Pritesh) - Pull Request Review/Approval - https://github.com/notaryproject/notation/pull/811 (Pritesh/Rakesh) - No conflicts - Maintainers to vote on this specification https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825 (Rakesh) ### Notes: - Review the PRs listed in the "Agenda Items" section scheduled for the upcoming release. - Rakesh to summarise the discussions https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825 to finalize the next steps. ### Recording: ## Feb 8 2024 ### Attendees: - Toddy Mladenov (MSFT) - Ethan Heilman (BastionZero) - Pritesh Bandi (AWS) - Samir Kakkar (AWS) - David Dooling (Docker) - _add yourself_ ### Agenda Items: - Ethan Heilman from BastionZero will present OpenPubKey to the community - Ask for reviewing the new release blog (Feynman): https://github.com/notaryproject/notaryproject.dev/pull/383 - Ask for reviewing the plugin conventions PR in specifications (Feynman): https://github.com/notaryproject/specifications/pull/292 ### Notes: - _meeting minutes_ ### Recording: [Meeting Recording](https://www.youtube.com/watch?v=zEWBSfEDJ04) ## Feb 5 2024 ### Attendees: - Pritesh Bandi (AWS) - Yi Zha (MSFT) - Toddy Mladenov (MSFT) - Feynman Zhou (MSFT) - Sajay Antony (MSFT) - Patrick Zheng (MSFT) - Rakesh Gariganti (AWS) - Sunil Ravipati - Rishab Semlani (AWS) - Vani Rao (AWS) ### Agenda Items: - Upcoming Spring Festival and resource limitations (Yi) - Propose deferring [Notation v1.2.0 
release](https://github.com/notaryproject/notation/issues/880) to `mid May` - Maintainers to drive the community meeting on Feb 12 - [BlobSigning: Using hashing algo of final signing algo to create descriptor](https://github.com/notaryproject/notation-go/pull/379#discussion_r1477696873) (Pritesh) - Align [plugin management conventions](https://github.com/notaryproject/specifications/pull/292) and the release version of the specification repo (Feynman) - Confirm the [versioning strategy](https://github.com/notaryproject/notaryproject.dev/issues/350#issuecomment-1910459505) of the Notary Project website and documentation (Feynman) - Org maintainer status follow-up (Yi) - Request comments on issue [Relax minimum subject DN field values for trustedIdentities](https://github.com/notaryproject/specifications/issues/293) (Yi) ### Notes: - Spring Festival will run from Feb 10 to Feb 17. Normally people take additional days before or after public holidays. - **Vani** will help to drive the community meeting on Feb 12. - Need to continue discussing the proposal [BlobSigning: Using hashing algo of final signing algo to create descriptor](https://github.com/notaryproject/notation-go/pull/379#discussion_r1477696873) - Requested review on the following PRs and issues from **Vani** and **Pritesh** - Request maintainers to review and comment on [plugin management conventions](https://github.com/notaryproject/specifications/pull/292) - [versioning strategy](https://github.com/notaryproject/notaryproject.dev/issues/350#issuecomment-1910459505) - [Relax minimum subject DN field values for trustedIdentities](https://github.com/notaryproject/specifications/issues/293) - Asked maintainers to comment on the "Emeritus" issues and the new nomination issue. 
- **Yi** to provide meeting participant info for **Vani** ### Recording: https://www.youtube.com/watch?v=m3a2cBk3kPw ## Feb 1 2024 ### Attendees: - Toddy Mladenov (MSFT) - Justin Cappos (NYU) - Niaz Khan (AWS) - David Dooling (Docker) - Pritesh Bandi (AWS) - Vani Rao (AWS) - _add yourself_ ### Agenda Items: - Overview of TUF and key management (Justin Cappos) ### Notes: - _meeting minutes_ ### Recording: https://www.youtube.com/watch?v=IevD00hDChg ## Jan 29 2024 ### Attendees - Yi Zha (MSFT) - Feynman Zhou (MSFT) - Junjie Gao (MSFT) - Patrick Zheng (MSFT) - Pritesh Bandi (AWS) - Rishab Semlani - Shiwei Zhang (MSFT) - Toddy Mladenov (MSFT) - Vani Rao (AWS) - David Dooling (Docker) - Sajay Antony (MSFT) - _add yourself_ ### Agenda Items - Org maintainer status follow-up (Yi) - Things after the v1.1.0 release (Feynman) - Notary Project spec release for [plugin management conventions](https://github.com/notaryproject/specifications/pull/292) - Upgrade [Homebrew](https://github.com/Homebrew/homebrew-core/pull/161124) (done) and [Winget](https://github.com/microsoft/winget-pkgs/pull/136924) (WIP) to v1.1.0 - Upgrade [Notation GitHub Actions](https://github.com/notaryproject/notation-action/pull/53) to v1.1.0 (WIP) - Blog post for the release announcement - Documentation for new features - Align the [versioning strategy](https://github.com/notaryproject/notaryproject.dev/issues/350#issuecomment-1910459505) of the Notary Project website and documentation (Feynman) - Release v1 of [notation-plugin-framework-go](https://github.com/notaryproject/notation-plugin-framework-go/issues/15) (Pritesh) - Review the plan for [Notary Project 1.2.0 release](https://github.com/notaryproject/notation/issues/880) (Yi) ### Notes - Pritesh and Feynman will raise issues to nominate new org maintainers - Maintainers to review the [versioning strategy](https://github.com/notaryproject/notaryproject.dev/issues/350#issuecomment-1910459505) of the Notary Project website and documentation by this Thursday - 
Maintainers to review [plugin management conventions](https://github.com/notaryproject/specifications/pull/292) in the specifications repo - Maintainers to review the plan for [Notary Project 1.2.0 release](https://github.com/notaryproject/notation/issues/880) - Blog post and feature documentation will be sent out for review this week ### Recording - https://www.youtube.com/watch?v=lP0mN0lyYCY ## Jan 25 2024 ### Attendees: - David Dooling (Docker) - Samir Kakkar (Amazon) - Toddy Mladenov (Microsoft) ### Agenda Items: - Org maintainers action items to follow up on ### Notes: - Samir will follow up on org maintainers action items with Vani, Pritesh and Niaz - We need two new nominations - We need opinions on [Please replace Org maintainer Justin Cormack with James Carnegie](https://github.com/notaryproject/.github/issues/65) - Toddy is working with Justin Cappos and James Carnegie to have overviews of TUF and OpenPubKey in the next two Thursday meetings - in-toto may be another one in the upcoming weeks ### Recording: [Meeting Recording](https://www.youtube.com/live/4v7xH5TSwus?si=x3rKU9ylg0RMuCGm) ## Jan 22 2024 ### Attendees: - Yi Zha (MSFT) - Feynman Zhou (MSFT) - Junjie Gao (MSFT) - Patrick Zheng (MSFT) - Pritesh Bandi (AWS) - Rishab Semlani (AWS) - Toddy Mladenov (MSFT) - Vani Rao (AWS) - David Dooling (Docker) - _add your name_ ### Agenda Items - Org maintainer status update (Yi) - Comments on issue [Please replace Org maintainer Justin Cormack with James Carnegie](https://github.com/notaryproject/.github/issues/65) - Feedback on nominating 2 new org maintainers from subproject maintainers - Notation v1.1.0 release - ready to kick off the release process (Yi) - [Notary Project Logo updates](https://github.com/notaryproject/.github/issues/43#issuecomment-1905027799) from CNCF (Feynman) - _add your topics_ ### Notes - Regarding the Org maintainer status update, **Vani** to follow up on the two issues and provide comments by `Jan 25, 2024`. 
- We are aligned to release `notation` `v1.1.0`, `notation-go` `v1.1.0` and `notation-core-go` `v1.0.2`. - Feynman shared the latest design of the Notary Project logo; request comments on [Notary Project Logo updates](https://github.com/notaryproject/.github/issues/43#issuecomment-1905027799) before end of `Jan 25, 2024`. - We may need to release the `specification` repo for the notation plugin management feature. - **Feynman** will create a PR for the update. - **Pritesh** will create an issue to track "move plugin-extensibility specification to `notation` repo" ### Recording https://www.youtube.com/live/0vNK-kZPVo8?si=yRKXoxfTalBVPa_p ## Jan 18 2024 ### Attendees: - James Carnegie (Docker) - Toddy Mladenov (MSFT) - David Dooling (Docker) - _add your name_ ### Agenda Items - Follow-up on Org maintainers (Yi) - Yi commented on issue [Please replace Org maintainer Justin Cormack with James Carnegie ](https://github.com/notaryproject/.github/issues/65), asking other maintainers to comment and align on the way forward. - This was discussed in several meetings. Based on the [issue](https://github.com/notaryproject/.github/issues/60), which agreed on a total of `6` Notary Project Org maintainers, I propose nominating two new Org maintainers from sub-project maintainers. Please note that Justin and Steve, who are current Org maintainers, are inactive as per the data in the [issue](https://github.com/notaryproject/.github/issues/54). - [Ad-hoc James] James is interested in in-toto integration. ### Notes - We could not make progress on the first two agenda items due to lack of quorum. We need more people from the community to weigh in on those proposals. - [James] If there is a TUF root delivering the keys we need to sign attestations, can `notation` sign those attestations? James will file an issue to kick off the discussion on that proposal. 
### Recording [Meeting recording](https://www.youtube.com/live/cF-q6qAPTm4?si=oGCBOmCqA6JNE6HF) ## Jan 16 2024 ### Attendees: - _add your name_ - Feynman Zhou (MSFT) - Junjie Gao (MSFT) - Patrick Zheng (MSFT) - Rishab Semlani (AWS) - Shiwei Zhang (MSFT) - Vani Rao (AWS) - Toddy Mladenov (MSFT) - Yi Zha (MSFT) - Sajay Antony (MSFT) - Pritesh Bandi (AWS) ### Agenda Items - _add your topics_ - Org Maintainers status update and next steps (Yi) - Repo name for the implementation of the Time-Stamp Protocol (TSP), see [issue](https://github.com/notaryproject/.github/issues/58). - [Notation v1.1.0 status](https://github.com/orgs/notaryproject/projects/10/views/7) check-in (Yi) - [Error message guidance and improvement iteration plan](https://github.com/notaryproject/notation/pull/834) (Feynman) - [Test result of installing notation plugin in v1.1.0 and suggestions for plugin vendors](https://github.com/notaryproject/notation/discussions/869) (Feynman) ### Notes - Issue https://github.com/notaryproject/.github/issues/65 - the ask is for **org maintainers** and **subproject maintainers** to express their opinion on whether they agree with this proposal and how to handle it. - **Vani** to follow up on more nominations in order to reach a total of 6 org maintainers. - We (meeting participants) discussed options for the new repo name and reached consensus on `tspclient-go` as the repo name and `tspclient` as the package name - There are still two PRs left for the notation v1.1.0 release; the MSFT team will cut the v1.1.0 release after all the PRs are merged and testing is completed by the community - Feynman shared the plan for error message improvements. Ask **Pritesh**, **Vani** and **Samir** to review the guidance PR; the implementation will be planned in a patch release. 
### Recording https://www.youtube.com/live/L35grZaaIic?si=loONv7kZDZrs5P75 ## Jan 11 2024 ### Attendees: - David Dooling (Docker) - James Carnegie (Docker) - Toddy Mladenov (Microsoft) - Vani Rao (Amazon) - Rishab Semlani (Amazon) ### Agenda Items - _add your topics_ - Vote for the repo name for the implementation of the Time-Stamp Protocol (TSP), see [issue](https://github.com/notaryproject/.github/issues/58). (Yi) - Do we need to move the meeting on 1/15/2024 (next Monday) to 1/16/2024 since Jan 15 is Martin Luther King Day in the US? (Yi) - Org Maintainers discussion (Toddy) - Ad-hoc discussion ### Notes - TS Protocol issue - **David** and **Toddy** will post their thoughts on the issue and the naming. Vani will work with Samir, Niaz and Milind and post their ideas about the name - We should move the Jan 15th meeting to Jan 16th due to the US holiday - **Yi** and **Feynman** to take care of it - Org Maintainers discussion - Issue https://github.com/notaryproject/.github/issues/65 - the ask is for org maintainers and subproject maintainers to express their opinion on whether they agree with this proposal and how to handle it - With the above proposal we will still have only 4 org maintainers. We need two more nominations - **Vani** to follow up - Ad-hoc discussion on the roadmap - **Toddy** brought up the discussions he had with the in-toto community participants. He will keep the community updated. He also shared a doc that he shared with John from TestifySec (in-toto community) - https://docs.google.com/document/d/1S3eWafFbQxlRlwpHWX2Xed6zEK93qnC4SfrZrwTz52c/edit?usp=sharing - **James** brought up DSSE vs COSE and asked whether we should have a discussion with other communities on unifying the envelope format - **Toddy** proposed to use the Thursday meetings for more strategic planning and the Monday meeting for tactical/detailed discussions. 
Possible topics for upcoming meetings: - in-toto integrations (**Toddy** to facilitate) - DSSE vs COSE (**Toddy** to facilitate) - OpenPubKey discussion (**James** to facilitate) ### Recording https://www.youtube.com/live/k5UsyELI7Xg?si=XtE6q-ylEaPXwPD5 ## Jan 8 2024 ### Attendees: - _add yourself_ - Yi Zha (MSFT) - Rakesh Gariganti (AWS) - Feynman Zhou (MSFT) - Junjie Gao (MSFT) - Patrick Zheng (MSFT) - Rishab Semlani (AWS) - Sajay Antony (MSFT) - Samir Kakkar (AWS) - Shiwei Zhang (MSFT) - Vani Rao (AWS) - Toddy Mladenov (MSFT) - David Dooling (Docker) ### Agenda Items: - Notary Project Org maintainer status update (Yi) - [Support plugin as library: bump-up major version of notation-go](https://github.com/notaryproject/notation-go/pull/368#discussion_r1436691392) (Rakesh/Shiwei) - Added by Pritesh, but I won't be able to attend the meeting. - New repo for timestamp implementation (Yi) https://github.com/notaryproject/.github/issues/58 - Project update video [slide](https://docs.google.com/presentation/d/1zF4bId7ok_zKcXY6RvAcppSjiaSc7k57uhBtBMmUs90/edit?usp=sharing) and [script](https://hackmd.io/_iqwsVLVSly4jla1Ls8j-w) for KubeCon EU 2024 (Feynman), and [project opportunities at KubeCon EU 2024](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/program/project-opportunities) ### Notes: - Org maintainer status update - The participants in the call agreed to follow the PR reviewing process for updating `MAINTAINERS` and `CODEOWNERS` for each repository. - David will create an issue to nominate James Carnegie as an Org maintainer from Docker (The issue was created: https://github.com/notaryproject/.github/issues/65) - Support plugin as library: bump-up major version of notation-go - Rakesh will discuss the comments from Shiwei with Pritesh - New repo for timestamp implementation - Asked for more comments in the issue. - Project update video - Give one week to review the script and slide deck, and we finalize them by next Monday's community meeting. 
### Recording https://www.youtube.com/live/-WL9EBxtlq0?si=8nuEB14xzJwKkJ6t ## Jan 4 2024 ### Attendees - David Dooling (Docker) - Niaz Khan (Amazon) - Toddy Mladenov (Microsoft) - Vani Rao (Amazon) ### Agenda Item - Org maintainers election (ToddySM) - https://github.com/notaryproject/.github/issues/60 - https://github.com/notaryproject/.github/issues/61 - https://github.com/notaryproject/.github/issues/62 - https://github.com/notaryproject/.github/issues/57 - https://github.com/notaryproject/.github/issues/56 - https://github.com/notaryproject/.github/issues/55 - Votes for the time stamp implementation repository (ToddySM) https://github.com/notaryproject/.github/issues/58 ### Notes - We decided to move forward with the currently approved nominations - We will need 3 more nominations for org maintainers - David will come back with a name from Docker that we can add to the - Niaz will add the governance updates to the Monday meeting agenda ### Recording https://www.youtube.com/live/mafMN6zK_fs?si=6X6P-9WZJlV6bAFG ## Jan 2 2024 ### Attendees - Feynman Zhou (MSFT) - Junjie (MSFT) - Patrick (MSFT) - Rakesh (AWS) - Sajay (MSFT) - Shiwei (MSFT) - Toddy (MSFT) - Vani Rao (AWS) - Yi Zha (MSFT) ### Agenda Item - Notary Project [1.1.0 plan](https://github.com/orgs/notaryproject/projects/10/views/7) (Yi) - Notary Project Org maintainers (Yi) - [Vote](https://github.com/notaryproject/.github/issues/58) for new repo: `timestamp` (Yi) ### Notes - Notation v1.1.0 release: The new target date is 1/16/2024; the feature to be delivered is plugin management, see P0&P1 issues in [1.1.0 plan](https://github.com/orgs/notaryproject/projects/10/views/7). - Notary Project Org maintainers - What is the total number of org maintainers we will have? - Yi to create an issue for discussion and decision; the proposal is to have 6 org maintainers. - What is the agreed upon diversity of maintainers? 
- Yi to create an issue for discussion and decision on diversity - For the results of the voting, can we have a split: votes from current org maintainers and votes from current sub-project maintainers? - Yi to create an issue for discussion and decision - Proposal: Reach the total number of maintainers before making any other changes in the governance. - Proposal: Set a deadline by which the election should be done. - The proposal is to finalize the org maintainers election by the Notary Project community meeting on 1/15/2024 - New repo for Time-stamping support - Asked governance maintainers to vote for the new repo and name this week. ### Recording - https://www.youtube.com/watch?v=CMIsVvI_KFY ## Archived meeting notes See https://github.com/notaryproject/meeting-notes for archived meeting notes