# Notary Project Meeting Notes

###### tags: `Notary Project`, `notary`

[TUF-notary meeting notes](https://hackmd.io/wii3-L8ZQZ-U3ET0XNY8Gg)

**NOTE: Time Change** - Starting May 9 2022, we will hold two meetings a week to account for folks in the US, Europe and Asia times. Meetings are now:

- Mondays 5-6pm pacific time, 8-9pm US Eastern, 8-9am Shanghai (US Summer time)
- Mondays 4-5pm pacific time (US Winter time)
- Thursdays 9-10am pacific time, 12pm US Eastern, 5pm UK

Links

- [On GitHub](https://github.com/notaryproject/)
- [CNCF Calendar](https://www.cncf.io/community/calendar/)
- [Zoom Dial-in link](https://zoom.us/my/cncfnotaryproject)
  - Passcode: 77777 (5x 7)
- [Notary Project Conversations on Slack](https://app.slack.com/client/T08PSQ7BQ/CQUH8U287/thread/CEX1W7WMD-1582660575.076600)
- [Find your local number](https://zoom.us/u/aLDk4OXTu)
- [Notary Project GitHub Projects](https://github.com/notaryproject/)
- [YouTube Recordings](https://youtube.com/playlist?list=PL1ykZdgmLkb7SlXax-hJVUgvNHmq4Cyz9)
- [Recordings prior to April 9, 2021](https://www.youtube.com/playlist?list=PLj6h78yzYM2O1BOGT3hLdJTJCKz0f-bYq)

### Dial by your location

877 369 0926 US Toll-free
855 880 1246 US Toll-free

Meeting ID: 611 593 2621

#### One tap mobile

+16465588656,,6115932621# US (New York)
+16699006833,,6115932621# US (San Jose)

**Note:** See Meeting Notes Template below

```
## Meeting Notes Template (template for copying)

## Meeting Date

### Attendees:
- _add yourself_

### Agenda Items:
- _add your topics_

### Notes:
- _meeting minutes_

### Recording:
_host_add_youtube_link_to_recording_

Agenda items must identify the (owner) of the item
```

## Meeting chair rotation

- Yi Zha
- Feynman Zhou
- Samir Kakkar
- Pritesh Bandi
- Toddy Mladenov
- David Tesar (emeritus)
- Justin Cormack (emeritus)
- Steve Lasker (emeritus)

## Mar 4 2024

### Attendees

- Akash Singhal (Microsoft)
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Vani Rao (Amazon)
- Yi Zha (Microsoft)
- Feynman Zhou (Microsoft)
- Shiwei Zhang (Microsoft)
- Sajay Antony (Microsoft)

### Agenda Items

- Support OCI 1.1 stable release (Yi)
- Triage issues (Yi)
- https://github.com/notaryproject/notation/pull/811 - Rakesh

### Notes

- **Rakesh** requested **Shiwei** to review this [PR](https://github.com/notaryproject/notation/pull/811) again, and **Milind** needs to approve this PR as well since he requested changes.
- We are aligned on the way forward on OCI 1.1 support, and **Yi** will update the issue and create work items accordingly
- Triaged some issues in `specification` repo, and marked issues for `1.1.0`

### Recording

https://www.youtube.com/watch?v=LKwgl6uvoHE

## Feb 29th 2024

### Attendees:

- Akash Singhal (Microsoft)
- David Dooling (Docker)
- James Carnegie (Docker)
- Milind Gokarn (Amazon)
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Vani Rao (Amazon)

### Agenda Items:

- Brainstorming discussion about TUF and in-toto attestations (ToddySM)

### Notes:

- It was a brainstorming discussion. The topics covered were distributing TUF metadata and policies via OCI registries, distributing root certs with clients, registry scenarios, and, briefly, attestations.
- Next steps: James is working on a document that he would like to share with the Notary Project and TUF communities

### Recording:

[Meeting Recording](https://www.youtube.com/live/TgfDruSLIOo?si=yZdIbU_a2xinjVxH)

## Feb 26 2024

### Attendees

- Yi Zha
- Feynman Zhou
- Akash Singhal
- Pritesh Bandi
- Sajay Antony
- Shiwei Zhang
- Toddy Mladenov
- Vani Rao
- David Dooling
- _add yourself_

### Agenda Items

- KubeCon EU 2024 (Mar 19 ~ Mar 22) demos (Yi)
- [Implement doc version control](https://github.com/notaryproject/notaryproject.dev/pull/377) (Feynman)
- Community governance follow-up
  - Nomination of new org-maintainers
  - Archive inactive repositories
- Support OCI 1.1 stable release (Yi)

### Notes

- Proposed demos for KubeCon EU 2024
  - Timestamping support
  - Signing blob (PoC)
  - **Feynman** will drive the demo cases with Pritesh
- Feynman demoed the proposed version control changes.
  - If the default points to the main branch, then a banner or note is required to show it is under development or similar
  - Maintainers to review this PR https://github.com/notaryproject/notaryproject.dev/pull/377
- Request maintainers to vote for new org maintainers
- Create an issue to vote for archiving `notary` repo per the process.

### Recording

https://www.youtube.com/watch?v=Iewszbp2Hns

## Feb 19 2024

### Attendees

- Feynman Zhou (MSFT)
- Pritesh Bandi (AWS)
- Rakesh Gariganti (AWS)
- Shiwei Zhang (MSFT)
- Vani Rao (AWS)
- Yi Zha (MSFT)

### Agenda Items

- Discussion on specification PR https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825 (Yi)
- Comments on the [issue](https://github.com/notaryproject/.github/issues/67) to support Yi Zha as Org maintainer
- Request review on [PR](https://github.com/notaryproject/meeting-notes/pull/22) to archive meeting notes of 2023 (Yi)
- OCI1.1 is GA as of 02/15/2024, discuss and identify any new changes in Notary to support OCI1.1 implicitly by default (Pritesh/Samir).
### Notes

- We had a great discussion on PR https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825, and aligned on the solution and way forward. **Rakesh** to create an issue to track the update on the threat model
- We will request a security audit for the upcoming Notation 1.2.0 release
- **Yi** asked for comments on [issue](https://github.com/notaryproject/.github/issues/67) and [PR](https://github.com/notaryproject/meeting-notes/pull/22)
- We did not have time to discuss OCI 1.1 GA. **Yi** created an issue https://github.com/notaryproject/notation/issues/892 for tracking the discussion on OCI 1.1 GA support

### Recording

- https://www.youtube.com/watch?v=DmQWQioVw0c

## Feb 15 2024

### Attendees:

- Vani Rao (AWS)
- Akash Singhal (MSFT)
- David Dooling (Docker)

### Agenda Items:

- Comment on the issue to support the nomination of Vani Rao as Org Maintainer - https://github.com/notaryproject/.github/issues/69 (Pritesh)
  - Need more comments for the nomination.
- Pull Request Review/Approval - https://github.com/notaryproject/specifications/pull/283 (Pritesh)
  - Need one more approval
- Pull Request Review/Approval - https://github.com/notaryproject/notation/pull/811 (Pritesh/Rakesh)
  - No conflicts
  - Rakesh has summarised the discussions and the specification has 3 approvals and will need one more approval.
  - Need more approvals based on the Feb 12th Monday meeting. Unblocked for approvals since spec has 3 approvals.
- Maintainers to vote on this specification https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825 (Rakesh)
  - Need one more approval.

### Notes:

- Review the specified PR in the Agenda Items which is scheduled for the upcoming release.
- Rakesh to summarise the discussions https://github.com/notaryproject/specifications/pull/283#discussion_r1487021680 to finalize the next steps. Maintainers please vote.
### Recording:

## Feb 12 2024

### Attendees:

- Toddy Mladenov (MSFT)
- Pritesh Bandi (AWS)
- David Dooling (Docker)
- Vani Rao (AWS)
- Rakesh Gariganti (AWS)
- Sajay Antony (MSFT)
- Akash Singhal (MSFT)
- Rishab Semlani (AWS)

### Agenda Items:

- Comment on the issue to support the nomination of Vani Rao as Org Maintainer - https://github.com/notaryproject/.github/issues/69 (Pritesh)
- Pull Request Review/Approval - https://github.com/notaryproject/specifications/pull/283 (Pritesh)
- Pull Request Review/Approval - https://github.com/notaryproject/notation/pull/811 (Pritesh/Rakesh)
  - No conflicts
- Maintainers to vote on this specification https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825 (Rakesh)

### Notes:

- Review the PRs listed in the "Agenda Items" section scheduled for the upcoming release.
- Rakesh to summarise the discussions https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825 to finalize the next steps.

### Recording:

## Feb 8 2024

### Attendees:

- Toddy Mladenov (MSFT)
- Ethan Heilman (BastionZero)
- Pritesh Bandi (AWS)
- Samir Kakkar (AWS)
- David Dooling (Docker)
- _add yourself_

### Agenda Items:

- Ethan Heilman from Bastion Zero will present OpenPubKey to the community
- Ask for reviewing the new release blog (Feynman): https://github.com/notaryproject/notaryproject.dev/pull/383
- Ask for reviewing plugin conventions PR in specifications (Feynman): https://github.com/notaryproject/specifications/pull/292

### Notes:

- _meeting minutes_

### Recording:

[Meeting Recording](https://www.youtube.com/watch?v=zEWBSfEDJ04)

## Feb 5 2024

### Attendees:

- Pritesh Bandi (AWS)
- Yi Zha (MSFT)
- Toddy Mladenov (MSFT)
- Feynman Zhou (MSFT)
- Sajay Antony (MSFT)
- Patrick Zheng (MSFT)
- Rakesh Gariganti (AWS)
- Sunil Ravipati
- Rishab Semlani (AWS)
- Vani Rao (AWS)

### Agenda Items:

- Upcoming Spring Festival and resource limitations (Yi)
  - Propose deferring [Notation v1.2.0 release](https://github.com/notaryproject/notation/issues/880) to `mid May`
  - Maintainers to drive the community meeting on Feb 12
- [BlobSigning: Using hashing algo of final signing algo to create descriptor](https://github.com/notaryproject/notation-go/pull/379#discussion_r1477696873) (Pritesh)
- Align [plugin management conventions](https://github.com/notaryproject/specifications/pull/292) and the release version of specification repo (Feynman)
- Confirm the [versioning strategy](https://github.com/notaryproject/notaryproject.dev/issues/350#issuecomment-1910459505) of Notary Project website and documentation (Feynman)
- Org maintainer status follow-up (Yi)
- Request comments on issue [Relax minimum subject DN field values for trustedIdentities](https://github.com/notaryproject/specifications/issues/293) (Yi)

### Notes:

- Spring Festival runs from Feb 10 to Feb 17. Normally people will take additional days before or after public holidays.
- **Vani** will help to drive the community meeting on Feb 12.
- Need to continue discussing the proposal of [BlobSigning: Using hashing algo of final signing algo to create descriptor](https://github.com/notaryproject/notation-go/pull/379#discussion_r1477696873)
- Request review on the following PRs and issues, **Vani** and **Pritesh**
  - Request maintainers to review and comment on [plugin management conventions](https://github.com/notaryproject/specifications/pull/292)
  - [versioning strategy](https://github.com/notaryproject/notaryproject.dev/issues/350#issuecomment-1910459505)
  - [Relax minimum subject DN field values for trustedIdentities](https://github.com/notaryproject/specifications/issues/293)
- Asked maintainers to comment on "Emeritus" issues and the new nomination issue.
- **Yi** to provide meeting participants info for **Vani**

### Recording:

https://www.youtube.com/watch?v=m3a2cBk3kPw

## Feb 1 2024

### Attendees:

- Toddy Mladenov (MSFT)
- Justin Cappos (NYU)
- Niaz Khan (AWS)
- David Dooling (Docker)
- Pritesh Bandi (AWS)
- Vani Rao (AWS)
- _add yourself_

### Agenda Items:

- Overview of TUF and key management (Justin Cappos)

### Notes:

- _meeting minutes_

### Recording:

https://www.youtube.com/watch?v=IevD00hDChg

## Jan 29 2024

### Attendees

- Yi Zha (MSFT)
- Feynman Zhou (MSFT)
- Junjie Gao (MSFT)
- Patrick Zheng (MSFT)
- Pritesh Bandi (AWS)
- Rishab Semlani
- Shiwei Zhang (MSFT)
- Toddy Mladenov (MSFT)
- Vani Rao (AWS)
- David Dooling (Docker)
- Sajay Antony (MSFT)
- _add yourself_

### Agenda Items

- Org maintainer status follow-up (Yi)
- Things after v1.1.0 release (Feynman)
  - Notary Project spec release for [plugin management conventions](https://github.com/notaryproject/specifications/pull/292)
  - Upgrade [Homebrew](https://github.com/Homebrew/homebrew-core/pull/161124) (done) and [Winget](https://github.com/microsoft/winget-pkgs/pull/136924) (WIP) to v1.1.0
  - Upgrade [Notation GitHub Actions](https://github.com/notaryproject/notation-action/pull/53) to v1.1.0 (WIP)
  - Blog post for the release announcement
  - Documentation for new feature
- Align the [versioning strategy](https://github.com/notaryproject/notaryproject.dev/issues/350#issuecomment-1910459505) of Notary Project website and documentation (Feynman)
- Release v1 of [notation-plugin-framework-go](https://github.com/notaryproject/notation-plugin-framework-go/issues/15) (Pritesh)
- Review the plan for [Notary Project 1.2.0 release](https://github.com/notaryproject/notation/issues/880) (Yi)

### Notes

- Pritesh and Feynman will raise issues to nominate new org maintainers
- Maintainers to review [versioning strategy](https://github.com/notaryproject/notaryproject.dev/issues/350#issuecomment-1910459505) of Notary Project website and documentation by this Thursday
- Maintainers to review [plugin management conventions](https://github.com/notaryproject/specifications/pull/292) in specifications repo
- Maintainers to review the plan for [Notary Project 1.2.0 release](https://github.com/notaryproject/notation/issues/880)
- Blog post and feature documentation will be sent out for review this week

### Recording

- https://www.youtube.com/watch?v=lP0mN0lyYCY

## Jan 25 2024

### Attendees:

- David Dooling (Docker)
- Samir Kakkar (Amazon)
- Toddy Mladenov (Microsoft)

### Agenda Items:

- Org maintainers action items to follow up on

### Notes:

- Samir will follow up on org maintainers action items with Vani, Pritesh and Niaz
  - We need two new nominations
  - We need opinion on [Please replace Org maintainer Justin Cormack with James Carnegie](https://github.com/notaryproject/.github/issues/65)
- Toddy is working with Justin Cappos and James Carnegie to have an overview of TUF and OpenPubKey in the next two Thursday meetings
  - in-toto may be another one in the upcoming weeks

### Recording:

[Meeting Recording](https://www.youtube.com/live/4v7xH5TSwus?si=x3rKU9ylg0RMuCGm)

## Jan 22 2024

### Attendees:

- Yi Zha (MSFT)
- Feynman Zhou (MSFT)
- Junjie Gao (MSFT)
- Patrick Zhang (MSFT)
- Pritesh Bandi (AWS)
- Rishab Semlani (AWS)
- Toddy Mladenov (MSFT)
- Vani Rao (AWS)
- David Dooling (Docker)
- _add your name_

### Agenda Items

- Org maintainer status update (Yi)
  - Comments on issue [Please replace Org maintainer Justin Cormack with James Carnegie](https://github.com/notaryproject/.github/issues/65)
  - Feedback on nominating 2 new org maintainers from subproject maintainers
- Notation v1.1.0 release - ready to kick off release process (Yi)
- [Notary Project Logo updates](https://github.com/notaryproject/.github/issues/43#issuecomment-1905027799) from CNCF (Feynman)
- _add your topics_

### Notes

- Regarding Org maintainer status update, **Vani** to follow up the two issues and provide comments by `Jan 25, 2024`.
- We are aligned to release `notation` `v1.1.0`, `notation-go` `v1.1.0` and `notation-core-go` `v1.0.2`.
- Feynman shared the latest design of the Notary Project logo, request comments on [Notary Project Logo updates](https://github.com/notaryproject/.github/issues/43#issuecomment-1905027799) before end of `Jan 25, 2024`.
- We may need to release `specification` repo for notation plugin management feature.
  - **Feynman** will create a PR for the update.
  - **Pritesh** will create an issue to track the issue of "move plugin-extensibility specification to `notation` repo"

### Recording

https://www.youtube.com/live/0vNK-kZPVo8?si=yRKXoxfTalBVPa_p

## Jan 18 2024

### Attendees:

- James Carnegie (docker)
- Toddy Mladenov (MSFT)
- David Dooling (Docker)
- _add your name_

### Agenda Items

- Follow-up on Org maintainers (Yi)
  - Yi commented on issue [Please replace Org maintainer Justin Cormack with James Carnegie](https://github.com/notaryproject/.github/issues/65), and is asking other maintainers to comment and align on the way forward.
  - This was discussed in several meetings. Based on the [issue](https://github.com/notaryproject/.github/issues/60), which agreed on a total of `6` Notary Project Org maintainers, I propose nominating two new Org maintainers from sub-project maintainers. Please note that Justin and Steve, who are current Org maintainers, are inactive as per the data in the [issue](https://github.com/notaryproject/.github/issues/54).
- [Ad-hoc James] James is interested in in-toto integration.

### Notes

- We could not make progress on the first two agenda items due to lack of quorum. We need more people from the community to weigh in on those proposals.
- [James] If there is a TUF root delivering the keys that we need for signing attestations, can `notation` sign those attestations? James will file an issue to kick off the discussion on that proposal.
### Recording

[Meeting recording](https://www.youtube.com/live/cF-q6qAPTm4?si=oGCBOmCqA6JNE6HF)

## Jan 16 2024

### Attendees:

- _add your name_
- Feynman Zhou (MSFT)
- Junjie Gao (MSFT)
- Patrick Zheng (MSFT)
- Rishab Semlani (AWS)
- Shiwei Zhang (MSFT)
- Vani Rao (AWS)
- Toddy Mladenov (MSFT)
- Yi Zha (MSFT)
- Sajay Antony (MSFT)
- Pritesh Bandi (AWS)

### Agenda Items

- _add your topics_
- Org Maintainers status update and next step (Yi)
- Repo name for implementation of the Time-Stamp Protocol (TSP), see [issue](https://github.com/notaryproject/.github/issues/58).
- [Notation v1.1.0 status](https://github.com/orgs/notaryproject/projects/10/views/7) check-in (Yi)
- [Error message guidance and improvement iteration plan](https://github.com/notaryproject/notation/pull/834) (Feynman)
- [Test result of installing notation plugin in v1.1.0 and suggestions for plugin vendors](https://github.com/notaryproject/notation/discussions/869) (Feynman)

### Notes

- Issue https://github.com/notaryproject/.github/issues/65 - the ask is for **org maintainers** and **subproject maintainers** to express an opinion on whether they agree with this proposal and how to handle it.
- **Vani** to follow up on more nominations in order to achieve a total of 6 org maintainers.
- We (Meeting participants) discussed options for the new repo name and reached consensus on `tspclient-go` for the new repo name and `tspclient` as the package name
- There are still two PRs left for the notation v1.1.0 release. MSFT team will cut the v1.1.0 release after all the PRs are merged and testing is completed by the community
- Feynman shared the plan for error message improvements. Ask **Pritesh**, **Vani** and **Samir** to review the guidance PR; the implementation will be planned in a patch release.
### Recording

https://www.youtube.com/live/L35grZaaIic?si=loONv7kZDZrs5P75

## Jan 11 2024

### Attendees:

- David Dooling (Docker)
- James Carnegie (Docker)
- Toddy Mladenov (Microsoft)
- Vani Rao (Amazon)
- Rishab Semlani (Amazon)

### Agenda Items

- _add your topics_
- Vote for repo name for implementation of the Time-Stamp Protocol (TSP), see [issue](https://github.com/notaryproject/.github/issues/58). (Yi)
- Do we need to move the meeting on 1/15/2024 (next Monday) to 1/16/2024 since Jan 15 is Martin Luther King Day in US? (Yi)
- Org Maintainers discussion (Toddy)
- Ad-hoc discussion

### Notes

- TS Protocol issue
  - **David** and **Toddy** will post their thoughts on the issue and the naming. Vani will work with Samir, Niaz, Milind and post their ideas about the name
- We should move the Jan 15th meeting to Jan 16th due to the US holiday
  - **Yi** and **Feynman** to take care
- Org Maintainers discussion
  - Issue https://github.com/notaryproject/.github/issues/65 - the ask is for org maintainers and subproject maintainers to express an opinion on whether they agree with this proposal and how to handle it
  - With the above proposal we will still have only 4 org maintainers. We need two more nominations - **Vani** to follow up
- Ad-hoc discussion on the roadmap
  - **Toddy** brought the discussions he had with the in-toto community participants. He will keep the community updated. He also shared a doc that he shared with John from TestifySec (in-toto community) - https://docs.google.com/document/d/1S3eWafFbQxlRlwpHWX2Xed6zEK93qnC4SfrZrwTz52c/edit?usp=sharing
  - **James** brought up DSSE vs COSE and asked whether we should have a discussion with other communities on unifying the envelope format
  - **Toddy** proposed to use the Thursday meetings for more strategic planning and have the Monday meeting for tactical/detailed discussions. Possible topics for upcoming meetings:
    - in-toto integrations (**Toddy** to facilitate)
    - DSSE vs COSE (**Toddy** to facilitate)
    - OpenPubKey discussion (**James** to facilitate)

### Recording

https://www.youtube.com/live/k5UsyELI7Xg?si=XtE6q-ylEaPXwPD5

## Jan 8 2024

### Attendees:

- _add yourself_
- Yi Zha (MSFT)
- Rakesh Gariganti (AWS)
- Feynman Zhou (MSFT)
- Junjie Gao (MSFT)
- Patrick Zheng (MSFT)
- Rishab Semlani (AWS)
- Sajay Antony (MSFT)
- Samir Kakkar (AWS)
- Shiwei Zhang (MSFT)
- Vani Rao (AWS)
- Toddy Mladenov (MSFT)
- David Dooling (Docker)

### Agenda Items:

- Notary Project Org maintainer status update (Yi)
- [Support plugin as library: bump-up major version of notation-go](https://github.com/notaryproject/notation-go/pull/368#discussion_r1436691392) (Rakesh/Shiwei)
  - Added by Pritesh but I won't be able to attend the meeting.
- New repo for timestamp implementation (Yi) https://github.com/notaryproject/.github/issues/58
- Project update video [slide](https://docs.google.com/presentation/d/1zF4bId7ok_zKcXY6RvAcppSjiaSc7k57uhBtBMmUs90/edit?usp=sharing) and [script](https://hackmd.io/_iqwsVLVSly4jla1Ls8j-w) for KubeCon EU 2024 (Feynman), and [project opportunities at KubeCon EU 2024](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/program/project-opportunities)

### Notes:

- Org maintainer status update
  - The participants in the call agreed to follow the PR reviewing process for updating `MAINTAINERS` and `CODEOWNERS` for each repository.
  - David will create an issue to nominate James Carnegie as an Org maintainer from Docker (the issue was created: https://github.com/notaryproject/.github/issues/65)
- Support plugin as library: bump-up major version of notation-go
  - Rakesh will discuss the comments from Shiwei with Pritesh
- New repo for timestamp implementation
  - Asked for more comments in the issue.
- Project update video
  - Give one week to review the script and slide deck, and we finalize them by next Monday's community meeting.
### Recording

https://www.youtube.com/live/-WL9EBxtlq0?si=8nuEB14xzJwKkJ6t

## Jan 4 2024

### Attendees

- David Dooling (Docker)
- Niaz Khan (Amazon)
- Toddy Mladenov (Microsoft)
- Vani Rao (Amazon)

### Agenda Item

- Org maintainers election (ToddySM)
  - https://github.com/notaryproject/.github/issues/60
  - https://github.com/notaryproject/.github/issues/61
  - https://github.com/notaryproject/.github/issues/62
  - https://github.com/notaryproject/.github/issues/57
  - https://github.com/notaryproject/.github/issues/56
  - https://github.com/notaryproject/.github/issues/55
- Votes for the time stamp implementation repository (ToddySM) https://github.com/notaryproject/.github/issues/58

### Notes

- We decided to move forward with the currently approved nominations
- We will need 3 more nominations for org maintainers
- David will come back with a name from Docker that we can add to the
- Niaz will add the governance updates to the Monday's meeting agenda

### Recording

https://www.youtube.com/live/mafMN6zK_fs?si=6X6P-9WZJlV6bAFG

## Jan 2 2024

### Attendees

- Feynman Zhou (MSFT)
- Junjie (MSFT)
- Patrick (MSFT)
- Rakesh (AWS)
- Sajay (MSFT)
- Shiwei (MSFT)
- Toddy (MSFT)
- Vani Rao (AWS)
- Yi Zha (MSFT)

### Agenda Item

- Notary Project [1.1.0 plan](https://github.com/orgs/notaryproject/projects/10/views/7) (Yi)
- Notary Project Org maintainers (Yi)
- [Vote](https://github.com/notaryproject/.github/issues/58) for new repo: `timestamp` (Yi)

### Notes

- Notation v1.1.0 release: The new target date is 1/16/2024, the feature to be delivered is plugin management, see P0&P1 issues in [1.1.0 plan](https://github.com/orgs/notaryproject/projects/10/views/7).
- Notary Project Org maintainers
  - What is the total number of org maintainers we will have?
    - Yi to create an issue for discussion and decision, the proposal is to have 6 org maintainers.
  - What is the agreed upon diversity of maintainers?
    - Yi to create an issue for discussion and decision on diversity
  - For the results of the voting, can we have a split: votes from current org maintainers and votes from current sub-project maintainers?
    - Yi to create an issue for discussion and decision
  - Proposal: Reach the total number of maintainers before making any other changes in the governance.
  - Proposal: Set a deadline by when the election should be done.
    - The proposal is to finalize org maintainers election by Notary Project community meeting on 1/15/2023
- New repo for Time-stamping support
  - Asked governance maintainers to vote for the new repo and name this week.

### Recording

- https://www.youtube.com/watch?v=CMIsVvI_KFY

## Dec 26 2023

Cancelled due to lack of topics and participants

## Dec 18 2023

### Attendees:

- Yi Zha (Microsoft)
- Junjie Gao (Microsoft)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Rakesh Gariganti (AWS)
- Vani Rao (AWS)
- Rishab Semlani (AWS)
- Milind Gokarn (AWS)

### Agenda Items:

- Revising trust policies for blob signatures (Rakesh)

### Meeting Notes:

- The [proposal](https://hackmd.io/@-KPyDkW6QfGA-pldFa13pA/ByuHffALa) of revising trust policies was reviewed. In general, we are aligned to separate the trust policy file for blob and OCI image. We will have further discussion next week.

### Recording

- https://www.youtube.com/watch?v=9vHJccK2CJ4

## Dec 14 2023

### Attendees:

- ToddySM (Microsoft)

### Agenda Items:

- Meeting got cancelled due to lack of agenda and attendance

### Meeting Notes:

### Recording:

## Dec 11 2023

### Attendees:

- Yi Zha (Microsoft)
- David Dooling (Docker)
- Feynman Zhou (Microsoft)
- Toddy Mladenov (Microsoft)
- Junjie Gao (Microsoft)
- Patrick Zheng (Microsoft)
- Shiwei Zhang (Microsoft)

### Agenda Items:

- Notary Project org maintainers - open questions and proposals (ToddySM)
  - What is the total number of org maintainers we will have?
  - What is the agreed upon diversity of maintainers?
  - For the results of the voting, can we have a split: votes from current org maintainers and votes from current sub-project maintainers?
  - Proposal: Reach the total number of maintainers before making any other changes in the governance.
  - Proposal: Set a deadline by when the election should be done.
- Optional topic: [Notary Project issues and PRs status](https://hackmd.io/LkKAC-5hROeEwMOPNc_D3w) (Yi)

### Meeting Notes

- Due to lack of maintainers from different organizations, we did not discuss the topics in the agenda. These topics will be planned for discussion in Jan, 2024.
- We discussed Notation v1.1.0 release. Currently no features are ready. @yizha1 will follow it up to see whether we can have v1.1.0 release before end of 2023.

### Recording

https://www.youtube.com/watch?v=CJP9Zba3LxM

## Dec 7 2023

### Attendees:

- John Kjell
- Toddy Mladenov

### Agenda Items:

- Ad-hoc discussion

### Meeting Notes

- John was interested in the details of the signatures and the envelopes

### Recording

https://www.youtube.com/live/FtsYksy4J-Q?si=_NEDkoK3_iOqwipb

## Dec 4 2023

### Attendees

- David Dooling (Docker)
- Feynman Zhou (Microsoft)
- Ivan Wallis (Venafi)
- Junjie Gao (Microsoft)
- Milind Gokarn (AWS)
- Niaz Khan (AWS)
- Patrick Zheng (Microsoft)
- Pritesh (AWS)
- Rakesh Gariganti (AWS)
- Sajay Antony (Microsoft)
- Samir Kakkar (AWS)
- Shiwei Zhang (Microsoft)
- ToddySM (Microsoft)
- Yi Zha (Microsoft)

### Agenda

- Notary Project review
  - Project health check
    - Adoption status, see [link](https://notaryproject.dev/docs/adopters/)
    - Maintainer and PR/issue status, see [link](https://hackmd.io/@yizha1/notaryproject-review)
  - Roadmap (This will be discussed at the community meeting next Monday, 12/11/2023)

### Notes

- We shared the current adopters of Notary Project; one improvement that could be made is to add contact information to give more credit. @Feynman will help to create a PR
- The community has agreed to add new org maintainers. According to the [governance guide](https://github.com/notaryproject/.github/blob/main/GOVERNANCE.md), subproject maintainers are eligible for org maintainership. @yizha1 will create an issue and list data for all subproject maintainers to kick off the nomination process. Subproject maintainers can nominate themselves or be nominated by other maintainers. As per the governance document and alignment in the meeting, 2 out of 3 approvals from current org maintainers are required for new org maintainers. We will review the subproject maintainers' status and nominations at the next Monday meeting.
- In the meeting, we also discussed some required updates to the current governance document and other criteria to measure maintainer activities. @niazfk will create an issue to address updates to the governance document.

### Recording

- https://www.youtube.com/watch?v=a8DGHuu1Te8

## Nov 30 2023

### Attendees

- David Dooling
- ToddySM

### Agenda

- Ad-hoc

### Notes

- David and Toddy discussed Docker's plan to re-engage with the project.
- David and Toddy discussed the PR for adding Jonny as a maintainer to the `notary` sub-project and the challenges to merge that.
- Toddy encouraged David to attend Monday's meeting where the discussion of the Org Maintainers and the Governance will happen.
### Recording https://www.youtube.com/live/pFODfdgJI1o?si=sOfXY2cmxRNKdJ6p ## Nov 26 2023 ### Attendees: - Yi Zha - Feynman - Samir - Pritesh - Toddy - Patrick - Junjie ### Agenda Items: - Notary Project review meeting 12/4/2023 (Yi) - Participants - Proposal of Agenda - Project health check - Adoptions - Metrics for Project/Repos/issues/PRs - Maintainer status review - Roadmap and long term investiments - Clean up issues and PRs (Yi) - https://github.com/orgs/notaryproject/projects/10/views/7 - Info: cooperation with Tanzu Application Catalog on Notation integration (Feynman) ### Notes - Yi will send out a message in slack channel to invite maintainers to join the Notary Project review meeting - Yi will create GitHub actions for `notation`, `notation-go` and `notation-core-go` repo to clean up stale issues and PRs automatcially. - Feynman will document the scenarios of Tanzu integration with Notation, then we can review and plan features if needed ### Recording https://www.youtube.com/watch?v=3xA4aflCGD8 ## Nov 20 2023 ### Attendees: - Yi Zha - Pritesh - Feynman - Shiwei - Junjie - Patrick ### Agenda Items: - Should we continue Thursday's meeting there has been low attendence lately. (Pritesh) - Noatoin v1.1.0 new date (Yi) - Sign arbitrary data - Plugin management - Error message improvements - Sign local container images (document containerd experience) - Improvements on trust store and trust policy management (move to v1.2.0) - Plan for Notary Project retro and outlook meeting (Yi) - Date: 12/4/2024 community meeting - Topics: - Project health check: adoption, maintainer status, governance etc. 
- Upcoming releases and long term investiment ### Notes: - [5 PRs](https://github.com/notaryproject/notaryproject.dev/pulls?q=is%3Apr+is%3Aopen+label%3Areview) on the website repo need review - Pritesh will create a Poll in discussion of repo `.github` https://github.com/notaryproject/.github/discussions/new?category=polls to discuss whether we should cancel Thursday's meeting or not. - New date for Notation v1.1.0 is 12/20/2023, and we will review the status on 12/11/2023 ### Recording https://www.youtube.com/watch?v=NQObc-C6keA ## Nov 16 2023 ### Attendees: - John Kjell - Toddy Mladenov ### Agenda Items: - Ad-hoc discussion how Notary Project and in-toto collaborate on attestations and signing ### Recording https://www.youtube.com/live/ELHUnkA5k3M?si=0334GTxXDK4mzmxZ ## Nov 13 2023 ### Attendees: - Yi Zha - Feynman Zhou - Shiwei Zhang - Patrick Zheng - Sajay Antony - Pritesh - Rakesh Gariganti - Junjie Gao - Samir Kakkar - _add yourself_ ### Agenda Items: - Status of major feature in Notation v1.1.0 (Yi) - Sign arbitrary data - [Notation PR #811](https://github.com/notaryproject/notation/pull/811) - [Specification](https://github.com/notaryproject/specifications/pull/283) - Notation plugin management [PR #809](https://github.com/notaryproject/notation/pull/809) - Prioritize [Error message improvements](https://github.com/notaryproject/notation/issues/824) over "Simplify trust store and trust policy setup" - Discuss how to effectively gather adopter information from the community based on CNCF TOC's [suggestion](https://github.com/cncf/toc/pull/1187). 
  [Adding an adopter list](https://github.com/notaryproject/notaryproject.dev/pull/124) might be one of the appropriate options (Feynman)
- Preparation for Notary Project retrospective meeting (Yi)
  - Time: Proposal is community meeting on Dec 4 or Dec 11
  - Topics:
    - Project adoption, health, and maintainer status
      - One input [Annual review summary and recommendations](https://github.com/cncf/toc/pull/1187)
    - Project charter and long term investments

### Notes:

- Regarding "Sign arbitrary data"
  - We aligned on the flag name `--force` for overwriting existing signatures.
  - The implementation is ready to go, @rakeshgariganti will come back with an ETA
  - Yi will create an issue to track the CLI guideline
- Regarding "plugin management"
  - We aligned on the `plugin install/uninstall` commands. `upgrade` requires spec changes and raises some security concerns, so it can be done in the 2nd iteration.
  - There are comments from Pritesh on install from url/file. @Feynman will drive further discussions to finalize the spec asap.
- We didn't have time to discuss the other two topics

### Recording

https://www.youtube.com/live/nkRu1RGRfBI?si=LFclYA4f4P98KiMO

## Nov 6 2023

### Attendees

- Shiwei Zhang
- Feynman Zhou
- Patrick Zheng
- Yi Zha
- _add_yourself_

### Agenda

- [Vote for Notation v1.0.1 release](https://github.com/notaryproject/notation/pull/820) (Yi)
- Notation v1.1.0 Feature status
  - Sign arbitrary data
  - plugin management
- Retrospective meeting (Yi)
  - Project Adoption and health
  - Project charter and long term investments
  - [Annual review summary and recommendations](https://github.com/cncf/toc/pull/1187)
  - Governance related:
    - Governance PRs have been open for a long time:
      - [Contributing guide](https://github.com/notaryproject/.github/pull/25)
      - [Repo lifecycle](https://github.com/notaryproject/.github/pull/37)
      - [Notation-go readme](https://github.com/notaryproject/notation-go/pull/343)
      - [Notation-core-go readme](https://github.com/notaryproject/notation-core-go/pull/158)

### Notes

- Notation v1.0.1 release
  - update website banner and latest version in the installation guide
  - Update package managers, like Winget, brew
  - create a new PR to update release_management document for patch release workflow
- sign arbitrary data
  - Notation controls the signature file name, for example, the name of the blob file
  - provide an option for users to specify the signature directory
  - if users sign the blob for the 2nd time, overwrite the existing signature by asking whether the user is ok with it.
  - consider `cp` behavior for output file path resolution.
    - Should notation create a fully nested path or not?
      - If it's a directory, should we output `{dir}/{pattern}.{ext}`?
      - If not, should we output the file to the output path and consider it a fully qualified filename?
    - `cp` does not create nested paths, so to keep this consistent with other tools and avoid surprises, notation could follow the same pattern of not creating nested paths.
  - Why do we need to use the extension?
    - There are options like BOM, PE but this creates a perf issue
    - other tools might not interpret these signature files natively since those tools also need the same way to interpret this header https://github.com/microsoft/CoseSignTool
  - Notation plugin needs review from @samir/Pritesh.
- Plugin management
  - We will not support plugin installers, which could be .exe, .msi binaries.
  - We can support installing a plugin binary itself
  - The checksum to verify is sha256
- Preparation for Notary Project retrospective meeting
  - Time:
    - December (Samir)
  - Topics:
    - Pritesh/Samir to suggest topics for this meeting
  - Pritesh/Samir to review the governance related PRs

### Recording

https://www.youtube.com/watch?v=lcJ56sCTzqA

## Oct 30 2023

### Attendees

- Yi Zha
- Feynman
- Pritesh
- Junjie
- Patrick
- Rakesh
- Pritesh
- Sajay
- Toddy

### Agenda Items

- Notation v1.0.1 patch release (Yi)
  - `notation-core-go` v1.0.1 was released based on the vote.
  - Actions:
    - [Vote for `notation-go`](https://github.com/notaryproject/notation-go/issues/360)
    - Review and merge [Notation CLI error message PR](https://github.com/notaryproject/notation/pull/810)
    - Create a new PR to update dependencies for Notation CLI
    - vote for Notation CLI release
- Blob Signing [PR comments](https://github.com/notaryproject/notation/pull/811#discussion_r1375853652) - Rakesh Gariganti
- Plan for retrospective meeting
  - Project Adoption and health
  - Project charter and long term investments
  - [Annual review summary and recommendations](https://github.com/cncf/toc/pull/1187)
  - Governance basic: retro, contributing guide and so on
- Feature updates (Feynman)
  - Sign images before pushing to remote registries
  - Improvements on Plugin management
- Use dependabot to clean up stale PRs or issues on Notary Project Website.

### Notes

- @pritesh will review the notation PR and suggested creating the PR for updating deps in parallel
- @pritesh said maybe we can have a dedicated meeting for retro
- @pritesh / @rakeshgariganti will bring the retrospective meeting plan to @Samir
- Blob signing, the decision is to use the file extension for different signature formats
- @rakeshgariganti will update/add the signature specification
- For signing local images, it is aligned that we document the new experience for using the experimental feature with containerd, no code changes for Notation 1.1.0
- Request further review on open questions for Notation plugin management

### Recording

https://www.youtube.com/watch?v=UEpNeJM--dk

## Oct 26 2023

### Attendees

- Sajay
- Samir
- Toddy

### Agenda Items

- Notation v1.0.1 patch release started. Maintainers, please click [this link](https://github.com/notaryproject/notation-core-go/issues/168) to vote for the `notation-core-go` v1.0.1 patch release first; the vote for `notation-go`, then `notation`, will start later (Yi)
- Do we have any further questions on the [Notation plugin management (proposal)](https://hackmd.io/1nQa69DeROyqrO_IB5yGZQ?view)? Feynman will send a PR to update plugin spec this Friday.
- Question: will it be good to create a `Feature Design/Prototype Proposal` folder under the Specification repo and archive all proposals in a central place? Now they are under different maintainers' personal hackmd (Feynman)
- Info: Notary Project CNCF annual review 2023 has been merged by CNCF TOC. CNCF also provided valuable recommendations to us: https://github.com/cncf/toc/pull/1187. We need to discuss our actions based on their recommendations. (Feynman)

### Notes

- Samir will work with Pritesh and Rakesh to get two more approvals for the patch release.
- For the [Notation plugin management (proposal)](https://hackmd.io/1nQa69DeROyqrO_IB5yGZQ?view)
  - Samir will look at the MD and add comments
  - Sajay brought up the containerized scenario and the lack of diagnostics in the spec to troubleshoot issues in unattended runs (like in containers that are spawned automatically)
  - We can move to a PR to make sure that we can comment
- Samir, Sajay, Toddy don't have a good suggestion how to handle those.
  - Docs proposal folder may be a solution for that. For example for the CLI folder, we may have a docs folder and have all those specs there. @Feynman and @toddysm to come up with proposal by mid Nov 2023.
- Samir brought up the question about how to enable end users to attest for their usage/how end user adoption is measured. For the next annual review, we should have a better way to report on end-user adoption (not only vendors).
  - Uber question: How does the CNCF evaluate that end users are using the project? @Feynman to follow up with the TOC for suggestions.
- Overall discussion about project health
  - Regular retrospectives were brought up by @toddysm
  - Bringing up the use cases up front would be helpful - Samir

### Recording

https://www.youtube.com/watch?v=pLjb6aJ0qoo

## Oct 23 2023

### Attendees:

- Yi Zha
- Feynman
- Toddy
- Sajay
- Rakesh
- Pritesh
- Shiwei
- Junjie
- Patrick
- Pablo

### Agenda Items:

- Request maintainers to review [Notation plugin management (proposal/spec)](https://hackmd.io/1nQa69DeROyqrO_IB5yGZQ?view) (Feynman)
- Question: will it be good to create a `Feature Design/Prototype Proposal` folder under the Spec repo and archive all proposals in a central place?
  Now they are placed in maintainers' personal hackmd (Feynman)
- Review the [Notation 1.0.1 patch release plan](https://github.com/notaryproject/notation/issues/804) (Yi)
- Status update on the [Notary Project Annual review](https://github.com/cncf/toc/pull/1187#pullrequestreview-1690530333) and next step (Yi)
- Sign Arbitrary Data, new flag vs command (Rakesh)
  - Disambiguate trust policy for oci vs arbitrary data.

### Notes

- Regarding reviewing the spec of notation plugin management, we only covered reviewing the background and major scenarios. Request maintainers to continue reviewing the specification offline. Questions from Toddy: how to upgrade Notation with existing plugins, how to use plugins from a different folder, how to brew install plugins
- Yi presented the Notation 1.0.1 patch release plan, and requested maintainers to review the scope and provide more comments by tomorrow.
- Rakesh presented the two proposals:
  - Use separate commands like sign-blob, verify-blob for signing arbitrary data
    - Rakesh will investigate more and get back on whether other notation commands also need a similar blob command, for example, inspect-blob.
    - Shiwei has a proposal of using a new command blob with different sub-commands, like notation blob sign,verify
  - Use a pattern in scope to differentiate oci registry and blob
    - Shiwei mentioned we should step up the version of trust policy
    - Notation should be backward compatible to consume both old and new versions of trust policies

### Recording

https://www.youtube.com/watch?v=pmUAnv1zQ3Q&t=7s

## Oct 19 2023

Cancelled

## Oct 16 2023

### Attendees

- Yi Zha
- Feynman
- Sajay
- Shiwei
- Patrick
- Junjie
- Pablo
- Toddy
- Pritesh

### Agenda

- Review spec for feature [sign images before pushing them to registries](https://hackmd.io/065j6_1HSM6K-lrTJeQyDg?view) (Feynman)
- Make contributions to promote Notary Project term and new experience, for example [Notation venafi-csp plugin](https://github.com/Venafi/notation-venafi-csp) (Yi)
  - [Use notation policy import command to import trust policies](https://github.com/Venafi/notation-venafi-csp/issues/10)
  - [Remove Notary v2 term used in the doc and code](https://github.com/Venafi/notation-venafi-csp/issues/9)
- Versioning of the documentation - proposal by Zach (ToddySM)
- Status check-in on the [v1.1.0 release](https://github.com/orgs/notaryproject/projects/10/views/7), if we have time (Yi)

### Notes

- Actions on spec for feature [sign images before pushing them to registries](https://hackmd.io/065j6_1HSM6K-lrTJeQyDg?view)
  - Feynman to update feasible solution based on the discussion during the meeting
  - The feasible solution has adoption issues since it requires customers to make other changes on the build system besides using Notation; this needs further discussion.
- @Feynman to provide Zach the necessary permissions so that Zach can try out the versioned documentation proposal.

### Recording

https://www.youtube.com/watch?v=a4suSC3KmYM

## Oct 12 2023

- Roseline Bassey
- Sajay Antony
- ToddySM
- Zach

### Agenda

- @Zach has a PR for a blog post that he wrote and linked the Tanzu
  - Blog PR https://github.com/notaryproject/notaryproject.dev/pull/356 Asking for approval on this one so we can publish
- Discussion for adding information to the docs https://github.com/notaryproject/notaryproject.dev/issues/342 No PR available yet. Zach will start working on a PR. We should break it down into smaller PRs.
- @Zach raising the question about versioning of the docs when we have subsequent releases of the Notary Project
  - Last time the conclusion was to have system releases (that consist of the following versions of the CLI, libraries, tools, etc.)
  - We have two options
    - Copy content in a new folder - easier but not so clean approach
    - Handle the content via branching - all work happens in the main branch and we cut a release branch and we publish a version of the site for the release branch; this will require more work on GitHub and redirection on the site.
      - We can cut a release for 1.0.0
      - We can create redirects
      - One issue is the blog posts - Zach will investigate how to overcome this one
  - @Zach will do the investigation by next Thu and we will bring it to the Monday meeting after that
- @toddysm There is a maintainers meeting to approve the response for the security advisory this evening PT

### Recording

https://www.youtube.com/watch?v=NWvi_t2zPHM

## Oct 9 2023

### Attendees:

- Yi Zha
- Feynman Zhou
- Pritesh
- Toddy
- Sajay
- Shiwei
- Patrick
- Junjie

### Agenda Items:

- Review [Notary Project CNCF annual review document](https://hackmd.io/4TflOq8iSxqApi6Kx4WZjQ?view) (Feynman)
- [PR](https://github.com/notaryproject/.github/pull/53) to update term in governance doc
- Review [spec](https://hackmd.io/ewbJr2ZnT4a8U1ObDVXcSw?view) of feature signing arbitrary (Pritesh)
- Request community to review the updated [v1.1.0 milestone](https://github.com/orgs/notaryproject/projects/10) with priorities, status and assignees. (Yi)
- Protect the community meeting against Zoom bombing. Require only signed users participation. (ToddySM)

### Notes

- Maintainers to review https://github.com/notaryproject/notaryproject.dev/pull/357 which removed Docker adoption document, and added Harbor adoption
- Maintainers to review https://github.com/notaryproject/.github/pull/53, which updates the term in the governance doc, before 10/10/2023
- @pritesh and Samir to review the updated [v1.1.0 milestone planning board](https://github.com/orgs/notaryproject/projects/10).
- CNCF annual review document, @Feynman to resolve comments
  - Overall comments on CNCF annual review: rework the background to focus on current Notary Project goals and activities.
  - Sajay suggested linking to the notary project overview is good enough instead of repeating the background info
  - Pritesh will add more comments after the meeting.
- Spec for signing arbitrary data
  - We are aligned on signature payload: "digest", "size" and "mediatype" (optional), @pritesh can start writing PR for signature payload spec
  - @yizha1 to update scenarios to make it clear especially on scenario "users distribute file and signatures via registry"
  - @pritesh to write PR for CLI spec for command line experience; based on the discussion, we prefer adding flags for sign and verify commands.
  - We discussed a bit of trust policy, and the proposal is to rename "registryScopes" to "Scopes". @yizha1 is good with the proposal, waiting for others' comments.
  - @pritesh requested further review on the specification.

### Recording

https://www.youtube.com/watch?v=Y2dWBjNId7w

## Oct 5 2023

- Meeting is cancelled as there was no one else and no agenda items
  - sajay
  - Zach

## Oct 2 2023

### Attendees:

- Pablo
- Pritesh
- Sajay Antony
- Samir Kakkar
- ToddySM

### Agenda Items:

- Notary Project annual review https://github.com/cncf/toc/issues/1018#issuecomment-1682556150 (Toddy)
- Security advisory
  - this should be discussed privately in the Slack channel among maintainers
  - Shiwei is important to the conversation, we need to wait for his presence
- Any blockers for the 1.1.0 release in November
  - Signing arbitrary artifacts is running a bit late
    - Pritesh is targeting to have the spec ready for discussion for next week's (10/9) meeting
  - List of items is available at https://github.com/orgs/notaryproject/projects/10/views/7
    - Items assigned to folks to be confirmed (@Toddysm and @pritesh)
    - @shizh to follow up with the team if they can take those items
    - Adding priorities to the items will help with scheduling (@Yi and @Feynman)
- Random
  - @Feynman and @yizha1 can you speak about the adoption of DockerHub on this page https://notaryproject.dev/?
  - How do we measure adoption (Samir)
    - We need to define the way we measure adoption (Toddy)
    - Possible metrics (Samir)
      - Number of visitors to our web page
      - Number of visitors to the release page/number of downloads
  - Doing retrospectives (Toddy)
    - Somebody to post question before we do the retrospective (Samir)
    - How often? (Toddy)
      - After major release (Samir). Proposal is to do it after the 1.1.0 release
      - At least twice a year (Sajay)
    - @toddysm can work on a proposal for retros
  - Looking at the long term investments (Toddy)
    - We can repurpose one of the Thursday meetings for that (Sajay)
    - We also need to have somebody write a strategy to be useful (Sajay)
    - Urge the community to create a wish list (Sajay)
      - @pritesh and @Samir to eventually start a list

### Notes:

- _meeting minutes_

Agenda items must identify the (owner) of the item

### Recording

https://www.youtube.com/watch?v=FzrwC5y1HOQ

## Sept 28 2023

CANCELLED due to no agenda and people unable to attend

## Sept 25 2023

### Attendees:

- Yi Zha
- Pritesh
- Toddy SM
- Shiwei Zhang
- Feynman Zhou
- Junjie Gao
- Patrick Zheng
- Pablo
- Sajay Antony

### Agenda

- Discussion of PRs (Pritesh)
  - https://github.com/notaryproject/notation/pull/771#issuecomment-1731705600
  - https://github.com/notaryproject/notation-go/pull/345
- Review and discuss feature "Sign Arbitrary Data" https://hackmd.io/ewbJr2ZnT4a8U1ObDVXcSw?view (Pritesh)
- [KubeCon China](https://www.lfasiallc.com/kubecon-cloudnativecon-open-source-summit-china/) (9/26 - 9/28)
- Public holidays in China Mainland (9/29 - 10/6)

### Meeting Notes:

- Pritesh can help to create an issue for an optimized verification workflow: https://github.com/notaryproject/notation/issues/790
- Continue discussing the experience of multiple signature verification failures: should we print out all the failures by default or leverage the verbose flag @yizha1
- We walked through the comments for "Sign Arbitrary Data" hackmd, Pritesh will update the spec accordingly, we need to
  continue the review later.

### Recording

https://www.youtube.com/watch?v=S_bXMvI1y4o

## Sept 18 2023

### Attendees:

- Yi Zha
- Feynman Zhou
- Shiwei
- Patrick
- Junjie
- Pritesh
- Samir
- Toddy
- Sajay

### Agenda Items:

- Release Notation GitHub Actions and submit it to GitHub Marketplace (Feynman)
- Triage other issues marked in [1.1.0 milestone](https://github.com/notaryproject/notation/milestone/17) (Yi)
- INFO: KubeCon China from Sep 26 to Sep 28
  - [Kicking Security Chain Attacks to the Curb with Kyverno and Notary Project in GitOps](https://www.lfasiallc.com/kubecon-cloudnativecon-open-source-summit-china/program/schedule/) - Feynman
  - [Securing Container Supply Chain in CICD with Notary Project, ORAS and Harbor](https://www.lfasiallc.com/kubecon-cloudnativecon-open-source-summit-china/program/schedule/) - Yi wo Harbor maintainer
- Additional guidance for difference with TUF based update?

### Notes

- We didn't complete all the topics today.
- Notation GitHub action will be submitted to GitHub marketplace on 9/20/2023
  - We can continuously iterate on GitHub actions by adding new enhancements and user guides.
  - Pritesh will try the actions and provide feedback
- We triaged several issues in [1.1.0 milestone](https://github.com/notaryproject/notation/milestone/17), but didn't complete. Suggest reviewing the issues offline first, then we finalize it during the community meeting.

### Recording

https://www.youtube.com/watch?v=rrg1_xxQgh0

## Sept 14 2023

### Attendees:

- Sajay Antony
- Samir Kakkar
- ToddySM

### Agenda Items:

- Ad-hoc agenda today

### Notes:

- Samir and Toddy discussed the KubeCon maintainers track
  - Samir will follow up with Milind on that
- Samir completed the PR reviews marked as action items from the last meeting

### Recording

https://www.youtube.com/watch?v=rxfqqKw1kcM

## Sep 11, 2023

### Attendees:

- Yi Zha
- ToddySM
- Sajay Antony
- Feynman Zhou
- Shiwei Zhang
- Patrick Zheng
- Junjie Gao
- Fan Du
- Samir Kakkar
- _add yourself_

### Agenda Items:

- Follow up actions from previous meeting
- Notary Project v1.1.0 release planning
  - [Feature](https://github.com/notaryproject/notation/issues/768) assignments
  - Documentation [v1.1.0](https://github.com/notaryproject/notaryproject.dev/milestone/8)
  - Specification [v1.1.0](https://github.com/notaryproject/specifications/milestone/22)
- PR Review
  - [Release schedule and support policy](https://github.com/notaryproject/notaryproject.dev/pull/348)
  - [archive process](https://github.com/notaryproject/.github/pull/37)
  - [contributing guide](https://github.com/notaryproject/.github/pull/25)

### Notes

- Request review on [TOC](https://github.com/notaryproject/notaryproject.dev/pull/312), Samir and Zach to review this PR.
- Request review on [contributing PR](https://github.com/notaryproject/.github/pull/25), @pritesh and other maintainers
  - Once we align on the criteria for stale issues or PRs, we can start to practice the automation workflow on the website repo to clean up stale issues and PRs.
- Request broader review on archiving process, @Toddy, and Samir

### Recording

- https://www.youtube.com/watch?v=H96aPvjb7b0

## Sep 7, 2023

### Attendees:

- Sajay Antony
- ToddySM
- Zach

### Agenda Items:

- Ad-hoc agenda

### Notes:

- Discussed documentation items (@Feynman and @yizha1 please work with @Roseline and @Sanjay to complete the important PRs below)
  - The TOC https://github.com/notaryproject/notaryproject.dev/pull/312 is blocking a lot of other stuff. We need to prioritize this one
    - @Roseline if you can take action and resolve the conflicts so we can merge
  - We agreed on closing items that are older than Jan 2023 and ask the submitters to reopen if they deem the update important
  - Next, let's prioritize the Landing page https://github.com/notaryproject/notaryproject.dev/pull/335 and this will unblock some site-wide issues
  - Net new content (@Zach)
    - GitHub Actions documentation
    - Update the installs with the Brew instructions for MacOS and other updates to the installs
    - Eventually get some nuggets from the Tanzu podcast https://tanzu.vmware.com/content/videos/enlightning-ensuring-software-authenticity-introduction-to-notary-project
    - How Notary Project differs from Sigstore
    - One-page summary of what Notary Project is
    - Add links to cloud providers and other projects and vendors that integrated with Notary Project tooling. Integration partners page.
      - AWS
      - Azure
      - Hashicorp
      - containerd
      - Harbor
      - Kyverno
  - (@Sajay) We need to have a page describing the release schedule and the support policy for Notary Project tools
    - @Feynman and @yizha1 to kick off this work
  - (@Zach) Versioning of the content is becoming an important topic. We need to make decisions on the git structure, branching, etc. Issue with proposal to be filed in the documentation repo for documenting, discussion and formal approval. @Zach to file.

### Recording link

https://www.youtube.com/live/q1Kx856MXAw?si=oiGo6dgfzcf8HCZ5

## Sep 5, 2023

### Attendees

- Yi Zha
- Sajay Antony
- Toddy SM
- Pritesh
- Patrick Zheng
- Feynman Zhou
- Fan Du
- Shiwei Zhang
- _add yourself_

### Agenda Item:

- [Discuss user stories and target date for Notation v1.1](https://github.com/notaryproject/notation/issues/768) (Yi)
- [PR Bump apache/skywalking-eyes from 0.4.0 to 0.5.0](https://github.com/notaryproject/notation-core-go/pull/161) (Yi/Shiwei)
- We onboarded Notation to Homebrew (for macOS/Linux) and Winget (for Windows). Users can install Notation with just one command. Request maintainers to review the [doc PR](https://github.com/notaryproject/notaryproject.dev/pull/338). (Feynman)
  - Homebrew: `brew install notation`
  - Winget: `winget install notation -s winget`

### Notes

- We agreed on using a date-based release approach. We will have at least one release per quarter. It could be a patch release, minor release or major release. For the next release, Nov 15 will be the code freezing date, and the release date will be Nov 22, one week after code freezing. The worst case is that we don't have any features ready by the target date, but we will still cut a patch release for small enhancements and bug fixing.
- Pritesh, Toddy, Sajay to take a look at the proposal of issue https://github.com/notaryproject/notation/issues/777, we can discuss it offline
- Feynman/Yi to consult skywalking-eyes/CNCF to find the root cause, like whether Apache license can depend on dependencies with MPL2.0
  - https://github.com/apache/skywalking-eyes/blob/main/assets/compatibility/Apache-2.0.yaml
- Shiwei will help to create two issues to address the improvements mentioned by him.
  - `brew`: https://github.com/notaryproject/notation/issues/778
  - `winget`: Binary is directly obtained from the github releases. Therefore, no change / issue on this.

### Recording

- https://www.youtube.com/watch?v=4W_MXHy9VTw

## Aug 31, 2023

### Attendees:

- _add yourself_

### Agenda Items:

- [Discuss user stories and target date for 1.1](https://github.com/notaryproject/notation/issues/768) (Samir)
- Proposal to move meeting on Sep 4 to Sep 5 due to US holidays (Yi)
- Action from previous meeting: any feedback from Pritesh on `mediatype` usage in signature payload? Yi is adding a spec to cover non-oci signature payload and storage, ETA Sep 5 for review. (Yi)
- Request Pritesh and Samir to re-review governance PRs (Yi)
  - [Notation-go readme.md](https://github.com/notaryproject/notation-go/pull/343)
  - [notation-core-go readme.md](https://github.com/notaryproject/notation-core-go/pull/158)
  - [Archive process](https://github.com/notaryproject/.github/pull/37)
  - [Contributing guide](https://github.com/notaryproject/.github/pull/25)
- We onboarded Notation to Homebrew (for macOS/Linux) and Winget (for Windows). Users can install Notation with just one command. Request maintainers to review the [doc PR](https://github.com/notaryproject/notaryproject.dev/pull/338).
  (Feynman)
  - Homebrew: `brew install notation`
  - Winget: `winget install notation -s winget`

### Notes:

- _meeting minutes_

## Aug 28, 2023

### Attendees:

- Yi Zha
- Feynman Zhou
- Pritesh
- Patrick Zheng
- Shiwei Zhang
- Samir Kakkar
- ToddySM
- Sajay Antony
- _add yourself_

### Agenda Items:

- [When is 1.1 release and what to include in it.](https://github.com/notaryproject/notation/issues/768) (Pritesh)
- [For signing non-oci (arbitrary) artifact, Signature Payload format should include mediatype or not.](https://github.com/notaryproject/notation/discussions/767) (Pritesh)
- Information sharing on KubeCon China 2023 (Sep 26 ~ Sep 28), and public holidays (Sep 29 ~ Oct 6) (Yi)

### Notes:

- Clarify the purpose of Major/Minor/patch release in [Release Management](https://github.com/notaryproject/notation/blob/main/RELEASE_MANAGEMENT.md) - @yizha1 create an issue for tracking
- We will defer discussion of supporting n and n-1 major minor release to 1.1 release.
- Need continuous discussions on release cadence for patch releases and feature releases
- @yizha1 Prepare a prioritized feature list and add it in [issue](https://github.com/notaryproject/notation/issues/768) for discussion on Thursday Community Meeting.
- We discussed that mediatype is important for declaring the purpose of the content to avoid potential security risk. Sajay suggests using default mediatype `application/octet-stream` for arbitrary content, and users can specify their own mediatype based on their needs. @pritesh will consider these comments and a follow-up discussion is required.

### Recording

## Aug 24, 2023

### Attendees

- Roseline
- Samir
- ToddySM
- Zach

### Agenda

- Request PR review (Yi)
  1. [Notation v1 blog](https://github.com/notaryproject/notaryproject.dev/pull/300)
  2. [Contributing guide](https://github.com/notaryproject/.github/pull/25), which includes the planning improvements discussed in previous meeting. We can start practicing while reviewing this guide.

### Notes

- Samir, Toddy, and Pritesh will take a look at the changes in [Notation v1 blog](https://github.com/notaryproject/notaryproject.dev/pull/300) and approve the PR
- Homework for the contributors to look at the [Contributor's guide](https://github.com/notaryproject/.github/pull/25) and provide feedback
  - Open question is whether any subproject specific guidelines will be covered by this guide
  - We also need to link the guide from each individual subproject README
- Ask for @Feynman and @yizha1 - can we update the icon on YouTube channel to remove the V2 part in the lower right corner

  ![YouTube screenshot](https://hackmd.io/_uploads/r1VCbZH63.png)
- @Samir will check with Pritesh and Milind about KubeCon NA 2023
- Appeal to the community is to start planning for next set of features (signing local images, signing arbitrary files, timestamping, plugins, etc.). We should have discussion in the next community meeting
  - Should we include plugins by default
  - We should plan for smaller releases instead of bigger ones

### Recording

https://www.youtube.com/watch?v=WB8F3595grA

## Aug 20, 2023

### Attendees

- Yi Zha
- Toddy SM
- Junjie Gao
- Pablo
- Samir Kakkar
- Patrick Zheng
- Sajay Antony
- Feynman Zhou
- Fan Du

### Agenda

- [Improvements for Notary Project Planning](https://hackmd.io/efzM7JIeTPCkND5VJKdY7w?view) (Yi)

### Notes

- Notary Project maintainers to review the [PR of the system release announcement blog](https://github.com/notaryproject/notaryproject.dev/pull/300) by 8/22/2023.
- The decision is to use a hybrid model to triage issues regularly. Samir suggested reserving 15 min in community meeting to triage new issues, especially issues for new features. Bugs can be triaged offline. We can start the practice next week and continuously improve the practice over time.
- Label `triage` or `question` may not be required for PRs, @yizha1 will consider the comments and update the PR.
- Pritesh and Feynman suggested moving the milestone management content to the PR and making the decision with other maintainers offline, @yizha1 will create a PR to update the milestone management, and send out contributing PR for review.

### Recording

https://www.youtube.com/watch?v=dK_C5I0shPg

## Aug 17, 2023

### Attendees

- Samir Kakkar
- Sajay Antony
- Daniel (CNCF)

### Agenda

- Request reviewing the remaining PRs for issue [Proposal for bringing clarity to the Notary Project branding](https://github.com/notaryproject/.github/issues/35). Here is the [prioritized PR list](https://github.com/notaryproject/.github/issues/35#issuecomment-1682016530) (Yi)
- Review of the notaryproject.dev open PR - In progress (Samir)

### Notes

- Samir to ping reviewers for the open PRs above
- Sajay's suggestion for https://deploy-preview-312--notarydev.netlify.app/community/ is to get the must-have changes now and create separate tracking items for nits/enhancements.

## Aug 14, 2023

### Attendees

- Yi Zha
- Toddy SM
- Junjie Gao
- Pablo
- Feynman Zhou
- Samir Kakkar
- Shiwei Zhang
- Patrick Zheng
- Sajay Antony

### Agenda

- Notation CLI v1.0.0 release process (Yi)
  1. Walk through and finalize [release note](https://hackmd.io/@shizh/rJ6A-zQ32)
  2. Release [Notation CLI v1.0.0](https://github.com/notaryproject/notation/issues/749)
  3.
     Slack channel to announce Notation CLI v1.0.0 release
- Notation CLI post-v1.0.0 release (Yi)
  - Review and merge [update website banner](https://github.com/notaryproject/notaryproject.dev/pull/281)
  - Review and Merge [Notation v1 blog](https://github.com/notaryproject/notaryproject.dev/pull/300) for system release announcement
  - Merge [release management PR](https://github.com/notaryproject/notation/pull/714)
  - Review and Merge [Release checklist PR](https://github.com/notaryproject/notation/pull/713)
  - Review and merge website PRs [update website meta](https://github.com/notaryproject/notaryproject.dev/pull/331), [overview](https://github.com/notaryproject/notaryproject.dev/pull/334), [naming update](https://github.com/notaryproject/notaryproject.dev/pull/327)
  - Add [Mac](https://github.com/notaryproject/notation/issues/571) and [Windows](https://github.com/notaryproject/notation/issues/570) installer for Notation CLI v1.0.0.

### Notes

- @shi to release Notation CLI v1.0.0 after community meeting 8/14/2023
- Announce Notary Project system release
  - @feynman to update the [blog post](https://github.com/notaryproject/notaryproject.dev/pull/300) for Notary Project system release, and @samir to review it by Aug 15
- Complete the review on other PRs after merging the blog PR
  - [release management PR](https://github.com/notaryproject/notation/pull/714), merge it after Notation v1 release
  - [Release checklist PR](https://github.com/notaryproject/notation/pull/713), need @Pritesh or @Milind to review it
  - Need @samir to review website PRs
    - [update website banner](https://github.com/notaryproject/notaryproject.dev/pull/281)
    - [update website meta](https://github.com/notaryproject/notaryproject.dev/pull/331)
    - [overview](https://github.com/notaryproject/notaryproject.dev/pull/334)
    - [naming update](https://github.com/notaryproject/notaryproject.dev/pull/327)
- Considering using brew for linux installer, @yizha1 to create an issue for tracking it.

### Recording

- https://www.youtube.com/watch?v=xktLZjupEow

## Aug 10, 2023

### Attendees

- Roseline Bassey
- Sajay Antony
- Samir Kakkar
- Toddy SM

### Agenda

- Notary Project release blockers (TSM)
  - FAQs for terminology and names https://github.com/notaryproject/notaryproject.dev/pull/328 (major)
  - Changing references to `notaryproject` repo to `specifications` https://github.com/notaryproject/.github/pull/50 (minor)
  - Notary Project meta tag https://github.com/notaryproject/notaryproject.dev/pull/331 (minor)
- Need @Samir to help review [Notation v1.0.0 release blog](https://github.com/notaryproject/notaryproject.dev/pull/300). Feynman has resolved his suggested changes. It will be submitted to cncf.io after the v1 release (Feynman)

### Notes

- Notary Project release blockers
  - ToddySM, Samir will review https://github.com/notaryproject/notaryproject.dev/pull/328 and approve
  - Samir, Pritesh to look at the minor PRs and review
- (Sajay) Release notes review and communication
  - (Samir) Notation release announcement is already reviewed
  - We are talking about the release notes on the GitHub release
  - Shiwei will share a HackMD with the proposed release notes and we will review
- (Roseline) is requesting feedback on her https://github.com/notaryproject/notaryproject.dev/issues/107
- (Roseline) asking for review of the web-site docs structure https://github.com/notaryproject/notaryproject.dev/pull/312
- (Samir) Raised the question that there is no system release announcement. We have individual Notation and Spec announcement but nothing for the system release. Example: https://github.com/notaryproject/roadmap/tree/main/RELEASENOTES (@FeynmanZhou and @yizha1 can we follow up and prepare those?)

### Recording

https://www.youtube.com/watch?v=zDzcuz8xMUA

## Aug 7, 2023

### Attendees

- Feynman Zhou
- Shiwei Zhang
- ToddySM
- Sajay Antony
- Pritesh
- Samir Kakkar
- Miran Kurukulasuriya
- Patrick Zheng
- Yi Zha

### Agenda

- Notation CLI v1 release status check-in (Yi)
  - [Release Notation CLI v1.0.0](https://github.com/notaryproject/notation/issues/749)
- PR for post Notation CLI v1 release (Yi)
  - Notation v1 release announcement [blog](https://github.com/notaryproject/notaryproject.dev/pull/300)
  - Documentation updates for website
    - https://github.com/notaryproject/notaryproject.dev/pull/327
  - `README.md` updates for Notary Project Overview
    - https://github.com/notaryproject/notation-go/pull/343
    - https://github.com/notaryproject/notation-core-go/pull/158
    - https://github.com/notaryproject/notation-action/pull/18
    - https://github.com/notaryproject/notaryproject.dev/pull/295
    - https://github.com/notaryproject/notation-hashicorp-vault/pull/9
    - https://github.com/notaryproject/tuf/pull/45
    - https://github.com/notaryproject/meeting-notes/pull/18
    - https://github.com/notaryproject/roadmap/pull/92
  - Proposal of archiving process
    - https://github.com/notaryproject/.github/pull/37
- Vote for `notation v1.0.0` release (Shiwei)
  - Vote link: https://github.com/notaryproject/notation/pull/748

### Notes

- [x] Regarding [RELEASE CHECKLIST #PR713](https://github.com/notaryproject/notation/pull/713), the decision is to remove [RELEASE CHECKLIST #PR713](https://github.com/notaryproject/notation/pull/713) from the blocking issues of v1 release
  - It is decided that [FAQ PR](https://github.com/notaryproject/notaryproject.dev/pull/328) needs to be completed before Notation CLI v1 release
- [ ] Regarding ETA of Notation CLI v1 release, the decision is to finalize all blocking issues and release Notation CLI v1 by Aug 11
- [ ] Notary Project maintainers to review PRs for post v1 as listed in [issue #35](https://github.com/notaryproject/.github/issues/35#issuecomment-1653281321)

### Recording

- https://www.youtube.com/watch?v=AGS-S-pMx-A

## Aug 3, 2023

### Attendees

- Roy Williams
- Sajay Antony
- Samir Kakkar
- ToddySM
- Zach Rhoads

### Agenda

- Info: Repo `notaryproject/notaryproject` was renamed to `notaryproject/specifications` after reaching 2/3 supermajority, and the relevant [issue](https://github.com/notaryproject/.github/issues/38) was closed (Yi)
- Call-out: PRs review and merge for Notation v1 releases (Yi)
  - [specifications#256](https://github.com/notaryproject/specifications/pull/256)
    - Need Toddy approval, since changes were requested by Toddy
  - [specifications#263](https://github.com/notaryproject/specifications/pull/263)
    - Need one more approval from Milind or Pritesh
  - [.github#32](https://github.com/notaryproject/.github/pull/32)
    - Need Milind approval, since changes were requested by Milind
    - Need Toddy to fix the DCO error
  - [notaryproject.dev#326](https://github.com/notaryproject/notaryproject.dev/pull/326)
    - Need both Samir and Zach approvals, since changes were requested by them
- Release [specifications](https://github.com/notaryproject/specifications) v1.0.0 after above two PRs [specifications#256](https://github.com/notaryproject/specifications/pull/256) and [specifications#263](https://github.com/notaryproject/specifications/pull/263) are merged (Yi)

### Notes

- Call-out: PRs review and merge for Notation v1 releases (Yi)
  - [specifications#256](https://github.com/notaryproject/specifications/pull/256)
    - Need Toddy approval, since changes were requested by Toddy

    Samir will ping Pritesh, Milind, and Niaz for approvals. Toddy will review today and approve.
  - [specifications#263](https://github.com/notaryproject/specifications/pull/263)
    - Need one more approval from Milind or Pritesh

    Samir will ping Pritesh, Milind, and Niaz for approvals. Toddy will review today and approve.
  - [.github#32](https://github.com/notaryproject/.github/pull/32)
    - Need Milind approval, since changes were requested by Milind
    - Need Toddy to fix the DCO error

    Samir will ping Pritesh, Milind, and Niaz for approvals. Toddy will address the DCO errors.
  - [notaryproject.dev#326](https://github.com/notaryproject/notaryproject.dev/pull/326)
    - Need both Samir and Zach approvals, since changes were requested by them

    This should be in the `.github` repo and we should refer to it. This is not blocking for release. We can add after the release.
- Specification PR needs approvals https://github.com/notaryproject/specifications/pull/256 by maintainers. This can be done in parallel with the other PRs
- [Zach] Discussion related to the following comment https://github.com/notaryproject/notaryproject.dev/pull/312#issuecomment-1661051838. Zach needs feedback from the maintainers and the community
- [Samir] Is the "the" important to the branding? Should we capitalize it always or just when it is grammatically required? We decided that "the" is insignificant and it is not part of the brand "Notary Project".
- [Samir] Feedback on renaming "notary" repo to "notary-tuf". There was feedback from two maintainers. We believe that the decision to keep the name is made and we can move on from that proposal.

### Recording

https://www.youtube.com/watch?v=FIEkkduYCDA

## July 31, 2023

### Attendees

- Yi Zha
- Feynman Zhou
- Toddy SM
- Shiwei Zhang
- Patrick Zheng
- Zach
- Pritesh
- Junjie Gao
- Sajay Antony
- Pablo Rincon

### Agenda

- [New directory structure and version control](https://github.com/notaryproject/notaryproject.dev/pull/312) (Feynman)
- [[Arbitrary data signing]](https://hackmd.io/QteHaBQTS-6h-AsU04U1cQ?both) [[notation/issues/741]](https://github.com/notaryproject/notation/issues/741): Support signing of already calculated hash.
  (Pritesh)
- Notation v1 release (Yi)
  - Merge branding related PRs
  - Rename `notaryproject` to `specifications`
  - Review v1 blog, and merge it for official announcement
  - See complete [list](https://cloud-native.slack.com/archives/CQUH8U287/p1690507615334939)
- Review Other branding issues in parallel with Notation v1 release, see [Issues and PRs NOT blocking Notation v1.0.0 release:](https://github.com/notaryproject/.github/issues/35#issuecomment-1653281321) (Yi)
- Wondering if we want to use "The Notary Project" or "the Notary Project" everywhere in our docs? (Samir)

### Notes

- Keep current documentation structure for Notation v1 release, and further discussion on versioning and structures is required for future releases.
- Need further discussion on [notation/issues/741](https://github.com/notaryproject/notation/issues/741)
- Agreed on [complete the list of PRs and issues](https://cloud-native.slack.com/archives/CQUH8U287/p1690507615334939) for Notation v1 release by mid of this week, and decision on Thursday community call for Notation v1 release.
- The last topic "Wondering if we want to use "The Notary Project" or "the Notary Project" everywhere in our docs?" was not discussed, @yizha1 posted this question [here](https://github.com/notaryproject/.github/issues/35#issuecomment-1659443419) for further discussion

### Recording

https://youtu.be/7_pORhoAMzM

## Jul 27, 2023

### Attendees

- Sajay Antony
- Pritesh Bandi
- Sanjay
- Roseline

### Agenda

- Call-out: Review branding related issues and PRs (~`20` in total), see [complete list under .github issues#35](https://github.com/notaryproject/.github/issues/35#issuecomment-1653281321)
- Review v1 blog https://github.com/notaryproject/notaryproject.dev/pull/300
- Review of the new landing page UI for the Notary Project website https://github.com/notaryproject/notaryproject.dev/pull/320

### Notes

- Discussed the issues to unblock notation release.
- Pritesh will follow up with Milind and Niaz.
- Doc PRs require help from Zach for Roseline and Sanjay. How can we proceed with the restructuring?

## July 24, 2023

### Attendees

- ToddySM
- Feynman Zhou
- Yi Zha
- Pritesh
- Shiwei Zhang
- Patrick Zheng
- Junjie Gao
- Sajay Antony

### Agenda

- Follow-up on [naming proposals](https://github.com/notaryproject/.github/issues/35) (Yi)
  - Archiving process https://github.com/notaryproject/.github/pull/37
  - Update readme to align with TUF https://github.com/notaryproject/notary/pull/1685
  - Proposal for the creation of a specifications repository https://github.com/notaryproject/.github/issues/38
- Notation CLI and libraries v1 release status (Yi)
  - [Notation Core Go Library](https://github.com/notaryproject/notation-core-go) v1.0.0 was approved and [released](https://github.com/notaryproject/notation-core-go/releases/tag/v1.0.0)!
  - Track for [releasing `notation` v1.0.0](https://github.com/notaryproject/notation/issues/749)
- [vote: A new repository for creating framework for notation plugin](https://github.com/notaryproject/.github/issues/45) (Pritesh)

### Meeting Notes

- @pritesh to nominate Samir as maintainer for `.github` repo and emeritus of Vani
- @yizha1 to create an issue to define a clear criteria for "supermajority" in the governance guide. In general, two-thirds supermajority means the criteria.
- Regarding renaming `notaryproject/notaryproject` repo as described in [issue 38](https://github.com/notaryproject/.github/issues/38), we need to get super-majority approval from Notary Project maintainers.
- @pritesh to comment on [issue 749](https://github.com/notaryproject/notation/issues/749). The decision is to cut the Notation CLI v1.0.0 and announce it after fixing the naming issue. --done
- @yizha1 to comment on [PR 1685](https://github.com/notaryproject/notary/pull/1685) with the conclusion that the decision is to merge this PR and bypass the CI checks
- Notary Project maintainers to finish the naming issues and send out PRs for review before July 27.
  We will use Thursday's meeting as a checkpoint
- @toddysm to resolve the comments and finalize [PR 32](https://github.com/notaryproject/.github/pull/32) by July 27

### Recording

https://www.youtube.com/live/a1f47VX-ssk

## July 20, 2023

### Attendees:

- Miran Kurukulasuriya
- Naga
- Roseline Bassey
- Sajay
- Samir Kakkar
- ToddySM
- Zach

### Agenda

- Governance items (Samir)
  - Notary Project logo update
  - FAQ work item
  - Work item for nominating Samir
- Documentation items (Zach)
  - Get approvals for the PR from Roseline https://github.com/notaryproject/notaryproject.dev/pull/312
  - Versioning of the docs
- Sign arbitrary file (Miran)
- Kick off release discussion for notation-go, notation-core-go and notation

### Notes

- Governance
  - For the logo @Feynman will create a ticket to request designer and work with them to update the logo. Work item is created by Feynman https://github.com/notaryproject/.github/issues/43
  - New work item will be created by Toddy and linked to the common work item https://github.com/notaryproject/.github/issues/35
  - @pritesh will create work item to nominate Samir as maintainer (and replace Vani)
- Documentation
  - As of today we have capability to publish the CLI auto-generated documentation but we don't have ability to publish API documentation and we don't have any other bespoke developer content except the secure development one
  - We need the following audiences: End users, Developers of plugins, Developers who use the spec, Developers who use the libraries for their tools and we need to address all their needs in the documentation
  - Evergreen content will be at the top level, spec related content will be under the Developer level
  - Discussion will continue offline
- Sign Arbitrary Files
  - Miran's scenario. He wants to sign installer file and publish it as GitHub package (as GitHub release). If Notation can sign GitHub release it will make sense.
    The signature will be part of the release (as a signature file) but can be in some other way. He is interested to understand how to distribute the trust policy.
  - We will document scenarios in https://github.com/notaryproject/notation/issues/741
- Kick off release
  - Starting the release of the three components - Notation-Core-Go, Notation-Go, Notation CLI. Agreed to start the process and queue everything.

### Recording

https://www.youtube.com/live/6GYEQEGcmqw?feature=share

## July 17, 2023

### Attendees:

- ToddySM
- Sajay
- Shiwei Zhang
- Yi Zha
- Feynman Zhou
- Samir Kakkar
- Pritesh
- Patrick Zheng
- Junjie Gao

### Agenda Items:

- [Notation to sign and verify arbitrary data #741](https://github.com/notaryproject/notation/issues/741) (Pritesh)
- [Support go library based plugins](https://github.com/notaryproject/notation-go/issues/336) (Pritesh)
- Follow up action points from previous meeting (Yi)
- [Governance improvement plan](https://github.com/notaryproject/.github/discussions/42) (Feynman)
- PR still no update from maintainer on 'TUF notary CLI' https://github.com/notaryproject/notary/pull/1685
- Call for PR reviews: dependabot PRs

### Notes:

- Milind will provide updates on naming issue on Jul 18.
- Toddy will resolve the comments in the PR for notation-action repo governance today (Jun 17)
- Milind will work with Toddy on the podcast.
- Toddy submitted the document with Pritesh, Samir, Justin as co-speakers, we can decide the co-speaker in Aug.
- Notation issue #741 will be planned for Notation post-v1 release. Patrick will find the document related to this feature and share it with Pritesh for further discussion.
- Patrick will create two issues in notation-go repo:
  - Let `signer.NewFromPlugin` take a more relaxed `plugin.SignPlugin` instead of `plugin.Plugin`, targeting v1 release
  - Adding plugin examples for notation-go library
- Sajay will tag org maintainers on the PR https://github.com/notaryproject/notary/pull/1685
- Feynman will transform the [discussion](https://github.com/notaryproject/.github/discussions/42) to issue and share the link in the slack channel to ask maintainers for review.

### Recording

see https://youtu.be/sbTL1AwZScA

## July 13, 2023

- Zach
- Pritesh
- Sanjay

### Agenda Items

- Sanjay wants feedback on redesign of website

### Notes

- Sanjay to share [ux design](https://www.figma.com/file/rj5BvQDNPon4mipgajOlr5/Notary-website-landing-page-(Redesign)?type=design&node-id=0-1&mode=design) on slack channel to solicit feedback from community.

## July 10, 2023

### Attendees

- Fan Du
- Feynman Zhou
- Junjie Gao
- Miran Kurukulasuriya
- Patrick Zheng
- Pritesh
- Shiwei Zhang
- ToddySM
- Yi Zha

### Agenda Items

- Decision and next step on the [Notary Project naming/branding issue](https://github.com/notaryproject/.github/issues/35)
- Confirm Notation v1.0.0 release ETA
- Proposal to update MAINTAINERS and CODEOWNERS with the following:
  - Link org maintainers from .github repo
  - Considering active maintainers for CODEOWNERS.
    Active maintainers are maintainers who commit to contributing or reviewing PRs timely for specific repo
- Notary Project at Enlightning podcast (see https://cloud-native.slack.com/archives/CQUH8U287/p1688733359614519) (ToddySM)
- Maintainer Track and/or Contribfest session for KubeCon + CloudNativeCon North America 2023 deadline is July 16th (ToddySM)

### Notes

- Decision and next step on the [Notary Project naming/branding issue](https://github.com/notaryproject/.github/issues/35)
  - Discussion between Milind, Niaz, Toddy agreed to resolve the naming/branding issue by end of this week
  - On Thursday's meeting hopefully we will have the issue unblocked
- Confirm Notation v1.0.0 release ETA
  - This is blocked on the first bullet point. Targeting three weeks from now (July 27th)
- Proposal to update MAINTAINERS and CODEOWNERS with the following:
  - Action on Toddy: use GitHub team name instead of listing all the org maintainers in CODEOWNERS file. Starting with notation-action repo to see whether it works as expected.
  - Action on Toddy: add a comment in MAINTAINERS that Org Maintainers are also considered repo owners and link to the Org Maintainers file in .github repo.
- Notary Project at Enlightning podcast (see https://cloud-native.slack.com/archives/CQUH8U287/p1688733359614519) (ToddySM)
  - Toddy will check with Whitney on the time changes to 2nd half of Aug
  - Pritesh will check with Niaz on the guideline to join the podcast event by Wed Jul 12.
- Maintainer Track and/or Contribfest session for KubeCon + CloudNativeCon North America 2023 deadline is July 16th (ToddySM)
  - Pritesh will get back to Toddy on this joint activity by Wednesday Jul 12.
- Notation security audit report will be published at 8AM GMT, July 11th
  - Feynman will merge two PRs [302](https://github.com/notaryproject/notaryproject.dev/pull/302) and [303](https://github.com/notaryproject/notaryproject.dev/pull/303) by 8am GMT, July 11th
- Timestamping https://github.com/notaryproject/roadmap/issues/59
  - Shiwei will comment on this issue by Jul 12

### Recording

https://www.youtube.com/watch?v=QN5Ysoxb6_o

## July 6, 2023

### Attendees

- Ivan Wallis
- Sajay Antony
- ToddySM
- Zach Rhoads

### Agenda Items

- Notary Project maintainers to review and merge PRs for publishing the Notation security audit report and blog post on July 6
  - Security page: https://github.com/notaryproject/notaryproject.dev/pull/302/
  - Security audit report: https://github.com/notaryproject/notaryproject/pull/268
  - Blog post: https://github.com/notaryproject/notaryproject.dev/pull/303
  - Secure deployment guide: https://github.com/notaryproject/notaryproject.dev/pull/228
- Ivan questions about plugin development
- Zach's proposal for Notation section in the documentation (based on Roseline's proposal) - https://deploy-preview-304--notarydev.netlify.app/docs/
- How to move Sajay's PR forward https://github.com/notaryproject/notary/pull/1685
- Agree on the name for the GHA repo https://github.com/notaryproject/.github/issues/30

### Notes

- Ivan questions about plugin development
  - RFC 3161 timestamping - Planned but we need to have in a milestone (most probably in 1.1.0)
  - Technical question about plugin
    - Pass in vendor specific attributes - this should be supported
    - Add documentation how to implement those (@Zach)
  - Ivan will open issues in https://github.com/notaryproject/notaryproject.dev to keep track on those items
- Zach's proposal for Notation section in the documentation (based on Roseline's proposal) - https://deploy-preview-304--notarydev.netlify.app/docs/
  - Ivan had feedback on the spec and the implementation - it will be good to have Implementation Best Practices
    for Developers - not only about plugins but about signature types etc.
    - He is looking for references
    - He is referring to the spec
    - Example (any language) implementation of a plugin will be helpful
- Zach's nomination https://github.com/notaryproject/.github/issues/34
  - Toddy to create a PR in the `notaryproject.dev` repo for the maintainers and codeowners file
- Zach asked whether he can generate CLI reference and prep the docs for 1.0.0 release
  - We are in agreement that he can start with that
- Toddy will go ahead and create `notation-action` repository as Shiwei proposed in https://github.com/notaryproject/.github/issues/30
- How to move Sajay's PR forward https://github.com/notaryproject/notary/pull/1685
  - Maintainers are not active on this PR. Toddy tagged maintainers from Docker

## July 3, 2023

### Attendees

- Shiwei Zhang
- Patrick Zheng
- Junjie Gao
- Feynman Zhou
- Samir Kakkar
- Viktor Lu
- Pritesh

### Agenda Items

- Notation v1.0.0 status check-in
- Confirm the release date of the security audit report and blog post status
- Confirm the repository naming of notation github actions

### Notes

- The security audit report will be released on June 6.
  @Feynman will work with Samir to finish the blog post of the security audit announcement on July 5
- PRs need to be reviewed and merged by Notary Project maintainers before releasing Notation v1.0.0
  - https://github.com/notaryproject/notaryproject.dev/pull/228
  - https://github.com/notaryproject/notaryproject.dev/pull/300
  - https://github.com/notaryproject/notation/pull/730
- @toddysm to resolve the comments from Niaz in the [Notation branding issue](https://github.com/notaryproject/.github/issues/35#issuecomment-1613362300)
- Considering a general repository name since the Notation GitHub Actions might be evolved from a single action (setup) into multiple actions (setup, sign, verify) in the future

### Recording

https://www.youtube.com/live/k6O5ecaoBnA?feature=share

## Archived meeting notes

See https://github.com/notaryproject/meeting-notes for archived meeting notes