# Notary Project Meeting Notes

###### tags: `Notary Project`, `notary`

[TUF-notary meeting notes](https://hackmd.io/wii3-L8ZQZ-U3ET0XNY8Gg)

**NOTE: Time Change** - Starting May 9 2022, we will hold two meetings a week to account for folks in the US, Europe and Asia times.

Meetings are now:
- Mondays 5-6pm pacific time, 8-9pm US Eastern, 8-9am Shanghai (US Summer time)
- Mondays 4-5pm pacific time (US Winter time)
- Thursdays 9-10am pacific time, 12pm US Eastern, 5pm UK

Links
- [On GitHub](https://github.com/notaryproject/)
- [CNCF Calendar](https://www.cncf.io/community/calendar/)
- [Zoom Dial-in link](https://zoom.us/my/cncfnotaryproject)
  - Passcode: 77777 (5x 7)
- [Notary Project Conversations on Slack](https://app.slack.com/client/T08PSQ7BQ/CQUH8U287/thread/CEX1W7WMD-1582660575.076600)
- [Find your local number](https://zoom.us/u/aLDk4OXTu)
- [Notary Project GitHub Projects](https://github.com/notaryproject/)
- [YouTube Recordings](https://youtube.com/playlist?list=PL1ykZdgmLkb7SlXax-hJVUgvNHmq4Cyz9)
  - [Recordings prior to April 9, 2021](https://www.youtube.com/playlist?list=PLj6h78yzYM2O1BOGT3hLdJTJCKz0f-bYq)

### Dial by your location
- 877 369 0926 US Toll-free
- 855 880 1246 US Toll-free
- Meeting ID: 611 593 2621

#### One tap mobile
- +16465588656,,6115932621# US (New York)
- +16699006833,,6115932621# US (San Jose)

**Note:** See Meeting Notes Template below

```
## Meeting Notes Template (template for copying)
## Meeting Date
### Attendees:
- _add yourself_
### Agenda Items:
- _add your topics_
### Notes:
- _meeting minutes_
### Recording:
_recording_url_

Agenda items must identify the (owner) of the item
```

## Meeting chair rotation
- Yi Zha
- Feynman Zhou
- Samir Kakkar
- Pritesh Bandi
- Toddy Mladenov
- David Tesar (emeritus)
- Justin Cormack (emeritus)
- Steve Lasker (emeritus)

## Apr 18 2024

### Attendees:
- Toddy Mladenov (MSFT)
- David Dooling (Docker)
- Akash Singhal (MSFT)

### Agenda Items:
- TUF Metadata/tag stream discussion (ToddySM)
  - https://docs.google.com/document/d/1l2BLEy9pGPciKNkkss0fAyQQGe6DcYiMrhcRrYOpSjY/edit?usp=sharing
- Tag signing discussion (ToddySM)
- Attestations discussion (ToddySM)

### Notes:
- (David) Attestations thoughts
  - Attestations added at creation. The way buildkit does it is preferable from Docker perspective. Easy signal when the owner and maintainer is clear. Should be able to pull the attestation and figure out what is changed in the tag. Should be in the image index. Generally looking at in-toto. They are layers in the image and that image appears as image index object. It refers to the platform specific image those attestations attest. Example: https://explore.ggcr.dev/?image=rabbitmq%3Alatest
  - Attestations added after creation. For this one the referrers is more viable as solution. This introduces additional burden for the consumer.

### Recording:
[Recording](https://www.youtube.com/live/h2W9ODdAPMY?si=4y03FmFrUAVYdVNn)

## Apr 15 2024

### Attendees:
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Junjie Gao (Microsoft)
- Patrick Zheng (Microsoft)
- Vani Rao (Amazon)
- Sajay Antony (Microsoft)
- Toddy Mladenov (Microsoft)
- Yi Zha (Microsoft)

### Agenda Items:
- Follow up on governance issue (Yi)
  - Org maintainers update https://github.com/notaryproject/notary/pull/1703
  - Next steps on archiving `notary` repo: https://github.com/notaryproject/.github/issues/70
  - Next steps on https://github.com/notaryproject/.github/issues/65
- PRs required review
  - [doc: update contributing guide](https://github.com/notaryproject/.github/pull/25)
  - [chore: bring clarity to supermajority](https://github.com/notaryproject/.github/pull/74)
  - [chore: add contributor ladder](https://github.com/notaryproject/.github/pull/75)
- Any blockers for [OCI 1.1 support PR](https://github.com/notaryproject/notation/pull/916) (Yi & Patrick)
- [bug: leaf certificate key usage should not forbid ContentCommitment](https://github.com/notaryproject/notation-core-go/issues/201) (Patrick)
- Updates on security audit (Yi)
- Triage issues if time allows (Yi)

### Notes:
- Aligned and merged PR https://github.com/notaryproject/notary/pull/1703
- **Yi** will close issues after confirming necessary changes were taken
  - https://github.com/notaryproject/.github/issues/66
  - https://github.com/notaryproject/.github/issues/67
  - https://github.com/notaryproject/.github/issues/68
  - https://github.com/notaryproject/.github/issues/69
- Next steps on [Please replace Org maintainer Justin Cormack with James Carnegie](https://github.com/notaryproject/.github/issues/65)
  - **Vani** to ping Niaz for comments
  - **Vani** or **Toddy** can help to discuss it with David and James on this issue if they joined Thursday meeting
  - It has been 4 months since this issue was created, we can check the status in project health check in Jun.
- Next steps on archiving `notary` repo: https://github.com/notaryproject/.github/issues/70
  - Need Docker folks to comment on this issue.
  - **Feynman** will contact `Jonny Stoten` for comments.
- PR requested **Pritesh** reviewing
  - https://github.com/notaryproject/notation/pull/834
  - https://github.com/notaryproject/notation/pull/916
- [bug: leaf certificate key usage should not forbid ContentCommitment](https://github.com/notaryproject/notation-core-go/issues/201)
- **Vani** brought up the discussion of ensuring resources availability in upcoming months to secure the feature delivery and security audit. We will discuss it in community meeting next week.
- We will triage the issues in `Discuss` and `Future` milestones when **Pritesh** joins the meeting properly next week.

### Recording:
https://www.youtube.com/watch?v=ElGH2TQkUlM

## Apr 8 2024

### Attendees:
- Pritesh Bandi (Amazon)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Junjie Gao (Microsoft)
- Vani Rao (Amazon)
- Yi Zha (Microsoft)

### Agenda Items:
- Follow up on governance issues (Yi)
  * https://github.com/notaryproject/tspclient-go/pull/21
  * https://github.com/notaryproject/tuf/pull/48 (need anyone)
  * https://github.com/notaryproject/notary/pull/1673 (can be merged but CI broken)
  * https://github.com/notaryproject/notary/pull/1703
  * James nomination https://github.com/notaryproject/.github/issues/65
- Install Codecov to Notary Project org (Shiwei/Junjie)
  - Codecov requires token to upload code coverage in `v4` (`v3` stopped working)
  - Code coverage is not updated since 2 months ago
  - Issue: https://github.com/notaryproject/.github/issues/72
  - PRs to review
    - [fix(ci): update codecov token](https://github.com/notaryproject/notation/pull/920) for notation
    - [fix(ci): update codecov token](https://github.com/notaryproject/notation-core-go/pull/199) for notation-core-go
- Preparation for Security Audit introductory meeting with OSTIF (Yi)
  - Repositories: `notation`, `notation-core-go`, `notation-go`, and `tspclient-go`
  - Releases
    - v1.2.0: Blob signing, Timestamping support
    - v1.3.0: Revocation check using CRL (Join the [CRL discussion](https://github.com/notaryproject/notation-core-go/discussions/198))
- Need maintainers to review the PR [Notation CLI Error Handling and Message Guideline](https://github.com/notaryproject/notation/pull/834) again. Error messages in new features are suggested following this guideline after we agree on it (Feynman)
- Triage issues if time allows (Yi)

### Notes:
- Follow up on governance issues (Yi)
  * https://github.com/notaryproject/tspclient-go/pull/21
    * This PR was merged
  * https://github.com/notaryproject/tuf/pull/48
    * This PR was reviewed and merged
  * https://github.com/notaryproject/notary/pull/1673
  * https://github.com/notaryproject/notary/pull/1703
    * Regarding these two PRs, maintainers during the meeting agreed on the following:
      * Following up on [archiving `notary` issue](https://github.com/notaryproject/.github/issues/70), if we cannot reach consensus on archiving in one week, then we will review and address [the maintainers update PR](https://github.com/notaryproject/notary/pull/1703).
      * **Yi** will ask comments from **David** and **James** from Docker in the [issue](https://github.com/notaryproject/.github/issues/65)
  * James nomination https://github.com/notaryproject/.github/issues/65
    * **Yi** will help to create a PR according to Niaz's comment in this [issue](https://github.com/notaryproject/.github/issues/65), and then tag Niaz and other maintainers for reviewing.
- Install Codecov to Notary Project org (Shiwei/Junjie)
  - **Shiwei** explained the reason of doing this.
  - Maintainers in the meeting aligned on the needs to update CodeCov as described in the topic.
  - **Shiwei** will create an issue asking for votes in `.github` repo, since CodeCov needs to be installed on the Notary Project organization. The issue was created https://github.com/notaryproject/.github/issues/72
- Preparation for Security Audit introductory meeting with OSTIF (Yi)
  - **Yi** gave a brief intro about the purpose of this meeting, and confirmed the audit scope
    - Repositories: `notation`, `notation-core-go`, `notation-go`, and `tspclient-go`
    - Releases
      - v1.2.0: Blob signing, Timestamping support
      - v1.3.0: Revocation check using CRL
- Other topics were not discussed due to out of time.

### Recording:
- https://www.youtube.com/watch?v=gKeufLWmM4c

## Apr 4 2024

### Attendees:
- Beltran Rueda - Bitnami
- David Dooling - Docker
- Toddy Mladenov - Microsoft
- Tomas Pizarro - Bitnami
- Vani Rao - AWS

### Agenda Items:
- Ad-hoc
  - Using Notation for in-toto attestations (Beltran and Tomas)
- Org Maintainers PRs and issues (ToddySM)
  - https://github.com/notaryproject/.github/pull/71
  - https://github.com/notaryproject/notation-core-go/pull/196
  - https://github.com/notaryproject/notation-go/pull/393 (may be OK to merge if CI Passes)
  - https://github.com/notaryproject/tspclient-go/pull/21
  - https://github.com/notaryproject/notation-plugin-framework-go/pull/23
  - https://github.com/notaryproject/notaryproject.dev/pull/400
  - https://github.com/notaryproject/specifications/pull/299
  - https://github.com/notaryproject/meeting-notes/pull/23
  - https://github.com/notaryproject/notation-action/pull/57
  - https://github.com/notaryproject/roadmap/pull/94
  - https://github.com/notaryproject/roadmap/pull/94
  - https://github.com/notaryproject/tuf/pull/48 (need anyone)
  - https://github.com/notaryproject/notary/pull/1673 (can be merged but CI broken)
  - https://github.com/notaryproject/notary/pull/1703 (Justin)
- Tag signing discussion (ToddySM)
- TUF Metadata/tag stream discussion (ToddySM)
  - https://docs.google.com/document/d/1l2BLEy9pGPciKNkkss0fAyQQGe6DcYiMrhcRrYOpSjY/edit?usp=sharing

### Notes:
- In-toto attestations
  - Bitnami - they only have SLSA provenance, they also have other artifacts (not wrapped in in-toto yet); in the future they would like to add SBOMs, vulnerability reports and other.
  - In-toto and DSSE https://docs.google.com/document/d/19mXclYjXjql1h3Yjijvev9tvALlT7cJQvbmJmk7IFCU/edit?usp=sharing
  - Attestations in CSSC Framework https://docs.google.com/document/d/1S3eWafFbQxlRlwpHWX2Xed6zEK93qnC4SfrZrwTz52c/edit?usp=sharing
- We skipped the TUF and tag signing discussion because James was out sick
- @vaninrao10 will discuss with @NiazFK about updates to the governance docs so we can process James nomination https://github.com/notaryproject/.github/issues/65
- @All - please approve the PR for org maintainers

### Recording:
https://www.youtube.com/watch?v=1404JmvDsEo

## Apr 1 2024

### Attendees:
- Pritesh Bandi (Amazon)
- Shiwei Zhang (Microsoft)
- Sajay Antony (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Yi Zha (Microsoft)

### Agenda Items:
- [HiPri] Governance items completion (ToddySM)
  - Steve Lasker stepping down https://github.com/notaryproject/.github/issues/66
  - Justin Cormack moved to emeritus https://github.com/notaryproject/.github/issues/68
  - Adding James Carnegie as org maintainer https://github.com/notaryproject/.github/issues/65
  - Number of maintainers https://github.com/notaryproject/.github/issues/60
  - Nominate Yi for Org Maintainer https://github.com/notaryproject/.github/issues/67
  - Nominate Vani for Org Maintainer https://github.com/notaryproject/.github/issues/69
  - Governance improvements plan https://github.com/notaryproject/.github/issues/51
  - Approve PR for hashicorp vault plugin https://github.com/notaryproject/notation-hashicorp-vault/pull/19
- OCI 1.1 support: [Votes for the flag name](https://github.com/notaryproject/notation/pull/916#issuecomment-2026452022) (Yi)
- Timestamping support (Yi)
- Plan [CRL support](https://github.com/notaryproject/notation-core-go/issues/125) for 1.3.0, and add it to security audit
- Security Audit: schedule a meeting for initial discussion
  - 8:00 am Apr 10 PDT
  - 11:00 am Apr 10 EDT
  - 11:00 pm Apr 11 UTC+8
- Improve the security statistics on CLOMonitor https://clomonitor.io/projects/cncf/notary#notation_security (Feynman)
- Continuous Triage (if time allows)

### Notes:
- [HiPri] Governance items completion (ToddySM)
  - Steve Lasker stepping down https://github.com/notaryproject/.github/issues/66
    - Maintainers in the meeting came to a consensus on moving Steve Lasker to emeritus (also as comments in the issue), and **Toddy** will start creating PRs accordingly in all the repositories.
  - Justin Cormack moved to emeritus https://github.com/notaryproject/.github/issues/68
    - Maintainers in the meeting came to a consensus on moving Justin Cormack to emeritus (also as comments in the issue), and **Toddy** will start creating PRs accordingly in all the repositories.
  - Adding James Carnegie as org maintainer https://github.com/notaryproject/.github/issues/65
    - **Pritesh** and **Vani** to follow it up with **Niaz** [per the comment](https://github.com/notaryproject/.github/issues/65#issuecomment-1921760404). We will target to finalize it by this week.
  - Number of maintainers https://github.com/notaryproject/.github/issues/60
    - Maintainers in the meeting came to a consensus on the number of org maintainers, which is `6` in total. It is recommended to document it in the governance document.
  - Nominate Yi for Org Maintainer https://github.com/notaryproject/.github/issues/67
    - Maintainers in the meeting came to a consensus: as Steve Lasker and Justin Cormack are moved to emeritus, so we reached the super majority of nomination per the comments. **Toddy** will start creating PRs accordingly in all the repositories.
  - Nominate Vani for Org Maintainer https://github.com/notaryproject/.github/issues/69
    - Maintainers in the meeting came to a consensus: as Steve Lasker and Justin Cormack are moved to emeritus, so we reached the super majority of nomination per the comments. **Toddy** will start creating PRs accordingly in all the repositories.
  - Governance improvements plan https://github.com/notaryproject/.github/issues/51
    - We cleaned up stale branches for `notation`, `notation-go` and `specifications` repo
    - We will discuss the actions of the rest of issues listed in this issue and continue to discuss them in next Monday community meeting.
  - Approve PR for hashicorp vault plugin https://github.com/notaryproject/notation-hashicorp-vault/pull/19
    - **Shiwei** and **Patrick** to review this PR, so that **Toddy** can create new PRs afterwards.
- OCI 1.1 support: [Votes for the flag name](https://github.com/notaryproject/notation/pull/916#issuecomment-2026452022) (Yi)
  - After discussions, we have two alternatives. One is `--force-tag-schema`, another one is `--force-referrers-tag`. The default value for both flags is `true` for notation `1.x`. **Pritesh** will comment on the issue for his opinion, we will finalize it in [the PR comments](https://github.com/notaryproject/notation/pull/916#issuecomment-2026452022).

### Recording:
- https://www.youtube.com/watch?v=Yx4QO5io4j4

## Mar 28 2024

### Attendees:
- Vani Rao (Amazon)
- Toddy Mladenov (Microsoft)
- David Dooling (Docker)
- James Carnegie (Docker)

### Agenda Items:
- None

### Notes:
- Following up on the governance issue with Org maintainers to comment. (Vani Rao)
  - Nominate Vani Rao (@vaninrao10) as a Notary Project Org maintainer (Pritesh and Milind have given thumbs up - **Completed**) (https://github.com/notaryproject/.github/issues/69)
  - Nominate Yi Zha as a Notary Project Org maintainer (Pritesh and Milind have given thumbs up - **Completed**) (https://github.com/notaryproject/.github/issues/67)

## Mar 25 2024

### Attendees:
- Pritesh Bandi (Amazon)
- Shiwei Zhang (Microsoft)
- Sajay Antony (Microsoft)
- Feynman Zhou (Microsoft)
- Patrick Zheng (Microsoft)
- Junjie Gao (Microsoft)
- Vani Rao (Amazon)
- Yi Zha (Microsoft)

### Agenda Items:
- Discuss [the comments for Time-stamping spec](https://github.com/notaryproject/specifications/pull/290#discussion_r1527698163) (Yi)
- Triage issues (Yi)
  - [New issues](https://github.com/notaryproject/notation/issues)
  - [Milestones](https://github.com/notaryproject/notation/milestone/18)

### Notes:
- Regarding [the comments for Time-stamping spec](https://github.com/notaryproject/specifications/pull/290#discussion_r1527698163), the meeting participants were aligned that timestamp countersignature will not be checked if the signing scheme is `x509.signingAuthority`. **Pritesh** pinged **Milind** for any comments.
- Triaged new issues
  - https://github.com/notaryproject/notation/issues/910 ==> waiting for user's feedback
  - https://github.com/notaryproject/notation/issues/909 ==> won't fix, as it is a base requirement per [7.1.2.1 Root CA Certificate](https://cabforum.org/uploads/Baseline-Requirements-for-the-Issuance-and-Management-of-Code-Signing.v3.7.pdf), and if key usage is not marked as critical, client can ignore key usage field, which means the root CA certificate can be used for different purposes beside codesigning. The use of the same key for two different cryptographic processes may weaken the security provided by one or both of the processes.
- Triaged 1.2.0 milestone
  - Issues related to "Trust policy and store management" will be moved to 1.3.0 milestone

### Recording:
- https://www.youtube.com/watch?v=Jrk4bcv0EB4

## Mar 18 2024

### Attendees
- Pritesh Bandi (Amazon)
- Shiwei Zhang (Microsoft)
- Sajay Antony (Microsoft)
- Yi Zha (Microsoft)

### Agenda Items
- Discussion on Signing blob design
- Discuss [the comments for Time-stamping spec](https://github.com/notaryproject/specifications/pull/290#discussion_r1527698163)
- Review issues for [1.2.0 milestones](https://github.com/notaryproject/notation/milestone/18) (Yi)
- Some chores: (Yi)
  - cleaning up stale issues or PRs
    - https://github.com/notaryproject/notation/pull/841
    - https://github.com/notaryproject/notation-core-go/pull/174
    - https://github.com/notaryproject/notation-go/pull/365
  - Archiving meeting notes for 2023
    - https://github.com/notaryproject/meeting-notes/pull/22

### Notes
- **Pritesh**, **Patrick** and **Shiwei** aligned on [the design proposal](https://hackmd.io/_if9-W4mST-k4HAJ-XXuqw?view), option-3 is selected.
- **Pritesh** will review the [Time-stamping spec](https://github.com/notaryproject/specifications/pull/290) again.
- **Patrick** and **Shiwei** will discuss offline about the [Time-stamping PR comment](https://github.com/notaryproject/specifications/pull/290#discussion_r1527698163)
- **Pritesh** will review the PR https://github.com/notaryproject/tspclient-go/pull/18
- We reviewed some issues in [1.2.0 milestone](https://github.com/notaryproject/notation/milestone/18). We will find other timeslot to continue the work or do it async.

### Recording
- https://www.youtube.com/watch?v=3lMtg4uV2rQ

## Mar 11 2024

### Attendees
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Vani Rao (Amazon)
- Yi Zha (Microsoft)
- Feynman Zhou (Microsoft)
- Shiwei Zhang (Microsoft)
- Sajay Antony (Microsoft)

### Agenda Items
- OCI 1.1 support [follow-up](https://github.com/notaryproject/notation/issues/892#issuecomment-1984130603) (Yi)
- Notation [v1.2.0 plan](https://github.com/notaryproject/notation/issues/880) (Yi)
- Triage [issues](https://github.com/notaryproject/notation) for `notation` repo (Cont.) (Yi)
- Info: [Notary Project updates announcement for the upcoming KubeCon EU](https://hackmd.io/zGeA2ie6RJO05NEttgaU9w) (Feynman)
- Adopter updates: Docker Hub now supports Notary Project signature. [Bitnami](https://hub.docker.com/u/bitnami) is planning to sign all images with Notation and publish an announcement (Feynman)

### Notes
- For OCI 1.1 support, [Shiwei's comment](https://github.com/notaryproject/notation/issues/892#issuecomment-1985090444) was answered. Maintainers in the meeting agreed on the plan as Pritesh [commented](https://github.com/notaryproject/notation/issues/892#issuecomment-1984130603).
- For OCI 1.1 support, Notary Project `specification` needs to be updated according to OCI image spec v1.1, which is tracked by [issue](https://github.com/notaryproject/specifications/issues/295)
- Maintainers in the meeting agree that OCI 1.1 support was added to Notation v1.2.0 release scope.
- We discussed the Notation v1.2.0 plan, see comments on [Plan for Notation 1.2.0 release](https://github.com/notaryproject/notation/issues/880#issuecomment-1989774144)
- **Vani** will review the blog post [Notary Project updates announcement for the upcoming KubeCon EU](https://hackmd.io/zGeA2ie6RJO05NEttgaU9w) before mid of March.
- **Pritesh** will get back on the availability of the PoC for "signing blob feature", which can be demonstrated in KubeCon EU.
- Maintainers in the meeting triaged the following issues:
  - https://github.com/notaryproject/notation/issues/904
  - https://github.com/notaryproject/notation/issues/902
  - https://github.com/notaryproject/notation/issues/897

### Recording
- https://www.youtube.com/watch?v=_ihI-9mu4aU

## Mar 7 2024

### Attendees
- Toddy Mladenov (Microsoft)
- James Carnegie (Docker)
- Brandon Mitchell (IBM)
- Pritesh Bandi (Amazon)
- Vani Rao (Amazon)
- David Dooling (Docker)

### Agenda Items
- Brandon Mitchell commented on the issue for supporting OCI 1.1 GA spec regarding the `--allow-referrers-api` flag: https://github.com/notaryproject/notation/issues/892#issuecomment-1979336438
  Concern is that this will create a split-brain logic and will degrade the experience.

### Notes
- Decision to keep issue open and continue discussion there

### Recording
- https://www.youtube.com/watch?v=X5TA7uY5Rss

## Mar 4 2024

### Attendees
- Akash Singhal (Microsoft)
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Vani Rao (Amazon)
- Yi Zha (Microsoft)
- Feynman Zhou (Microsoft)
- Shiwei Zhang (Microsoft)
- Sajay Antony (Microsoft)

### Agenda Items
- Support OCI 1.1 stable release (Yi)
- Triage issues (Yi)
- https://github.com/notaryproject/notation/pull/811 - Rakesh

### Notes
- **Rakesh** requested **Shiwei** to review this [PR](https://github.com/notaryproject/notation/pull/811) again and **Milind** needs to approve this PR as well since he requested changes.
- We are aligned on the way forward on OCI 1.1 support, and **Yi** will update [the issue](https://github.com/notaryproject/notation/issues/892) and create work items accordingly
- Triaged some issues in `specification` repo, and marked issues for `specification` milestone `1.1.0`

### Recording
https://www.youtube.com/watch?v=LKwgl6uvoHE

## Feb 29th 2024

### Attendees:
- Akash Singhal (Microsoft)
- David Dooling (Docker)
- James Carnegie (Docker)
- Milind Gokarn (Amazon)
- Pritesh Bandi (Amazon)
- Toddy Mladenov (Microsoft)
- Vani Rao (Amazon)

### Agenda Items:
- Brainstorming discussion about TUF and in-toto attestations (ToddySM)

### Notes:
- It was brainstorming discussion. The topics covered were distributing TUF metadata and policies via OCI registries; distributing root certs with clients; discussing on registry scenarios; touching on attestations briefly.
- Next steps: James is working on a document that he would like to share with the Notary Project and TUF communities

### Recording:
[Meeting Recording](https://www.youtube.com/live/TgfDruSLIOo?si=yZdIbU_a2xinjVxH)

## Feb 26 2024

### Attendees
- Yi Zha
- Feynman Zhou
- Akash Singhal
- Pritesh Bandi
- Sajay Antony
- Shiwei Zhang
- Toddy Mladenov
- Vani Rao
- David Dooling
- _add yourself_

### Agenda Items
- KubeCon EU 2024 (Mar 19 ~ Mar 22) demos (Yi)
- [Implement doc version control](https://github.com/notaryproject/notaryproject.dev/pull/377) (Feynman)
- Community governance follow-up
  - Nomination of new org-maintainers
  - Archive inactive repositories
- Support OCI 1.1 stable release (Yi)

### Notes
- Proposed demos for KubeCon EU 2024
  - Timestamping support
  - Signing blob (PoC)
  - **Feynman** will drive the demo cases with Pritesh
- Feynman demoed the proposed version control changes.
  - If default pointing to main branch, then a banner or note is required to show it is under development or similar
  - Maintainers to review this PR https://github.com/notaryproject/notaryproject.dev/pull/377
- Request maintainers to vote for new org maintainers
- Create an issue to vote for archiving `notary` repo per the process.

### Recording
https://www.youtube.com/watch?v=Iewszbp2Hns

## Feb 19 2024

### Attendees
- Feynman Zhou (MSFT)
- Pritesh Bandi (AWS)
- Rakesh Gariganti (AWS)
- Shiwei Zhang (MSFT)
- Vani Rao (AWS)
- Yi Zha (MSFT)

### Agenda Items
- Discussion on specification PR https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825 (Yi)
- Comments on the [issue](https://github.com/notaryproject/.github/issues/67) to support Yi Zha as Org maintainer
- Request review on [PR](https://github.com/notaryproject/meeting-notes/pull/22) to archive meeting notes of 2023 (Yi)
- OCI1.1 is GA as of 02/15/2024, discuss and identify any new changes in Notary to support OCI1.1 implicitly by default (Pritesh/Samir).

### Notes
- We had a great discussion on PR https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825, and aligned on the solution and way forward, **Rakesh** to create an issue to track the update on threat model
- We will request a security audit for upcoming Notation 1.2.0 release
- **Yi** asked for comments on [issue](https://github.com/notaryproject/.github/issues/67) and [PR](https://github.com/notaryproject/meeting-notes/pull/22)
- We did not have time to discuss OCI 1.1 GA. **Yi** created an issue https://github.com/notaryproject/notation/issues/892 for tracking the discussion on OCI 1.1 GA support

### Recording
- https://www.youtube.com/watch?v=DmQWQioVw0c

## Feb 15 2024

### Attendees:
- Vani Rao (AWS)
- Akash Singhal (MSFT)
- David Dooling (Docker)

### Agenda Items:
- Comment on the issue to support the nomination of Vani Rao as Org Maintainer - https://github.com/notaryproject/.github/issues/69 (Pritesh)
  - Need more comments for the nomination.
- Pull Request Review/Approval - https://github.com/notaryproject/specifications/pull/283 (Pritesh)
  - Need one more approval
- Pull Request Review/Approval - https://github.com/notaryproject/notation/pull/811 (Pritesh/Rakesh)
  - No conflicts
  - Rakesh has summarised the discussions and the specification has 3 approvals and will need one more approval.
  - Need more approvals based on the Feb 12th Monday meeting. Unblocked for approvals since spec has 3 approvals.
- Maintainers to vote on this specification https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825 (Rakesh)
  - Need one more approval.

### Notes:
- Review the specified PR in the Agenda Items which is scheduled for the upcoming release.
- Rakesh to summarise the discussions https://github.com/notaryproject/specifications/pull/283#discussion_r1487021680 to finalize the next steps. Maintainers please vote.

### Recording:

## Feb 12 2024

### Attendees:
- Toddy Mladenov (MSFT)
- Pritesh Bandi (AWS)
- David Dooling (Docker)
- Vani Rao (AWS)
- Rakesh Gariganti (AWS)
- Sajay Antony (MSFT)
- Akash Singhal (MSFT)
- Rishab Semlani (AWS)

### Agenda Items:
- Comment on the issue to support the nomination of Vani Rao as Org Maintainer - https://github.com/notaryproject/.github/issues/69 (Pritesh)
- Pull Request Review/Approval - https://github.com/notaryproject/specifications/pull/283 (Pritesh)
- Pull Request Review/Approval - https://github.com/notaryproject/notation/pull/811 (Pritesh/Rakesh)
  - No conflicts
- Maintainers to vote on this specification https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825 (Rakesh)

### Notes:
- Review the PRs listed in "Agenda Items" section scheduled for the upcoming release.
- Rakesh to summarise the discussions https://github.com/notaryproject/specifications/pull/283#discussion_r1479399825 to finalize the next steps.

### Recording:

## Feb 8 2024

### Attendees:
- Toddy Mladenov (MSFT)
- Ethan Heilman (BastionZero)
- Pritesh Bandi (AWS)
- Samir Kakkar (AWS)
- David Dooling (Docker)
- _add yourself_

### Agenda Items:
- Ethan Heilman from Bastion Zero will present OpenPubKey to the community
- Ask for reviewing the new release blog (Feynman): https://github.com/notaryproject/notaryproject.dev/pull/383
- Ask for reviewing plugin conventions PR in specifications (Feynman): https://github.com/notaryproject/specifications/pull/292

### Notes:
- _meeting minutes_

### Recording:
[Meeting Recording](https://www.youtube.com/watch?v=zEWBSfEDJ04)

## Feb 5 2024

### Attendees:
- Pritesh Bandi (AWS)
- Yi Zha (MSFT)
- Toddy Mladenov (MSFT)
- Feynman Zhou (MSFT)
- Sajay Antony (MSFT)
- Patrick Zheng (MSFT)
- Rakesh Gariganti (AWS)
- Sunil Ravipati
- Rishab Semlani (AWS)
- Vani Rao (AWS)

### Agenda Items:
- Upcoming Spring Festival and resource limitations (Yi)
  - Propose deferring [Notation v1.2.0 release](https://github.com/notaryproject/notation/issues/880) to `mid May`
  - Maintainers to drive the community meeting on Feb 12
- [BlobSigning: Using hashing algo of final signing algo to create descriptor](https://github.com/notaryproject/notation-go/pull/379#discussion_r1477696873) (Pritesh)
- Align [plugin management conventions](https://github.com/notaryproject/specifications/pull/292) and the release version of specification repo (Feynman)
- Confirm the [versioning strategy](https://github.com/notaryproject/notaryproject.dev/issues/350#issuecomment-1910459505) of Notary Project website and documentation (Feynman)
- Org maintainer status follow-up (Yi)
- Request comments on issue [Relax minimum subject DN field values for trustedIdentities](https://github.com/notaryproject/specifications/issues/293) (Yi)

### Notes:
- Spring Festival will start from Feb 10 to Feb 17. Normally people will take additional days before or after public holidays.
- **Vani** will help to drive the community meeting on Feb 12.
- Need to continuously discuss the proposal of [BlobSigning: Using hashing algo of final signing algo to create descriptor](https://github.com/notaryproject/notation-go/pull/379#discussion_r1477696873)
- Request review on the following PRs and issues, **Vani** and **Pritesh**
  - Request maintainers to review and comment on [plugin management conventions](https://github.com/notaryproject/specifications/pull/292)
  - [versioning strategy](https://github.com/notaryproject/notaryproject.dev/issues/350#issuecomment-1910459505)
  - [Relax minimum subject DN field values for trustedIdentities](https://github.com/notaryproject/specifications/issues/293)
- Asked maintainers to comment on "Emeritus" issues and new nomination issue.
- **Yi** to provide meeting participants info for **Vani** ### Recording: https://www.youtube.com/watch?v=m3a2cBk3kPw ## Feb 1 2024 ### Attendees: - Toddy Mladenov (MSFT) - Justin Cappos (NYU) - Niaz Khan (AWS) - David Dooling (Docker) - Pritesh Bandi (AWS) - Vani Rao (AWS) - _add yourself_ ### Agenda Items: - Overview of TUF and key management (Justin Cappos) ### Notes: - _meeting minutes_ ### Recording: https://www.youtube.com/watch?v=IevD00hDChg ## Jan 29 2024 ### Attendees - Yi Zha (MSFT) - Feynmane Zhou (MSFT) - Junjie Gao (MSFT) - Patrick Zheng (MSFT) - Pritesh Bandi (AWS) - Rishab Semlani - Shiwei Zhang (MSFT) - Toddy Mladenov (MSFT) - Vani Rao (AWS) - David Dooling (Docker) - Sajay Antony (MSFT) - _add yourself_ ### Agenda Items - Org maintainer status follow-up (Yi) - Things after v1.1.0 release (Feynman) - Notary Project spec release for [plugin management conventions](https://github.com/notaryproject/specifications/pull/292) - Upgrade [Homebrew](https://github.com/Homebrew/homebrew-core/pull/161124) (done) and [Winget](https://github.com/microsoft/winget-pkgs/pull/136924) (WIP) to v1.1.0 - Upgrade [Notation GitHub Actions](https://github.com/notaryproject/notation-action/pull/53) to v1.1.0 (WIP) - Blog post for the release announcement - Documentation for new feature - Align the [versioning strategy](https://github.com/notaryproject/notaryproject.dev/issues/350#issuecomment-1910459505) of Notary Project website and documentation (Feynman) - Rlease v1 of [notation-plugin-framework-go](https://github.com/notaryproject/notation-plugin-framework-go/issues/15) (Pritesh) - Review the plan for [Notary Project 1.2.0 release](https://github.com/notaryproject/notation/issues/880) (Yi) ### Notes - Pritesh and Feynman will raise issues to nominate new org maintainers - Maintainers to review [versioning strategy](https://github.com/notaryproject/notaryproject.dev/issues/350#issuecomment-1910459505) of Notary Project website and documentation by this Thursday - 
Maintainers to review [plugin management conventions](https://github.com/notaryproject/specifications/pull/292) in specifications repo
- Maintainers to review the plan for [Notary Project 1.2.0 release](https://github.com/notaryproject/notation/issues/880)
- Blog post and feature documentation will be sent out for review this week

### Recording
- https://www.youtube.com/watch?v=lP0mN0lyYCY

## Jan 25 2024

### Attendees:
- David Dooling (Docker)
- Samir Kakkar (Amazon)
- Toddy Mladenov (Microsoft)

### Agenda Items:
- Org maintainers action items to follow up on

### Notes:
- Samir will follow up on org maintainers action items with Vani, Pritesh and Niaz
  - We need two new nominations
  - We need opinion on [Please replace Org maintainer Justin Cormack with James Carnegie](https://github.com/notaryproject/.github/issues/65)
- Toddy is working with Justin Cappos and James Carnegie to have overview of TUF and OpenPubKey in the next two Thursday meetings
  - in-toto may be another one in the upcoming weeks

### Recording:
[Meeting Recording](https://www.youtube.com/live/4v7xH5TSwus?si=x3rKU9ylg0RMuCGm)

## Jan 22 2024

### Attendees:
- Yi Zha (MSFT)
- Feynman Zhou (MSFT)
- Junjie Gao (MSFT)
- Patrick Zheng (MSFT)
- Pritesh Bandi (AWS)
- Rishab Semlani (AWS)
- Toddy Mladenov (MSFT)
- Vani Rao (AWS)
- David Dooling (Docker)
- _add your name_

### Agenda Items
- Org maintainer status update (Yi)
  - Comments on issue [Please replace Org maintainer Justin Cormack with James Carnegie](https://github.com/notaryproject/.github/issues/65)
  - Feedback on nominating 2 new org maintainers from subproject maintainers
- Notation v1.1.0 release - ready to kick off release process (Yi)
- [Notary Project Logo updates](https://github.com/notaryproject/.github/issues/43#issuecomment-1905027799) from CNCF (Feynman)
- _add your topics_

### Notes
- Regarding Org maintainer status update, **Vani** to follow up the two issues and provide comments by `Jan 25, 2024`.
- We are aligned to release `notation` `v1.1.0`, `notation-go` `v1.1.0` and `notation-core-go` `v1.0.2`.
- Feynman shared the latest design of Notary Project logo, request comments on [Notary Project Logo updates](https://github.com/notaryproject/.github/issues/43#issuecomment-1905027799) before end of `Jan 25, 2024`.
- We may need to release `specification` repo for notation plugin management feature.
  - **Feynman** will create a PR for the update.
  - **Pritesh** will create an issue to track the issue of "move plugin-extensibility specification to `notation` repo"

### Recording
https://www.youtube.com/live/0vNK-kZPVo8?si=yRKXoxfTalBVPa_p

## Jan 18 2024

### Attendees:
- James Carnegie (Docker)
- Toddy Mladenov (MSFT)
- David Dooling (Docker)
- _add your name_

### Agenda Items
- Follow-up on Org maintainers (Yi)
  - Yi commented on issue [Please replace Org maintainer Justin Cormack with James Carnegie ](https://github.com/notaryproject/.github/issues/65), and asking other maintainers to comment and align way forward.
  - This was discussed in several meetings. Based on the [issue](https://github.com/notaryproject/.github/issues/60), which agreed on a total of `6` Notary Project Org maintainers, I propose nominating two new Org maintainers from sub-project maintainers. Please note that Justin and Steve, who are current Org maintainers, are inactive as per the data in the [issue](https://github.com/notaryproject/.github/issues/54).
- [Ad-hoc James] James is interested in in-toto integration.

### Notes
- We cannot make progress on the first two agenda items due to lack of quorum. We need more people from the community to weigh in on those proposals.
- [James] If there is TUF root delivering the keys that we need to sign attestations, can `notation` sign those attestations? James will file an issue to kick off the discussion on that proposal.
### Recording
[Meeting recording](https://www.youtube.com/live/cF-q6qAPTm4?si=oGCBOmCqA6JNE6HF)

## Jan 16 2024

### Attendees:
- _add your name_
- Feynman Zhou (MSFT)
- Junjie Gao (MSFT)
- Patrick Zheng (MSFT)
- Rishab Semlani (AWS)
- Shiwei Zhang (MSFT)
- Vani Rao (AWS)
- Toddy Mladenov (MSFT)
- Yi Zha (MSFT)
- Sajay Antony (MSFT)
- Pritesh Bandi (AWS)

### Agenda Items
- _add your topics_
- Org Maintainers status update and next step (Yi)
- Repo name for implementation of the Time-Stamp Protocol (TSP), see [issue](https://github.com/notaryproject/.github/issues/58).
- [Notation v1.1.0 status](https://github.com/orgs/notaryproject/projects/10/views/7) check-in (Yi)
- [Error message guidance and improvement iteration plan](https://github.com/notaryproject/notation/pull/834) (Feynman)
- [Test result of installing notation plugin in v1.1.0 and suggestions for plugin vendors](https://github.com/notaryproject/notation/discussions/869) (Feynman)

### Notes
- Issue https://github.com/notaryproject/.github/issues/65 - ask is for **org maintainers** and **subproject maintainers** to express opinion on whether they agree with this proposal and how to handle it.
- **Vani** to follow up more nominations in order to achieve total 6 org maintainers.
- We (Meeting participants) discussed options for new repo name and reached consensus on `tspclient-go` for new repo name and `tspclient` as the package name
- There are still two PRs left for notation v1.1.0 release, MSFT team will cut v1.1.0 release after all the PRs are merged and testing is completed by the community
- Feynman shared the plan for error message improvements. Ask **Pritesh**, **Vani** and **Samir** to review the guidance PR, the implementation will be planned in patch release.
### Recording
https://www.youtube.com/live/L35grZaaIic?si=loONv7kZDZrs5P75

## Jan 11 2024

### Attendees:
- David Dooling (Docker)
- James Carnegie (Docker)
- Toddy Mladenov (Microsoft)
- Vani Rao (Amazon)
- Rishab Semlani (Amazon)

### Agenda Items
- _add your topics_
- Vote for repo name for implementation of the Time-Stamp Protocol (TSP), see [issue](https://github.com/notaryproject/.github/issues/58). (Yi)
- Do we need to move the meeting on 1/15/2024 (next Monday) to 1/16/2024 since Jan 15 is Martin Luther King Day in US? (Yi)
- Org Maintainers discussion (Toddy)
- Ad-hoc discussion

### Notes
- TS Protocol issue
  - **David** and **Toddy** will post their thoughts on the issue and the naming. Vani will work with Samir, Niaz, Milind and post their ideas about the name
- We should move the Jan 15th meeting to Jan 16th due to the US holiday
  - **Yi** and **Feynman** to take care
- Org Maintainers discussion
  - Issue https://github.com/notaryproject/.github/issues/65 - ask is for org maintainers and subproject maintainers to express opinion on whether they agree with this proposal and how to handle it
  - With the above proposal we will still have only 4 org maintainers. We need two more nominations - **Vani** to follow up
- Ad-hoc discussion on the roadmap
  - **Toddy** brought the discussions he had with the in-toto community participants. He will keep the community updated. He also shared a doc that he shared with John from TestifySec (in-toto community) - https://docs.google.com/document/d/1S3eWafFbQxlRlwpHWX2Xed6zEK93qnC4SfrZrwTz52c/edit?usp=sharing
  - **James** brought DSSE vs COSE and asked whether we should have discussion with other communities on unifying the envelope format
  - **Toddy** proposed to use the Thursday meetings for more strategic planning and have the Monday meeting for tactical/detailed discussions.
Possible topics for upcoming meetings:
    - in-toto integrations (**Toddy** to facilitate)
    - DSSE vs COSE (**Toddy** to facilitate)
    - OpenPubKey discussion (**James** to facilitate)

### Recording
https://www.youtube.com/live/k5UsyELI7Xg?si=XtE6q-ylEaPXwPD5

## Jan 8 2024

### Attendees:
- _add yourself_
- Yi Zha (MSFT)
- Rakesh Gariganti (AWS)
- Feynman Zhou (MSFT)
- Junjie Gao (MSFT)
- Patrick Zheng (MSFT)
- Rishab Semlani (AWS)
- Sajay Antony (MSFT)
- Samir Kakkar (AWS)
- Shiwei Zhang (MSFT)
- Vani Rao (AWS)
- Toddy Mladenov (MSFT)
- David Dooling (Docker)

### Agenda Items:
- Notary Project Org maintainer status update (Yi)
- [Support plugin as library: bump-up major version of notation-go](https://github.com/notaryproject/notation-go/pull/368#discussion_r1436691392) (Rakesh/Shiwei)
  - Added by Pritesh but I won't be able to attend the meeting.
- New repo for timestamp implementation (Yi) https://github.com/notaryproject/.github/issues/58
- Project update video [slide](https://docs.google.com/presentation/d/1zF4bId7ok_zKcXY6RvAcppSjiaSc7k57uhBtBMmUs90/edit?usp=sharing) and [script](https://hackmd.io/_iqwsVLVSly4jla1Ls8j-w) for KubeCon EU 2024 (Feynman), and [project opportunities at KubeCon EU 2024](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/program/project-opportunities)

### Notes:
- Org maintainer status update
  - The participants in the call agreed to follow the PR reviewing process for updating `MAINTAINERS` and `CODEOWNERS` for each repository.
  - David will create an issue to nominate James Carnegie as an Org maintainer from Docker (The issue was created https://github.com/notaryproject/.github/issues/65)
- Support plugin as library: bump-up major version of notation-go
  - Rakesh will discuss the comments from Shiwei with Pritesh
- New repo for timestamp implementation
  - Asked for more comments in the issue.
- Project update video
  - Give one week time to review the script and slide deck, and we finalize them by next Monday community meeting.
### Recording
https://www.youtube.com/live/-WL9EBxtlq0?si=8nuEB14xzJwKkJ6t

## Jan 4 2024

### Attendees
- David Dooling (Docker)
- Niaz Khan (Amazon)
- Toddy Mladenov (Microsoft)
- Vani Rao (Amazon)

### Agenda Item
- Org maintainers election (ToddySM)
  - https://github.com/notaryproject/.github/issues/60
  - https://github.com/notaryproject/.github/issues/61
  - https://github.com/notaryproject/.github/issues/62
  - https://github.com/notaryproject/.github/issues/57
  - https://github.com/notaryproject/.github/issues/56
  - https://github.com/notaryproject/.github/issues/55
- Votes for the time stamp implementation repository (ToddySM) https://github.com/notaryproject/.github/issues/58

### Notes
- We decided to move forward with the currently approved nominations
- We will need 3 more nominations for org maintainers
- David will come back with a name from Docker that we can add to the
- Niaz will add the governance updates to the Monday's meeting agenda

### Recording
https://www.youtube.com/live/mafMN6zK_fs?si=6X6P-9WZJlV6bAFG

## Jan 2 2024

### Attendees
- Feynman Zhou (MSFT)
- Junjie (MSFT)
- Patrick (MSFT)
- Rakesh (AWS)
- Sajay (MSFT)
- Shiwei (MSFT)
- Toddy (MSFT)
- Vani Rao (AWS)
- Yi Zha (MSFT)

### Agenda Item
- Notary Project [1.1.0 plan](https://github.com/orgs/notaryproject/projects/10/views/7) (Yi)
- Notary Project Org maintainers (Yi)
- [Vote](https://github.com/notaryproject/.github/issues/58) for new repo: `timestamp` (Yi)

### Notes
- Notation v1.1.0 release: The new target date is 1/16/2024, the feature to be delivered is plugin management, see P0&P1 issues in [1.1.0 plan](https://github.com/orgs/notaryproject/projects/10/views/7).
- Notary Project Org maintainers
  - What is the total number of org maintainers we will have?
    - Yi to create an issue for discussion and decision, the proposal is to have 6 org maintainers.
  - What is the agreed upon diversity of maintainers?
    - Yi to create an issue for discussion and decision on diversity
  - For the results of the voting, can we have a split: votes from current org maintainers and votes from current sub-project maintainers?
    - Yi to create an issue for discussion and decision
  - Proposal: Reach the total number of maintainers before making any other changes in the governance.
  - Proposal: Set a deadline by when the election should be done.
    - The proposal is to finalize org maintainers election by Notary Project community meeting on 1/15/2023
- New repo for Time-stamping support
  - Asked governance maintainers to vote for the new repo and name this week.

### Recording
- https://www.youtube.com/watch?v=CMIsVvI_KFY

## Archived meeting notes

See https://github.com/notaryproject/meeting-notes for archived meeting notes