# Notary Project Meeting Notes (archived)
> **Note: Meeting notes have been moved to the project account's Hackmd https://hackmd.io/@EG2api1FTUudGEK6PMjvuQ/rk30ceMAyl**
###### tags: `Notary Project`, `notary`
[TUF-notary meeting notes](https://hackmd.io/wii3-L8ZQZ-U3ET0XNY8Gg)
**NOTE: Time Change** - Starting May 9 2022, we will hold two meetings a week to account for folks in the US, Europe and Asia times.
Meetings are now:
- Mondays 5-6pm pacific time, 8-9pm US Eastern, 8-9am Shanghai (US Summer time)
- Mondays 4-5pm pacific time (US Winter time)
- Thursdays 9-10am pacific time, 12pm US Eastern, 5pm UK
Links
- [On GitHub](https://github.com/notaryproject/)
- [CNCF Calendar](https://www.cncf.io/community/calendar/)
- [Zoom Dial-in link](https://zoom.us/my/cncfnotaryproject)
- Passcode: 77777 (5x 7)
- [Notary Project Conversations on Slack](https://app.slack.com/client/T08PSQ7BQ/CQUH8U287/thread/CEX1W7WMD-1582660575.076600)
- [Find your local number](https://zoom.us/u/aLDk4OXTu)
- [Notary Project GitHub Projects](https://github.com/notaryproject/)
- [YouTube Recordings](https://youtube.com/playlist?list=PL1ykZdgmLkb7SlXax-hJVUgvNHmq4Cyz9)
- [Recordings prior to April 9, 2021](https://www.youtube.com/playlist?list=PLj6h78yzYM2O1BOGT3hLdJTJCKz0f-bYq)
### Dial by your location
877 369 0926 US Toll-free
855 880 1246 US Toll-free
Meeting ID: 611 593 2621
#### One tap mobile
+16465588656,,6115932621# US (New York)
+16699006833,,6115932621# US (San Jose)
**Note:** See Meeting Notes Template below
```
## Meeting Notes Template
(template for copying)
## Meeting Date
### Attendees:
- _add yourself_
### Agenda Items:
- _add your topics_
### Notes:
- _meeting minutes_
### Recording:
_recording_url_
Agenda items must identify the (owner) of the item
```
## Meeting chair rotation
- Yi Zha
- Feynman Zhou
- Samir Kakkar
- Pritesh Bandi
- Toddy Mladenov
- Vani Rao
- David Tesar (emeritus)
- Justin Cormack (emeritus)
- Steve Lasker (emeritus)
## Apr 7, 2025
### Attendees
- Josh Polkinghorn (Amazon)
- Victor Lu (Individual)
- Patrick Zheng (Microsoft)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Sajay Antony (Microsoft)
### Agenda Items
- [Community meeting schedule poll result](https://github.com/notaryproject/.github/issues/80)
- [CVE-2025-30204: update golang-jwt](https://github.com/notaryproject/notation/pull/1249) from a user - should we consider a new v1.3.2 release as a security patch?
- [spec: add "artifactType" to signature spec](https://github.com/notaryproject/specifications/pull/325)
- A user's [test summary](https://github.com/notaryproject/notation/issues/1222#issuecomment-2784046901) of GAR's implementation of OCI v1.1
- Should we consider planning a new v1.4.0 release for forward compatibility?
### Notes
- Shared by Victor Lu:
- https://openssf.org/blog/2025/04/04/launch-of-model-signing-v1-0-openssf-ai-ml-working-group-secures-the-machine-learning-supply-chain/
- https://www.nics.uma.es/pub/papers/moyano2012trustbus.pdf
- https://www.cylab.cmu.edu/news/2023/03/06-zero-trust.html
- Maintainers to review the pull request for the dependency bump in notation-cli and identify an ETA for cutting a patch release for notation v1.3
- Maintainers to review the pull request introducing a new field "artifact type" to Notary Project's signature spec.
- Community members to share their opinions on the proposal to change meeting cadence in the related issue. Josh to vote on the US-friendly meeting poll to help finalize the meeting schedule
### Recording
https://youtube.com/live/ojplqi3k0S4
## Mar 31, 2025
### Attendees
- Byron Chien (Amazon)
- Josh Polkinghorn (Amazon)
- Victor Lu (Individual)
- Patrick Zheng (Microsoft)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
### Agenda Items
- Add an "artifactType" property to signature spec https://github.com/notaryproject/specifications/pull/325
- How can we make sure downstream integrations stay compatible with the latest Notary Project release? One of the issues was raised by a user in https://github.com/notaryproject/notation/issues/1222#issuecomment-2765375268
- Improve the diagnostics experience of `notation` https://github.com/notaryproject/notation/issues/1247
- Notary Project's Role in AI Governance
### Notes
Actionable items from the discussion:
* @patrickzheng Patrick to create an issue for resolving compatibility issues with registries that still use OCI 1.0.
* Victor and Feynman to continue offline discussions about integrating Notary Project into CKS exam and training materials.
* Notary Project maintainers to review and comment on the issue regarding improvement of diagnostics experience for notation CLI: https://github.com/notaryproject/notation/issues/1247
* Notary Project maintainers and community folks to vote on the meeting schedule polls and provide feedback on the proposed meeting cadence change: https://github.com/notaryproject/.github/issues/80
* Notary Project maintainers to review the pull request for the signature manifest change and provide suggestions if any https://github.com/notaryproject/specifications/pull/325
### Recording
https://youtube.com/live/TB-wRbcnYJ4
## Mar 24, 2025
### Attendees
- Byron Chien (Amazon)
- Patrick Zheng (Microsoft)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Yi Zha (Microsoft)
### Agenda Items
- Review milestone v2.0.0-beta.1 and triage new issues (Feynman)
### Notes
- Patrick to update the issue description for the blob command UX revisit to focus on the shorthand enhancement for flags.
- Yi to create separate issues related to UX improvements for notation.
- Maintainers to vote on the two community meeting polls within one week.
- Feynman to ping Vani and other US-based contributors to vote on the US-friendly community meeting poll.
- Feynman to update the community meeting polls to remove the cadence information and focus only on identifying comfortable meeting times.
- Maintainers to discuss and make decisions on the community meeting cadence in a separate issue https://github.com/notaryproject/.github/issues/80.
### Recording
https://youtube.com/live/CQU-tcrkG2E
## Mar 17, 2025
### Attendees
- Byron Chien (Amazon)
- Josh Polkinghorn (Amazon)
- Victor Lu (Individual)
- Patrick Zheng (Microsoft)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Yi Zha (Microsoft)
### Agenda Items
- Announcement of release [notation v2.0.0-alpha.1](https://github.com/notaryproject/notation/releases/tag/v2.0.0-alpha.1) (Feynman/Patrick)
- Meeting schedule poll and cadence discussion (Feynman)
- Considering changing the cadence from weekly to bi-weekly and providing two series to accommodate people from different regions
- [Notary Project community meeting (US-friendly) poll](https://github.com/notaryproject/.github/discussions/78)
- [Notary Project community meeting (APAC-friendly) poll](https://github.com/notaryproject/.github/discussions/79)
- Brainstorming on the [Formatted Output of Notation CLI](https://github.com/notaryproject/notation/issues/1228) (Feynman)
- Info: [good-first issue list](https://github.com/notaryproject/notation/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22good%20first%20issue%22) and [help-wanted issue list](https://github.com/notaryproject/notation/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22help%20wanted%22) for new contributors
- Triage issue https://github.com/notaryproject/notation/issues/1226 (Yi)
### Notes
**Quick recap**
The Notary Project maintainers discussed the release of 2.0.0-alpha.1, proposed changes to meeting schedules, and explored the implementation of formatted output for the Notation CLI. They addressed the need for automatic output support, prioritizing stable commands and focusing on JSON format initially. Maintainers also shared issue lists for new contributors and discussed supporting the COSE hash envelope for blob code signature.
- Next steps
- [x] Feynman to create an issue to discuss lowering the meeting cadence from weekly to bi-weekly.
- [ ] Feynman to create a general guidance document for formatted output support in Notation CLI.
- [ ] Feynman to update the project website and README with links to the "Good First Issues" and "Help Wanted" issue lists.
- [ ] Patrick and Yi to discuss and work on the implementation of COSE hash envelope support for blob policy signatures (Issue #1226).
- [ ] Patrick and Yi to update the Notary Project specification for COSE hash envelope support.
### Recording
https://youtube.com/live/n6saG6HIFQY
## Mar 10, 2025
### Attendees
- Dhseeh (Individual)
- Byron Chien (Amazon)
- Josh Polkinghorn (Amazon)
- Victor Lu (Individual)
- Sunil Ravipati (Individual)
- Patrick Zheng (Microsoft)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Yi Zha (Microsoft)
### Agenda Items
- Triage GitHub issues in v2.0.0-alpha milestone (Feynman Zhou)
- v1.4.0-alpha release for blob signing (Yi)
### Notes
- Notary Project maintainers triaged all open GitHub issues in the [v2.0.0-alpha.1 milestone](https://github.com/notaryproject/notation/milestone/23). Maintainers will re-visit the release timeline by EoW.
- Notary Project maintainers will cut v2.0.0-alpha.1 first and decide whether we need v1.4.0-alpha.1 later on.
### Recording
https://www.youtube.com/live/5fkp91A2IWU?si=v6vyuxd-z8wWm5ba
## Mar 3, 2025
Skipped due to no agenda
## Feb 24, 2025
### Attendees
- Yi Zha (Microsoft)
- Josh Polkinghorn (Amazon)
- Patrick Zheng (Microsoft)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Toddy Mladenov (Microsoft)
### Agenda Items
- Discussion of the [Blob signing proposal](https://github.com/notaryproject/notation/pull/1180) and release plan (Yi)
- v1.4.0 alpha --> beta --> stable
- The scope of alpha
- Scenario 1 in the proposal
- [Proposal for archiving the roadmap repository](https://github.com/notaryproject/.github/issues/77) (Feynman)
- [Notation Enhancement Proposal Template](https://github.com/notaryproject/notation/pull/1174#discussion_r1962848354) (Feynman)
- Vote on the community meeting schedules (Feynman)
### Notes
- Notary Project maintainers agreed to plan a v1.4.0 release. This release might be backported from v2.0.0-alpha. This release will focus on [Scenario 1: Blob signing and verification with file-based distribution](https://github.com/notaryproject/notation/pull/1180/files#diff-ef897069f6e2e10247637c806502298c0869276cea184bb89b5eae6af6ad2c40R15). [Scenario 2: Blob signing and verification with registry-based distribution](https://github.com/notaryproject/notation/pull/1180/files#diff-ef897069f6e2e10247637c806502298c0869276cea184bb89b5eae6af6ad2c40R21) will be re-visited and designed in the next iteration.
- [Proposal for archiving the roadmap repository](https://github.com/notaryproject/.github/issues/77) - Notary Project governance maintainers and org maintainers are supposed to vote on it
- Notary Project maintainers agreed to move the [Notation Enhancement Proposal Template](https://github.com/notaryproject/notation/pull/1174) to .github repository. It should be a part of the contribution process and applicable to all sub-projects of Notary Project.
- Feynman will create a Doodle Poll to request community folks to vote on the community meeting schedules
### Recording
https://www.youtube.com/live/pB7ylytsB3g?si=4puhF5PAvRRuXo52
## Feb 10, 2025
### Attendees:
- Josh Polkinghorn (Amazon)
- Patrick Zheng (Microsoft)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
### Agenda Items:
- Discuss the scope and release plan of Notation v1.4.0 and Notation v2.0.0
- [PoC of blob signing and verification](https://github.com/Two-Hearts/notation/releases/tag/v2.0.0-blobregistry)
- What's the difference between a blob file in OCI registry and an OCI artifact? Why do we propose `--reference` in `notation blob verify`?
- Should we consider `notation push` to enable push/attach a signature to the registry?
- Potential UX enhancement
- Explore and brainstorm the OSS signing scenario
- https://github.com/notaryproject/notation/discussions/1161
- https://staging.augmentedmind.de/2025/02/08/docker-image-signing-with-notation/
### Notes:
- Notary Project triaged issues in [v2.0.0-alpha milestone](https://github.com/notaryproject/notation/milestone/23). The major enhancements will be blob signing & verification, OCI Spec v1.1 support, formatted output support, and diagnostic experience enhancement.
- Notary Project maintainers agreed to release Notation v2.0.0-alpha.1 by end of March, 2025. It is planned to be demonstrated at KubeCon EU in early April.
- Another two topics will be moved to the next community meeting. Notary Project maintainers will demonstrate the PoC of blob signing & verification
### Recording:
https://youtube.com/live/hvfXzpw0wi4
## Jan 13, 2025
### Attendees:
- Pritesh Bandi (Amazon)
- Patrick Zheng (Microsoft)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Josh (Amazon)
- Yi Zha (Microsoft)
- Toddy Mladenov (Microsoft)
- Sajay Antony (Microsoft)
### Agenda Items:
- Timeline of publishing the security audit report and blog post
- Release v1.3.0 check-in
- Review and determine the scope of the [v1.4.0 milestone](https://github.com/notaryproject/notation/milestone/25)
### Notes:
- Pritesh proposed to adjust the PR merging criteria by removing the rule of requiring at least 2 approvals from different orgs
- Welcome to Josh from AWS, who is joining the community
- The security audit report and blog post are planned to be published by Jan 17, 2025. @yizha1 will work with audit team to get them published this week
- Notary Project maintainers aligned to release v1.3.0 within around a week since it will include the security vulnerability fixes from the security audit report.
- Notary Project maintainers agreed to focus on blob signing and Delta CRL support in the [v1.4.0 milestone](https://github.com/notaryproject/notation/milestone/25). Other issues have been moved to v2.0 due to limited resources.
### Recording:
https://www.youtube.com/live/O_ZvfqfOQ6g?si=sqo5j3mDnGVDaHXl
## Jan 6, 2025
### Attendees
- Pritesh Bandi (Amazon)
- Patrick Zheng (Microsoft)
- Shiwei Zhang (Microsoft)
- Feynman Zhou (Microsoft)
- Vani Rao (AWS)
- Yi Zha (Microsoft)
- Toddy Mladenov (Microsoft)
- Sajay Antony (Microsoft)
### Agenda Items
- Security Audit and Notation v1.3.0 status check-in (Yi)
- KubeCon updates (Yi)
- Triage issues
### Notes
- Security Audit report will be published next week. We will need to publish two security advisories this week ASAP. @pritesh
- Give one additional week (this week) for testing, as last week was still within the holiday season
- Notary Project maintainer tracker session was accepted for KubeCon EU 2024
- Yi shared the start of engagement with in-toto community.
- Need to create an issue to track how to make the commit signing guideline more visible, especially provide a guideline for users in the PR once they fail to sign their commits.
### Recording
- https://www.youtube.com/watch?v=Bp6BNbWmK9U
## Archived meeting notes
See https://github.com/notaryproject/meeting-notes for archived meeting notes