owned this note
owned this note
Published
Linked with GitHub
# Notary Project Meeting Notes
###### tags: `notary`
[TUF-notary meeting notes](https://hackmd.io/wii3-L8ZQZ-U3ET0XNY8Gg)
**NOTE: Time Change** - Starting May 9 2022, we will hold two meetings a a week to account for folks in the US, Europe and Asia times.
Meetings are now:
- Mondays 5-6pm pacific time, 8-9pm US Eastern, 8-9am Shanghai (US Summer time)
- Mondays 4-5pm pacific time (US Winter time)
- Thursdays 9-10am pacific time, 12pm US Eastern, 5pm UK
Links
- [On GitHub](https://github.com/notaryproject/)
- [CNCF Calendar](https://www.cncf.io/community/calendar/)
- [Zoom Dial-in link](https://zoom.us/my/cncfnotaryproject)
- Passcode: 77777 (5x 7)
- [Notary Project Conversations on Slack](https://app.slack.com/client/T08PSQ7BQ/CQUH8U287/thread/CEX1W7WMD-1582660575.076600)
- [Find your local number](https://zoom.us/u/aLDk4OXTu)
- [Notary Project GitHub Projects](https://github.com/notaryproject/)
- [YouTube Recordings](https://youtube.com/playlist?list=PL1ykZdgmLkb7SlXax-hJVUgvNHmq4Cyz9)
- [Recordings prior to April 9, 2021](https://www.youtube.com/playlist?list=PLj6h78yzYM2O1BOGT3hLdJTJCKz0f-bYq)
### Dial by your location
877 369 0926 US Toll-free
855 880 1246 US Toll-free
Meeting ID: 611 593 2621
#### One tap mobile
+16465588656,,6115932621# US (New York)
+16699006833,,6115932621# US (San Jose)
**Note:** Template for copying at the bottom of the note.
- Agenda items must identify the (owner) of the item
## Meeting chair rotation
- Vani Rao (New)
- Yi Zha (New)
- Feynman Zhou (New)
- Samir Kakkar
- David Tesar (emeritus)
- Justin Cormack (emeritus)
- Steve Lasker (emeritus)
## Mar 27, 2023
### Attendees
### Agenda Items
- Open discussion: Two-factor auth for everyone in the Notary project org
### Meeting notes
## Mar 20, 2023
### Attendees
- Yi Zha
- Feynman Zhou
- Pritesh
- Samir Kakkar
- Patrick Zheng
- Shiwei Zhang
- Sajay Antony
### Agenda Items
- Governance issues (Yi)
- Governance doc: https://github.com/notaryproject/.github/issues/7
- GitHub teams: https://github.com/notaryproject/.github/issues/14
- CNCF maintainers list: https://github.com/notaryproject/.github/issues/3
- Fix Notary v2 references: https://github.com/notaryproject/roadmap/issues/89
- Recommended changes to Adam and Feynman on the [Fuzz Security Audit Blog](https://github.com/notaryproject/notaryproject.dev/pull/152) (Vani)
- Healthcheck on the RC-4 release milestone (Vani)
- Request review on the [Notary doc and blog PRs](https://github.com/notaryproject/notaryproject.dev/pulls?q=is%3Apr+is%3Aopen+label%3Adocumentation) (Feynman)
### Meeting Notes
- Governance doc: https://github.com/notaryproject/.github/issues/7
- We reached consensus on [comment](https://github.com/notaryproject/.github/issues/7#issuecomment-1476143560), and the next steps:
- Create a PR to copy governance docs from `notary` repo to `.github` repo
- Create another PR to amend the governance doc based on the needs if any
- Align with `notary` repo maintainers about removing those gov docs in `notary` repo
- GitHub teams
- We reached consensus on [comment](https://github.com/notaryproject/.github/issues/14#issuecomment-1473032128), and the next step is to take actions accordingly
- CNCF maintainers list
- We reached consensus on [comment](https://github.com/notaryproject/.github/issues/3#issuecomment-1477138473), and the next step is to take actions accordingly
- Fix Notary v2 references
- We reached consensus as [comment](https://github.com/notaryproject/roadmap/issues/89#issuecomment-1477157871), we will start working on the following issues first:
- notation#586, notation-go#287, notation-core-go#127, meeting-notes#15
- Fuzz Security Audit Blog
- Follow up with Vani when she is online
- Update RC-4 release status
- Features in the scope are still WIP.
- Call-out for the review of Notary doc and blog PRs, the fuzz security audit blog need to be reviewed ASAP.
## Mar 13, 2023
### Attendees:
- Yi Zha
- Feynman Zhou
- Toddy SM
- Patrick Zheng
- Shiwei Zhang
- Vani Rao
- Pritesh
- Sajay Antony
### Agenda Items:
- CNCF Annual Review
https://github.com/cncf/toc/issues/1018 (Toddy)
- Update references from Notary v2 to Notation, see aggregated issues https://github.com/notaryproject/roadmap/issues/89 (Yi)
- Timing for the Notary meeting after the time change as of 03/12/2023 (Vani)
- Before investing too much time, approve the PR https://github.com/notaryproject/notation-core-go/pull/128 to ensure we agree on the approach (Vani)
- Heads-up: 3 weeks left for notation RC-4 releases, see [RC-4 board](https://github.com/orgs/notaryproject/projects/10/views/29) (Yi)
- Notary fuzzing test blog and report are in reviewing and will be released this Thursday (Feynman)
- Governance work items (Toddy)
- https://github.com/notaryproject/.github/issues/3
- https://github.com/notaryproject/.github/pull/5
- https://github.com/notaryproject/roadmap/pull/85
- Branch naming conventions
### Meeting Notes:
- CNCF Annual Review
- Feynman will help to drive the content preparation
- Lachie will help to confirm the timeline.
- The notary meeting Monday series start from 5 pm to 6 pm pacific time since Mar 12
- Yi shared there will be more issues to be submitted to address other governance issues including project review cadence, branch strategies and etc.
- The license of https://pkg.go.dev/github.com/cloudflare/cfssl/revoke is good per
foundation/allowed-third-party-license-policy.md at main · cncf/foundation (github.com)
- Lachie will help to follow up the go-cose license. We may need to file an exception
https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2019-11-01.json
- Fuzzing testing Report and blog
- Review the reports and blogs
- Recommend to store the reports under Notary project repo with this folder structure: `security/reports/fuzzing-test`
- Still waiting for comments from current org maintainers, suggest waiting until Mar 16, and then take actions on https://github.com/notaryproject/.github/issues/3 on Thursday.
- Agreed to merge PR with enough approvals and no unresolved comments: https://github.com/notaryproject/.github/pull/5
## Mar 6, 2023
### Attendees:
- ToddySM
- Vani Rao
- Yi Zha
- Feynman Zhow
- Agam Dua
- Byron Chien
- Pritesh Bandi
- Patrick Zheng
### Agenda Items:
- CNCF TOC Issues (ToddySM)
- https://github.com/notaryproject/notaryproject/issues/245
- https://github.com/notaryproject/notaryproject/issues/244
- Vote for [Notation CLI v1.0.0-rc.3 release](https://github.com/notaryproject/notation/issues/582) (Yi)
- Not recommended new releases for `notation-go` and `notation-core-go`, since the recent changes were trivial.
- Feature demo: sign and verify local artifacts (Patrick Zhang)
- See [demo steps and asking for feedback](https://github.com/notaryproject/notation/discussions/581)
### Meeting Notes:
- Open discussion on CNCF TOC Issues (ToddySM)
- https://github.com/notaryproject/notaryproject/issues/245
- https://github.com/notaryproject/notaryproject/issues/244
- Agreed on only releasing Notation CLI v1.0.0-rc.3, and try the best including [PR579](https://github.com/notaryproject/notation/pull/579)
- Hot discussions on the demo, some notes taken, we will continue working on the scenarios, and polishing the solution
- The output message need to be improved to show useful information to users, and also considering JSON output that can be parsed easily
- How to ceate OCI layout?
- If the image was already built using `docker build` locally, can user sign it directly? Probably not, because it's not possilbe to get the descriptor. OCI layout is a standard format.
- Consider using `docker buildx --metadata-file` as input
- Local verification is not important for K8S
- Fuzzing test blog post includes report is started and will be available next week (Feynman)## Mar 2, 2023
### Attendees:
### Agenda Items:
### Meeting Notes:
## Feb 27, 2023
### Attendees:
- ToddySM
- Vani Rao
- Yi Zha
- Feynman Zhow
- Agam Dua
- Byron
- Derek McGowan
- Junjie Gao
- Lachlan Evenson
- Manas Sivakumar
- Patrick Zheng
- Pritesh
- Samir Kakkar
- Shiwei Zhang
- Sajay Antony
### Agenda Items:
- Walk through rc-3 work items based on proposal https://hackmd.io/WVFhrhvYSFutJpnY6JTDuQ?view, any clarifications or blockers. (Vani)
- Revocation Spec review between Pritesh and Shiwei, if any pending work needed. (Vani)
- Will existing tools/mechanisms that customers use today to move images from development-> Staging -> Production repositories. What are our thoughts from Notation community ? (Vani/Samir)
- OCI changes on standardazing on Image Manfiest to support artifact scnearios [Yi]
- [manifest: provide guidance on SCRATCH config descriptor](https://github.com/opencontainers/image-spec/pull/1023)
- [manifest: clarify that layers is technically OPTIONAL](https://github.com/opencontainers/image-spec/pull/1016)
- [Remove artifact manifest](https://github.com/opencontainers/image-spec/pull/999)
- Finalize the RC.2 release notes [PR](https://github.com/notaryproject/roadmap/pull/87) and announcement blog [PR](https://github.com/notaryproject/notaryproject.dev/pull/141) (Feynman)
- Homebrew installation for macOS will be deferred to v1.0.0, see [#431](https://github.com/notaryproject/notation/issues/431), [#571](https://github.com/notaryproject/notation/issues/571) (Feynman)
### Meeting Notes:
- Welcome Manas joining the meeting
- Certificate Revocation
- AP: Pritesh to provide an update version for review on Mar 14
- AP: Prtiesh to create issues for implementation (Pritesh: [issues](https://github.com/notaryproject/roadmap/issues/60#issuecomment-1447369802))
- Left works for governance work
- Branch policies
- GitHub Teams
- Security policy: create one under .github, and referred by other sub-repos
- AP on Feynman to create the issue for submitting Maintainers to CNCF maintainer list
- Discussed the tools used for move images and associated signatures between registries.
- oras is the tool to copy images across registries, oras also support recursive copy that signatures associated with images can be copied at the same time.
- Discussed signature deletion
- ORAS can be used to delete signatures. ORAS also provides option that when deleting images, the artifacts subject to images can be deleted at the same time.
- Should Notation support deleting signatures without asking users to use ORAS?
- AP on Samir to clarify the scenarios for signature deletion and image copy, create issues in ORAS project if needed.
- Discussed signature filtering, need to clarify what filtering is about
- Pritesh: we also talked about filtering artifact in oras move command.
- Agree on changing the default behavior to use image manifest storing signatures, AP on Yi to create an issue for it
- Need to re-visit the release goal for rc.3, AP on Vani and Yi
- Discussed Mac OS installation experience
## Feb 20, 2023
### Attendees:
- Yi Zha (MSFT)
- Feynman Zhou (MSFT)
- Agam Dua (containerd)
- Junjie Gao (MSFT)
- Patrick Zheng (MSFT)
- Pritesh Bandi (AWS)
- Vani Rao (AWS)
- Byron Chien (AWS)
- Shiwei Zhang (MSFT)
### Agenda Items:
- Gratitude: BIG THANK to all of you for the contribution to RC-2 Release (Yi)
- Kick off RC-3 development (Yi)
- Chore: Clean up the project board
- Missing issues or some issues requires break-down
- Apply for approvals on merging the [new website PR](https://github.com/notaryproject/notaryproject.dev/pull/110) and push it to production, see [preview](https://deploy-preview-110--notarydev.netlify.app/) (Feynman)
### Meeting Notes:
- Welcome and show gratitude on rc-2 release
- Walk through rc-3 work items based on [proposal](https://hackmd.io/WVFhrhvYSFutJpnY6JTDuQ?both#RC-3-Release-Items---April-10th-2023-Can-be-called-GA-----Gives-5-weeks-after-rc-2-release), ACTIONS required for below items and reflecting them in project board.
- missing issues for what to be done in rc.3
- Improve Error Message for Notation CLI
- Support TSA (TimeStamp Authority) trust stores in trust policy
- Removing unwanted signature from signed images
- configuration improvement
- installation improvement
- Sign/verify offline artifacts
- issues need to break-down to fit into rc.3 timeline
- Security (besides security poliy, more issues could come up after security audit)
- [Multiple Signature verification](https://github.com/notaryproject/roadmap/issues/22)
- More issues to be added
- [Improve Notation authentication experience](https://github.com/notaryproject/notation/issues/503)
- Documentation work, see [board](https://github.com/orgs/notaryproject/projects/10/views/30)
- Could reference CLI spec, but missing document for E2E user guides
- Showed a [preview](https://deploy-preview-110--notarydev.netlify.app/) of new website, confirmed the logo and looking for LGTM to [website PR](https://github.com/notaryproject/notaryproject.dev/pull/110)
## Feb 16, 2023
### Attendees:
### Agenda Items:
- Conclude if RC-2 is a good release to consider for Notation GA and decide on RC.3 release items status check. (Vani)
- Refer to the following link - https://hackmd.io/WVFhrhvYSFutJpnY6JTDuQ?both
- Yi to provide what is the progress on the draft version of Threat model and start the review process.(Vani)
- Feynman to see if any open item for Security Audit Introductory Meeting (Yi)
## Feb 13, 2023
### Attendees:
- Samir Kakkar
- Vani Rao
### Agenda Items:
- RC.2 release status check-in. (Vani)
- Status of the request for the Notary website. (Vani)
- Feynman to share the latest status on the potential issues when integrating to Docker Hub and Ratify.(Vani)
### Meeting Notes:
- Website: requests final review on Notary website, Vani mentioned the logo of AWS is approved conditionally based on the verbiage used above the logo.
- rc.2: rc.2 release will be announced as of 02.16.
- rc.2: Pritesh/Vani shared test results for notation rc.2 dev build. There are potential issues when itegrating to Docker Hub and Ratify, need to follow it up.
## Feb 13, 2023
### Attendees:
- Yi Zha
- Vani Rao
- Agam Dua
- Pritesh
- Derek McGowan
- Patrik Zheng
- Shiwei Zhang
- Lachlan Evenson
- Feynman Zhou
- Junjie Gao
- Ziwen Ning
- Ramkumar Chinchani
- Sajay Antony
### Agenda Items:
- RC.2 release status check-in
- Fuzz testing: This kind of issue (issue [#276](https://github.com/notaryproject/notation-go/issues/276)) and fix (PR [#275](https://github.com/notaryproject/notation-go/pull/275) and [PR#550](https://github.com/notaryproject/notation/pull/550)) should go through the [GitHub Security Advisories](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories) feature (Shiwei)
- Define impact scope
- Give credit to the reporters
- Discuss, fix, and publish **privately**
- Examples:
- oras-project/oras: [Tarballs with links can escape working directory upon extraction ("zip slip")](https://github.com/oras-project/oras/security/advisories/GHSA-g5v4-5x39-vwhx)
- moby/moby (a.k.a. docker/docker): [Ambiguous OCI manifest parsing](https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42)
- Looking for explicit approval or LGTM (Yi)
- Maintainers PRs, see [list](https://cloud-native.slack.com/archives/CQUH8U287/p1675899029597369)
- Branch policies issues, see [list](https://cloud-native.slack.com/archives/CQUH8U287/p1675900129338429)
- Info: Work items organizaztion and clean-up by Vani and Yi (Yi)
- Track status easily in project board
- Use Roadmap repo for roadmap features and breakdown in the individual repositories accordingly
- A draft version of Threat model is under preparation using the tool [OWASP Threat Dragon](https://threatdragon.github.io/home). Any comments? Suggest to create a directory named `threatmodels` under notaryproject folder to store related files.(json files for models, and pdf for report) (Yi)
- Final review on the new [Notary website](https://) and confirm the release
- Collaborating on Notation v1.0.0-RC.2 blog post
- Short introduction to the CNCF LFX mentoring program
- OCI changes on standardazing on Image Manfiest to support artifact scnearios [@sajay]
- [manifest: provide guidance on SCRATCH config descriptor](https://github.com/opencontainers/image-spec/pull/1023)
- [manifest: clarify that layers is technically OPTIONAL](https://github.com/opencontainers/image-spec/pull/1016)
- [Remove artifact manifest](https://github.com/opencontainers/image-spec/pull/999)
### Meeting Notes:
- Welcome new participant Ziwen Ning
- JSON output: Need to create spec for JSON output. Pritesh to create a PR to remove misaligned code for merged PR
- Document: To create user guides for new notation commands
- rc.2: Feynman shared test results for notation rc.2 dev build. There are potential issues when itegrating to Docker Hub and Ratify, need to follow it up.
- rc.2: Based on current PR status, rc.2 will be delayed to 2/15/2023.
- Fuzzing test: fix the bugs in rc.2 and document on both notary website and Github. The security policy will be fixed after maintainer goverance issues are taken cared of.
- Goverance: We are ready to merge once we have 2/3 of the Notary org maintainer +1
- threatmodel: Yi is working on a draft version of threat model for review and further discussion.
- Security Audit: Feynman to update the security aduit meeting since next Monday is holiday in US.
- Website: requests final review on Notary website, Vani mentioned the logo of AWS is wrong, which should be fixed.
- OCI changes: move this topic to 2/27/2023
## Feb 9, 2023
### Attendees:
- Agam Dua (containerd)
- Derek McGowan (containerd)
- Toddy Mladenov (msft)
- Vani Rao (aws)
### Agenda Items:
- GitHub Action for Notary (ToddySM)
- Maintainers PRs (ToddySM)
- Branch policies work items (ToddySM)
- rc.2 release status (VaniRao)
- Merge and close all the open PRs by EOD.
- Do the basic sign and verify functions prior to the release.
- Release date to be moved from 02/09 to 02/13.
- Need to plan to cut a DEV build by EOD on 02/09 or latest by 02/10 morning. (VaniRao)
### Meeting Notes:
- RC.2 there are some PRs remaining to be closed today but we agreed to move the RC.2 release to 2/13/2023 (Monday)
- Get DEV build by EOD today 2/9 to give to Jimmy for Ratify
- Agreed to move the RC.2 release to 2/13
- As a result of this we may need to shuffle some of the RC.3/release items. Targeted RC.3 April 3rd 2023
- Need to cleanup the RC.2 board
- For the release milestone we should only do security fixes
- For the GitHub Action for Notation the proposal is to create a separate repository and give Joshua access to it. Will need to go over the process for adding CODEOWNERS and MAINTAINES. Toddy to comment on the issue https://github.com/notaryproject/notation/issues/544 with the proposal and tag Joshua.
- ContainerD may be interested in using the Notation CLI. They are trying to learn about Notary
- Ask from Toddy - organize and clean up the work items and use the roadmap one for uber-items and breakdown in the individual repositories. Else it is hard to find items
## Feb 6, 2023
### Attendees:
- Vani Rao (AWS)
- Pritesh Bandi(AWS)
- Toddy Mladenov (Microsoft)
- Patrick Zheng (Microsoft)
- Feynman Zhou (Microsoft)
- Shiwei Zhang (Microsoft)
- Yi Zha (Microsoft)
- Byron Chien (AWS)
- Junjie Gao (Microsoft)
- Derek McGowan (ContainerD)
- Agam Dua (ContainerD)
### Agenda Items:
- rc.2 release status check-in, see [summary](https://github.com/notaryproject/notaryproject/discussions/238) (Yi)
- Finalize rc.3 [scope](https://hackmd.io/WVFhrhvYSFutJpnY6JTDuQ#RC-3-Release-Items---MAR-13th-2023-Call-be-called-GA---Gives-5-weeks-after-rc-2-release) (Yi)
- New work items: Fuzzing test and security audit support
- `.github` repo PRs and work (ToddySM)
- https://github.com/notaryproject/.github/pull/1
- https://github.com/notaryproject/.github/issues/2
- Repo maintainers PRs (ToddySM)
- Submitted a [ticket](https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/CNCFSD-1580) on CNCF Service Desk for requesting a Security Audit (Feynman)
- Idea for improving the Notation KMS plugin ecosystem and experience (Feynman)
### Meeting Notes:
- Notation rc.2 release will be delayed to Feb 9, 2023
- It is decided to use flag name `--signature-manifest` with two options WRT to flag name for support OCI image manifest
Current votes for maintainers:
As of 3:30 PM Feb 6th, 2023
• https://github.com/notaryproject/notation
○ Jinjie Gao (MSFT) - 5 approvals (1 AWS, 1 Independent, 3 MSFT)
○ Patrick Zheng (MSFT) - 6 approvals (1AWS, 1 independent, 4 MSFT)
○ Shiwei Zhang (MSFT) - 7 approvals (2 AWS, 1 independent, 4 MSFT)
○ Pritesh Bandi (AWS) - 8 approvals (1 independent, 7 MSFT)
○ Milind Gokarn (AWS) - 8 approvals (1 AWS, 1 independent, 6 MSFT)
○ Rakesh Gariganti (AWS) - 8 approvals (1 AWS, 1 independent, 6 MSFT)
○ Yi Zha (MSFT) - 9 approvals (2 AWS, 1 independent, 6 MSFT)
Not balanced 4 MSFT, 3 AWS
• https://github.com/notaryproject/notation-core-go
○ Jinjie Gao (MSFT) - 4 approvals (1 AWS, 3 MSFT)
○ Patrick Zheng (MSFT) - 4 approvals (1 AWS, 3 MSFT)
○ Shiwei Zhang (MSFT) - 6 approvals (2 AWS, 4 MSFT)
○ Pritesh Bandi (AWS) - 5 approvals (5 MSFT)
○ Milind Gokarn (AWS) - 5 approvals (5 MSFT)
○ Rakesh Gariganti (AWS) - 5 approvals (5 MSFT)
• https://github.com/notaryproject/notation-go
○ Jinjie Gao (MSFT) - 4 approvals (1 AWS, 3 MSFT)
○ Patrick Zheng (MSFT) - 5 approvals (1 AWS, 4 MSFT)
○ Shiwei Zhang (MSFT) - 6 approvals (2 AWS, 4 MSFT)
○ Rakesh Gariganti (AWS) - 8 approvals (2AWS, 6 MSFT)
○ Milind Gokarn (AWS) - 9 approvals (2 AWS, 7 MSFT)
○ Pritesh Bandi (AWS) - 7 approvals (1 AWS, 6 MSFT)
• https://github.com/notaryproject/notaryproject
○ Yi Zha (MSFT) - 0 approvals
○ Toddy Mladenov (MSFT) - 0 approvals
○ Feynman Zhou (MSFT) - 4 approvals (2AWS, 1 independent, 1 MSFT)
○ Shiwei Zhang (MSFT) - 4 approvals (1 AWS, 1 independent, 2 MSFT)
○ Vani Rao (AWS) - 5 approvals (1 AWS, 1 independent, 3 MSFT)
○ Milind Gokarn (AWS) - 6 approvals (2 AWS, 1 independent, 3 MSFT)
○ Pritesh Bandi (AWS) - 4 approvals (1 AWS, 1 independent, 2 MSFT)
Not balanced 4 MSFT, 3 AWS
• https://github.com/notaryproject/notaryproject.dev
○ Yi Zha (MSFT) - 0 approvals
○ Toddy Mladenov (MSFT) - 0 approvals
○ Feynman Zhou (MSFT) - 1 approvals (1 MSFT)
○ Vani Rao (AWS) - 3 approvals (1 AWS, 2 MSFT)
○ Samir Kakkar (AWS) - 3 approvals (1 AWS, 2 MSFT)
○ Pritesh Bandi (AWS) - 2 approvals (2 MSFT)
• https://github.com/notaryproject/roadmap
○ Yi Zha (MSFT) - 0 approvals
○ Toddy Mladenov (MSFT) - 1 approvals (1 MSFT)
○ Feynman Zhou (MSFT) - 1 approvals (1 MSFT)
○ Vani Rao (AWS) - 2 approvals (2 MSFT)
○ Samir Kakkar (AWS) - 2 approvals (2 MSFT)
○ Pritesh Bandi (AWS) - 2 approvals (2 MSFT)
• https://github.com/notaryproject/meeting-notes
○ Yi Zha (MSFT) - 0 approvals
○ Toddy Mladenov (MSFT) - 0 approvals
○ Feynman Zhou (MSFT) - 1 approvals (1 MSFT)
○ Vani Rao (AWS) - 3 approvals (1 AWS, 2 MSFT)
○ Samir Kakkar (AWS) - 3 approvals (1AWS, 2 MSFT)
○ Pritesh Bandi (AWS) - 2 approvals (2 MSFT)
## Jan 30, 2023
### Attendees:
- Vani Rao (AWS)
- Byron Chien (AWS)
- Samir Kakkar ( AWS)
- Pritesh Bandi(AWS)
- Sajay Antony (Microsoft)
- Toddy Mladenov (Microsoft)
- Patrick Zheng (Microsoft)
- Feynman Zhou (Microsoft)
- Junjie Gao (Microsoft)
- Shiwei Zhang (Microsoft)
### Agenda Items:
- Confirm the RC.3 scope based on available engineering resources and [implementation cost](https://github.com/notaryproject/notaryproject/discussions/218#discussioncomment-4820383) - Feynman
- Sync up the development status of the new Notary website landing page, see [PR](https://github.com/notaryproject/notaryproject.dev/pull/110) and [preview link](https://deploy-preview-110--notarydev.netlify.app/). Jesse will help us to create a demo video - Feynman
- Gather project proposals for [CNCF LFX Mentorship program](https://github.com/cncf/mentoring/tree/main/lfx-mentorship/2023/01-Mar-May). Potential proposals include but not limited to HashiCopr Vault plugin, Notary Documentation - Feynman
- RC.2 status check-in
- Governance work items - Toddy
- Creation of `.github` repo
- CODEOWNERS and MAINTAINERS files
- Branch policies
- Streaming the recordings to YouTube - Toddy
- PRs pending review
- [fix: Appends annotations returned by plugin to signature manifest's annotations #253](https://github.com/notaryproject/notation-go/pull/253)
- [Adds example of remote key in signingkeys.json & Rewords verify notation checksum section #126](https://github.com/notaryproject/notaryproject.dev/pull/126)
- [Adds signingkeys.json validation check #246](https://github.com/notaryproject/notation-go/pull/246)
- [ chore: improve warning message when signing or verifying with tag #497 ](https://github.com/notaryproject/notation/pull/497) (Good to have)
### Meeting notes
- Confirmed Feb 1 as the date for code freezing and cut a dev build release for testing
- Walked through the RC.3 scope at [Vanin's proposal](https://hackmd.io/WVFhrhvYSFutJpnY6JTDuQ#RC-3-Release-Items---MAR-13th-2023-Call-be-called-GA---Gives-5-weeks-after-rc-2-release)
- Samir will discuss the [Multiple signature verification](https://github.com/notaryproject/roadmap/issues/22)
- Sajay will check the Ratify RC.1 status
- Toddy will create `.github` repo and migrate the governance guide to a central place
- Feynman and Patrick will review the RC.2 PRs
## Jan 26, 2023
### Attendees:
- Vani Rao (AWS)
- Toddy Mladenov (Microsoft)
### Agenda Items:
- Release goals
- Governance items (may need to move to next meeting if not enough quorum)
- Creation of `.github` repo
https://github.com/notaryproject/roadmap/issues/77
- Updating CODEOWNERS and MAINTAINERS files in each repo
https://github.com/notaryproject/notation/issues/514
https://github.com/notaryproject/notaryproject.dev/issues/127
https://github.com/notaryproject/notation-core-go/issues/106
https://github.com/notaryproject/notation-go/issues/249
https://github.com/notaryproject/notaryproject/issues/224
https://github.com/notaryproject/notary/issues/1665
https://github.com/notaryproject/roadmap/issues/78
https://github.com/notaryproject/tuf/issues/34
https://github.com/notaryproject/meeting-notes/issues/5
### Notes:
- We need to have a build on 1/31 so we can give to Jimmy to do the testing for Ratify.
- We want to make sure that there are no surprises for the fallback
- We need to start the PR reviews ASAP so that we can
- For the release goals
- By March first week we need to have V1 to have the release to get feedback from customer
## Jan 23, 2023
### Attendees:
- Vani Rao (AWS)
- Pritesh Bandi (AWS)
- Toddy Mladenov (Microsoft)
- Sajay Antony (Microsoft)
- Feynman Zhou (Microsoft)
### Agenda Items:
- Followup governance improvements (https://hackmd.io/@toddysm/S19ygj2qs)
- Where are we? can we have something for short term like restrict permissions and provision for security issue?
- Notation roadmap review
- https://github.com/notaryproject/notaryproject/discussions/218
- https://hackmd.io/WVFhrhvYSFutJpnY6JTDuQ
- Notation release manager and meeting chair rotation
- Notation documentation delivery plan
### Notes:
- Followup governance improvements agreement is to:
- Start with PRs for the governance documents and make them more visible - @toddysm and @pritesh to collaborate on those and tag the maintainers
- We need to create a security policy to describe the process for filing and handling the security issues with the project - @toddysm to drive that
- We need to file issues for nominating the maintainers. The process we will follow is: 1. File issues with nominations 2. Community votes on the nominations/discusses the nominations 3. Current maintainers need to vote on the nominations 4. Nominations are accepted by super majority vote from the maintainers (as per current governance)
- RC.2 readiness
- Reviews of the PRs will happen after folks in China come back from vacation. Once those are reviewed, we are ready for RC.2 release
- Also working with Ratify on testing Ratify with the latest RC.2 release
- Ratify question: What is the impact on Ratify if Notation supports using OCI image manifest to store signatures in registries that partially implement the OCI Image specification v1.1. Notation Sign command will have a new flag --image-spec v1.1-image to force Notation to store the signatures using OCI image manifest.
- If there is a impact for Ratify what is the plan to make the changes and how are we going to prioritize that in Ratify community. Can it be ready by Feb 6th ?
- Notation release schedule
- To be able to do the prioritization we agreed that we need to confirm the available engineering resources for RC.3 and have a high-level (T-shirt sizing) for each item in the RC.3 items (https://hackmd.io/WVFhrhvYSFutJpnY6JTDuQ)
- We need to add Security Review in the list of items before release (RC.3, RC.4, or GA)
- We should align the goals for RC.3 before selecting the RC.3 items
## Jan 17, 2023
### Attendees
- Vani Rao (AWS)
- Samir Kakkar ( AWS)
- Pritesh Bandi(AWS)
- Jesse Butler (AWS)
- Sajay Antony (Microsoft)
- Toddy Mladenov (Microsoft)
- Patrick Zheng (Microsoft)
- Feynman Zhou (Microsoft)
- Junjie Gao (Microsoft)
### Agenda Items
- Go through the Notation automatic fallback solution
- Notation RC.2 status check-in, see [first section](https://github.com/notaryproject/notaryproject/discussions/218) and confirm an ETA date
- Notation roadmap review
- https://github.com/notaryproject/notaryproject/discussions/218
- https://hackmd.io/WVFhrhvYSFutJpnY6JTDuQ
- Notation release manager and meeting chair rotation
- Notation documentation delivery plan
### Meeting notes
- Based on the development and PR review status, RC.2 will be deferred to Feb 6. Vani and Samir will drive this release
- "OCI manifest fallback solution" will be split into two phases:
- Using a flag to specify the manifest pushing behavior. It will not support the "hybrid situation" like Docker Hub. It requires to change the CLI spec to define the CLI UX (RC.2)
- Using manual configuration file per registry, need to raise an issue to track and design the configuration options (RC.3)
- Opened issue based on discussion
- [[RC2] Fallback updates for Sign operation](https://github.com/notaryproject/notaryproject/issues/219)
- [[RC2] Fallback updates for Verify operation](https://github.com/notaryproject/notaryproject/issues/220)
- [Define scenarios for movement/replication of signatures between registries](https://github.com/notaryproject/notaryproject/issues/221)
## Jan 12, 2023
### Attendees
- Ivan Wallis (Venafi)
- Pritesh (AWS)
- Sajay Antony (Microsoft)
- Toddy Mladenov (Microsoft) - chairing
### Ageda Items
- Notary project governance improvements (proposal pre-read https://hackmd.io/@toddysm/S19ygj2qs)
- Discussed comments from Pritesh (Toddy to add clarifications)
- Need more feedback from the community (Toddy to solicit feedback offline and bring agian for discussion in a week)
- Release timelines
- Postponed to next week's meeting due to the lack of quorum
- Ivan wanted feedback on https://github.com/notaryproject/notation-go/issues/220
- Pritesh provided some suggestions. Please add suggestions to the issue
## Jan 9, 2023
### Attendees
- Toddy Mladenov
- Yi Zha
- Shiwei Zhang
- Patrick Zheng
- Pritesh
- Feynman Zhou
- Vani Rao
- Junjie Gao
- Nima Talebi
- Sajay Antony
- Samir Kakkar
- Byron
### Agenda Items
- Notation v1.0.0-rc.2 release status check-in (Yi)
- OCI image support
- Notation inspect
- Metadata support
- sematic versioning
- E2E testing (framework+sign/verify+TP) -- PR reviewing
- debug logs for all CLI commands -- done
- spec for CLI to manage trust policy
- Automatic fallback support logic in ORAS CLI to be considered in Notation CLI (why and why not) (Vani)
- Notation Inspect
- Can Inspect inspect a specific signature. No as of now (Vani)
- Any use case scenario for executing the LIST command and retriveing one of the signature to perform the Inspect ? (Vani)
- Here are 3 options so far for inspect output to decide on: (Vani)
- -o, --output json
- `--display {tree, json) by default tree
- --json (an example in https://clig.dev/#output)
- notation inspect prints a tree view by default, which usually requires a wide screen. The screen size of a typical TTY is 80 x 24. How can the tree view fit the width of 80? (Vani)
- In inspect to describe the "media type", "digest" and "size", do we need to use the term 'payload' or 'target artifact' ? (Vani)
- Revisit the date for rc-2 based on the discussion / changes and status today considering the rc-2 items. (Vani)
### Meeting Notes
- Vani and Samir will drive the solution of "Backward Compatibility" for Notation and will submit a doc for review
- Vani will create an issue to track the `notation inspect` to inspect a single signature.
- Use `--output` for `notation inspect` output
- The implementation of `notation inspect` will be moved to post-rc.2 release
## Jan 3, 2022
### Attendees
- Toddy Mladenov
- Yi Zha
- Shiwei Zhang
- Patrick Zheng
- Pritesh
- Feynman Zhou
- Vani Rao
- Junjie Gao
- Nima Talebi
- Sajay Antony
- Byron
### Agenda Items
- Project status sync-up, see [project board](https://github.com/orgs/notaryproject/projects/10/views/22) (Yi)
- Status review for rc-2 dated for Jan 16th (Vani Rao)
- To do task list for the Fallback Support (Nima)
- client-side code for setting the relationship between the artifact and the subject. That’s handled by the oras-go library already.
- All notary needs to do is
- a) on failure after trying to push an artifact, to then try again, but this time create the manifest equivalent of the artifact manifest. And
- b) comprehend that the referrers API is a thing, and then fall back to querying for the image manifest list/index instead.
- Update notation sign and verify spec for metadata - [notation/pull/498](https://github.com/notaryproject/notation/pull/498) (Byron)
- Collaborate on the Notary new year blog (Feynman)
### Meeting Notes
- Nima and Pritesh will update Notary v2 spec to support fallback solution and CLI spec
- We have less resources on the documentation. Vanin will confirm if she can find one maintainer for Notary documentation
- `Notation Inspect` is risky in RC.2. We need to review the status next Monday and determine if we could imlement it in RC.2
- Feynman will draft new year blog for Notary, the content structure will be similar to [this one](https://github.com/oras-project/oras-www/pull/75/files)
- Review a PR from Byron: Update notation sign and verify spec for metadata - [notation/pull/498](https://github.com/notaryproject/notation/pull/498)
## Dec 22, 2022
### Attendees:
- Toddy Mladenov
- Vani Rao
### Agenda Items:
- Manifest Fallback Support
- Vani is working with Nima
- Toddy is investigating the behavious of various registries
- Extracting the descriptor from the signature in `notation inspect`
- We can investigate what would it take to add this capability
- We should at least cover how to do that using JWS- and COSE-specific parsers in the documentation
## Dec 19, 2022
### Attendees:
- Toddy Mladenov
- Yi Zha
- Shiwei Zhang
- Patrick Zheng
- Feynman Zhou
- Samir Kakkar
- Vani Rao
- Junjie Gao
- Nima Talebi
- _add yourself_
### Agenda Items:
- Planning for the Manifest Fallback Support (Vani/Nima)
- Notation inspect command review/discussion (Samir/Vani)
- Do we need docker client running on machine for registry creds in notation? (Pritesh)
- For PRs created by dependabot like the follows, do we still need approvals from different orgs?(Yi)
- [build(deps): bump oras.land/oras-go/v2 from 2.0.0-rc.5 to 2.0.0-rc.6](https://github.com/notaryproject/notation/pull/488)
### Notes:
- Implementation planning for Manifest Fallback support to be shared next week.
- Oras CLI fallback feature test results to be shared.
- PRs created by dependabot will still need approvals from different orgs, collectively it will be priortized from both orgs to get merged quickly.
## Dec 15, 2o22
### Attendees:
- Toddy Mladenov
- Vani Rao
- Samir Kakkar
### Agenda Items:
- Review the roadmap items and see if anything needs to be brought in for RC-2 ( Samir)
- The purpose of the roadmap repo (Samir)
### Notes:
- _meeting minutes
# # Dec 12, 2022
### Attendees:
- Toddy Mladenov
- Vani Rao
- Samir Kakkar
- Yi Zha
- Patrick Zheng
### Agenda Items
- Fallback Support Priority. Any further updates from the other community ? (Vani)
- RC.2 release items priority from customers perspective (Vani)
- Semantic Versioning https://github.com/orgs/notaryproject/projects/10/views/22
- Notation inspect signature iteratively will be a good feature for rc.2 from customers perspective https://github.com/orgs/notaryproject/projects/10/views/22
- Include Metadata at the time of signing (Attestations) which is also iterative and additional feature for customers https://github.com/notaryproject/roadmap/issues/67
- E2E Testing and Debug logging can be moved to rc.3 because we already have a version of it in rc.1, since both are incremental, this can be moved. Any opinions (Vani)
### Notes
# # Dec 8, 2022
### Agenda Items
- Fallback Support Priority/resourcing
- Release date Dec 5, 2022 for rc.1 release, see [summary](https://github.com/notaryproject/notaryproject/discussions/205#discussioncomment-4253480). (Yi)
- rc.2 plan, see [discussion](https://github.com/notaryproject/notaryproject/discussions/206#discussioncomment-4253559). (Yi)
- New Notary website [prototype preview](https://www.figma.com/file/sV3L1CedpMhuO6qXyaipbV/Notary-website-landing-page?node-id=0%3A1&t=Qk8mLGjaTLSOJkqA-1) and ask for feedback (Feynman)
### Notes
- Fallback support
- https://github.com/oras-project/oras-go/issues/362
- https://github.com/notaryproject/notation/issues/444
- Notary compatibility
- We discussed prioritzing the following:
1. Stabilizing the signature format so content signed with RC1 can be consumed by all subsequent releases. The APIs may have additive or breaking changes
2. Stability the APIs so users can pull newer versions, or use older versions of the notation cli or the notation-go library without concerns of breaking changes
3. Adding capabiliites that are still backwards compatible, but older versions aren't necessarilty compatible. This could be in signature content, or apis. The user would need to update their clients to support the new capability. This is to avoid a frozen state of the project.
## Dec 05 2022
### Attendees:
- Vani Rao
- Samir Kakkar
- Toddy Mladenov
- Pritesh Bandi
- Yi Zha
- Patrick Zheng
- Sajay Antony
- Feynman Zhou
- Shiwei Zhang
- Steve Lasker
### Agenda Items:
- rc.1 release readiness Dec 5, 2023 - Resolve the usage of "notation remove" vs "Notation delete" https://github.com/notaryproject/notation/pull/466 (Vani)
- Release notation v1.0.0-rc.1 (Yi)
- rc.2 scope and timeline, see [latest proposal](https://github.com/notaryproject/notaryproject/discussions/206#discussioncomment-4279018) (Yi)
- rc.2 plan and new proposed date, see [latest scope proposal](https://github.com/notaryproject/notaryproject/discussions/206#discussioncomment-4253559) (Vani)
- Restrict permissions on repos (Pritesh)
- Discuss the roadmap items and move things in the "roadmap" repo accordingly (Samir)
### Notes:
- _meeting minutes_
- Need to clarify the behavior for registry backwards compat, when the registry doesn't support OCI Artifact Manifest: TODO: Open an issue/PR on [Signature Specification](https://github.com/notaryproject/notaryproject/blob/main/specs/signature-specification.md)
- Related issues:
- [oras-go to automatically support uplevel artifact manifest and downlevel registries #362](https://github.com/oras-project/oras-go/issues/362)
- [[Fallback Support]Notation uses OCI image manifest to store the signature in the repository. #444](https://github.com/notaryproject/notation/issues/444)
- [OCI & ORAS Artifact, Registry Interop](https://hackmd.io/Xq6HSDt5QZ-TMYnGk2jlGQ)
## Nov 28, 2022
### Attendees
- Vani Rao
- Samir Kakkar
- Toddy Mladenov
- Pritesh Bandi
- Yi Zha
- Patrick Zheng
- Sajay Antony
- Feynman Zhou
- Shiwei Zhang
### Agenda Items
- Release date Dec 5, 2022 for rc.1 release, see [summary](https://github.com/notaryproject/notaryproject/discussions/205#discussioncomment-4253480). (Yi)
- rc.2 plan, see [discussion](https://github.com/notaryproject/notaryproject/discussions/206#discussioncomment-4253559). (Yi)
- New Notary website [prototype preview](https://www.figma.com/file/sV3L1CedpMhuO6qXyaipbV/Notary-website-landing-page?node-id=0%3A1&t=Qk8mLGjaTLSOJkqA-1) and ask for feedback (Feynman)
### Notes
## Nov 21, 2022
### Attendees
- Yi Zha
- Patrick Zheng
- Vani Rao
- Pritesh Bandi
- Samir Kakkar
### Agenda Items
- Code freeze targeted EOD of Wed Pacific time, E2E Testing will start Thursday and Friday. Status [check-in](https://github.com/notaryproject/notaryproject/discussions/205).
- Confirm fallback to image manifest is not in rc.1, see [illustration](https://github.com/notaryproject/notation/issues/444).
- Discuss any special documentations or blogs required for rc.1, since it is a major milestone.
- Rc.2 scope [discussion](https://github.com/notaryproject/notaryproject/discussions/206#discussioncomment-4192529) (if we have time).
### Notes
-
## Nov 17, 2022
### Attendees
Vani Rao
Samir Kakkar
Toddy Mladenov
Pritesh
Roy Williams
### Agenda Items
- Rc.1 release status update, see discussion https://github.com/notaryproject/notaryproject/discussions/205 (Yi)
- Suggest to scope out more issues and set code freeze date on Nov 23.
- rc.2 scope discussion kick-off, see discussion https://github.com/notaryproject/notaryproject/discussions/206, please add your comments there. (Yi)
- Suggest plan regular releases per monthly cadence
- Suggest plan on-demand releases for critical issues.
### Notes
- Unblock of Ratify is done. Ratify dates will not be delayed.
- Notation-Go refactoring have two PRs (#200 and #207) left for review. #207 is waiting for rebase. There is not too much left to do on that.
- Notation CLI should be fine. We need to update the CLI after the refactoring of Notation-Go
- Notation using OCI artifacts to store signatures is done in the library.
- For the timeout we should have a write up for the behavior as part of RC.1 but implementation is not blocking for RC.1.
- Tag to SHA translation - spec is in review right now. Improving the documentation and the output from the CLI implementation will be post RC.1.
## Nov 14, 2022
### Attendees:
- Pritesh
- Toddy M
- Vani
- Patrick Zheng
- Feynman
- Sajay
- Yi Zha
### Agenda Items:
- Changed the meeting timing for Monday based on the daylight time saving. Send the latest invite for 4:00 PM PST timeframe.
- Approve and merge #186, with following issues to be addressed after refactoring (Yi) -- This will unblock Ratify since the API interfaces are reviewed and aligned
- https://github.com/notaryproject/notation-go/issues/201
- https://github.com/notaryproject/notation-go/issues/197
- [Fallback support](https://cloud-native.slack.com/archives/CQUH8U287/p1668100458892709): Should we support artifact manifest fallback if its not an OCI image / distribution spec? Also, how will manifest fallback work? If notation is not able to push artifact manifest, notation will try to push oci manifest? If so are there any sharp edges? (Pritesh)
```
- Update the signature manifest spec to accept both the OCI Artifact manifest and the OCI image manifest.
- Update the signature manifest spec to accept both the OCI Artifact manifest and the OCI image manifest.
- The client SHOULD generate and push OCI Artifact manifest to the remote registry.
- The client SHOULD NOT generate and push OCI Image manifest to the remote registry.
- The spec MUST NOT define anything related on the manifest fallback but accepts two manifest types.
- For the OCI image manifest, the spec SHOULD define how the config blob is generated and processed.
- Update notation-go implementation and documentation.
- On push, it pushes OCI image manifest if the attempt of OCI artifact manifest fails due to not being supported by the remote registry.
- On pull, it accepts both manifest type
```
- Potential RC1 issues (Pritesh)
- [During verification use signature filtering ](https://github.com/notaryproject/notation-go/issues/197)
- [GenerateEnvelope plugin request doesnot have expiry.](https://github.com/notaryproject/notation/issues/443)
- [Using timeout as the restricting mechanism fo signature verification #201
](https://github.com/notaryproject/notation-go/issues/201)
- [fractional second support](https://cloud-native.slack.com/archives/CQUH8U287/p1667934661142869) for expiry and signing time - Whats the usecase? (Pritesh)
- Website and documentation - Toddy
### Notes:
- Yi to discuss with Steve on the rescheduling the invite for Monday from 5:00 PM PST to 4:00 PM PST.
- RC1 supports registries that are compliant with OCI Artifact Manifest like ECR, ACR, Zot. The fallback solution stated above in agenda will be moved to RC2 and will need more deep dive on the approach and solution.
- During verification use signature filtering will be moved out of RC1 scope and will be taken into RC2.
- GenerateEnvelope plugin request doesnot have expiry has two parts to it - 1. Spec update (Pritesh/Vani) and 2. Implementation (MSFT). This issue will be in scope for RC1.
-
## Nov 10, 2022
### Attendees:
- Vani Rao
- Toddy SM
- Samir Kakkar
- David Tesar
### Agenda Items:
- OCI compatibility https://cloud-native.slack.com/archives/CQUH8U287/p1668101298107019?thread_ts=1668100458.892709&cid=CQUH8U287
- Open SSF Scorecard issues https://github.com/notaryproject/notation/issues/408
- Security Incident Response
- CNCF Fuzzing
- What's supported/stable at RC-1
- Website/Documentation support
### Meeting Notes
- We will implement OCI for RC-1. It isn't sure how this has been factored into timeline. Samir was unsure of why ORAS can't handle this on it's own, but will wait for Yi's spec for futher discussion.
- We should implement a security incident response page ideally for RC-1. Waiting to see if enhancements in coming days from GitHub may meet our needs, but regardless will need a security incident response page. This is raised on CNCF scorecard as well.
- There is possiblity for resources from CNCF to support/add fuzzing to the project. I reached out on Slack to security thread, but still no response. https://cloud-native.slack.com/archives/CDMCCN2SJ/p1667949707733439 Not critical for RC-1, but would be good to get in the queue to get CNCF resource support here.
- Supportibility: On the client side, the sub commands which are marked supported for RC-1 will be in the release notes if we don't implement any of the suggestions here: https://github.com/notaryproject/notation/discussions/257
- Supportibility: On the API side we should try to not have any major breaking changes although realize this *might* be possible and will defer to SemVer to help with this.
- Supportibility: Biggest factor is having stable signature stamp for what is signed so future versions will be able to verify previous things which are signed.
- AWS will take a look at all of the items here: https://github.com/notaryproject/notaryproject.dev/issues/77#issuecomment-1291667125 and get back to us on the #notary-docs channel on where they can help. Agree we need to have more regular updates and can post link(s) to vendor-specific implementation updates at least for RC-1.
## Nov 7, 2022
### Attendees:
- Yi Zha
- Sajay Antony
- Feynman Zhou
- Shiwei Zhang
- Patrick Zheng
- Rakesh Gariganti
- Vani Rao
- Toddy SM
- Samir Kakkar
- Jungie Gao
### Agenda Items:
- What we can do to improve the Trust policy UX for rc.1 release? https://github.com/notaryproject/notation/issues/398 (Yi)
- Reopening https://github.com/notaryproject/notation-core-go/issues/88 as this is causing an issue with verification plugins (Rakesh)
- Stay on track to unblock Ratify as of 11/11/2022.
### Meeting Notes
- Agreed to move time to 4:00 PM PST( Basically keeping the time the same)
- Need to make getting started easier. Requires a user story created for a command like `notation init`
- Can we create good default trust policy
- can we take user inputs to enable a good experience for signing and verification
- Trust policy needs improvements to enable adding/removing scopes
- Define use cases of possible improvements for adding allow/deny list and with support for wildcard scopes.
## Nov 2, 2022
### Attendees:
- Vani Rao
- Patrick Zheng
- Samir Kakkar
- Rakesh Gariganti
- Shiwei Zhang
- Yi Zha
- Feynman Zhou
- Toddy Mladenov
- Junjie Gao
- David Tesar
### Agenda Items:
- Continue to review [refactoring Notation-go proposal](https://hackmd.io/nAV5ipF1TKyxFdrO7_75Mg?view)
- Check the release status of Notation beta.1
- HLE 1-2 days estimate to complete refactoring work in notation-go for Ratify TS/TP development - MSFT or we can take it starting tomorrow and complete it by Monday.
- If this is completed by Monday, can MSFT estimate Ratify time frame to complete the TS/TP and what is the date look like prior to 12/01.
- Is all refactoring notation work needed, this is something new that got added to RC-1, so along with the tasks on RC-1 Github what is the time estimate to hit 11/15 for RC-1. What is must TOGO for RC-1 and what can be moved to RC-2.
- Come up with a plan to hit 11/15 date for RC-1 across all the items and complete the estimation on the GITHUB which has no assignment.
### Meeting Notes
# Archived Notes
Older meeting notes have been archived to: https://github.com/notaryproject/meeting-notes
* 2021 meeting notes https://hackmd.io/-5DLI3xiRmmgiC1ugo7fHw?view
# Meeting Notes Template
(template for copying)
## Meeting Date
### Attendees:
- _add yourself_
### Agenda Items:
- _add your topics_
### Notes:
- _meeting minutes_
