Notary Project Meeting Notes

tags: Notary Project, notary

TUF-notary meeting notes

NOTE: Time Change - Starting May 9 2022, we will hold two meetings a a week to account for folks in the US, Europe and Asia times.
Meetings are now:

• Mondays 5-6pm pacific time, 8-9pm US Eastern, 8-9am Shanghai (US Summer time)
• Mondays 4-5pm pacific time (US Winter time)
• Thursdays 9-10am pacific time, 12pm US Eastern, 5pm UK

Links

• On GitHub
• CNCF Calendar
• Zoom Dial-in link
  • Passcode: 77777 (5x 7)
• Notary Project Conversations on Slack
• Find your local number
• Notary Project GitHub Projects
• YouTube Recordings
  • Recordings prior to April 9, 2021

Dial by your location

877 369 0926 US Toll-free
855 880 1246 US Toll-free
Meeting ID: 611 593 2621

One tap mobile

+16465588656,6115932621# US (New York)
+16699006833,6115932621# US (San Jose)

Note: See Meeting Notes Template below

## Meeting Notes Template
(template for copying)

## Meeting Date

### Attendees:
- _add yourself_

### Agenda Items:
- _add your topics_

### Notes:
- _meeting minutes_

### Recording:

_recording_url_

Agenda items must identify the (owner) of the item

Meeting chair rotation

• Yi Zha
• Feynman Zhou
• Samir Kakkar
• Pritesh Bandi
• Toddy Mladenov
• Vani Rao
• David Tesar (emeritus)
• Justin Cormack (emeritus)
• Steve Lasker (emeritus)

Mar 24, 2025

Agenda Items

• Review milestone v2.0.0-beta.1 and triage new issues (Feynman)

Notes

• Patrick to update the issue description for the blob command UX revisit to focus on the shorthand enhancement for flags.
• Yi to create separate issues related to UX improvements for notation.
• Maintainers to vote on two community meeting poll within one week.
• Feynman to ping Vani and other US-based contributors to vote on the US-friendly community meeting poll.
• Feynman to update the community meeting polls to remove the cadence information and focus only on identifying comfortable meeting times.
• Maintainers to discuss and make decisions on the community meeting cadence in a separate issue https://github.com/notaryproject/.github/issues/80.

Recording

https://youtube.com/live/CQU-tcrkG2E

Mar 17, 2025

Agenda Items

• Announcement of release notation v2.0.0-alpha.1 (Feynman/Patrick)
• Meeting schedule poll and cadence discussion (Feynman)
  • Considering changing the cadence from weekly to bi-weekly and providing two series to accomodate people from different regions
  • Notary Project community meeting (US-friendly) poll
  • Notary Project community meeting (APAC-friendly) poll
• Brainstorming on the Formatted Output of Notation CLI (Feynman)
• Info: good-first issue list and help-wanted issue list for new contributors
• Triage issue https://github.com/notaryproject/notation/issues/1226 (Yi)

Notes

Quick recap

The Notary Project maintainers discussed the release of 2.0.0-alpha.1, proposed changes to meeting schedules, and explored the implementation of formatted output for the Notation CLI. They addressed the need for automatic output support, prioritizing stable commands and focusing on JSON format initially. Maintainers also shared issue lists for new contributors and discussed supporting the cozy hash envelope for blob code signature.

• Next steps
  • Feynman to create an issue to discuss lowering the meeting cadence from weekly to bi-weekly.
  • Feynman to create a general guidance document for formatted output support in Notation CLI.
  • Feynman to update the project website and README with links to the "Good First Issues" and "Help Wanted" issue lists.
  • Patrick and Yi to discuss and work on the implementation of COSE hash envelope support for blob policy signatures (Issue #1226).
  • Patrick and Yi to update the Notary Project specification for COSE hash envelope support.

Recording

https://youtube.com/live/n6saG6HIFQY

Mar 10, 2025

Attendees

• Dhseeh (Individual)
• Byron Chien (Amazon)
• Josh Polkinghorn (Amazon)
• Victor Lu (Individual)
• Sunil Ravipati (Individual)
• Patrick Zheng (Microsoft)
• Shiwei Zhang (Microsoft)
• Feynman Zhou (Microsoft)
• Patrick Zheng (Microsoft)
• Yi Zha (Microsoft)

Agenda Items

• Triage GitHub issues in v2.0.0-alpha milestone (Feynman Zhou)
• v1.4.0-alpha release for blob signing (Yi)

Notes

• Notary Project maintainers triaged all opening GitHub issues in the v2.0.0-alpha.1 milestone. Maintainers will re-visit the release timeline by EoW.
• Notary Project maintainers will cut v2.0.0-alpha.1 first and decide whether we need v1.4.0-alpha.1 later on.

Recording

https://www.youtube.com/live/5fkp91A2IWU?si=v6vyuxd-z8wWm5ba

Mar 3, 2025

Skipped due to no agenda

Feb 24, 2025

Attendees

• Yi Zha (Microsoft)
• Josh Polkinghorn (Amazon)
• Patrick Zheng (Microsoft)
• Shiwei Zhang (Microsoft)
• Feynman Zhou (Microsoft)
• Patrick Zheng (Microsoft)
• Toddy Mladenov (Microsoft)

Agenda Items

• Discussion of the Blob signing proposal and release plan (Yi)
  • v1.4.0 alpha –> beta –> stable
  • The scope of alpha
    • Scenario 1 in the proposal
• Proposal for archiving the roadmap repository (Feynman)
• Notation Enhancement Proposal Template (Feynman)
• Vote on the community meeting schedules (Feynman)

Notes

• Notary Project maintainers agreed to plan a v1.4.0 release. This release might be backed port from v2.0.0-alpha. This release will focus on the Scenario 1: Blob signing and verification with file-based distribution. The Scenario 2: Blob signing and verification with registry-based distribution will be re-visited and designed in the next iteration.
  Proposal for archiving the roadmap repository - Notary Project governance maintainers and org maintainers are supposed to vote on it
• Notary Project maintainers agreed to move the Notation Enhancement Proposal Template to .github repository. It should be a part of the contribution process and applicable to all sub-projects of Notary Project.
• Feynman will create a Doodle Poll to request community folks to vote on the community meeting schedules

Recording

https://www.youtube.com/live/pB7ylytsB3g?si=4puhF5PAvRRuXo52

Feb 10, 2025

Attendees:

• Josh Polkinghorn (Amazon)
• Patrick Zheng (Microsoft)
• Shiwei Zhang (Microsoft)
• Feynman Zhou (Microsoft)
• Patrick Zheng (Microsoft)

Agenda Items:

• Discuss the scope and release plan of Notation v1.4.0 and Notation v2.0.0
• PoC of blob signing and verification
  • What's difference between a blob file in OCI registry and an OCI artifact? Why do we propose --reference in notation blob verify?
  • Should we consider notation push to enable push/attach a signature to the registry?
  • Potential UX enhancement
• Explore and brainstorming OSS signing scenario
  • https://github.com/notaryproject/notation/discussions/1161
  • https://staging.augmentedmind.de/2025/02/08/docker-image-signing-with-notation/

Notes:

• Notary Project triaged issues in v2.0.0-alpha milestone. The major enhancements will be blob signing & verification, OCI Spec v1.1 support, formatted output support, and diagnostic experience enhancement.
• Notary Project maintainers agreed to release Notation v2.0.0-alpha.1 by end of March, 2025. It is planned to be demonstrated at KubeCon EU in early April.
• Another two topics will be moved to the next community meeting. Notary Project maintainers will demonstrate the PoC of blob signing & verification

Recording:

https://youtube.com/live/hvfXzpw0wi4

Jan 13, 2025

Attendees:

• Pritesh Bandi (Amazon)
• Patrick Zheng (Microsoft)
• Shiwei Zhang (Microsoft)
• Feynman Zhou (Microsoft)
• Josh (Amazon)
• Yi Zha (Microsoft)
• Toddy Mladenov (Microsoft)
• Sajay Antony (Microsoft)

Agenda Items:

• Timeline of publishing the security audit report and blog post
• Release v1.3.0 check-in
• Review and determine the scope of the v1.4.0 milestone

Notes:

• Pritesh proposed to adjust the PR merging criteria by removing the rule of requiring at least 2 approvals from different orgs
• Welcome Josh from AWS joinning the community
• The security audit report and blog post are planned to be published by Jan 17, 2025. @yizha1 will work with audit team to get them published this week
• Notary Project maintainers aligned to release v1.3.0 within around a week since it will include the security vulnerability fixes from the security audit report.
• Notary Project maintainers agreed to focus on blog signing and Detal CRL support in the [v1.4.0 milestone].(https://github.com/notaryproject/notation/milestone/25). Other issues have been moved to v2.0 due to limited resource.

Recording:

https://www.youtube.com/live/O_ZvfqfOQ6g?si=sqo5j3mDnGVDaHXl

Jan 6, 2025

Attendees

• Pritesh Bandi (Amazon)
• Patrick Zheng (Microsoft)
• Shiwei Zhang (Microsoft)
• Feynman Zhou (Microsoft)
• Vani Rao (AWS)
• Yi Zha (Microsoft)
• Toddy Mladenov (Microsoft)
• Sajay Antony (Microsoft)

Agenda Items

• Security Audit and Notation v1.3.0 status check-in (Yi)
• KubeCon updates (Yi)
• Triage issues

Notes

• Security Audit report will be published next week. We will need to publish two security advisories this week ASAP. @pritesh
• Give one addtional week (this week) for testing as last week is still within holiday season
• Notary Project maintainer tracker session was accepted for KubeCon EU 2024
• Yi shared the start of engagement with in-toto community.
• Need to create an issue to track how to make the commit signing guideline more visible, especially provide a guideline for users in the PR once they fail to sign their commits.

Recording

• https://www.youtube.com/watch?v=Bp6BNbWmK9U

Archived meeting notes

See https://github.com/notaryproject/meeting-notes for archived meeting notes