# CNAB Community Meeting

**Meeting time:** Every other Wednesday 9:00 AM - 10:00 AM US Pacific Time

**Zoom Link:** https://zoom.us/j/653255416

**GitHub Repo:** https://github.com/deislabs/cnab-spec

**Group slack channel:** #cnab @ cloud-native.slack.com (Get an invite from: https://slack.cncf.io)

**Mailing list:** https://groups.google.com/a/opencontainers.org/forum/#!forum/dev

**Document Link:** https://aka.ms/cnab/meeting

**YouTube:** https://www.youtube.com/playlist?list=PLL6BzOBDywQeaaKFZkdt10JTZr5BxjQvQ

## Meeting Minutes and Agenda

## Jan. 15 - Security and Registry Meeting

| | |
| -------- | -------- |
| Recording | |
| Attending | Radu Matei, Matt Butcher, Chris Crone, Trishank Karthik Kuppusamy, Karen Chu |
| Note Taker | Trishank Karthik Kuppusamy |

### Agenda

- Bundle formats as part of the core spec and relationship to registries and security (https://github.com/cnabio/cnab-spec/blob/master/104-bundle-formats.md)
- Notary V2 scenarios and requirements (https://github.com/SteveLasker/notary)
- Walkthrough of security spec PRs: [#301](https://github.com/cnabio/cnab-spec/pull/281), [#302](https://github.com/cnabio/cnab-spec/pull/282), and [#303](https://github.com/cnabio/cnab-spec/pull/280)
- Moving security implementations into `github.com/cnabio` and discussing next steps

### Notes

- Bundle formats
  - Radu: clarify in Slack
  - Matt: can we have a formal process where someone like myself can verify and vouch that CNAB-Sec is compliant with CNAB-Core?
  - We can keep the process light by nominating one person in a team to make sure their changes are interoperable with other teams
- PRs
  - Let's get 301-304 reviewed and merged as the first _working draft_
  - Trishank will circle back to 300 later
  - Matt, Chris, and others will review in the next 1-2 weeks
  - Radu and Trishank should make as much progress as possible with 300 in the same time frame
  - People are not likely to read external specs, so let's try to explain as much as possible
- Notary v2
  - Radu will track their work to see how it will impact us in the future
  - CNAB-Sec 1.0 will target Notary v1
  - CNAB-Sec 2.0 might target Notary v2
  - Trishank: add use cases to Notary v2 (note to self)
- Implementations
  - Can we vote to move signy (Go) and pysigny (Python) to cnabio?
  - Chris: we should merge them so that they are visible
  - Radu: the Go version is more advanced than the Python one right now, and the README makes clear we are still in WD
  - Action items: we should start testing whether signy works with duffle / cnab-go
  - Transfer knowledge of Datadog use cases to signy and also Notary v2

## Jan. 8 - General Meeting

| | |
| -------- | -------- |
| Recording | https://youtu.be/bsDOqRCzhzM |
| Attending | Ralph Squillace, Radu Matei, Matt Butcher, Chris Crone, Trishank Karthik Kuppusamy, Carolyn Van Slyck, Silvin Lubecki, Jacob LeGrone, Vaughn Dice |
| Note Taker | Radu M |

### Agenda

- Add Silvin as maintainer on Spec repo (Matt Butcher)
- _Stable_ working draft for CNAB Security and Distribution (when ready) vs. 1.0, considering upcoming changes with OCI Artifacts and Notary v2 (Radu M)
- Move other repositories (e.g. `signy`, `cnab-to-oci`) under github.com/cnabio (Radu M)
- Please review the latest PRs on the security and claim specifications (https://github.com/cnabio/cnab-spec/pulls) (Radu M)
- Common repository for `cnab-to-oci` C bindings? (Rust and Python bindings in progress) (Radu M)
- Claims spec process to completion (Matt Butcher)
- Update on MS usage of CNAB and Porter (Matt Butcher)
- Should we parse digest from the `image` field? https://github.com/cnabio/cnab-go/pull/166 (Jacob) -- see also https://github.com/cnabio/cnab-spec/issues/287
- Anyone working on a distributed claim store? (Chris)

### Notes

- Add Silvin as maintainer on Spec repo
  - We voted last November to add him, but the configuration to the repo was not added
- Stable draft vs. 1.0 for security and registry
  - Chris: if we wait for registries to support new versions, it might take a long time. Notary work is unknown at this point.
  - Trishank: not sure if there will be incompatible changes for Notary, so we don't know at this point. We should release a 1.0 with the stable draft, then update if / when new versions are supported.
  - Matt: do we anticipate changes to the core spec?
  - Radu: we could end up with different versions
  - Chris: I worry that if we don't cut versions, people trying to adopt will be deterred because they will think we don't have stable versions.
- Move other repos to `cnabio`
  - Matt: switch to DCO for all repos (JDF)
  - Chris: `cnab-to-oci` has to go through legal first, but it needs to be vetted first
  - Matt: we should also move `signy` to have an _official_ implementation for security as well
  - There might be a change to the core spec that would require an errata
- Claims spec
  - Matt: I would like to push the claims spec to completion, as multiple tools use it already
  - Matt: there is an outstanding requirement to change `name` to `installation` that might break existing tools.
  - Matt: strive to have the claims spec in a stable draft by end of February
  - Ralph: does the spec have any statement that would prevent storing state in claims, or does it need changes?
  - Matt: we have a statement that would allow an opaque data storage for systems like Terraform
  - Carolyn: have we been thinking about tracking the actions that have been performed on a bundle besides the last one, like an audit operation?
  - Matt: I don't think there is anything specific on it, I will look at it carefully - but because a claim has a name and revision ID, it should be trivial to retrieve all claims related to a bundle
  - Carolyn: distinction between something we implement vs. something required of all tools
  - Jacob: I have been working on an API that queries all claims for a specific bundle
  - Chris: Jacob, could you share that API? It is something that Docker App also needs to solve
  - Jacob: I would like to switch the API to protobuf and at least share the proto - I want to open source it, it might take some time
  - Carolyn: is it for claim storage?
  - Jacob: the API handles installations and internal workflows, for storing, querying, distributing installations
  - Carolyn: I've been working on a plugin for claims backends for tools (Porter, Duffle) to use and store claims in backends - it would be nice to collaborate
  - Jacob: I could do a demo (add as agenda)
  - Matt: if there are changes required in the claim spec to enable distributed claim stores, please
  - Jacob: add an identity to claims for audit purposes - we explicitly stated that we don't handle this in claims right now, but this might be required, as we're currently storing that outside the claim
  - Matt: could you open an issue for this? This will end up being required most probably.
- Update on MSFT usage of CNAB and Azure examples
  - Ralph was supposed to present this (existing Azure examples have been migrated to CNAB, and the Azure Docs team started implementing bundles)
- Should we parse digest from the `image` field? https://github.com/cnabio/cnab-go/pull/166 (Jacob)
  - Jacob: context in the PR linked above, more opinions are very helpful here. The PR introduces a `Digest()` function for images - should the method return the content digest, return it only if it was added in the bundle, or return it from the image?
  - Jacob: there is also a question of what the content digest is in the context of Docker images - please check the discussion and comment.
  - Matt: we should re-document and add this again on the agenda for next time.

## Dec. 11 Agenda - General Meeting

| | |
| -------- | -------- |
| Recording | https://www.youtube.com/watch?v=947TG3yDogw |
| Attending | Matt Butcher, Radu Matei, Silvin Lubecki, Glyn Normington, Vaughn Dice, Karen Chu, Jacob LeGrone, Chris G, Ralph Squillace |
| Note Taker | Matt Butcher |

### Agenda

- Intros and Announcements
- Demos
- Status on Claims spec (Butcher)
  - This needs one more review: https://github.com/cnabio/cnab-spec/pull/295
  - A claim should have a reference to the bundle https://github.com/cnabio/cnab-spec/issues/297
  - Upgrade action should mount the previous bundle https://github.com/cnabio/cnab-spec/issues/296
  - Clarify terminology: https://github.com/cnabio/cnab-spec/issues/298
- Status on Security and Registry specs
- Coordination: Are there any release announcements in the next 2 months? (Butcher)
- Holiday Schedule

### Notes

- Demos
  - Notes: Radu shows generating Rust bindings for OCI registry pulls by bridging Go (via CGO) and Rust (via bindgen) and dynamically loading the library. His demo showed pulling a CNAB bundle.json from Rust using this.
  - Q (Jacob): Did we talk about storing the bundle.json itself instead of a pointer to a blob?
  - A (Radu): I think CNAB-to-OCI used to do this, but we lost the content digest when we did that because we don't know how the registry will store it
  - Q (Glyn): It may be worth wrapping the unsafe, bindgen-generated interface to cnab-go in rich Rust types.
  - A (Radu): Yes, this demo was just getting a simple case working.
  - Q (Glyn): Is the Go runtime loaded each time?
  - A (Radu): Not sure, but probably
  - Q (Jacob): do people want to see a demo of how we use bazel to construct the digests prior to pushing?
  - A (Glyn): it's likely that you have an unintentional expectation that docker compression will remain the same, so look out for that
  - A (Radu): love to see Jacob's demo however
  - Q (Radu): How do we package shared objects in binary releases?
  - A ():
- Status of Claims Spec
  - #295 needs another lgtm
  - #296, #297 Butcher to take another pass at them
  - Some verbiage still needs clarification
  - Next meeting would be great to lock this small spec area down; really only tidying is required
  - Anything else that should be in here?
  - Q (Jacob): what is your definition of a release?
  - A: an installation of a claim; an upgrade is a "release" of an installation, but releases aren't tracked in the spec while installations are. The language got muddied; perhaps we just eliminate one term altogether. Jacob: I think we just need "installation" and not release. Agreement: Butcher/Glyn. Don't want confusion with things like Helm, too.
  - Jacob: PR for cnab-go that just needs a review: #165
  - Radu: Do we want to change the import paths for cnab-go and duffle?
  - A: Jacob: I updated for cnab-go
  - A: Go ahead and upgrade duffle
- Status of security spec
  - Ralph: Trishank is still strongly motivated to move it to completion
  - Radu: There is a Go implementation with CNAB-to-OCI and Notary. Started a Python implementation. The FFI work might also work with Python sharing with Rust(?). Technically, all the pieces are there and functional
- Status of registry spec
  - OCI blocking issue #1: Index has no concept of a config object. No way to add a type to an index (e.g. a CNAB type)
  - OCI blocking issue #2: All images referenced in an index must be part of the same registry as the index. No way to include references to remote objects (e.g. like part of a different repo)
  - The issue is really storing multiple types in the same repository, not necessarily referencing external artifacts. The conversation in OCI is all wrapped up together. We don't need the external references, though... just multiple types in the same registry.
  - Discussion about cyclic dependencies, garbage collection re: external references
- Any upcoming announcements?
  - No big ones
- Holiday Schedule
  - Next meeting will be January 8, 2020
- Renaming libcnab-rust repo to cnab.rs
  - Add Jacob LeGrone as a maintainer (Radu)
  - Create issues for the next three:
    - Then we can do the GitHub rename
    - Cut some releases
    - Add GitHub action for running tests

## Nov. 13 Agenda - General Meeting

| | |
| -------- | -------- |
| Recording | https://youtu.be/aagxX3Qq1WI |
| Attending | Matt Butcher, Carolyn Van Slyck, Jacob LeGrone, Karen Chu, Glyn Normington, Andrew Stringer, Radu Matei, Ralph Squillace, Vaughn Dice |
| Note Taker | Carolyn |

### Agenda

- Intros and Announcements
- Demos?
- The State of the Claims spec (Butcher)
- libcnab-rust (Butcher)
- [Make status.json a CNAB Output](https://github.com/deislabs/cnab-spec/pull/290)
- CNAB Registries and CNAB Security (Radu M)

### Notes

- The State of the Claims spec (Butcher)
  - Butcher takes the lead on getting the claims spec going again.
  - Sufficiently vague so that the tools can move around their home dirs without hating on the spec
- libcnab-rust (Butcher)
  - Restarted work on the Rust library
  - Anyone opposed to having a full runtime in Rust?
  - Suggestion to split out library and client/runtime so that people can consume it like we do cnab-go
  - Ruffles repo!
  - Need integration tests across both to ensure we have the same outputs
- [Make status.json a CNAB Output](https://github.com/deislabs/cnab-spec/pull/290)
  - Hearty 👍 all around
- Security Spec Update
  - Spec: working on recommendations
  - Need people who know Python to help with implementation