tags: notary

tuf-notary meeting notes

Notary v2 meeting notes

Time: Friday 1800 UTC (1000 PT; 1300 ET)

Notary/notation meeting notes and info

Dial by your location

877 369 0926 US Toll-free
855 880 1246 US Toll-free
Meeting ID: 611 593 2621

One tap mobile

+16465588656,6115932621# US (New York)
+16699006833,6115932621# US (San Jose)

Note: Template for copying at the bottom of the note.

March 11, 2022

Attendees:

  • Marina Moore
  • Brandon Mitchell
  • Steve Lasker (Microsoft)

Agenda Items:

  • General update

Notes:

  • Thoughts on "eventually consistent TUF" to allow snapshots to be handled directly in the registry without an intermediate server

February 18, 2022

Attendees:

  • Marina Moore
  • Brandon Mitchell

Agenda Items:

  • Discussion on how to package metadata to allow partial copying (one repository vs the entire registry's metadata)
  • PR review

February 11, 2022

Attendees:

  • Marina Moore
  • Brandon Mitchell
  • Steve Lasker (Microsoft)

Agenda Items:

January 21, 2022

Attendees:

  • Marina Moore
  • Brandon Mitchell
  • Steve Lasker (Microsoft)

Agenda Items:

  • Check in

January 14, 2022

Attendees:

  • Marina Moore
  • Brandon Mitchell

Agenda Items:

January 7, 2022

Attendees:

  • Marina Moore
  • Steve Lasker (Microsoft)
  • Brandon Mitchell

Agenda Items:

  • Check in

Notes:

  • Some upcoming progress on oras-go
    • Should unblock the tuf-notary work with references and copying
  • tuf-notary is blocking on a couple of go-tuf PRs, but progress is being made

December 10, 2021

Recording

Attendees:

  • Marina Moore
  • Steve Lasker (Microsoft)
  • Brandon Mitchell

Agenda Items:

Notes:

  • meeting minutes

December 3, 2021

Recording

Attendees:

  • Marina Moore
  • Brandon Mitchell
  • Steve Lasker

Agenda Items:

Notes:

November 19, 2021

Recording

Attendees:

  • Marina Moore
  • Brandon Mitchell
  • Trishank Karthik Kuppusamy (Datadog)
  • Steve Lasker
  • add yourself

Agenda Items:

Notes:

  • Brandon will contribute a Makefile within the next week

November 12, 2021

Recording

Attendees:

  • Marina Moore (NYU)
  • Brandon Mitchell
  • Steve Lasker (Microsoft)
  • add yourself

Agenda Items:

  • Implementation status (Marina)

Notes:

November 5, 2021

Recording

Attendees:

  • Brandon Mitchell
  • Marina Moore (NYU)
  • add yourself

Agenda Items:

Notes:

  • meeting minutes

October 29, 2021

Recording

Attendees:

  • Marina Moore (NYU)
  • Brandon Mitchell
  • Trishank Karthik Kuppusamy (Datadog)
  • add yourself

Agenda Items:

Notes:

  • How to copy between registries?
    • Especially between registries with differing implementations
  • Consider plugin for go-tuf to have different signed data

October 22, 2021

Attendees:

  • Marina Moore (NYU)
  • Brandon Mitchell
  • Trishank Karthik Kuppusamy (Datadog)
  • add yourself

Agenda Items:

Notes:

  • meeting minutes

October 7, 2021

Attendees:

  • Brandon Mitchell
  • Marina Moore
  • add yourself

Agenda Items:

Notes:

  • TUF Metadata uploading:
    • Either option 1 or 2 should be fine; option 3 could be added later, like adding a symlink in a filesystem (Brandon)
  • meeting minutes

September 23, 2021

Attendees:

  • Brandon Mitchell
  • Marina Moore (NYU)
  • Sajay Antony
  • Ethan Lowman (Datadog)
  • Trishank Karthik Kuppusamy (Datadog)
  • add yourself

Agenda Items:

  • Proposed API
  • Demo draft
  • Question (Ethan): What is the motivation for signing an OCI descriptor rather than using the OCI manifest verbatim as the TUF target (using the OCI digest & size as the TUF digest & size)? Is it mainly to avoid type confusion attacks?

Notes:

  • meeting minutes

September 16, 2021

Attendees:

  • Steve Lasker (Microsoft)
  • Ethan Lowman (Datadog)
  • Sajay Antony (Microsoft)
  • add yourself

Agenda Items:

Notes:

  • meeting minutes
  • [Sajay] - Would like to get clarity on what needs to be distributed offline. This typically needs to be small, since ephemeral clients need to obtain keys/policy (through something like a mount).
    • How many requests does the client need to make after it has resolved the manifest or descriptor?
      • For example, do we need 3 or 5 requests to get the signature data on a clean client (without considering the bootstrap data like policy/keys/root.json)?
      • Can we scope the problem to a single repository first and then consider remote repositories?
        • Multiple origins/DNS names are a concern for the customers we have spoken to. There have been strong asks for not requiring more than the trusted set of DNS names, and all content needs to come from within their network.
        • For revocation we do need to reach out to a different origin, so it makes sense for administrators to manage these kinds of workflows, like importing content or TUF metadata.

2021-09-09

Attendees:

  • Marina Moore (NYU)
  • Steve Lasker (Microsoft)
  • Brandon Mitchell
  • Trishank Karthik Kuppusamy (Datadog)
  • Sajay Antony
  • Jon Johnson
  • Ethan Lowman (Datadog)
  • add yourself

Agenda Items:

  • New issues
  • Slack channel?
  • Update on implementation effort

Notes:

  • (very incomplete meeting minutes)
  • May need to shard snapshot data for large orgs
    • Sharding with an OCI index that points to nested lists may help
  • Steve: "A demo-script that uses oras discover and an implementation of distribution that supports references. This should give you the infra to validate the tuf implementation works, or has gaps we should fill."
  • https://github.com/SteveLasker/Presentations/tree/master/demo-scripts/reference-types
  • Tag signing: Steve wants ability to know all digests (history) that a tag has pointed to, and what's current
  • Timestamps:
    • either need constant updates or multiple TUF servers pushing updates
  • Brandon: are reference types scoped to a single repository?
    • Steve: not yet, deferred for now, until we can tighten scope for a single repo
    • Steve: while the artifact-spec currently scopes to a repository, it's related to lifecycle management/gc and a means to copy a graph of content within and across registries. Nothing stops the content stored in an artifact from referencing cross-repo content.
  • Sajay: TUF v1 kept a different catalog, which makes the lookup dependent on a different tag store and hence can lead to tag drift. Deployment engines typically look at the registry, so it would be good to have the registry be the starting point of lookup and not have a different catalog for TUF.
    • Tooling for timeliness - Can we discuss standalone tooling that can be run in some environment outside the registry and set expectations on how to honour timeliness of the signatures? For example, should we consider a daemonset that customers can run to keep the signatures updated, with some scoping of what keys are used?
    • Cross repository - Currently the artifact spec doesn't have cross-repository support, and if we needed this for supporting a snapshot or TUF metadata across repositories it would be nice to define the linkage and lifetimes of the metadata.
    • Size and sharding of content - Collection signing can lead to large scopes. Can we consider how a signer can update just one tag without worrying about the state of other tags in the same repository?

2021-09-02

Attendees:

  • Marina Moore
  • Steve Lasker
  • Brandon Mitchell
  • Justin Cormack
  • Trishank Karthik Kuppusamy
  • Pritesh

Agenda Items:

  • Platform for minutes
  • Issue on tuf-notary repo
    • Separate these into sub-issues, with this as a TODO list for v1
    • Open to new items for this list
  • Defining project goals
    • How to do updates on registries
      • external service in charge of snapshot
      • addition to registry spec
    • move/scope project goals from notation repo
  • What can we implement now, what needs more discussion
    • Start with targets, root metadata
  • Implement based on artifact spec?

Notes:

  • What images should be included in targets metadata?
    • Notary v1 users usually include all versions of an image
    • How can we limit this to the ones we actually want to sign?

Archived Notes

Meeting Notes Template

(template for copying)

Meeting Date

Attendees:

  • add yourself

Agenda Items:

  • add your topics

Notes:

  • meeting minutes