###### tags: `notary` # tuf-notary meeting notes [Notary v2 meeting notes](https://hackmd.io/_vrqBGAOSUC_VWvFzWruZw) Time: Friday 1800 UTC (1000 PT; 1300 ET) - [On Github](https://github.com/notaryproject/tuf) - [CNCF Calendar](https://www.cncf.io/community/calendar/) - [Zoom Dial-in link](https://zoom.us/j/6115932621?pwd=SGtsUXhQWHVvTjBuNnp4KzI1UFhyZz09) - Passcode: 77777 (5x 7) - [Notary v2 Conversations on Slack]( https://app.slack.com/client/T08PSQ7BQ/CQUH8U287/thread/CEX1W7WMD-1582660575.076600) - [Find your local number](https://zoom.us/u/aLDk4OXTu) - [Notary v2 GitHub Projects](https://github.com/notaryproject/) - [YouTube Recordings](https://youtube.com/playlist?list=PL1ykZdgmLkb7SlXax-hJVUgvNHmq4Cyz9) [Notary/notation meeting notes and info](https://hackmd.io/_vrqBGAOSUC_VWvFzWruZw) ### Dial by your location 877 369 0926 US Toll-free 855 880 1246 US Toll-free Meeting ID: 611 593 2621 #### One tap mobile +16465588656,,6115932621# US (New York) +16699006833,,6115932621# US (San Jose) **Note:** Template for copying at the bottom of the note. ## March 11, 2022 ### Attendees: - Marina Moore - Brandon Mitchell - Steve Lasker (Microsoft) ### Agenda Items: - General update ### Notes: - Thoughts on "eventually consistent TUF" to allow snapshots to be handled directly in the registry without an intermediate server ## February 18, 2022 ### Attendees: - Marina Moore - Brandon Mitchell ### Agenda Items: - Discussion on how to package metadata to allow partial copying (one repository vs the entire registry's metadata) - PR review ## February 11, 2022 ### Attendees: - Marina Moore - Brandon Mitchell - Steve Lasker (Microsoft) ### Agenda Items: * Discussion about verification * [what to include in signatures](https://github.com/notaryproject/tuf/pull/30) ## January 21, 2022 ### Attendees: - Marina Moore - Brandon Mitchell - Steve Lasker (Microsoft) ### Agenda Items: - Check in ## January 14, 2022 ### Attendees: - Marina Moore - Brandon Mitchell ### Agenda Items: - [New meeting time?](https://doodle.com/poll/5ezafb6sgktu2unm) - Questions about oras-go & the artifact spec (Marina) - ## January 7, 2022 ### Attendees: - Marina Moore - Steve Lasker (Microsoft) - Brandon Mitchell ### Agenda Items: - Check in ### Notes: - some upcoming progress on oras-go - should unblock the tuf-notary work with references and copying - tuf-notary blocking on a couple of go-tuf prs, but progress is being made ## December 10, 2021 [Recording](https://youtu.be/7h68zLQq0Xs)) ### Attendees: - Marina Moore - Stve Lasker (Microsoft) - Brandon Mitchell ### Agenda Items: - [timestamp and snapshot](https://github.com/notaryproject/tuf/pull/28) ### Notes: - _meeting minutes_ ## December 3, 2021 [Recording](https://youtu.be/Zy08Tutot2Q) ### Attendees: - Marina Moore - Brandon Mitchell - Steve Lasker ### Agenda Items: - Implementation update - [Snapshot and timestamp](https://github.com/notaryproject/tuf/issues/7) ### Notes: - _meeting minutes_ - [Extension proposal](https://github.com/opencontainers/distribution-spec/pull/111) ## November 19, 2021 [Recording](https://youtu.be/OR-3ylTYk0U) ### Attendees: - Marina Moore - Brandon Mitchell - Trishank Karthik Kuppusamy (Datadog) - Steve Lasker - _add yourself_ ### Agenda Items: - [progress on adding delegations](https://github.com/notaryproject/tuf/pull/25) - use of oras references - seems to require [this pr](https://github.com/oras-project/oras-go/pull/51)? ### Notes: - Brandon will contribute a Makefile within the next week ## November 12, 2021 [Recording](https://youtu.be/w6GYQaz9Xyc) ### Attendees: - Marina Moore (NYU) - Brandon Mitchell - Steve Lasker (Microsoft) - _add yourself_ ### Agenda Items: - Implementation status (Marina) - ### Notes: - Go Standard layout: <https://github.com/golang-standards/project-layout> - _meeting minutes_ ## November 5, 2021 [Recording](https://youtu.be/4RRqQjKJDDw) ### Attendees: - Brandon Mitchell - Marina Moore (NYU) - _add yourself_ ### Agenda Items: - [tuf-notary project board](https://github.com/notaryproject/tuf/projects/1) - Implementation status - _add your topics_ ### Notes: - _meeting minutes_ ## October 29, 2021 [Recording](https://youtu.be/gupEcJGKgwI) ### Attendees: - Marina Moore (NYU) - Brandon Mitchell - Trishank Karthik Kuppusamy (Datadog) - _add yourself_ ## Agenda Items - [example metadata](https://github.com/notaryproject/tuf/pull/15) - implementation progress: [registry upload](https://github.com/notaryproject/tuf/pull/14) ### Notes: - How to copy between registries? - Especially between registries with differing implementations - Consider plugin for go-tuf to have different signed data ## October 22, 2021 ### Attendees: - Marina Moore (NYU) - Brandon Mitchell - Trishank Karthik Kuppusamy (Datadog) - _add yourself_ ### Agenda Items: - [Meeting time](https://doodle.com/poll/46w7txu55gkt25rh?utm_source=poll&utm_medium=link) - [CLI setup](https://github.com/notaryproject/tuf/pull/11) - Reviews requested - [CLI design](https://github.com/notaryproject/tuf/pull/10) - ### Notes: - _meeting minutes_ ## October 7, 2021 ### Attendees: - Brandon Mitchell - Marina Moore - _add yourself_ ### Agenda Items: - [Options for uploading TUF metadata](https://hackmd.io/6iqoF3ZvSHyljajRd7hhCg) - [Workflow demo](https://github.com/notaryproject/tuf/pull/9/files) - What are we signing? - digests or descriptors - Can we use Notation signatures as delegated targets metadata? ### Notes: - TUF Metadata uploading: - Either option 1 or 2 should be fine, option 3 could be added later like adding a symlink in a filesystem (Brandon) - _meeting minutes_ ## September 23, 2021 ### Attendees: - Brandon Mitchell - Marina Moore (NYU) - Sajay Antony - Ethan Lowman (Datadog) - Trishank Karthik Kuppusamy (Datadog) - _add yourself_ ### Agenda Items: - [Proposed API](https://github.com/notaryproject/tuf/pull/10) - [Demo draft](https://github.com/notaryproject/tuf/pull/9) - Question (Ethan): What is the motivation for signing an OCI descriptor rather than using the OCI manifest verbatim as the TUF target (using the OCI digest & size as the TUF digest & size). Is it mainly to avoid type confusion attacks? ### Notes: - _meeting minutes_ ## September 16, 2021 ### Attendees: - Steve Lasker (Microsoft) - Ethan Lowman (Datadog) - Sajay Antony (Microsoft) - _add yourself_ ### Agenda Items: - [TUF metadata on a registry](https://github.com/notaryproject/tuf/issues/3) (Marina) ### Notes: - _meeting minutes_ - [Sajay] - Would like to get clarity on what needs to be distributed offline. This needs to be typically small since ephemeral clients need to obtain (keys/policy through something like a mount) - How many requests does the client need to make after it resolved the manifest or descriptor? - For e.g. do we need 3 or 5 requests to get the signature data on a clean client. (without considering the bootstrap data like policy/keys/root.json) - Can we scope the problems to single repository firsts and then consider remote respositories. - Multiple (origins/dns) is a concern for the customers we have spoken to. There have been strongs asks of not requiring more than the trusted set of DNS and all content needs to come from within their network. - For revocation we do need to reach out to a different origin so it makes sense for administrators to manage these kind of workflows like importing content or TUF metadata ## 2021-09-09 ### Attendees: - Marina Moore (NYU) - Steve Lasker (Microsoft) - Brandon Mitchell - Trishank Karthik Kuppusamy (Datadog) - Sajay Antony - Jon Johnson - Ethan Lowman (Datadog) - _add yourself_ ### Agenda Items: - [New issues](https://github.com/notaryproject/tuf/issues) - Slack channel? - Update on implementation effort ### Notes: - _(very incomplete meeting minutes)_ - May need to shard snapshot data for large orgs - Shard with OCI index to nested list may help sharding - Steve: "A demo-script that uses `oras discover` and an implementation of distribution that supports references. This should give you the infra to validate the tuf implementation works, or has gaps we should fill." - https://github.com/SteveLasker/Presentations/tree/master/demo-scripts/reference-types - Tag signing: Steve wants ability to know all digests (history) that a tag has pointed to, and what's current - Timestamps: - either need constant updates or multiple TUF servers pushing updates - Brandon: are reference types scoped to a single repository? - Steve: not yet, deferred for now, until we can tighten scope for a single repo - Steve: while the artifact-spec currently scopes to a repository, it's related to lifecycle managmeent/gc and a means to copy a graph of content within and across registries. Nothing stops the content stored in an artifact to reference cross repo content. - Sajay: TuF v1 kept a different catalog which makes the lookup dependent on a different tag store and hence can lead to tag drift. Deployment engines typically look at the registry so would be good to have the registry the start point of lookup and not have a different catalog for TUF. - **Tooling for timeliness** - Can we discuss standalone tooling that can be run in some environment that is outside the registry and set expectations on how to honour timeliness of the signatures. For e.g. should we consider a daemonset that customers can run to keep the signatures updated with some scoping of the what keys - **Cross repository** - Currently the artifact spec doesn't have cross repository support and if we needed this for supporting a snapshot or Tuf metadata across repositoires it would be nice to define the linkage and lifetimes of the metadata. - **Size and sharding of content** - Collection signing can lead to large scopes. Can we consider how a signer can update just one tag without worrying about the state of other tags in the same repository. ## 2021-09-02 ### Attendees: - Marina Moore - Steve Lasker - Brandon Mitchell - Justin Cormack - Trishank Karthik Kuppusamy - Pritesh ### Agenda Items: * Platform for minutes * [Issue on tuf-notary repo](https://github.com/notaryproject/tuf/issues/2) * Separate these into sub-issues, with this as a TODO list for v1 * Open to new items for this list * Defining project goals * How to do updates on registries * external service in charge of snapshot * addition to registry spec * move/scope project goals from notation repo * What can we implement now, what needs more discussion * Start with targets, root metadata * Implement based on artifact spec? ### Notes: - What images should be included in targets metadata - Notary v1 users usually include all versions of an image - how can we limit this to ones we actually want to sign - # Archived Notes # Meeting Notes Template (template for copying) ## Meeting Date ### Attendees: - _add yourself_ ### Agenda Items: - _add your topics_ ### Notes: - _meeting minutes_