- Toddy Mladenov
- Vani Rao
- Manifest Fallback Support
- Vani is working with Nima
- Toddy is investigating the behavious of various registries
- Extracting the descriptor from the signature in
notation inspect
- We can investigate what would it take to add this capability
- We should at least cover how to do that using JWS- and COSE-specific parsers in the documentation
- Toddy Mladenov
- Yi Zha
- Shiwei Zhang
- Patrick Zheng
- Feynman Zhou
- Samir Kakkar
- Vani Rao
- Junjie Gao
- Nima Talebi
- add yourself
- Planning for the Manifest Fallback Support (Vani/Nima)
- Notation inspect command review/discussion (Samir/Vani)
- Do we need docker client running on machine for registry creds in notation? (Pritesh)
- For PRs created by dependabot like the follows, do we still need approvals from different orgs?(Yi)
- Implementation planning for Manifest Fallback support to be shared next week.
- Oras CLI fallback feature test results to be shared.
- PRs created by dependabot will still need approvals from different orgs, collectively it will be priortized from both orgs to get merged quickly.
- Toddy Mladenov
- Vani Rao
- Samir Kakkar
- Review the roadmap items and see if anything needs to be brought in for RC-2 ( Samir)
- The purpose of the roadmap repo (Samir)
- _meeting minutes
- Toddy Mladenov
- Vani Rao
- Samir Kakkar
- Yi Zha
- Patrick Zheng
- Fallback Support Priority. Any further updates from the other community ? (Vani)
- RC.2 release items priority from customers perspective (Vani)
- Semantic Versioning https://github.com/orgs/notaryproject/projects/10/views/22
- Notation inspect signature iteratively will be a good feature for rc.2 from customers perspective https://github.com/orgs/notaryproject/projects/10/views/22
- Include Metadata at the time of signing (Attestations) which is also iterative and additional feature for customers notaryproject/roadmap#67
- E2E Testing and Debug logging can be moved to rc.3 because we already have a version of it in rc.1, since both are incremental, this can be moved. Any opinions (Vani)
- Fallback Support Priority/resourcing
- Release date Dec 5, 2022 for rc.1 release, see summary. (Yi)
- rc.2 plan, see discussion. (Yi)
- New Notary website prototype preview and ask for feedback (Feynman)
- Fallback support
- Notary compatibility
- We discussed prioritzing the following:
- Stabilizing the signature format so content signed with RC1 can be consumed by all subsequent releases. The APIs may have additive or breaking changes
- Stability the APIs so users can pull newer versions, or use older versions of the notation cli or the notation-go library without concerns of breaking changes
- Adding capabiliites that are still backwards compatible, but older versions aren't necessarilty compatible. This could be in signature content, or apis. The user would need to update their clients to support the new capability. This is to avoid a frozen state of the project.
- We discussed prioritzing the following:
- Vani Rao
- Samir Kakkar
- Toddy Mladenov
- Pritesh Bandi
- Yi Zha
- Patrick Zheng
- Sajay Antony
- Feynman Zhou
- Shiwei Zhang
- Steve Lasker
- rc.1 release readiness Dec 5, 2023 - Resolve the usage of "notation remove" vs "Notation delete" notaryproject/notation#466 (Vani)
- Release notation v1.0.0-rc.1 (Yi)
- rc.2 scope and timeline, see latest proposal (Yi)
- rc.2 plan and new proposed date, see latest scope proposal (Vani)
- Restrict permissions on repos (Pritesh)
- Discuss the roadmap items and move things in the "roadmap" repo accordingly (Samir)
- meeting minutes
- Need to clarify the behavior for registry backwards compat, when the registry doesn't support OCI Artifact Manifest: TODO: Open an issue/PR on Signature Specification
- Related issues:
- Vani Rao
- Samir Kakkar
- Toddy Mladenov
- Pritesh Bandi
- Yi Zha
- Patrick Zheng
- Sajay Antony
- Feynman Zhou
- Shiwei Zhang
- Release date Dec 5, 2022 for rc.1 release, see summary. (Yi)
- rc.2 plan, see discussion. (Yi)
- New Notary website prototype preview and ask for feedback (Feynman)
- Yi Zha
- Patrick Zheng
- Vani Rao
- Pritesh Bandi
- Samir Kakkar
- Code freeze targeted EOD of Wed Pacific time, E2E Testing will start Thursday and Friday. Status check-in.
- Confirm fallback to image manifest is not in rc.1, see illustration.
- Discuss any special documentations or blogs required for rc.1, since it is a major milestone.
- Rc.2 scope discussion (if we have time).
Vani Rao Samir Kakkar Toddy Mladenov Pritesh Roy Williams
- Rc.1 release status update, see discussion notaryproject/specifications#205 (Yi)
- Suggest to scope out more issues and set code freeze date on Nov 23.
- rc.2 scope discussion kick-off, see discussion notaryproject/specifications#206, please add your comments there. (Yi)
- Suggest plan regular releases per monthly cadence
- Suggest plan on-demand releases for critical issues.
- Unblock of Ratify is done. Ratify dates will not be delayed.
- Notation-Go refactoring have two PRs (#200 and #207) left for review. #207 is waiting for rebase. There is not too much left to do on that.
- Notation CLI should be fine. We need to update the CLI after the refactoring of Notation-Go
- Notation using OCI artifacts to store signatures is done in the library.
- For the timeout we should have a write up for the behavior as part of RC.1 but implementation is not blocking for RC.1.
- Tag to SHA translation - spec is in review right now. Improving the documentation and the output from the CLI implementation will be post RC.1.
- Pritesh
- Toddy M
- Vani
- Patrick Zheng
- Feynman
- Sajay
- Yi Zha
- Changed the meeting timing for Monday based on the daylight time saving. Send the latest invite for 4:00 PM PST timeframe.
- Approve and merge #186, with following issues to be addressed after refactoring (Yi) -- This will unblock Ratify since the API interfaces are reviewed and aligned
- Fallback support: Should we support artifact manifest fallback if its not an OCI image / distribution spec? Also, how will manifest fallback work? If notation is not able to push artifact manifest, notation will try to push oci manifest? If so are there any sharp edges? (Pritesh)
- Update the signature manifest spec to accept both the OCI Artifact manifest and the OCI image manifest.
- Update the signature manifest spec to accept both the OCI Artifact manifest and the OCI image manifest.
- The client SHOULD generate and push OCI Artifact manifest to the remote registry.
- The client SHOULD NOT generate and push OCI Image manifest to the remote registry.
- The spec MUST NOT define anything related on the manifest fallback but accepts two manifest types.
- For the OCI image manifest, the spec SHOULD define how the config blob is generated and processed.
- Update notation-go implementation and documentation.
- On push, it pushes OCI image manifest if the attempt of OCI artifact manifest fails due to not being supported by the remote registry.
- On pull, it accepts both manifest type
- Potential RC1 issues (Pritesh)
- fractional second support for expiry and signing time - Whats the usecase? (Pritesh)
- Website and documentation - Toddy
- Yi to discuss with Steve on the rescheduling the invite for Monday from 5:00 PM PST to 4:00 PM PST.
- RC1 supports registries that are compliant with OCI Artifact Manifest like ECR, ACR, Zot. The fallback solution stated above in agenda will be moved to RC2 and will need more deep dive on the approach and solution.
- During verification use signature filtering will be moved out of RC1 scope and will be taken into RC2.
- GenerateEnvelope plugin request doesnot have expiry has two parts to it - 1. Spec update (Pritesh/Vani) and 2. Implementation (MSFT). This issue will be in scope for RC1.
- Vani Rao
- Toddy SM
- Samir Kakkar
- David Tesar
- OCI compatibility https://cloud-native.slack.com/archives/CQUH8U287/p1668101298107019?thread_ts=1668100458.892709&cid=CQUH8U287
- Open SSF Scorecard issues notaryproject/notation#408
- Security Incident Response
- CNCF Fuzzing
- What's supported/stable at RC-1
- Website/Documentation support
- We will implement OCI for RC-1. It isn't sure how this has been factored into timeline. Samir was unsure of why ORAS can't handle this on it's own, but will wait for Yi's spec for futher discussion.
- We should implement a security incident response page ideally for RC-1. Waiting to see if enhancements in coming days from GitHub may meet our needs, but regardless will need a security incident response page. This is raised on CNCF scorecard as well.
- There is possiblity for resources from CNCF to support/add fuzzing to the project. I reached out on Slack to security thread, but still no response. https://cloud-native.slack.com/archives/CDMCCN2SJ/p1667949707733439 Not critical for RC-1, but would be good to get in the queue to get CNCF resource support here.
- Supportibility: On the client side, the sub commands which are marked supported for RC-1 will be in the release notes if we don't implement any of the suggestions here: notaryproject/notation#257
- Supportibility: On the API side we should try to not have any major breaking changes although realize this might be possible and will defer to SemVer to help with this.
- Supportibility: Biggest factor is having stable signature stamp for what is signed so future versions will be able to verify previous things which are signed.
- AWS will take a look at all of the items here: notaryproject/notaryproject.dev#77 (comment) and get back to us on the #notary-docs channel on where they can help. Agree we need to have more regular updates and can post link(s) to vendor-specific implementation updates at least for RC-1.
- Yi Zha
- Sajay Antony
- Feynman Zhou
- Shiwei Zhang
- Patrick Zheng
- Rakesh Gariganti
- Vani Rao
- Toddy SM
- Samir Kakkar
- Jungie Gao
- What we can do to improve the Trust policy UX for rc.1 release? notaryproject/notation#398 (Yi)
- Reopening notaryproject/notation-core-go#88 as this is causing an issue with verification plugins (Rakesh)
- Stay on track to unblock Ratify as of 11/11/2022.
- Agreed to move time to 4:00 PM PST( Basically keeping the time the same)
- Need to make getting started easier. Requires a user story created for a command like
notation init
- Can we create good default trust policy
- can we take user inputs to enable a good experience for signing and verification
- Trust policy needs improvements to enable adding/removing scopes
- Define use cases of possible improvements for adding allow/deny list and with support for wildcard scopes.
- Vani Rao
- Patrick Zheng
- Samir Kakkar
- Rakesh Gariganti
- Shiwei Zhang
- Yi Zha
- Feynman Zhou
- Toddy Mladenov
- Junjie Gao
- David Tesar
- Continue to review refactoring Notation-go proposal
- Check the release status of Notation beta.1
- HLE 1-2 days estimate to complete refactoring work in notation-go for Ratify TS/TP development - MSFT or we can take it starting tomorrow and complete it by Monday.
- If this is completed by Monday, can MSFT estimate Ratify time frame to complete the TS/TP and what is the date look like prior to 12/01.
- Is all refactoring notation work needed, this is something new that got added to RC-1, so along with the tasks on RC-1 Github what is the time estimate to hit 11/15 for RC-1. What is must TOGO for RC-1 and what can be moved to RC-2.
- Come up with a plan to hit 11/15 date for RC-1 across all the items and complete the estimation on the GITHUB which has no assignment.
- Vani Rao
- Patrick Zheng
- Samir Kakkar
- Rakesh Gariganti
- Sajay Antony
- Shiwei Zhang
- Yi Zha
- Feynman Zhou
- Toddy Mladenov
- Junjie Gao
- David Tesar
- Great team work on Notation project beta.1 release. KUDOS! (Yi)
- Review refactoring proposal -- important for rc.1 release, at least 30 min needed (Yi)
- Speed up the PR review for beta.1 release (2 days left for release), currently there are total 10 PRs in the queue (Yi)
- Vani Rao
- Samir Kakkar
- Rakesh Gariganti
- Sajay Antony
- Shiwei Zhang
- Yi Zha
- Feynman Zhou
- Toddy Mladenov
- Junjie Gao
- David Tesar
- Walk through PRs (Yi)
- Which team will do the implentation per the changes in plugin spec (Yi)
- rc.1 call-out: (Yi)
- Should we add "Notation supports OCI artifact" in rc.1? ORAS-go v2.0.0-rc.4 release on Oct 31 will support OCI artifact.
- Support of "--debug" option requires refactoring in notation-go (Proposal is under prepration)
- Signing workflow is not fully compliant with spec, which was found during notation-go code review. Need to be fixed
- Next step for issue Using Verifier without a repository
- Mark issues and PRs for beta.1 release based on the scope "verify using TS/TP + new CLI specs" (Yi)
- Finalize the Alpha.4 Release Notes and migrate all release notes to the website (Feynman)
- Work with Ratify on next steps and priortizing of ratify-project/ratify#274 after Notation beta-1 is available.
- Rakesh will help to review PRs
- Bring OCI artifact support from ORAS-go v2.0.0-RC.4 post Notation v1.0.0-beta.1
- Create a GitHub issue to track the
--debug
option (there is an existing issue, I can add it later here.) - Shiwei's team will share refactoring proposal by this week
- Create a GitHub issue to fix the problem of signing workflow is not fully compliant with spec
- Provide a proposal against Rakesh's comment to Using Verifier without a repository
- Samir will resolve the comments in Alpha.4 Release Notes and publish it on the Notary Website
- Good to consider nested verification when considering notation-go refactoring. See related ratify issue
- Review the proposal of pagination solution
- David Tesar
- Smir Kakkar
- Vani Rao
- Alpha4 testing Status - Any blockers or call out ? - Ratify consumes notation as code(depends on notation-go) not via cli. As per ratify’s go,mod they are using alpha1 of notation. For trust-store/trust-policy Ratify should use this function which will default trust store and trust policy location to notation’s location but we should test this with next release of Ratify.
- Define Beta1 Milestone - Based on the initial discussion as of 10/10/2022, this release will include "verify using TS/TP" + new CLI specs - Tentatively end of this month.
- notaryproject/notation-go#137 - Close pending discussions.
- Way forward for RC-1 release. We need to align on the issues list from GITHUB. Fill estimates for task assigned notaryproject/projects/10/views/8
- Working with Yi on the estimates - Vani / Pritesh
- Discuss in the community call for all the “-1” which is yet to be estimated. Target RC-1 for 11/15 and call out if any blockers or concerns.
- “COSE Spec” status - ETA ?
- Offline/Local Signing experience Finalize next steps and rough estimation.
- Discussion and alignment on support for “signing with local keys” notaryproject/roadmap#15.
- Separate the two issues “Content being local” vs “Key being local”. Content being local is not a blocker but key being local is a blocker. notaryproject/roadmap#44 (edited)
- Data versus Developer compatibility
- Ratify and discussion on do we want people to take dependency on notation-go
- We will release beta 1 at end of month, not call it alpha 5
- Try to target getting this PR merged before next dev release on Sunday. notaryproject/notation#343
- Issue: Using Verifier without a repository
- Issue: System vs User file/directory precedence
- Next release timeline?
- Offline signing UX proposal - https://hackmd.io/bwQx3LxHQHOrBpR-RRM8Qg?view
- Vani Rao
- David Tesar
- Pritesh Bandi
- [User Story] CLI Cmds for Trust Policy Management I remember this US is not in rc.1, suggest to remove this from rc.1. Another suggestion is to add issue of OCI artifact support into rc.1 -- Yi
- alpha.4 is about to release on Oct 13 PST time. Since COSE Support is now in alpha.4, so Samir may need to update the release note accordingly. -- Yi
- Updated the status in notation planning board. In short, Shiwei's team will start to work on command implementation according to the updated spec, and this issue Debug option, on which rough estimation al least 3 weeks effort. -- Yi
- Suggest to review and merge PR 373 rather than PR 370 for "verifying using TS/TP", since the code is already in dev-rc.1 branch with additional changes and already tested in dev-rc.1 branch. Sorry for missing the communication before last holiday week. Now it is just need to be merged back to main branch. -- Yi
- Added CLI help doc for Alpha.4 in PR 384 and PR 394, need to be reviewed before cutting Alpha.4 (Feynman)
- Alignment of the issues as part of RC-1 https://github.com/orgs/notaryproject/projects/10/views/8. Estimate for completion. (Pritesh/Vani)
- Discussion Threat model (Notary + Internal) notaryproject/notation#391 (Pritesh)
- Notation sign/verify Tag to Digest translation notaryproject/roadmap#61 (Pritesh)
- Local key signing notaryproject/roadmap#44 (lower priority) (Pritesh/Vani)
- Documentation - Multiple open issue; ReadME; hello world example
- Website updation like official binary linking etc
- Will be get Nate from CNCF?
- External Security Review ? (Discussion - Pritesh/Vani)
- Fine to publish an updated alpha.4 release IF we can get the two CLI help PRs merged today (North America day time). China team will release their daytime 10/14 with those two PRs if merged or not, so 10/14 morning NA time it is released.
- Ok to add COSE to release notes after release
- Pritesh added some items to RC-1, briefly reviewed on call and seem reasonable. Some items might have already been in process by Shiwei's team. Need to assign owners where there are none.
- Need to cleanup RC-1 issues backlog. Many of the issues are closed, for instance COSE support. After this we need to have a sync with Vani/Yi/Samir/David about timelines for alpha.5 and RC-1 as well as trying to get into a more regular and smaller release cadence with a smaller set of scoped user stories which deliver end-user value. This would ideally be out-of-band from community calls.
- Need to clarify what else we actually need for notary website with RC-1. The RC-1 tagged issues are out of date. Created this "epic" to track in a single place.
- Patrick Zheng
- Yi Zha
- David Tesar
- Vani Rao
- Pritesh Bandi
- Samir Kakkar
- Milind Gokarnm
- Enable the official release start from Notation Alpha.4 and disable the weekly dev build, see proposal (Feynman)
- The Notary documentation structure and content has been updated by Zach; We need to improve the user manual for KubeCon and RC.1 (Feynman)
- Feynman is updating the Notary release process doc and will provide a guideline for cutting alpha.4 (Feynman)
- Will Notation v1.0.0-alpha.4 work with AWS KMS? Can we provide a guide for users? (Feynman) --> not now or in time for KubeCon
- PR review list updated
- Way forward notaryproject/notation#370
- Walk through rc.1 issue list
- Cut the alpha-4 release now with the support for "self signed cert", and for use at KubeCon
- Alpha-5 will come with "Trust store and Trust Policy" support.
- As soon as alpha-4 is released, we check in PR from Rakesh notaryproject/notation#370 first, and then add any other changes on top
- In Thursday meeting we can discuss if items from RC-1 can be brought into Alpha-5.
- Lets rethink the user/system level split It needs to be more simple/clear.
- Samir/Vani will cut alpha.4 release for notation-go (core-go is done). Yi/Feynman will release notation alpha.4 after dependency update PR merged including latest notation-go with alpha.4 and ideally removing notation-core-go dep if reasonable to easily remove. If notation-core-go dep can't easily be removed, then put into file new issue.
- Vani Rao
- David Tesar
- Samir Kakkar
- Pritesh Bandi
- Nima Talebi
- Brian Lee
- Alpha4 dev build for Oct 13, 2022 - GREEN - Any call outs ?
- Question from MSFT - Notation Github Action consider moving to notaryproject repo as "notation-action"- Vani/ Steve commented in the notary v2 channel. (David/Pritesh/Vani).
- Go through RC1 stories/issues and call out any blockers.
- Vani Rao
- David Tesar
- Samir Kakkar
- Pritesh Bandi
Alpha 4 Release Task List - 10/13/2022 will be the Dev Build - Status is GREEN.
- Alignment of Trust Store and Trust Policy in Alpha 4 (Pritesh/Feynman)
- As per notaryproject/roadmap#45, notation should perform signature verification using TS/TP and customer will manage TS/TP manually (on their own). – Pending Work for Alpha 4
- Alpha-4 release (10/13/2022) - David / Feyman / Samir / Vani
• PR Priority List – Work in progress
- notaryproject/notation-go#137 dir package isolates read/write path
notaryproject/notation-go#146 support cose envelopenotaryproject/notation#341 Add notation sign CLI spec- notaryproject/notation#361 add CLI notation certificate and key specs
- notaryproject/notation#362 add CLI specs for notation list/login/logout/plugin
- Go through RC1 User Story / Issues and call out any blockers
- David Tesar
- Vani Rao
- Re-Opened Story notaryproject/roadmap#45 - Trust Store and Trust Policy in Alpha 4
- Testing of the Dev Build.
- Readiness to cut Release Alpha 4
- Call out if any blockers for RC-1, or any dependency on any development work for anyone to proceed.
- Notation Github Action consider moving to notaryproject repo as "notation-action"
- Please review PRs in order of priority
- RC-1 high-priority item to consider - local/offline signing
- Pritesh Bandi
- Patrick Zheng
- Vani Rao
- David Tesar
- Yi Zha
- Feynman Zhou
- Kudos to Pritesh and Shiwei's team for making big progress in PR review in a collaborative way. (Yi)
- Any update on PR review priority list? (Yi)
- Anything we need prioritzation and dependency consideration, since next week is public holiday in China. (Yi)
- Trust store and trust policy in alpha-4? (Pritesh)
- It's been moved to RC-1
Alpha 4 Release Task List - 09/30/2022 - Status is YELLOW Team to align across all the pending activities for Alpha4
- refactor: refactor pluginSigner to support new signature interface#131 - All reviews are completed. Waiting for MFT to merge. Post merge Pritesh to create a new PR. (Pritesh)
- Fix the certs validation in trust store - notaryproject/notation-go#151 - COMPLETED (Pritesh)
- COSE envelope implementation - notaryproject/notation-core-go#75 - 2 Pending reviews which is part RC-1 (Pritesh/Milind).
- Failed to sign images using self-signed certificates created from Key vault#320 - Yi is waiting on merge notaryproject/notation-go#147 and notaryproject/notation-go#131. Use latest notation-go and notation-core-go and test. Yi to come back with the results. (Shiwei)
- Bump notation-go libraries for alpha-4 release#347 - David created and linked to #357 which might resolve this issue. Once PR #357 is merged #347 will be automatically closed.Currently#357 is in draft. What is blocking ? (David)
- Create v2.0.0.alpha-4.MD release notes #65 - verify (All) - Any questions can be commented on git.
- Release a new version of Notary V2 specification#183 - David modified the milestone to point to Alpha 4. (David)
- Testing Plugins prior to Alpha 4 Release. (Discussion)
- Any clarification or roadblock for RC-1 ? (Call Out)
- David Tesar
- Samir Kakkar
- Ian McMillan
- Pritesh Bandi
- Sorry for a long agenda item. I did a status update on notation planning board, there are 8 PRs to be reviewed or in-review, and 5 issues pending PR creations. If we spend one week on reviewing one PR in sequential, there will be at least 8+5 weeks, which means 3 months, then it will be next year. Not to mention there will be more PRs to be fired in upcoming weeks. How can we speed up to clean up the PR-review queue? Can we complete the existing 8 PRs by end of Sep? The following PR need to be reviewed and merged ASAP, since there are some refactoring code merged in notation-core-go these days, and the following one is for refactoring in notation-go. (Yi)
- Cut Alpha 4 release on 09/23/2022 or 09/26/2022.
- Relax the certificate chain requirement to be compatible with the self-signing certificate. Complete the update to the Spec. notaryproject/specifications#193. - COMPLETED
- Build notation-go and notation core-go with the latest ORAS-GO lib changes. - COMPLETED
RC 1 Release Task List - Status - Yellow ( No Blockers called out - Yet to determine Release cutoff date)
o Notation Sign experience notaryproject/roadmap#40 - Yet to be reviewed by Yi/Milind/Pritesh. In Progress o As part of the user story notaryproject/roadmap#41 - Need feedback for the issue notaryproject/notation#228 from Yi and Feynman. InProgress o Notation plugin extensibility to sign and verify - notaryproject/notation#240 - Reduced scope as part of the user story (notaryproject/notation#193) - based on the Dir structure Spec document copy paste the plugin - Roughly 2 weeks. Yi/Shiwei- InProgress. o Validate if the implementation is sufficient for RC1 "Notation Plugin List - notaryproject/notation#241 "- The user story is here to ensure: - There is nothing missing/needed for what we're deeming RC-1. - That we're all on the same page that we want to support this for RC-1. - Pritesh to verify - InProgress o Two main items from the user story notaryproject/notation#230 need clarification. Steve - Validate if "Implementation of the new Plugin command" is in place. - Validate if we need additional story for the "Spec CLI Command" to modify and have visibility on the new plugin command. - Scope for Signer plugin - need to test and verify. Internal to AWS ONLY
o Support COSE as signing envelope notaryproject/roadmap#7. Yi to confirm if this is merged to the Main in the other cose branch. Review from Pritesh/Milind. - InProgress o Other items for RC-1, not covered by explicit user stories above. - CLI logging is part of RC1 (debug) notaryproject/notation#300 - For notation client Sign and Plugin. - Logging framework in ORAS ? Need more discussion. Shiwei - In Discussion - Notation default signature format. Milind/Shiwei/Roy - COSE and JWS - Which format is default during signing. o One review pending for "Relax EKU requirements on signing certificates " - notaryproject/specifications#167 - Milind o Threat Model - Larger team discussion. o External Pentest of Notation, decide if RC1 is the right time to do this. - Larger team discussion. o Complete revocation spec in RC-1
- To help with the backlog of PR open for reviews, we need to establish a priortization mechanism. Before the Monday NV2 sync meeting, we must establish that prority list, ideally the friday before. Lets make it a recurring agenda item, and any person waiting on their PR must add it in the list. We also discussed going back to utilizing the Monday evening calls for resolving high-priority PRs with goal to merge during call. PR Review criteria guidance still valid and suggestion for non-critical PRs where we don't necessarily need cross-org review to have same team quickly give two different code reviews so can merge no later than 1 week after approvals. Made a minor suggestion to this guidance in that discussion thread.
- Before Alpha-4 is released, need to test notaryproject/notation#320 is now working. We created a new alpha-4 milestone
- Vani and Samir will work with Yi and Feyman, on doing the alpha-4 release steps before or during the 9/26/2022 call.
- Pen Test and Threat Modeling. Want to do it as part of RC-1, but is this a must have will require further discussion. David proposed it being after RC-1 as COSE already has this testing and it will cause likely significant delays to RC-1.
- Ian is going to sync up with David to fix the DCO issue on the minor spec PR. Agreed we should just merge this after that is resolved.
- Yi Zha
- Feynman Zhou
- Samir Kakkar
- Pritesh Bandi
- Shiwei Zhang
- Patrick Zheng
- Josh Duffney
- Sajay Antony
- Milind Gokarnm
- Roy Williams
- COSE PR review
- Pushing review on refactor PR #76: Once this PR is merged, Stage/cose branch will be rebased and merged to main since JWS refactoring is done.
- Confirm the rc.1 scope
Alpha 4 Release Task List Status : Green
- Relax the certificate chain requirement to be compatible with the self-signing certificate. Complete the update to [the Spec] - Spec approved by David
- Implementation of the self-sign certificate changes, ETA will be 09/22/2022. Review is in progress for notaryproject/notation-core-go#77
- Build notation-go and notation core-go with the latest ORAS-GO lib changes.
- Cut Alpha 4 release on 09/23/2022 or 09/26/2022. Group alignment.
RC 1 Release Task List Status : TBD based on scope and planned release date
- Status of [user Stories for RC-1](https://github.com/orgs/notaryproject/projects/10/views/10)
- Review and add any comments on the proposal of using CLI to manage trust store published by Yi. https://hackmd.io/@yizha1/cli_trust_store - Pritesh/Milind. InProgress
- Configuring Trust Store in notation and CLI work for Trust Store notaryproject/roadmap#38. Once the review of CLI spec for Trust store is completed by all of us, Patrick Zheng to implement trust store CLI commands. - InProgress
- Notation Sign experience notaryproject/roadmap#40 . To be reviewed by Yi/Milind/Pritesh. InProgress
- As part of the user story notaryproject/roadmap#41
- Need feedback for this issue notaryproject/notation#228 from Yi and Feynman. InProgress
- Notation plugin extensibility to sign and verify notaryproject/notation#240
- Reduced scope as part of the user story (notaryproject/notation#193) - based on the Dir structure Spec document copy paste the plugin - Roughly 2 weeks. Yi/Shiwei- InProgress.
- Validate if the implementation is sufficient for RC1 "Notation Plugin List - notaryproject/notation#241 ". The user story is here to ensure:
- There is nothing missing/needed for what we're deeming RC-1.
- That we're all on the same page that we want to support this for RC-1.
- Pritesh to verify - InProgress
- Two main items from the user story notaryproject/notation#230 need clarification. Steve
- Validate if "Implementation of the new Plugin command" is in place.
- Validate if we need additional story for the "Spec CLI Command" to modify and have visibility on the new plugin command.
- Support COSE as signing envelope notaryproject/roadmap#7. Yi to confirm if this is merged to the Main in the other cose branch. Review from Pritesh/Milind. - InProgress
- Review and add any comments on the proposal of using CLI to manage trust store published by Yi. https://hackmd.io/@yizha1/cli_trust_store - Pritesh/Milind. InProgress
- Other items for RC-1, not covered by explicit user stories above.*
- CLI logging is part of RC1 (debug) notaryproject/notation#300 - For notation client Sign and Plugin.
- Logging framework in ORAS ? Need more discussion. - Shiwei - In Discussion
- Notation default signature format. Milind/Shiwei/Roy
- COSE and JWS - Which format is default during signing.
- One review pending for "Relax EKU requirements on signing certificates " - notaryproject/specifications#167 - Milind
- Threat Model - Larger team discussion.
- External Pentest of Notation, decide if RC1 is the right time to do this. - Larger team discussion.
- Complete revocation spec in RC-1
- CLI logging is part of RC1 (debug) notaryproject/notation#300 - For notation client Sign and Plugin.
Task List Post RC1 Release
- No objections to moving implementation of revocation feature to RC2, we'll complete spec in RC1
- No objections to moving TSA support to post RC1. This will impact scenarios where short lived certs are used.
- Implementation of Trust policy for CLI commands to RC2. https://github.com/notaryproject/roadmap/issues/39
- Two issues for notation to support OCI reference type, as following: (No action listed - Build to be done with the updated dependencies)
- notation-go repo: notaryproject/notation-go#136
- notation CLI repo: notaryproject/notation#33 (notaryproject/notation#335
- The issue of supporting OCI reference type tracked in ORAS-go is oras-project/oras-go#271, which is included in ORAS-go milestone v2.0.0-rc.4 planned in late Oct 2022.
Miscellaneous Tasks
- Junjie need the following clarification (requested on 09/13/2022) - Who is helping ? The go version has been updated to 1.19 for notation and 1.18 for notation-go and notation-core-go, but our Github CI required check need go 1.17 to be built, which blocks the PR to be merged. Can someone with repo admin privilege help to cancel the go 1.17 required check for us? - More Context on this blocker.
- Gated release process via GH actions where # of maintainers must approve - David.
- We covered the next steps on two user stories, "Trust Stores CLI Cmd" and "Sign Cmd"
- Live discussion on refactor PR [#76](notaryproject/notation-core-go#76
- We agreed to create seperate issues for RC-1 for items that are not expressely covered by user stories ( all items in the above agenda .
- We agreed to trial using the "comments" coulmn in "Notation Planning" project to track last updates Vs putting them in the list of Agenda items
- David Tesar
- Samir Kakkar
- Milind Gokarn
- Roywill
- Pritesh
Alpha 4 Release Task List
- Relax the certificate chain requirement to be compatible with the self signing certificate , Complete the update to the spec notaryproject/specifications#193.
- Implementation of the self-sign certificate changes, ETA will be 09/22/2022. PR is raised.
- Build notation-go and notation core-go with the latest ORAS-GO lib changes.
- Cut Alpha 4 release on 09/23/2022 or 09/26/2022. Community alignment.
RC 1 Release Task List • Notation Sign experience notaryproject/roadmap#40 • Use an extensible plugin to sign and verify the artifacts notaryproject/notation#240 • Notation Plugin List notaryproject/notation#241. Ensure there is nothing missing for RC-1 and the community alignment and confirmation. Conclude the next steps for notaryproject/notation#230 • Review proposal of using CLI to manage trust store published by Yi https://hackmd.io/@yizha1/cli_trust_store • Configuring Trust Store in notation and CLI work for Trust Store notaryproject/roadmap#38. Yi has CLI spec for Trust store. • Support COSE as signing envelope notaryproject/roadmap#7. Is this confirmed for RC-1 • CLI logging is part of RC1 (debug) - Conclude if anything here. • Should this user story be removed since both trust store and trust policy are tracked separately notaryproject/roadmap#41 • Notation default signature format. • External Pentest of Notation, decide if RC1 is the right time to do this. • Two issues for notation to support OCI reference type, as following: (No action listed - Build to be done with the updated dependencies) • notation-go repo: notaryproject/notation-go#136 • notation CLI repo: notaryproject/notation#335 • The issue of supporting OCI reference type tracked in ORAS-go is oras-project/oras-go#271, which is included in ORAS-go milestone v2.0.0-rc.4 planned in late Oct 2022.
Task List Post RC1 Release • Revocation feature implementation will be added in RC2, we'll complete spec in RC1 • TSA support will be added post RC1. This will impact scenarios where short lived certs are used. • Implementation of Trust policy for CLI commands to RC2. https://github.com/notaryproject/roadmap/issues/39
Miscellaneous Tasks • Junjie need the following clarification (requested on 09/13/2022) - Who is helping ? The go version has been updated to 1.19 for notation and 1.18 for notation-go and notation-core-go, but our Github CI required check need go 1.17 to be built, which blocks the PR to be merged. Can someone with repo admin privilege help to cancel the go 1.17 required check for us? • Gated release process via GH actions where # of maintainers must approve
- Roywill
- Milind Gokarn
- Yi Zha
- Feynman Zhou
- Steve Lasker
- Samir Kakkar
- Vani Rao
- Shiwei Zhang
- Next steps for alpha-4 /alpha-3-patch? Any remaining updates to release process? With oras-go v2.0.0-rc.3 released just waiting on support for self signed cert.
- Estimates for "migrate to OCI artifact from ORAS artifact"(Library that will work with OCI Spec). Shiwei/Yi/Milind
- Readiness for RC.1 - Work to be done in ORAS-go. oras-go #271
- Finalize the ORAS library commands.
- PR #73 notation-core-go refactor
- Branches
stage/cose
: stage changes to be merged tomain
cose
for working COSE envelope
- Full PRs:
- Related PRs:
- notation-go: notaryproject/notation-go#131
- Branches
- Walkthrough all the user story readiness for RC.1 and its timeline.
- (If needed) Close out on diagnostic logging scope RC.1
- (If needed) Close out on E2E CLI testing scope RC.1
- Review the test results for stability of RC.1
- (If Needed) TSA - consider just 1&2 in scope RC.1, 3&4 RC.2
- Trust Store & Trust Policy Milind walkthrough --> Discuss cli experience for RC.1
- CLI maturity
- Cache
- Push/Pull
- List
- Signature revocation - Need to align on plan even if no implemention in Notation for RC.1
- David Tesar
- Nima Talebi
- Vani Rao
- Milind Gokarn
- Align and conclude notation rc.1 release scope and ETA(release date), see Proposal. We can add comments in this proposal link, once we are aligned, we can update the GitHub milestones. (Yi)
- Align the work for sign and verify CLI experiences (Yi)
- see the proposal in comment
- Review CLI maturity
- Include diagnostic logging in RC.1 feature set. efine what type of logging and the estimate.
- Yi Zha
- Feynman Zhou
- Steve Lasker
- Samir Kakkar
- Vani Rao
- Roy Willimas
- David Tesar
- Milind Gokarnm
- Shiwei Zhang
- Align Notation rc.1 release content with effort estimate for all in scope user stories RC-1-UserStories in the notatary-plan board.
- Procedural cadence for the release. Define roles and responsibilities. Ex: Approval for release cut after submitting test results and release notes - Members from Maintianers group (https://github.com/orgs/notaryproject/teams/notaryproject-org-maintainers/members)
- Notation plans for supporting OCI spec. Migrate to OCI Artifact from ORAS Artifact. (oras-project/oras-go#271)
- Next Steps for Alpha 4/Alpha 3-Patch.
- As part of rc.1, we need to document the APIs.
- Ensure all items for rc.1 have an assigned owner.
-
Shiwei and Milind reviewed the open PRs
-
Alpha-4/Alpha-3-patch is gated on having support for "self signed certificate" and "oras-go rc.3 release"
-
Reviewed the proposed RC-1 release content
- Milind requested bringing in diagnostic logging in RC-1
- Milind pointed out the CLI commands for trust policy will be significant effort
- Milind clarified that sign and verify commands needs spec and implementation.
- We will break out trust store and trust policy work seperately
- Samir asked for inclusion of notaryproject/notation#300 in RC-1
- Steve will get data on the open items in OCI-reference spec and Shiwei will help us get a scope estimate for (oras-project/oras-go#271)
-
Will use automated end to end test cases to ensure quality releases.
- Jared Stein (MSFT)
- Samir Kakkar
- Nima Talebi
- Any more review comments from Rekesh on PR notation-core-go#53. This PR will be merged this week according to PR review process. (Yi)
- Align Notation rc.1 release date, the proposal is to release rc.1 by end of Sep, and the scope of user stories is as RC-1-UserStories in the notatary-plan board (Yi)
- PRs are still in review
- Lets add the scope effort for all items in RC-1, and then we can better estimate the date
- FYI : ORAS-go v2.0.0-rc.3 release date is
8/319/5
- Yi Zha
- Feynman Zhou
- Steve Lasker
- Libinbin
- Rakesh Gariganti
- Samir Kakkar
- Niaz Khan
- Vani Rao
- Review
- PR notation-core-go#53
- Pritesh's question answered at discussion notation#278
- Spec conflicts notaryproject#189
- signing-and-verification-workflow.md verifies the certificate chain before signing (steps 1.i and 1.iii).
- specs/plugin-extensibility.md verifies the ceritifate chain after signing (steps 5.i.c and 5.i.d.c).
- Align Notation rc.1 scope(feature level) and target date (Yi)
- Alpha-3 patch for pulling in "oras-go" upate for oras-project/oras-go#237, and doing a system release of Notar v2 (Vani/Samir)
- Rakesh to review the PR notation-core-go#53
- Rakesh to reply to issue notaryproject#189 and help to resolve the spec conflicts
- We will announce alpha-3 after the ORAS-go latest release 2.0.0.rc_3 ( due 8/31) is brought into an alpha-3 patch release
- Need to ensure the alpha-3-path ( or alpha-4) release is usable end to end
- For COSE to be a part of RC-1, need to understand the scope.
- OCI WG reference spec implementation work in ORAS-GO, should be a part of RC-1.
- Need to define our release process to ensure maintainers approve a release. Need to define test caes and ensure they are passing before release
- Yi will create a bug issue for the alpha-3 issue blocking signing/verifying end to end workflow
- Samir/Pritesh to merge PR to allow a self signed cert (not insist on a certificate chain)
- Pritesh Bandi
- Nima Talebi
- Vani Rao
- Milind Gokarn
- What's the purpose of notation-core-go refactoring? (Pritesh) Need more elaboration on the discussion notaryproject/notation#278
- Discuss the governance control for release.(Niaz).
- Reply to Pritesh's item, Binbin provided more information in GitHub discussion, please take a look, let us know any other questions. Due to time difference, it's hard to join the community morning meeting, but we could try using slack or Github for an offline discussion as well. Feel free to ping us if needed. (Yi)
- I cannot join the morning meeting due to timezone, but I would like to kick off the discussion for roadmap. Please provide your feedback on the following items (Yi)
- Align Notation rc.1 scope(feature level) and target date.
- The milestones post rc.1, what is the scope and timeline for rc.2, rc.x, 1.0.0 GA release
- Proposal: Can we book a dedicate timeslot to review the existing issues in roadmap repo, and make a release plan accordingly, we could review and update the release plan every month or other candence?
- Milind Gokarnm
- Nima Talebi
- Pritesh Bandi
- Shiwei Zhang
- Vani Rao
- Sajay Antony
- Yi Zha
- What's the purpose of notation-core-go refactoring? (Pritesh) Need more elaboration on the discussion notaryproject/notation#278
- Milind to clarify this issue Define experience for notation sign command #91 (Yi)
- What is left for issue Relax EKU requirements on signing certificates #167 (Yi)
- Nima need help driving the ORAS issue to closure oras-project/oras-go#237 and doing the release of oras-go. (Samir/Vani).
- Discuss the governance control for release.(Niaz).
- Shiwei to update signing alg to verbose names
- Milind to open a issue for changing keyId to keyName
- Milind to open an issue to simplify
generate-signature
such that keyspec->signing alg mapping is done by Notation instead of every plugin - Nima is adding unit tests for fixing empty response Docker-Content-Digest in ORAS-go. Shiwei and Sylvia will help to review this PR later
- Release ORAS-go and ORAS CLI after the issue empty response Docker-Content-Digest is resolved, then apply it in Notation
- David Tesar
- Samir Kakkar
- Milind Gokarnm
- Pritesh Bandi
- Shiwei Zhang
- Vani Rao
- For alpha-3:
- Need alignment on the version numbering
- Updating the https://github.com/notaryproject/notation/blob/main/RELEASE_CHECKLIST.md process to capture dependencies (notation-core-go -> notation-go -> notation) and (oras-go -> notation-go);
- And releasing each repo with version or not (notaryproject/notation-go#111)
- Progress on oras-project/oras-go#237 for registery interop .. PR in progress
- Post alpha-3:
- Our release process needs to be well documented. The current process does not apply to all repos
- We will do another alpha (or patch) release before RC-1 to include the PRs
- Milind/Pritesh provided feedback on PRs by Shiwei
- Shiwei/David: To identify signatures envelope (COSE or JWS) there are two use cases
- Signature coming from local storage where we don't have the manifest to tell us the signature envelope type
- Signature being pulled from registry, there we have the "media-type"
- Additionally, there could different verions of a signature envelope ( e.g. COSE could have multiple formats) Action Item: @shizh / @david to create an issue
- Pritesh: versioning for a particular signature format be left to the format. Example - JWS does it by using ‘cty' header
- Action items
- Samir update the System release (aka roadmap repo) notes for alpha-3 PR with the new version numbering
- Samir create an issue with third party library
- David to update Release checklist for all repos.
- Samir/Milind
- alpha 3: still two PRs not merged: #104 and #294, if not merged, notation sign and verify won't work. (Yi)
- alpha 3: addtional issue #97 (go-ldap/ldap upgraded from 3.4.3 to 3.4.4) reported by dependabot 15 days ago, recommend to merge it (Yi)
- alpha 3: Let Yi release notation-go, since there are release dependencies: notation CLI -> notation-go -> notation-core-go (Yi)
- Revise plugin extensibility spec by Shiwei
- Steve Lasker (Microsoft)
- Milind Gokarnm
- Vani Rao
- Samir Kakkar
- Finalize the Release notes for Alpha 3 and update on remaining open items if any. (Samir)
- Documentation of the Release Process. (Samir)
- RELEASE_CHECKLIST.md
- David recorded the process on ~May 31st, 2022
- Steve to look up recordings and post them
- May 31, 2022 - including release process from David release process at 59:52
- Need approval for Samir's request to add 'Vani Rao' to maintain release from GitHUB -https://github.com/orgs/notaryproject/teams/notation-release-managers/discussions.
- Completed
- fix: dir package optimize #104 needed for Alpha 3 (Steve)
- fix: update notation-go #294 needed for Alpha 3 (Steve)
- Would like to be date driven for Alpha-3, cutting Friday
- ecr: oras pull error: empty response Docker-Content-Digest #225 Reminder for ECR folks (Steve)
- Milind following up with Michael
- notaryproject/notation#299 (comment) ( Samir)
- David Tesar
- Samir Kakkar
- Milind Gokarnm
- Roy Williams
- Yi Zha
- Feynman Zhou
- Shiwei Zhang
- Sajay Antony
- Security issue signature verification found by Shiwei
- Agree on Way forward for issue#268. The proposal is to fix the issue according to existing spec, and then release alpha.3. The reason is updating spec takes time for PR reivew, and COSE support also need to update the spec, so we can wait for COSE implementation to update the spec in upcoming weeks.
- Security issue was discussed. Milind will create a PR to address it.
- We reached a consensus on this issue#268, that is, go ahead releasing alpha.3 with existing spec. Shiwei will create a separate PR based on COSE PR to formally fix both the spec and implementation.
- Besides the above we did Q&A on the plugin spec.
- Proposal of changing the payload to digest of payload in the request contract for generating signature. need further discussion.
- Proposal of changing the response contract for generating signature. We reached a consensus.
- Millind brought up a discussion, which will be moved to next community call, since this discussion issue will be updated soon.
- Alpha.3 release is delayed to end of this week, since there is a new issue reported, and some PRs are not merged yet.
- David Tesar
- Samir Kakkar
- Pritesh Bandi
- Vani Rao
- Review of alpha-3 milestone. Pending items and ETA
- PR of alpha-3 release notes
- Effort estimates for RC-1 items
- David, start with creating issues in each "Repo" to start our release process for alpha-3.
- Yi Zha
- Samir Kakkar
- Milind Gokarnm
- Pritesh Bandi
- Sajay Antony
- Steve Lasker
- Feyman Zhou
- David Tesar
- Shiwei Zhang
- Roy Williams
- PR review - Update COSE support spec: notaryproject/specifications#179
- The three open issues in notaryproject/notation#93, are they still needed?
- Requesting more details on "CodeCov" bot
- Requesting more details on https://github.com/orgs/notaryproject/projects/10/views/17
- Update on all items open for alpha-3. What are the remaining blockers for alpha-3 ?
- Proposal of creating user story of COSE support in notationproject/roadmap repo as roadmap #38
- go-cose security review
- David Tesar
- Samir Kakkar
- Bring completed (or in flight items such as those pending PR review) into alpha-3 (Samir)
- David and Samir moved all "done" and relevant "in-progress" items into Alpha-3 ( Refer here), based on the draft releases notes content (Refer here)
- David Tesar (Microsoft)
- Yi Zha
- Samir Kakkar
- Milind Gokarnm
- Pritesh Bandi
- Feynman Zhou
- Niaz Khan
- Sajay
- Shiwei Zhang
- Review pending PRs
- Notary planning board updates (Most of issues have assignees now)
- Create a review process guide and onboard new qualified maintainers
- Review the proposal on weekly build for Notation notaryproject/notation#261
- Review draft alpha-3 release notes at https://hackmd.io/LLCH4EcOTaaxlaJk0ZdVfA?both
- Notation CLI support for Timestamp Authority signatures: notaryproject/roadmap#59 (comment)
- Multiple PRs are out for review. Milind will propose the draft rules for review of code PRs, where two code reviews and one of the maintainers from "Code-review" group will be required
- Lets do weekly builds for Notation client, and use the dd-mm-yy or mm-dd-yy format for the release. Lets keep it simple.
- For anything in the roadmap repo, whoever has it assigned, could they close any duplicates in another repo, and/or link to the roadmap item. Keep the roadmap item open, until we get maintainers to close it. Going forward, roadma repo should only have high level user stories and not granular/implementation items. Refer example here. notaryproject/roadmap#38
- Alpha-3 discussion . Any items marked for RC-1 which is completed, or will be completed at time of alpha-3, should be included in alpha-3.
- The existing commands for certiicates CRUD are not compatiable with the new Trust store (directory based) design. For alpha-3, we should not wait on fixing this. Before deciding to include this in RC-1, lets first define the behaviour we want for the Certification CLI command before starting implementation.
- David Tesar
- Steve Lasker
- Samir Kakkar
- Rakesh Garigant
- Milind Gokarnm
- Pritesh Bandi
- Niaz Khan
- Vani Rao
- Support multiple trust stores and custom verification level #164 (Milind)
- Verification Plugins #165 (Milind)
- Complete evaluation of "Discuss" milestone items. (Samir/David)
- Alpha-3 release date before RC-1 release date
- Milind will update PR based on the feedback
- Alpha-3 will be the next milestone. RC-1 will come after that.
- Samir and David will propose what goes in Alpha-3 ( what all user stories to support). Will adjust its scope definition accordingly in https://github.com/notaryproject/roadmap
- David Tesar (Microsoft)
- Steve Lasker (Microsoft)
- Yi Zha
- Sajay Antony
- Samir Kakkar
- Rakesh Garigant
- Milind Gokarnm
- Pritesh Bando
- Roy Williams
- Feynman Zhou
- Ready to close release candidate signature format
- Consider dropping docker-* commands
- PR Signing Scheme #175 and [Verification Plugins #165]
- PR Support multiple trust stores and custom verification level (Milind)
- Discuss in/out scope user-stories for RC-1 (David & Samir)
- Alpha 3 milestone consideration (David & Samir) (notaryproject/specifications#165) (Milind)
- Niaz Khan
- David Tesar
- Steve Lasker
- Samir Kakkar
- Roy Williams
- add yourself
- Notary RC1 scope (Samir and David)
- PR Signing Scheme #175 and Verification Plugins #165 (Milind)
- PR Support multiple trust stores and custom verification level (Milind)
- cose signature format inclusion (Steve)
- add your topics
- meeting minutes
- David Tesar
- Sajay Antony
- Feynman Zhou
- Yi Zha
- Steve Lasker
- Niaz Khan
- Roy Williams
- Ramkumar Chinchani
- Samir Kakkar
- Milind Gokarn
- Rakesh Gariganti
- Pritesh
- add yourself
- Verification Plugins #165 - h2 enable flexibility and cross instance stability for verification? (Steve)
- Review #PR 218: support notation login (Shiwei)
- PR Support multiple trust stores and custom verification level (Milind)
- Change targetArtifact to subject, consistent with the artifact spec #169 - accidently merged before additional reviews. Revert or keep (Steve)
- notation user stories on planning board (David & Feynman)
- notation milestones alphas & rcs (Steve)
- Continue disucssion on verification plugin extensibilty offline
- Iam McMillan
- Milind Gokarnm
- Rakesh Gariganti
- Pritesh
- Samir Kakkar
- Ivan Wallis
- David Tesar
- Steve Lasker
- Niaz Khan
- EKU Discussion, use of various signing certs (Ian McMillan)
- Close on migration off of spreadsheet (David)
- Triage RC-1 items on board (David/Samir)
- Triage alpha.2 and alpha.3 items on board (David/Samir)
- Cover new user story proposals for RC-1 (David)
- Support multiple trust stores and custom verification level (Milind)
- Verification Plugin and Signing Scheme spec(Milind)
- Unresolved discussions on implementation PRs (Milind)
- David Tesar
- Samir Kakkar
- Milind Gokarn
- Rakesh Gariganti
- Feynman Zhou
- Jesse Butler
- Pritesh
- Roy Will
- Sajay Antony
- Yi Zha
- Niaz Khan
- Steve Lasker
- Clarity on code signing EKU cert requirement
- Proper spec location(s) and inspect spec - (Yi Zha)
- Where is Verify Spec?
- Clarify
recommended
vs.required
in Notation Directory Structure (Steve) - Trust policy updates PR (Milind)
- Verify Spec
- The rationale of seperating the Notation Specs in Notation repo Vs putting all the specs in notaryproject repo, is to keep Notation specific details with its implementation.
- System-level directories are required. User-level directories are recommended. The defaults vary based on operating system.
- id-kp-codeSigning discussion will be continued in next meeting.
- User expereince should not change after RC-1 is released. Applying this tenet to CLI imply - "The CLI commands and sub options we agree and approve should be the only ones supported in Notation"
- Milind provied an overview of two PRs he requested for approval/review
- Steve Lasker
- David Tesar
- Milind Gokarn
- Rakesh Gariganti
- Pritesh
- Upcoming spec updates (Milind)
- Specify multiple trust stores in policy
- Custom verification level
- Directory based config precedence (#203)
- Task status updates (Milind)
- Code reviewers group
- Showcase project board, feedback, and "epic" views
- Migration off of spreadsheet nearly complete minus yellow items assigned to AWS
- David Tesar
- Samir Kakkar
- Milind Gokarn
- Rakesh Gariganti
- Shiwei Zhang
- Feynman Zhou
- Jesse Butler
- Michael Brown
- Pritesh
- Roy Will
- Sajay Antony
- Yi Zha
- Samir - Requesing a scope/time Update on https://cloud-native.slack.com/archives/CQUH8U287/p1656163785567499 ORAS-Go client libraries needed in Notation Client to support the latest ORAS artifact spec 1.0.0-rc.1
- notation is waiting for #140, #175, and #188 from this milestone. https://github.com/oras-project/oras-go/milestone/5
- oras-project/oras-go#140
- oras-project/oras-go#175
- oras-project/oras-go#188. ( Fixed)
- Samir - Requesting a daily scrum update on all pending items for RC-1 release.
- Pritesh - notaryproject/notation-core-go#7
- Registy auth with local credentials #206 (Milind)
- Local key support #31 (Milind)
- notary-release-managers group needs to have access to notation-core-go and roadmap repos
- Daily Scrum - we will do daily updates of items chat via project board & chat in slack. Keep existing two meetings per week.
- We will snap milestone names to what is listed in the roadmap repo. They vary across repositories.
- David Tesar
- Pritesh
- Rakesh Gariganti
- Samir Kakkar
- Samir - Project task review, and compare with the planned roadmap repo work
- meeting minutes
- David Tesar
- Feynman Zhou
- Roy Will
- Milind Gokarn
- Pritesh
- Rakesh Gariganti
- Samir Kakkar
- Shiwei Zhang
- Yi Zha
- Yi and Feynman - Confirm the scope and timeline of RC1
- Yi and Feynman - Align the code review process: like who are reviewers and review deadline
- Pritesh - Review [notaryproject/notaryproject #162] Added requirement for codesigning and timestamping certificate Roy will review and comment back
- Milind - PR reviews . notaryproject/notation#192
- Rakesh - Registry Interactions update
- meeting minutes
- Samir Kakkar
- Rakesh Gariganti
- Pritesh Bandi
- Milind Gokarnm
- Jeremy Rickard (Microsoft)
config.json
spec is outdated and needs updates (low priority) (Milind)- Scope of Registry auth spec PR 192 (Milind)
- Jeremy gave an intro and Milind provided and update to the overall Notation project status to attendees
- David - Lets do another Notation CLI release once the bug fix from Shiwei fore registry authentication (443 port) is addressed. In the meantime lets edit the release notes of the last release to include the workaround
- Responded and updated the project status items in the task spreadsheet
- Samir Kakkar
- Rakesh Gariganti
- Pritesh Bandi
- Milind Gokarnm
- Yi (Microsoft)
- Feynman Zhou
- Shiwei Zhang
- Steve Lasker
- Roy Williams
- David Tesar
- Samir: Update on everyone's action items
- Shiwei: PR approvals
- Milind: Registry Authorization Spec PR; Directory structure spec PR; Directory structure implementation
- Rakesh : Taks for the above items and change of ownership
- Steve: CLI commands
- Milind reviewed PR for directory spec; Need more discussion (Milind will create a new issue) on System Level Vs User Level priority/overrides for directory structure of Plugins, Configuration, Truststore, Trust policies, Signature caches. The solution should be secure by default and usable.
- Milind reviewed Registry Authentication spec : Need to find a way to support http (non https) registries
- Rakesh and Milind covered the item from the spreadsheet. We will continue to coordinate via spredsheet until RC-1 as single source of truth. We can migrate to project board in parallel and deprecate spredsheet after RC-1.
- Shiwei suggested how to split notation, Notation-go work vis-a-vis registry authentication.
- Shiwei and Feyman will update the start dates for items assigned to Shiwei. Priortize authentication and directory spec ahead of other work to unblock others.
- Shiwei gave an overview and requested review of PR 198 and 199
- Steve gave an overview and requested review of PR notaryproject/notation#171
- Steve Lasker (Microsoft)
- Samir Kakkar
- Rakesh Gariganti
- Pritesh Bandi
- Ivan Wallis
- David Tesar
- Samir : Update on everyone's action items
- Samir : Add new work items identified (Directory structure implemementation based on spec)
- David on project managmeen
- Steve on PKCS #8, #12 update on libraried to encrypt/decrypt keys
- Ivan has questions on Plugins and Signature format
- Lets have an offline disccusion on CLI usabilty, secuirty, for the commands for RC-1
- PKCS #8, #12 Need more dev work to support key encrypt/decrypt. Suggestion to defer password protection for keys stored locally on disk beyond RC-1. Lets think over oher options and make a decision next week notaryproject/roadmap#31
- Added new work item for "Directory structure implementation"
- Reassigned some items between Milind and Shiwei to ublock progress
- We will gradually migrate to the new centralized "Project beta" on Github that David created, and deprecate use of spreadsheet and roadmap to track work items. https://github.com/orgs/notaryproject/projects/10/views/4
- Steve Lasker
- Samir Kakkar
- Milind Gokarnm
- Pritesh Bandi
- David Tesar
- Roy Williams
- Rakesh Gariganti
- Feynman Zhou
- Shiwei Zhang
- Update on everyone's action items
- Milind and Shiwei are notation, notation-go, and notation-go-core maintainers and can approve PR. This will move things along faster
- PR Review: Registry Authentication Spec #192
- Steve Lasker
- Samir Kakkar
- Milind Gokarnm
- Pritesh Bandi
- Ivan Wallis ( Venafi)
- David Tesar
- Roy Williams
- Streamline code reviews (Milind)
- Discussion on Plugin model: Changes are merged in https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md
- PKCS#7 is the signature format; PKCS#11 is the API spec for integerating with HSMs/Token devices.
- Samir Kakkar
- Rakesh Gariganti
- Feynman Zhou
- David Tesar
- Milind Gokarn
- Steve Lasker
- Roy Williams
- Jesse Butler
- Signature spec updates(Milind)
- Code review process(Milind)
- Code reviewers from Microsoft (Milind)
- Review spec updates - Rakesh
- CICD and Release process (Rakesh)
- v0.9.0-alpha.1 released
- Feyman will work with Shwewei to get dates on past due items
- Shiwei and Milind will look at each other's PR and approve asap
- For CLI commands, lets focus on -Sign, Verify, Inspect and plugin commands. Rest can wait.
- David did a demdemo what is currently implemented for CI/CD/Testing, by taking the example of this upcoming alpha release
- Feyman will lay a plan for where we want to end up for end to end test and release process
- Samir Kakkar
- Need a "Notation" release with the latest ORAS libraries to address (iamsamirzon)
- notaryproject/notation#119
- There are lot of other updates as well.
- Need additional member for https://github.com/orgs/notaryproject/teams/notary-project-admins/members (iamsamirzon)
- Once done, create a new version of "MilestonesAcrossAllRepos" and directly track all work going for first RC-1 release there.
- Go through RC-1 roadmap items and cleanup, set status, assign owners. (iamsamirzon) https://github.com/notaryproject/roadmap/projects/1?card_filter_query=milestone%3ARC-1
- Go through open PRs in thee specfic repos and ensure alignment with roadmap (iamsamirzon)
- Work to merge spreadsheet backlog into specfic repos and assign owner (iamsamirzon)
- Feynman Zhou
- David Tesar
- Milind Gokarn
- Samir Kakkar
- Pritesh
- Go through roadmap items and cleanup, set status, assign owners. Focus on Alpha-3 items first: https://github.com/notaryproject/roadmap/projects/1?card_filter_query=milestone%3Aalpha-3
- Work to merge spreadsheet backlog into public items
- We may or may not have an Alpha-3 release, but definitely will be making alpha releases in interim to RC1. Alpha-3 items are needed for RC-1.
- Discussed whether or not we should just merge Alpha-3 into RC milestones or not. Will follow up on this next week.
- Feynman Zhou
- David Tesar
- Roy Williams
- Milind Gokarn
- Pritesh Bandi
- Rakesh Gariganti
- Sajay Antony
- PRs for review (Milind)
- Logging from Notation CLI and lib (Milind)
- Iilya Dmitrichenko
- Maik Riechert
- Samir Kakkar
- Milind Gokarn
- Pritesh Bandi
- Rakesh Gariganti
- Steve Lasker
- Roy Williams
- Shiwei Zhang
- Discovery and configuring trust policy (Steve)
- PRs for review
- Introduction of new and old members.
- Review of the above two PRs
- Notation Directory Structure Spec (Required for RC-1)
- Discovery and configuring trust policy (Continue discussion on PR. Not part of RC-1)
- Steve Lasker
- Roy Williams
- Milind Gokarn
- Samir Kakkar
- Shiwei Zhang
- Rakesh Gariganti
- Sajay Antony
- PRs ready to merge
- PRs for review
- Any changes to project plan dates (Milind, Shiwei)
- Spec updates
- meeting minutes
- Steve Lasker
- Roy Williams
- Milind Gokarn
- Samir Kakkar
- Pritesh Bandi
- add yourself
- New meeting schedule (Milind)
- Where should we store signature envelope? (Pritesh)
- As blob only (which is referred by manifest)
- As data field in manifest + blob
- As annotations only Conclusion: We will go with approach 1 where the signature will be stored as separate blob only.
- Spec : Notation directory structure (Milind)
- Project plan updates (Milind)
- Notation registry auth(Milind)
- Code review process (Milind)
- Project Tracking in Roadmap repo(Samir)
- Draft PR for CLI command feedback #171
- Move Thursday meeting From 5-6pm to 9-10am
- Adding a Monday 5-6pm pacific time to account for EU and US
- Signature Envelope Storage - To minimize churn for RC1, we'll use the existing persistance as a blob in the ORAS Artifact reference object.
- Config - keep config.json for shared items, with two additional configs to manage isolation of configurations, avoiding having to merge into a single config.json
- Directory Location: discussion for where config can be stored, securely, avoiding code running as part of a build from having access to the config of keys or certs. No decision, but needs more thought.
- meeting minutes
- Steve Lasker
- David Tesar
- Milind Gokarn
- Samir Kakkar
- Roy Williams
- Sajay Antony
- Rakesh Gariganti
- Shiwei Zhang
- add yourself
- RC1 scope (Samir)
- Closed the two TBD items from last week. JWS format for RC-1
- Security review for Notation RC-1 cliet decision to be made close to it being ready
- Will explore a process to close roadmap items in a async manner based on PRp;ls being closed
- PR code review process (Milind)
- Simplify trust store and trust policy (Milind)
- meeting minutes
- Steve Lasker (Microsoft)
- Samir Kakkar
- Milind Gokarn
- Rakesh Gariganti
- David Tesar (Microsoft)
- Shiwei Zhang (Microsoft)
- Rename notation-go-lib to notation-go
- Repository renaming done
- Rename go module #34
- Security reviews kickoff initiaited for go-cose library, and its integration with Notation cleint_
- TBD : Schedule Security review for Notation RC-1 release, that will use existing JWS encoding format
- TBD : Dual support for both JWS and COSE signature encoding format for subsequent releases
- Steve Lasker (Microsoft)
- Milind Gokarn
- Samir Kakkar
- Rakesh Gariganti
- Sajay Antony
- Shiwei Zhang
- Signature spec PR
- Notation design goals and versioning
- meeting minutes
- Steve Lasker (Microsoft)
- Milind Gokarn
- Samir Khan
- Sajay Antony
- Shiwei Zhang
- Pritesh
- add yourself
- Review updates to signature spec and policy
- meeting minutes
- Marina Moore (NYU)
- Samir Kakkar (AWS)
- Steve Lasker (Microsoft)
- New time, Wednesdays 5-6pm Pacific Time, 8-9pm Eastern, 8-9am Shanghai (Steve)
- Based on updated doodle poll results, proposing 5-6pm Thursday 9-10am Shanghai
- Trust Stores and changes to config (Milind)
- add your topics
- meeting minutes
- Steve Lasker (Microsoft)
- Tianon
- Samir Kakkar (AWS)
- Milind Gokarn (AWS)
- Brandon Mitchell
- David Tesar (Microsoft)
- Should the signature format support multiple signing forms now? (Milind)
- (Steve) We're hoping to land the COSE format for the initial release, but we've said notary will support multiple signature formats over time, for instance different governments (China has been the common example, but also support for newer over time). If we add multiples now, we validate the spec supports multiples. If we land COSE for v1, we can pull JWT out, knowing the spec supports multiple formats.
- go-cose library design - but this is merged into the remote-signing branch
- Doodle poll (Steve)
- promise to get it out today
- Trust Policy (Steve)
- public key discovery
- policy for configuring what a user wants to trust
- add your topics
- meeting minutes
- Steve Lasker
- Samir Kakkar (Chair)
- Marina Moore (NYU)
- Lukas Pühringer (NYU)
- Tianon
- add yourself
- New time for notary call to account for Shanghai timezones
- Steve to create a doodle poll
- Alpha 3 milestone (Samir)
- add your topics
- meeting minutes
Cancelled, folks are working on PRs and execution
- Steve Lasker (Microsoft)
- Brandon Mitchell
- Tianon
- Pritesh
- Samir
- add yourself
- Alpha 2 complete
- Alpha 3 goals (Samir)
- RC1 goals
- add your topics
- meeting minutes
- Samir Kakkar ( AWS)
- Pritesh Bandi (AWS)
- Brandon Mitchell
- Marina Moore (NYU)
- Getting Alpha-2 released (Samir)
- add your topics
- _meeting minutes
- Samir Kakkar ( AWS)
- Pritesh Bandi (AWS)
- Brandon Mitchell
- PR Reviews are making progress
- add your topics
- meeting minutes
Mark Grand (JFrog) Samir Kakkar ( AWS)
- add yourself
- add your topics
- We had a short meeting. No new PRs to review this week
- Recommend everyone to look at the roadmap repo and the project plan there. We are getting close to alpha-2
- Steve Lasker (Microsoft)
- Brandon Mitchell
- Tianon
- Samir Kakkar (AWS)
- Pritish Bandi (AWS)
- Milind Gokarn (AWS)
- add yourself
- Add support for signature filtering. (Pritesh)
- Add support for trust anchor. (Pritesh)
- Fall back options ORAS and Notary Project (Brandon)
- Samir Kakkar (AWS)
- Pritish Bandi (AWS)
- Milind Gokarn (AWS)
- Mark Grand (JFrog)
- Steve Lasker (Microsoft)
- Marina Moore (NYU)
- Tianon
- Brandon Mitchell
- add yourself
- Open PRs for review
- Notation plugin for signing (Milind)
- Adding scope to trust policy. (Pritesh)
- Registry Interop (Steve)
- Azure Key Vault Plug-in
- Closing on the COSE format becomes important to closing on the plug-in spec
- meeting minutes
- Brandon Mitchell
- Tianon
- Marina Moore
- Samir Kakkar
- Steve Lasker (Microsoft) [Chair]
- Pritesh Bandi
- Open PRs for review
- Adding scope to trust policy. (Pritesh)
- Added support for signature filtering. (Pritesh)
- PR is in my fork as its stacked on existing open PRs
- meeting minutes
- Discussion on explict distinction for scpoping for repositories Vs namespaces
- Supported cases:
wabbit-networks.io/software
<-- repo matchwabbit-networks.io/software/*
<-- match immediate namespace
wabbit-networks.io/software/prod-good
wabbit-networks.io/software/*/*
<--wabbit-networks.io/software/prod/asd
<-- will add if requried in futurewabbit-networks.io/software/**
<-- match all nested namespaces inside software namespace
- Invalid cases:
wabbit-networks.io/software*
<-- parse errorwabbit-networks.io/software/prod-*
<-- parse errorwabbit-networks.io/software/prod-bad/
<-- parse errorwabbit-networks.io/soft*
<-- parse error
- Supported cases:
- Mark Grand
- Brandon Mitchell
- Marina Moore [Chair]
- Samir Kakkar
- Tianon
- Steve Lasker
- Pritesh Bandi
- Open PRs for review
- Adding scope to trust policy. (Pritesh)
- Added signing and verification workflows (Pritesh)
-
Trust policy:
- Reviewing discussion points from last meeting for scoping
- Considered but not interested in allowing multiple policies to match, only planning to match a single policy, requiring ordering.
- Other possible scoping suggestions looked at, but not planned for current development efforts
- Scope isn't being treated as a security control so they aren't concerned about prefix matching matching the wrong thing. The user controls what images are being matched external to this.
- In general the current design in extendable for future use.
- For now moving with the Longest prefix match and deferring wild card for a later time.
- Discussed we can make different trust stores. If the same policy scope has two different artifact type with different signing keys, we can even add an artifact type in the future.
- If we need to put rich comments in the JSON files, we could add a "description" field in the future.
-
Discussion on Revocation ()
- Refer the paper from Steve on this topic https://stevelasker.blog/2022/01/11/roles-and-responsibilities-of-signing-sboms-and-security-scanners/
- When should a key be revoked ( In case of compromise ? Any other reasons ?) a. Ideally a key should not be revoked because a vulnerability is found in the code it signed
- When could a signature be revoked on an artifact( In case of a finding a vulnerability ?) https://github.com/notaryproject/notaryproject/blob/main/scenarios.md#scenario-11-revoking-a-signature a. Is there a standard for this? Should we add this in scope for NotaryV2 ?
- Some users may not want revocation to automatically hamper their production envoirnement
- Mark Grand
- Justin Cormack [Chair]
- Brandon Mitchell
- Steve Lasker
- Mahendra Reddy
- Tianon
- add yourself
- Review the doodle poll for the 2022 timeslot. Please get your votes in. (Steve)
- Review Trust Policy Scoping Scenarios (Pritesh)
- Review Trust Anchor in TrustPolicy (Pritesh)
- Review Signing and verification workflows, Including detailed verification workflow (Pritesh)
- Review signing inline (Justin)
- add your topics
- Doodle poll concensus: Thursday 9-10am pacific time
- Trust Policy: can we skip the priority determination and instead accept any matching policy regardless of the order (Brandon)
- [Pritesh - post meeting] If we go with the longest prefix match order doesn't matter as each and every policy will be evaluated for applicability with a longest-prefix match.
- Wildcards must be scoped to a dns segment. To avoid SQL injection style attacks, adding a . in the replacement would be considered invalid.
- [Pritesh - post meeting] That's interesting, we should do thiswith wildcard but we still have a policy ordering issue.
- There's a desire to limit scope to other signature metadata rather than host/repo. E.g. originator may include metadata on their name to make portable images+signatures. Also some users may want to sign SBOMs or attestation data with a different key than the image, and only trust one key to a certain type of signature. (Brandon)
- [Pritesh - post meeting] IMO initially, we should keep default notary validations simple and generic. If a user wants complex validation they can implement them using extensions. Or if the use-case becomes popular we can add support later.
- For regionalized entries, for now, should we defer this, where the user enters multiple trust policies. One for each region, which all point to the same trust store.
- Consider two levels of wildcards like git,
*
for a single dns/path element,**
for multiple levels (Brandon) - meeting minutes
Older meeting notes have been archived to: https://github.com/notaryproject/meeting-notes
- 2021 meeting notes https://hackmd.io/-5DLI3xiRmmgiC1ugo7fHw?view
(template for copying)
- add yourself
- add your topics
- meeting minutes