Re: [VOTE] In-toto for incubating

Santiago Torres Arias <santiago@...>

Hi Richard.

+0 binding
Debian is not a company.
I'm somewhat sad to read this reaction, considering we're an open source
project that is *not* backed by a company (one of the few around here in
fact). Although there are other users/communities we work with, I wanted
to single out the long-standing work we've done with Debian dating back
to 2015.

search[1] nor Debian Maintainer search[2]. In a section below, Debian
was removed and replaced with "New York University". Not a blocker,
but being a Debian Developer myself, I feel compelled to mention it.
Debian packages[3][4] for in-toto are from 2021-03-12, skipping 1.1.0,
1.1.1, and the recent 1.2.0 releases[5].
Being a DD yourself, maybe you know Holger Levsen?

He's been coaching us in doing the packaging for the Debian ecosystem,
including a transport for APT[1]. Which I believe is also used by
QubesOS. It is also part of the reproducible builds project to check
cross-build reproducibility (see integration with rebuilderd).

Naturally, it is hard for me to make a statement to what level Debian is
involved, without feeling like I'm putting words on people's mouths.
However, I do believe that members of the Debian community have always
been participating and helping us out (mostly as a part of a shared goal
of build reprodicubility, as it is crucial for software supply chain
security). Personally, I was surprised to see your positive attitude for
reproducible builds on another project's (which is good to see it
mentioned!) vote but glossed over the in-toto bits as part of the
effort (I'm don't bleieve there are other CNCF projects listed here):

Commit history graph[6] shows a distinct slowdown starting 2020. Does
this mean the project has reached/is approaching feature completeness?
In a sense, yes, the Python implementation is being used in production,
so we are wary to do major overhauls. We have adopted the attitude to
use the golang implementation to test out new features and then port
them back to the python one.

I can also say that we had various degrees of developer turnover once
the pandemic started...

Is the "every 3 months release cadence" starting with 1.2.0?
No, this has been a committment we've done and/or around version 1.0. We
have lagged a couple of times, I agree.

Recent PRs were largely janitorial and/or from bots[7]. Along similar
lines, the three example PRs[8][9][10] are dated middle of last year.
... [snip]
I know from my own DDs that velocity can be deceiving, and that it can
also be compensated by extremely wide adoption.
This is true, I'm not entirely in control on velocity. Overall, we get
high fluctuation on it, depending on how features get approved, new
integrations pop up, etc. I wish I had a better answer to this.

Is there a timeframe for Future Plans & ITEs[11]?
Overall, yes. Not sure if you've seen the roadmap reviews. We have also
moved to a monthly community meeting time where we discuss ITE status
and vote to increase velocity. We're starting to see a lot of
implementations (e.g., witness) that are bringing up new features. As
usual, we're in a tightrope between ensuring everybody is heard in terms
of feature additions (so as to not overlap), and allow people to play
with things to see what works.

Yet, I do not currently get a strong feeling of high velocity nor of
very wide adoption. At the same time, I realize I am very late to the
game in this DD process. Having joined TOC just before a week of
illness makes me the late-comer with questions & vote. I explicitly
do not want to block anything with incomplete information.
As such, my current vote is +0 as per above. Depending on answers, I
would be happy to switch to +1.
I do appreciate your perspective. And I've be happy to answer questions
or rephrase answers as needed.



On Thu, Feb 17, 2022 at 09:00:52PM +0100, Richard Hartmann wrote:

Join to automatically receive all group messages.