Re: [VOTE] In-toto for incubating

Richard Hartmann

Thank you for the quick & detailed response.

Also, again, I am still getting up to speed with this new hat on.

On Thu, Feb 17, 2022 at 9:30 PM Santiago Torres Arias <santiago@...> wrote:

Debian is not a company.
I'm somewhat sad to read this reaction, considering we're an open source
project that is *not* backed by a company (one of the few around here in
fact). Although there are other users/communities we work with, I wanted
to single out the long-standing work we've done with Debian dating back
to 2015.
Sorry for being unclear; the DD doc referred to Debian as a company.
The rest was me trying to drill into what specific relationship
exists. It would still be good to bump the version shipped with
Debian, IMO.

apt-transport-in-toto[1] is current.

Being a DD yourself, maybe you know Holger Levsen?
For two decades, yes; I reached out-of-band.
That org membership is non-public and he's not listed in MAINTAINERS.

Personally, I was surprised to see your positive attitude for
reproducible builds on another project's vote (which is good to see
mentioned!) but glossed over the in-toto bits as part of the
That wasn't mentioned in the DD doc and I missed it when looking
through the repo; sorry.

To make it explicit: Any project building reproducibly gets extra
points for being serious in my book.

(I don't believe there are other CNCF projects listed here):
With my Prometheus hat on, I have tried to get Prometheus onto that
list for years but didn't make huge progress.
With my Grafana hat on: Same.

In a sense, yes, the Python implementation is being used in production,
so we are wary to do major overhauls. We have adopted the attitude to
use the golang implementation to test out new features and then port
them back to the python one.
Thanks; I was going from DD doc & homepage.
In absolute numbers, not relative contributions over time, the Go
version looks similar to the Python for the last 1-2 years. Is [2] the
correct repository to look at?

I can also say that we had various degrees of developer turnover once
the pandemic started...
No, this has been a commitment we've made at and/or around version 1.0. We
have lagged a couple of times, I agree.
More than understandable; I know how it is. Public documentation
should manage expectations and arguably underpromise.

Overall, yes. Not sure if you've seen the roadmap reviews. We have also
moved to a monthly community meeting time where we discuss ITE status
and vote to increase velocity. We're starting to see a lot of
implementations (e.g., witness) that are bringing up new features. As
usual, we're on a tightrope between ensuring everybody is heard in terms
of feature additions (so as to not overlap) and allowing people to play
with things to see what works.
I didn't see them, no. Do you have a direct link to an overview?

I do appreciate your perspective. And I'd be happy to answer questions
or rephrase answers as needed.
As the DD doc is done and voting period already ongoing, I am not sure
how much use it is to go back and change it. I am too new in my TOC
role to have any opinion on this.

For the moment, I still feel more comfortable with +0 but want to
emphasize that this is _not_ a -1.

Again, thanks for the quick & detailed reply,

