Re: [VOTE] In-toto for incubating

Lukas Puehringer

Hi Richard,

Thank you for the thorough review and detailed comments! And thanks for the nudge about the Debian releases, I just pushed an up-to-date downstream release to mentors [1].

Regarding our relationship to Debian and Reproducible Builds, we’ve been regulars at Debconfs and RB Summits since the inception of the in-toto project (see e.g. [2], [3]), and quite a few in-toto related projects have benefited from our involvement with the community, most notably [4],[5],[6].

It is true that I personally am not a Debian Developer, but I have worked together with the DD Holger Levsen in the past to prepare and upload the downstream releases.

And here is a link to the latest organization-wide “Roadmap review” document, which Santiago mentioned:

There is definitely more going on in the broader in-toto ecosystem than in the reference implementation, due to the maturity the latter has reached [7].

Let me know if you have questions about any of the resources I shared. I’m happy to provide more details (also off-list).

Kind regards,

On 18.02.2022, at 00:28, Richard Hartmann <richih@...> wrote:

Thank you for the quick & detailed response.

Also, again, I am still getting up to speed with this new hat on.

On Thu, Feb 17, 2022 at 9:30 PM Santiago Torres Arias <santiago@...> wrote:

Debian is not a company.

I'm somewhat sad to read this reaction, considering we're an open source
project that is *not* backed by a company (one of the few around here in
fact). Although there are other users/communities we work with, I wanted
to single out the long-standing work we've done with Debian dating back
to 2015.

Sorry, for being unclear; the DD doc referred to Debian as a company.
The rest was me trying to drill into what specific relationship
exists. It would still be good to bump the version shipped with
Debian, IMO.

apt-transport-in-toto[1] is current.

Being a DD yourself, maybe you know Holger Levsen?

For two decades, yes; I reached out-of-band.

That org membership is non-public and he's not listed in MAINTAINERS.

Personally, I was surprised to see your positive attitude for
reproducible builds on another project's (which is good to see it
mentioned!) vote but glossed over the in-toto bits as part of the

That wasn't mentioned in the DD doc and I missed it when looking
through the repo; sorry.

To make it explicit: Any project building reproducibly gets extra
points for being serious in my book.

(I don't believe there are other CNCF projects listed here):

With my Prometheus hat on, I have tried to get Prometheus onto that
list for years but didn't make huge progress.
With my Grafana hat on: Same.

In a sense, yes, the Python implementation is being used in production,
so we are wary to do major overhauls. We have adopted the attitude to
use the golang implementation to test out new features and then port
them back to the python one.

Thanks; I was going from DD doc & homepage.
In absolute numbers, not relative contributions over time, the Go
version looks similar to the Python for the last 1-2 years. Is [2] the
correct repository to look at?

I can also say that we had various degrees of developer turnover once
the pandemic started...
No, this has been a commitment we've done and/or around version 1.0. We
have lagged a couple of times, I agree.

More than understandable; I know how it is. Public documentation
should manage expectations and arguably underpromise.

Overall, yes. Not sure if you've seen the roadmap reviews. We have also
moved to a monthly community meeting time where we discuss ITE status
and vote to increase velocity. We're starting to see a lot of
implementations (e.g., witness) that are bringing up new features. As
usual, we're in a tightrope between ensuring everybody is heard in terms
of feature additions (so as to not overlap), and allow people to play
with things to see what works.

I didn't see them, no. Do you have a direct link to an overview?

I do appreciate your perspective. And I'd be happy to answer questions
or rephrase answers as needed.

As the DD doc is done and voting period already ongoing, I am not sure
how much use it is to go back and change it. I am too new in my TOC
role to have any opinion on this.

For the moment, I still feel more comfortable with +0 but want to
emphasize that this is _not_ a -1.

Again, thanks for the quick & detailed reply,
