Re: Notary V2 re-review / removal from the CNCF?

Davanum Srinivas


Threads on email tend to rot out for this purpose. Could you please open an issue similar to [1]? Please add pointers to any previous public discussions (if I remember correctly, you had raised this before?)

Also, please remember that we may not see much traffic until folks come back in Jan. 


On Wed, Dec 14, 2022 at 1:05 PM Justin Cappos <justincappos@...> wrote:
As I understand it, the TOC is starting to review projects with a consideration to reassess their level in the CNCF or even to remove them altogether.  I wanted to bring the Notary V2 project to the TOC's attention as a project that is misplaced and worthy of review.

First of all, the original Notary V1 project was added by the CNCF and was voted in both because it had a strong security foundation and a substantial user base.  

Strangely, the Notary V2 project has none of the original Notary project members, none of the lines of code from Notary V1, and none of the security design.  It is effectively a completely different project that has taken the same name in order to preserve the incubating status in the CNCF.  Even worse, it is at incubation level and making use of CNCF resources / marketing / reputation, yet has had no security reviews, etc.

I would kindly suggest that the TOC consider either removing Notary V2 from the CNCF or asking it to reapply to the CNCF.

Notary V1 (the original) likely could also plausibly be archived or reviewed at some point, but this is of less urgency as it did actually receive due diligence at some point.

I know I raised the same concern back in July 2021, but after talking with others in the community I thought it was worth raising again.  As transparency is an important part of open source foundations and projects, after raising this issue a week ago to the TOC privately, I am now making this request public.


Davanum Srinivas