Re: Notary V2 re-review / removal from the CNCF?

Davanum Srinivas


For those of you who got this email and are wondering where the discussion is happening, it's here:

Thanks to the folks who made it to the TOC meeting today; the recording from today is here:

The TOC is reaching out to community members regarding this concern and the processes around it and others’ remediation. Please be patient, we will document these events once we have collected more information to ensure all concerns are presented from everyone (especially those who could not make it to the meeting today!).


On Wed, Dec 14, 2022 at 1:44 PM Davanum Srinivas via <> wrote:

Threads on email tend to rot out for this purpose. Could you please open an issue similar to [1]? Please add pointers to any previous public discussions (if I remember correctly, you had raised this before?).

Also, please remember that we may not see much traffic until folks come back in Jan. 


On Wed, Dec 14, 2022 at 1:05 PM Justin Cappos <justincappos@...> wrote:
As I understand it, the TOC is starting to review projects with a consideration to reassess their level in the CNCF or even to remove them altogether.  I wanted to bring the Notary V2 project to the TOC's attention as a project that is misplaced and worthy of review.

First of all, the original Notary V1 project was added by the CNCF and was voted in both because it had a strong security foundation and a substantial user base.  

Strangely, the Notary V2 project has none of the original Notary project members, none of the lines of code from Notary V1, and none of the security design.  It is effectively a completely different project that has taken the same name in order to preserve the incubating status in the CNCF.  Even worse, it is at incubation level and making use of CNCF resources / marketing / reputation, yet has had no security reviews, etc.

I would kindly suggest that the TOC consider either removing Notary V2 from the CNCF or asking it to reapply to the CNCF.

Notary V1 (the original) likely could also plausibly be archived or reviewed at some point, but this is of less urgency as it did actually receive due diligence at some point.

I know I raised the same concern back in July 2021, but after talking with others in the community I thought it was worth raising again.  As transparency is an important part of open source foundations and projects, after raising this issue a week ago to the TOC privately, I am now making this request public.


Davanum Srinivas ::