FYI ---------- Forwarded message ---------- From: Jie Yu <jie@...> Date: Tue, Jun 27, 2017 at 6:57 AM Subject: CSI regular community sync To: container-storage-interface-community@... Cc:

Last call for comments. TOC vote to follow.

Just wanted to weigh in from CoreOS. We are using Notary for signing packages as well for the Quay container registry running at Quay.io. Signing packages is tricky and TUF seems to get things right.

Thanks Justin, that is very helpful & certainly length-appropriate.

I didn't do a deep dive, but it looks like the "simple signing" design from Fedora would enable an attacker that has compromised the signing server to compromise user devices (even with HSMs, etc.).

Scott What are your thoughts on Notary? a

Per the comments on GnuPG - the ubiquitous use of GPG is what drove Red Hat to work on what we call "simple signing" [1][2]. We would love to partner on more of this work. [1]:

Thanks Richard. +1 on .debs. My 2c is that signing functionality used to be quite inhumane, and any project seeking to do better could certainly focus on being "pleasant". Although the Notary

<cncf-toc@...> wrote: Speaking as a Debian Developer, most of my work in that regard is underpinned by GnuPG. A lot of the functionality mentioned could be built with GnuPG and installed

To be clear I dialed in but it was totally unclear how to unmute myself. I own a phone with a mute button perhaps there's a default setting we could fix to not default phone to mute

That's good info. Keen to learn more from the community about this use case and project!

Notary has also been shipping to enterprise customers as part of Docker EE. Good to know Vmware has followed suit. If enterprise adoption is a point of evaluation we can put together a few case

Harbor is an open source enterprise registry built on top of Docker distribution. It adds enterprise features such as RBAC, LDAP/AD support, auditing, Notary, and other features (follow link below).

<cncf-toc@...> wrote: I called in over the German number. It kicked me out while blarring gibberish first, but then allowed me to call in just fine. Other than the one time I heard, well,

Hi all Thanks Patrick & Docker people for Notary pres. I personally found it very useful & educational, having avoided package signing myself as much as possible ;-) I would love to understand how a

I'm not sure what the problem was Camille on your end but I'll investigate why you couldn't un mute yourself. Thanks for your patience, we are still learning the ins and outs of Zoom. --

actually there is phone-only option Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll) -- Eduardo Silva Open Source, Treasure Data http://www.treasuredata.com/opensource

Zoom is cool but I need something phone-only that doesn't mute me in a fashion where I don't control it myself. Can we fix config default or move to something else? C

Those requests are proxied by GH these days, but I will try. Will do. Fabian is listed as a lead and he's in on this effort as well. Still, I will make them officially aware. Richard

Richard Thanks! Please talk to the GH project owner who has "openmetrics". For help & next steps, you can follow up with Lee & Ken via email - ccd. You can find the Kubernetes Instrumentation SIG at