Re: [VOTE] Streamlining incubation process
+1 binding
On Fri, Apr 23, 2021 at 8:39 AM Liz Rice <liz@...> wrote:
--
~Dave |
|
Re: [VOTE] Streamlining incubation process
Ricardo Rocha
+1 binding
On Fri, Apr 23, 2021 at 07:36:27AM +0100, Liz Rice via lists.cncf.io wrote:
+1 binding |
|
Re: [VOTE] Streamlining incubation process
Liz Rice
+1 binding
|
|
Re: [VOTE] Streamlining incubation process
Sheng Liang <sheng.liang@...>
+1 binding
From: cncf-toc@... <cncf-toc@...>
On Behalf Of Ricardo Aravena via lists.cncf.io
+1 (nb)
On Thu, Apr 22, 2021 at 2:05 PM Amye Scavarda Perrin <ascavarda@...> wrote:
|
|
Re: [VOTE] Streamlining incubation process
Ricardo Aravena
+1 (nb)
On Thu, Apr 22, 2021 at 2:05 PM Amye Scavarda Perrin <ascavarda@...> wrote:
|
|
Re: [VOTE] Streamlining incubation process
+1 non-binding
From: cncf-toc@... <cncf-toc@...> on behalf of Amye Scavarda Perrin via lists.cncf.io <ascavarda=linuxfoundation.org@...>
Sent: 22 April 2021 22:05
To: CNCF TOC <cncf-toc@...>
Subject: [cncf-toc] [VOTE] Streamlining incubation process

A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640

Please vote (+1/0/-1) by replying to this thread. Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

Amye Scavarda Perrin | Program Manager |
amye@...
|
|
Re: [VOTE] Streamlining incubation process
Alena Prokharchyk
+1 binding
-alena
|
|
Re: [VOTE] Streamlining incubation process
+1 Binding
On Thu, Apr 22, 2021 at 5:05 PM Amye Scavarda Perrin <ascavarda@...> wrote:
--
Davanum Srinivas :: https://twitter.com/dims
|
|
Re: [VOTE] Streamlining incubation process
Josh Berkus
On 4/22/21 2:05 PM, Amye Scavarda Perrin wrote:
A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640

+1 NB

As someone who frequently advises projects on how to get through the process, this is a huge step forwards.

--
Josh Berkus
Kubernetes Community Architect
OSPO, OCTO
|
|
Re: [VOTE] Streamlining incubation process
Santiago Torres Arias <santiago@...>
+1 (NB)
On Thu, Apr 22, 2021 at 02:05:02PM -0700, Amye Scavarda Perrin wrote:
A proposal has been made to streamline the incubation process: |
|
[VOTE] Streamlining incubation process
Amye Scavarda Perrin
A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640

Please vote (+1/0/-1) by replying to this thread. Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

Amye Scavarda Perrin | Program Manager | amye@...
|
|
Re: Agenda for 4/20
Justin Cormack
I have a conflict too, I may be there for part of the call.
Apologies
Justin
On Tue, Apr 20, 2021 at 8:13 AM Lei Zhang <resouer@...> wrote:
|
|
Re: Agenda for 4/20
Lei Zhang
Sorry, I happened to have conflict and have to miss this one.
On Mon, Apr 19, 2021 at 10:45 AM Amye Scavarda Perrin <ascavarda@...> wrote:
|
|
Re: Agenda for 4/20
Erin Boyd <erin_boyd@...>
I have to drop after 30 minutes. Apologies in advance,
Erin
|
|
Re: [cncf-sig-security] Action Needed - Codecov bash uploader supply chain attack
Richard Hartmann
Just to confirm: Chris A already sent this to all maintainers.
|
|
Agenda for 4/20
Amye Scavarda Perrin
Hi all,
We'll be meeting tomorrow at 8am Pacific. Tomorrow's discussion is on some updates to the incubating process. (https://github.com/cncf/toc/pull/640 has details.)

Presentation: https://docs.google.com/presentation/d/1J9nti4JdiwLHxY15KtkmqyfP4OgNfrLAd3vxPvFTzsc/edit#slide=id.g25ca91f87f_0_0

Amye Scavarda Perrin | Program Manager | amye@...
|
|
[cncf-sig-security] Action Needed - Codecov bash uploader supply chain attack
Liz Rice
🙏 Thanks to SIG Security for this advice on Codecov

@chris @amye you’re probably already on top of this, but please could we make sure the relevant project maintainers are aware and acting on this? Per their note, SIG Security are available on Slack if anyone has any questions

---------- Forwarded message ---------
From: Lorenzo Fontana <fontanalorenz@...>
Date: Sat, 17 Apr 2021 at 23:49
Subject: [cncf-sig-security] Action Needed - Codecov bash uploader supply chain attack
To: <cncf-sig-security@...>

Hello everyone,

On April 15th 2021, the Codecov team published a note [0] acknowledging a supply chain attack affecting their bash uploader.

**Background of the attack**

The Codecov bash uploader is the component responsible for reporting back coverage results to the CI systems of the projects using the service. This component is usually executed in a CI step by just downloading and executing the script via bash + cURL directly as described in their documentation [1].

This attack was possible because of an error in the image creation process that allowed the actor to extract the credential required to modify the script.

From their announcement:

The altered version of the bash uploader script could potentially affect:
- Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the bash uploader script was executed.
- Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
- The git remote information (URL of the origin repository) of repositories using the bash uploader to upload coverage to Codecov in CI.

**Action Items**

CNCF projects using Codecov are recommended to do the following:
- Rotate all the private credentials available in the context where the script was executed
- Validate the bash script with a trusted copy of the SHA256 sum as described in the Codecov docs [2]
- Watch out for any suspect usage of the tokens

**Projects**

The SIG does not have visibility on whether or not projects are using Codecov right now. However, we did some research and this is a list of the repositories that we found using Codecov:

https://github.com/argoproj/argo-cd
https://github.com/containerd/containerd
https://github.com/coredns/coredns
https://github.com/etcd-io/etcd
https://github.com/goharbor/harbor
https://github.com/jaegertracing/jaeger
https://github.com/kubernetes/dashboard
https://github.com/kubernetes/ingress-nginx
https://github.com/prometheus/prometheus_api_client_ruby
https://github.com/buildpacks/lifecycle
https://github.com/cri-o/cri-o
https://github.com/opentracing/opentracing-c

If you don’t know how to check or have any other questions regarding this, please feel free to reach out to the #sig-security channel on the CNCF Slack.

The CNCF SIG-Security Team

P.S: Thanks to Magno Logan, Emily Fox and Dan (POP) Papandrea for helping in getting this ready for the mailing list.

[0] https://about.codecov.io/security-update/
[1] https://docs.codecov.io/docs/about-the-codecov-bash-uploader
[2] https://docs.codecov.io/docs/about-the-codecov-bash-uploader#validating-the-bash-script
|
|
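The "validate the bash script with a trusted copy of the SHA256 sum" action item from the advisory above, sketched as an added example that is not part of the mailing-list messages and is not Codecov's code. The function names (`sha256_of`, `run_if_pinned`, `demo`) and the stand-in script are constructed for illustration; in a real pipeline the pinned digest is a value committed to the repository.

```shell
# Added example (not Codecov's code): verify a downloaded CI script against a
# pinned SHA-256 before running it, instead of piping curl straight into bash.
# Function names and the stand-in script are constructed for illustration.

# SHA-256 of a file, using GNU sha256sum or the BSD/macOS shasum fallback.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
# Returns 2 if FILE is missing, 4 if the pin is malformed, 3 on digest
# mismatch; only on an exact match is FILE executed (its exit code returned).
run_if_pinned() {
  local file="$1" expected="$2" actual
  shift 2
  [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
  # An empty or truncated pin must never compare equal to a failed hash run.
  [ "${#expected}" -eq 64 ] || { echo "pin is not a SHA-256 hex digest" >&2; return 4; }
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "SHA256 mismatch for $file: expected $expected, got $actual" >&2
    return 3
  fi
  bash "$file" "$@"
}

demo() {
  local dir pin rc
  dir=$(mktemp -d)
  printf 'echo "uploading coverage"\n' > "$dir/uploader.sh"   # constructed stand-in
  pin=$(sha256_of "$dir/uploader.sh")   # in CI: a value committed to the repository
  rc=0; run_if_pinned "$dir/uploader.sh" "$pin" || rc=$?
  echo "trusted copy  -> rc=$rc"
  printf 'echo "unexpected extra line"\n' >> "$dir/uploader.sh"  # simulated upstream change
  rc=0; run_if_pinned "$dir/uploader.sh" "$pin" || rc=$?
  echo "modified copy -> rc=$rc"
  rm -rf "$dir"
}
demo
```

The check only helps when the script is saved to disk first and the digest comes from a source other than the server that serves the script.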
[RESULT] Emissary-ingress approved for Incubation
Amye Scavarda Perrin
The Emissary-ingress project has been approved for incubation.
9/11 -- passes

+1 B
Liz Rice: https://lists.cncf.io/g/cncf-toc/message/5744
Justin Cormack: https://lists.cncf.io/g/cncf-toc/message/5715
Sheng Liang: https://lists.cncf.io/g/cncf-toc/message/5752
Dave Zolotusky: https://lists.cncf.io/g/cncf-toc/message/5754
Ricardo Rocha: https://lists.cncf.io/g/cncf-toc/message/5755
Lei Zhang: https://lists.cncf.io/g/cncf-toc/message/5756
Alena Prokharchyk: https://lists.cncf.io/g/cncf-toc/message/5715
Davanum Srinivas: https://lists.cncf.io/g/cncf-toc/message/5791
Erin Boyd: https://lists.cncf.io/g/cncf-toc/message/5792

+1 NB
Randy Abernethy https://lists.cncf.io/g/cncf-toc/message/5716
Matt Klein https://lists.cncf.io/g/cncf-toc/message/5717
Dave Sudia https://lists.cncf.io/g/cncf-toc/message/5719
Alois Reitbauer https://lists.cncf.io/g/cncf-toc/message/5724
Lee Calcote https://lists.cncf.io/g/cncf-toc/message/5725
Steve Flanders https://lists.cncf.io/g/cncf-toc/message/5730
Peter ONeill Jr https://lists.cncf.io/g/cncf-toc/message/5736
Flynn https://lists.cncf.io/g/cncf-toc/message/5737
Adam FitzGerald https://lists.cncf.io/g/cncf-toc/message/5738
Chris Short https://lists.cncf.io/g/cncf-toc/message/5739
Richard Li https://lists.cncf.io/g/cncf-toc/message/5740
Kan Yao https://lists.cncf.io/g/cncf-toc/message/5742
Johan Tordsson https://lists.cncf.io/g/cncf-toc/message/5743
Oleg Chornyi https://lists.cncf.io/g/cncf-toc/message/5745
Niraj Tolia https://lists.cncf.io/g/cncf-toc/message/5746
JJ https://lists.cncf.io/g/cncf-toc/message/5747
Barak Stout https://lists.cncf.io/g/cncf-toc/message/5749

Amye Scavarda Perrin | Program Manager | amye@...
|
|
[cncf-sig-security] Supply Chain Security Paper Open for public comment
FYI
---------- Forwarded message ---------
From: Emily Fox <themoxiefoxatwork@...>
Date: Fri, Apr 9, 2021 at 11:20 AM
Subject: [cncf-sig-security] Supply Chain Security Paper Open for public comment
To: <cncf-sig-security@...>

Hello!

The cloud native security supply chain security group has worked diligently in creating an initial draft paper that provides the community with:
* Recommendations for securing each point of an organisation's software supply chain, whether the organisation produces or consumes cloud native software.
* Justifications and explanations for recommendations commensurate with the risk level and assurance requirements of an organization
* Tooling to implement recommendations

We are asking you, the community, to review the paper and provide comments/suggestions/improvements by Friday April 23rd 2021 so that we may incorporate them and finalize the initial version.

You may access the document at the below URL: https://docs.google.com/document/d/1VURD9rdEhiuqPdixhEozkHw01Tk6e2AaJVjBK3pK6Zc/edit

Chris Aniszczyk (@cra)
|
|
Re: Agenda for 4/6 TOC meeting
Saad Ali
I will miss 4/6 meeting as well.
On Tue, Apr 6, 2021 at 3:11 AM Justin Cormack via lists.cncf.io <justin.cormack=docker.com@...> wrote:
|
|