TOC Agenda for 10/3/17
Here's the deck for
Chris Aniszczyk (@cra) | +1-512-961-6719
Re: Notary/TUF: marshalled and ready to activate
Thanks Quinton for the detailed followup. I plan on calling a vote by Monday at the latest.
On Mon, Sep 25, 2017 at 5:52 PM, Quinton Hoole via cncf-toc <cncf-toc@...> wrote:
--
Chris Aniszczyk (@cra) | +1-512-961-6719
Re: Notary/TUF: marshalled and ready to activate
Quinton Hoole
I think we’re good to go, with the caveat that the comparison matrices covering other update frameworks are still somewhat misleading and/or inaccurate (depending on your perspective), and should IMO be disregarded, and ultimately updated or deleted.
Most widely used trusted software update mechanisms can, in practice, check most of the boxes in the matrices, but TUF/Notary consolidates the required functionality into a single, well-defined, reviewed framework.
As long as we’re clear on that, I think that we have all of the info necessary to vote. Thanks to the Notary folks (and @endophage in particular) for your diligence and patience attempting to address all of the questions and concerns expressed.
FYI to the voting TOC members as context, below are a few illustrative comments that have been made by the community regarding the comparison matrices:
FWIW, the YUM part above is not correct as such. At SUSE we use GPG detach-signed YUM repositories and it gives most if not all security features needed. YUM has a root repomd.xml with sha256 hashes of dependent files all the way down. SUSE and likely others sign the repomd.xml with a trusted GPG key with a detached signature.
What is a problem is that YUM is a bit RPM-centric and does not support plain files, so a new XML part that handles generic files would need to be added. I also admit that key handling is limited to a single GPG key signing the whole YUM repository instead of multiple roles/keys like in Notary, so some of the key attacks are present in YUM+GPG. But it's not as bad as your graphics make it out to be.
————————
https://github.com/cncf/toc/pull/38#issuecomment-329091834
I just spoke to one of the APT developers while at OSS and it appears that Debian/Ubuntu packaging also solves most of the problems you've marked as "not handled" (similarly to what @msmeissn has been describing for zypper/yumrepo). I would also be shocked to discover that RedHat's dnf and yum do not solve these problems (to the same degree as zypper/apt/etc) as well…
———————
https://github.com/cncf/toc/pull/38#issuecomment-329758267
…I agree however, that the comparison table should be updated to match how the actual package managers in distributions behave to mitigate individual risks.
————————
It is clear that many of the Linux vendors have started to construct parts of a protocol set similar to TUF using GPG, but there does not appear to be a formal reviewed specification in the same way as TUF has defined, with detailed security review, at least as far as I can find. The discussion about which boxes in the table should be ticked, and the fact that no one can easily find definitive answers, does suggest that the specification is ad hoc rather than formally specified like TUF, or the answers would be much easier to find.
Q
Quinton Hoole Technical Vice President America Research Center 2330 Central Expressway, Santa Clara, CA 95050 Tel: 408-330-4721 Cell: 408-320-8917 Office # E2-9 Email: quinton.hoole@... ID#Q00403160
From: <cncf-toc-bounces@...> on behalf of Brian Grant via cncf-toc <cncf-toc@...>
Reply-To: Brian Grant <briangrant@...> Date: Friday, September 22, 2017 at 06:33 To: Alexis Richardson <alexis@...> Cc: Alexis Richardson via cncf-toc <cncf-toc@...> Subject: Re: [cncf-toc] Notary/TUF: marshalled and ready to activate
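The YUM+GPG mechanism described in the quoted SUSE comment above (a detach-signed repomd.xml root whose sha256 entries cover the rest of the repo metadata), as an added Python example that is not part of this thread or of any project's code: it walks that hash chain and makes visible why everything below it rests on the one key that signed repomd.xml. The sample repodata files and the `signature_ok` callback are constructed here; in a real deployment `signature_ok` would wrap a `gpg --verify` of the detached signature against the trusted repo key.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"repo": "http://linux.duke.edu/metadata/repo"}

# Constructed sample repodata: the files that a repomd.xml root would list.
REPO_FILES = {
    "repodata/primary.xml.gz": b"<constructed primary metadata>",
    "repodata/filelists.xml.gz": b"<constructed filelists metadata>",
}


def build_repomd(files):
    """Build a minimal repomd.xml (constructed sample) with sha256 + location per file."""
    parts = []
    for path, data in files.items():
        dtype = path.rsplit("/", 1)[-1].split(".", 1)[0]  # "primary", "filelists"
        parts.append(
            f'<data type="{dtype}"><checksum type="sha256">'
            f'{hashlib.sha256(data).hexdigest()}</checksum>'
            f'<location href="{path}"/></data>'
        )
    return (f'<repomd xmlns="{NS["repo"]}"><revision>1506000000</revision>'
            + "".join(parts) + "</repomd>")


def verify_repo(repomd_xml, files, signature_ok):
    """Return a list of problems found walking the chain rooted at repomd.xml.

    signature_ok(repomd_xml) is the caller's detached-GPG check (assumed here);
    if it fails, nothing below repomd.xml is trusted. Note the single trust
    anchor: whoever holds that one key can re-sign a repomd.xml over any files.
    """
    if not signature_ok(repomd_xml):
        return ["repomd.xml signature invalid: nothing below it can be trusted"]
    problems = []
    root = ET.fromstring(repomd_xml)
    for data in root.findall("repo:data", NS):
        href = data.find("repo:location", NS).get("href")
        cks = data.find("repo:checksum", NS)
        algo = {"sha": "sha1"}.get(cks.get("type", "sha1"), cks.get("type"))
        blob = files.get(href)
        if blob is None:
            problems.append(f"{href}: missing")
        elif hashlib.new(algo, blob).hexdigest() != cks.text.strip():
            problems.append(f"{href}: {algo} mismatch")
    return problems
```

A tampered metadata file is caught by the chain, but a repomd.xml regenerated over the tampered files passes whenever the signature check does, which is the single-key limitation the comment concedes.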
Re: Notary/TUF: marshalled and ready to activate
Brian Grant
I am ready
On Sep 22, 2017 1:16 AM, "Alexis Richardson via cncf-toc" <cncf-toc@...> wrote: Hi all
Re: TOC Principles pull request
alexis richardson
Dan,
Thank-you. I think the TOC & community could probably get to voting soon. It would be even better if the broader CNCF was +1 too. Eg: GB, EUC, ... Would it be possible for you and Todd (cc'd) to rally round some of the GB and make sure they are ok with the text? For example Ike (cc'd) had some questions about governance that were in the g/doc comments.
alexis
On Fri, Sep 22, 2017 at 12:00 PM, Dan Kohn <dan@...> wrote:
Re: TOC Principles pull request
Dan Kohn <dan@...>
The pull request has been open for 5 days, but the original document that the wording is taken from was published months ago. Alexis, I think it's appropriate for you to call for a vote on approving the TOC principles if you're ready. -- Dan Kohn <dan@...> Executive Director, Cloud Native Computing Foundation https://www.cncf.io +1-415-233-1000 https://www.dankohn.com
On Fri, Sep 22, 2017 at 2:52 AM, Alexis Richardson <alexis@...> wrote:
Notary/TUF: marshalled and ready to activate
alexis richardson
Hi all
I think we are ready to start soliciting votes for Notary. Please shout now if you disagree, especially if you have been a TOC Contributor carrying out DD.
There were questions about TUF. My understanding from OCI is that container signatures are expected to be attached metadata that could be associated with any popular method, eg gpg, tuf. If the OCI standardise this then they will focus on making it possible to attach signatures, rather than on picking gpg vs tuf for example.
By the same token (no pun intended) the CNCF is not, I repeat not, blessing a standard. We should make this clear beyond the possibility of confusion. TUF is a spec. But we are not saying it is a standard. See the github thread for more.
I want to thank Dan and all the DD folks for help thus far. Are we ready to start voting?
Alexis
Re: TOC Principles pull request
alexis richardson
GovOps? GitGov?
On Fri, 22 Sep 2017, 06:33 Brian Grant <briangrant@...> wrote:
Re: TOC Principles pull request
Brian Grant
Thanks. LGTM. There don't appear to be any comments. I'm itching to click the merge button. :-)
On Mon, Sep 18, 2017 at 12:45 AM, Alexis Richardson via cncf-toc <cncf-toc@...> wrote:
Re: CNCF SWG Agenda for 9/20 8 AM PT
Benjamin Hindman
To be determined in the SWG meeting this week! ;-)
On Tue, Sep 19, 2017 at 12:33 PM, Yaron Haviv <yaronh@...> wrote:
--
Benjamin Hindman, Founder of Mesosphere and Co-Creator of Apache Mesos. Follow us on Twitter: @mesosphere
Re: my cncf contributor volunteer seems to have been missed
sorry about that, added, but I expect people to make a comment on the sheet moving forward
On Tue, Sep 19, 2017 at 2:10 PM, Alexis Richardson <alexis@...> wrote:
--
Chris Aniszczyk (@cra) | +1-512-961-6719
Re: CNCF SWG Agenda for 9/20 8 AM PT
Yaron Haviv <yaronh@...>
Chris/Ben,
What do you include in “Cloud Native Storage Landscape”? Is it just Block & File (CSI scope)? Or does it include Object, Scale-out Databases, etc. (which IMO are a more natural fit for Cloud apps)?
Yaron
From: cncf-toc-bounces@... [mailto:cncf-toc-bounces@...]
On Behalf Of Chris Aniszczyk via cncf-toc
Sent: Tuesday, September 19, 2017 10:03 PM To: CNCF TOC <cncf-toc@...> Subject: [cncf-toc] Fwd: CNCF SWG Agenda for 9/20 8 AM PT
FYI for wider awareness
---------- Forwarded message ---------- For the CNCF SWG on 9/20 I've added two topics based on email threads and discussions that have come from the last SWG meeting and Clint and Steve's presentation to the POC:
Agenda:
I've also updated the meeting minutes. Looking forward to discussing this all with you! --
-- Chris Aniszczyk (@cra) | +1-512-961-6719
Re: my cncf contributor volunteer seems to have been missed
Christopher LILJENSTOLPE <cdl@...>
Ahh - so the finger pointing begins :) Seriously, there was a big pile-on there, so not surprised that it got missed. Chris can you add me, pls?
Christopher
On 19 Sep 2017, at 12:10, Alexis Richardson via cncf-toc wrote:
Re: my cncf contributor volunteer seems to have been missed
Christopher LILJENSTOLPE <cdl@...>
Thanks Alexis, There was a big pile-on there, so not surprised that it got missed. Chris, can you add me, pls? Christopher
On 19 Sep 2017, at 12:10, Alexis Richardson wrote:
--
Re: my cncf contributor volunteer seems to have been missed
alexis richardson
Chris L, thank-you for raising this. I must gracefully step aside and gesture at my colleague, Chris A, who had volunteered to populate that list with the names from the email thread ;-) a
On Tue, Sep 19, 2017 at 8:08 PM, Christopher LILJENSTOLPE <cdl@...> wrote:
Re: CNCF SWG Agenda for 9/20 8 AM PT
alexis richardson
A Landscape, explained by a white paper, would be helpful!
On Tue, Sep 19, 2017 at 8:03 PM, Chris Aniszczyk via cncf-toc <cncf-toc@...> wrote:
CNCF SWG Agenda for 9/20 8 AM PT
FYI for wider awareness
---------- Forwarded message ----------
From: Benjamin Hindman <benh@...> Date: Tue, Sep 19, 2017 at 1:35 PM Subject: CNCF SWG Agenda for 9/20 8 AM PT To: cncf-wg-storage <cncf-wg-storage@...>
For the CNCF SWG on 9/20 I've added two topics based on email threads and discussions that have come from the last SWG meeting and Clint and Steve's presentation to the POC:
I've also updated the meeting minutes. Looking forward to discussing this all with you!
Chris Aniszczyk (@cra) | +1-512-961-6719
RFC: CNCF Serverless WG Whitepaper
I mentioned that I would share this work from the CNCF Serverless WG: https://github.com/cncf/wg-serverless Please take a look at it, it's a fairly detailed overview of the serverless landscape (still in draft): https://goo.gl/udD8Fx Also please consider participating in the WG if you're interested in serverless! Thanks! Chris Aniszczyk (@cra) | +1-512-961-6719
Re: FYI: CNCF TOC Meeting 9/19/2017 Agenda
Quinton Hoole
Regarding notary/TUF due diligence, there remain some significant and legitimate concerns about the accuracy of the comparison matrix in the slide deck (for example this set of comments). Some updates have been made to the matrix in the proposal to address those specific concerns (presumably after the slide deck was prepared), but it’s not clear to me that even those updates bring the matrix to a point of being accurate. So I don’t think it would be wise to solicit a vote on the basis of the comparison matrix in the slide deck.
Q
From: <cncf-toc-bounces@...> on behalf of Chris Aniszczyk via cncf-toc <cncf-toc@...>
Reply-To: Chris Aniszczyk <caniszczyk@...> Date: Monday, September 18, 2017 at 14:15 To: CNCF TOC <cncf-toc@...> Subject: [cncf-toc] FYI: CNCF TOC Meeting 9/19/2017 Agenda
FYI: CNCF TOC Meeting 9/19/2017 Agenda
Just a heads up, the TOC is meeting tomorrow, here's the agenda: We will cover information about the TOC principles, TOC election schedule, notary due diligence, GB dev seats and more. Here are also the TOC principles in markdown form ready for final review: Thanks! Chris Aniszczyk (@cra) | +1-512-961-6719