
Re: [EXTERNAL] [cncf-toc] [VOTE] Streamlining incubation process

Ryan Cook
 

+1

 

From: cncf-toc@... [mailto:cncf-toc@...] On Behalf Of Amye Scavarda Perrin
Sent: Thursday, April 22, 2021 4:05 PM
To: CNCF TOC <cncf-toc@...>
Subject: [EXTERNAL] [cncf-toc] [VOTE] Streamlining incubation process

 

A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640 


Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

 

--

Amye Scavarda Perrin | Program Manager | amye@...


Re: [VOTE] Streamlining incubation process

Dave Zolotusky
 

+1 binding

On Fri, Apr 23, 2021 at 8:39 AM Liz Rice <liz@...> wrote:
+1 binding 


On Fri, 23 Apr 2021 at 00:01, Sheng Liang via lists.cncf.io <sheng.liang=suse.com@...> wrote:

+1 binding

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Ricardo Aravena via lists.cncf.io
Sent: Thursday, April 22, 2021 3:20 PM
To: Amye Scavarda Perrin <ascavarda@...>
Cc: CNCF TOC <cncf-toc@...>
Subject: Re: [cncf-toc] [VOTE] Streamlining incubation process

 

+1 (nb)

 

 

 

On Thu, Apr 22, 2021 at 2:05 PM Amye Scavarda Perrin <ascavarda@...> wrote:

A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640 


Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

 

--

Amye Scavarda Perrin | Program Manager | amye@...



--
~Dave


Re: [VOTE] Streamlining incubation process

Ricardo Rocha
 

+1 binding

On Fri, Apr 23, 2021 at 07:36:27AM +0100, Liz Rice via lists.cncf.io wrote:
+1 binding


On Fri, 23 Apr 2021 at 00:01, Sheng Liang via lists.cncf.io <sheng.liang=
suse.com@lists.cncf.io> wrote:

+1 binding



*From:* cncf-toc@lists.cncf.io <cncf-toc@lists.cncf.io> *On Behalf Of *Ricardo
Aravena via lists.cncf.io
*Sent:* Thursday, April 22, 2021 3:20 PM
*To:* Amye Scavarda Perrin <ascavarda@linuxfoundation.org>
*Cc:* CNCF TOC <cncf-toc@lists.cncf.io>
*Subject:* Re: [cncf-toc] [VOTE] Streamlining incubation process



+1 (nb)







On Thu, Apr 22, 2021 at 2:05 PM Amye Scavarda Perrin <
ascavarda@linuxfoundation.org> wrote:

A proposal has been made to streamline the incubation process:
https://github.com/cncf/toc/pull/640


Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate
non-binding votes from the community as a sign of support!



--

Amye Scavarda Perrin | Program Manager | amye@linuxfoundation.org







Re: [VOTE] Streamlining incubation process

Liz Rice
 

+1 binding 


On Fri, 23 Apr 2021 at 00:01, Sheng Liang via lists.cncf.io <sheng.liang=suse.com@...> wrote:

+1 binding

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Ricardo Aravena via lists.cncf.io
Sent: Thursday, April 22, 2021 3:20 PM
To: Amye Scavarda Perrin <ascavarda@...>
Cc: CNCF TOC <cncf-toc@...>
Subject: Re: [cncf-toc] [VOTE] Streamlining incubation process

 

+1 (nb)

 

 

 

On Thu, Apr 22, 2021 at 2:05 PM Amye Scavarda Perrin <ascavarda@...> wrote:

A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640 


Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

 

--

Amye Scavarda Perrin | Program Manager | amye@...


Re: [VOTE] Streamlining incubation process

Sheng Liang <sheng.liang@...>
 

+1 binding

 

From: cncf-toc@... <cncf-toc@...> On Behalf Of Ricardo Aravena via lists.cncf.io
Sent: Thursday, April 22, 2021 3:20 PM
To: Amye Scavarda Perrin <ascavarda@...>
Cc: CNCF TOC <cncf-toc@...>
Subject: Re: [cncf-toc] [VOTE] Streamlining incubation process

 

+1 (nb)

 

 

 

On Thu, Apr 22, 2021 at 2:05 PM Amye Scavarda Perrin <ascavarda@...> wrote:

A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640 


Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

 

--

Amye Scavarda Perrin | Program Manager | amye@...


Re: [VOTE] Streamlining incubation process

Ricardo Aravena
 

+1 (nb)



On Thu, Apr 22, 2021 at 2:05 PM Amye Scavarda Perrin <ascavarda@...> wrote:
A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640 

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--
Amye Scavarda Perrin | Program Manager | amye@...


Re: [VOTE] Streamlining incubation process

Alex Chircop
 

+1 non-binding


From: cncf-toc@... <cncf-toc@...> on behalf of Amye Scavarda Perrin via lists.cncf.io <ascavarda=linuxfoundation.org@...>
Sent: 22 April 2021 22:05
To: CNCF TOC <cncf-toc@...>
Subject: [cncf-toc] [VOTE] Streamlining incubation process
 
A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640 

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--
Amye Scavarda Perrin | Program Manager | amye@...


Re: [VOTE] Streamlining incubation process

Alena Prokharchyk
 

+1 binding

-alena

On Apr 22, 2021, at 2:05 PM, Amye Scavarda Perrin <ascavarda@...> wrote:

A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640 

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--
Amye Scavarda Perrin | Program Manager | amye@...


Re: [VOTE] Streamlining incubation process

Davanum Srinivas
 

+1 Binding

On Thu, Apr 22, 2021 at 5:05 PM Amye Scavarda Perrin <ascavarda@...> wrote:
A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640 

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--
Amye Scavarda Perrin | Program Manager | amye@...



--
Davanum Srinivas :: https://twitter.com/dims


Re: [VOTE] Streamlining incubation process

Josh Berkus
 

On 4/22/21 2:05 PM, Amye Scavarda Perrin wrote:
A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640
+1 NB

As someone who frequently advises projects on how to get through the process, this is a huge step forwards.

--
-- Josh Berkus
Kubernetes Community Architect
OSPO, OCTO


Re: [VOTE] Streamlining incubation process

Santiago Torres Arias <santiago@...>
 

+1 (NB)

On Thu, Apr 22, 2021 at 02:05:02PM -0700, Amye Scavarda Perrin wrote:
A proposal has been made to streamline the incubation process:
https://github.com/cncf/toc/pull/640

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate
non-binding votes from the community as a sign of support!

--
Amye Scavarda Perrin | Program Manager | amye@linuxfoundation.org





[VOTE] Streamlining incubation process

Amye Scavarda Perrin
 

A proposal has been made to streamline the incubation process: https://github.com/cncf/toc/pull/640 

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--
Amye Scavarda Perrin | Program Manager | amye@...


Re: Agenda for 4/20

Justin Cormack
 

I have a conflict too, I may be there for part of the call.

Apologies

Justin


On Tue, Apr 20, 2021 at 8:13 AM Lei Zhang <resouer@...> wrote:
Sorry, I happened to have a conflict and have to miss this one.

On Mon, Apr 19, 2021 at 10:45 AM Amye Scavarda Perrin <ascavarda@...> wrote:
Hi all, 
We'll be meeting tomorrow at 8am Pacific. Tomorrow's discussion is on some updates to the incubating process. (https://github.com/cncf/toc/pull/640 has details.) 



--
Amye Scavarda Perrin | Program Manager | amye@...


Re: Agenda for 4/20

Lei Zhang
 

Sorry, I happened to have a conflict and have to miss this one.

On Mon, Apr 19, 2021 at 10:45 AM Amye Scavarda Perrin <ascavarda@...> wrote:
Hi all, 
We'll be meeting tomorrow at 8am Pacific. Tomorrow's discussion is on some updates to the incubating process. (https://github.com/cncf/toc/pull/640 has details.) 



--
Amye Scavarda Perrin | Program Manager | amye@...


Re: Agenda for 4/20

Erin Boyd
 

I have to drop after 30 minutes. Apologies in advance,
Erin


On Apr 19, 2021, at 11:45 AM, Amye Scavarda Perrin <ascavarda@...> wrote:

Hi all, 
We'll be meeting tomorrow at 8am Pacific. Tomorrow's discussion is on some updates to the incubating process. (https://github.com/cncf/toc/pull/640 has details.) 



Re: [cncf-sig-security] Action Needed - Codecov bash uploader supply chain attack

Richard Hartmann
 

Just to confirm: Chris A already sent this to all maintainers.


Agenda for 4/20

Amye Scavarda Perrin
 

Hi all, 
We'll be meeting tomorrow at 8am Pacific. Tomorrow's discussion is on some updates to the incubating process. (https://github.com/cncf/toc/pull/640 has details.) 


[cncf-sig-security] Action Needed - Codecov bash uploader supply chain attack

Liz Rice
 

🙏 Thanks to SIG Security for this advice on Codecov  

@chris @amye you’re probably already on top of this, but please could we make sure the relevant project maintainers are aware and acting on this? Per their note, SIG Security are available on Slack if anyone has any questions


---------- Forwarded message ---------
From: Lorenzo Fontana <fontanalorenz@...>
Date: Sat, 17 Apr 2021 at 23:49
Subject: [cncf-sig-security] Action Needed - Codecov bash uploader supply chain attack
To: <cncf-sig-security@...>


Hello everyone,
On April 15th 2021, the Codecov team published a note [0] acknowledging a supply chain attack affecting their bash uploader.

**Background of the attack**

The Codecov bash uploader is the component responsible for reporting back coverage results to the CI systems of the projects using the service.

This component is usually executed in a CI step by just downloading and executing the script via bash + cURL directly as described in their documentation [1].

This attack was possible because of an error in the image creation process that allowed the actor to extract the credential required to modify the script.

From their announcement:

The altered version of the bash uploader script could potentially affect:

- Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the bash uploader script was executed.
- Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
- The git remote information (URL of the origin repository) of repositories using the bash uploader to upload coverage to Codecov in CI.


**Action Items**

CNCF projects using Codecov are recommended to do the following:

- Rotate all the private credentials available in the context where the script was executed
- Validate the bash script with a trusted copy of the SHA256 sum as described in the Codecov docs [2]
- Watch out for any suspect usage of the tokens


**Projects**

The SIG does not have visibility on whether or not projects are using Codecov right now. However, we did some research and this is a list of the repositories that we found using Codecov:

https://github.com/argoproj/argo-cd
https://github.com/containerd/containerd
https://github.com/coredns/coredns
https://github.com/etcd-io/etcd
https://github.com/goharbor/harbor
https://github.com/jaegertracing/jaeger
https://github.com/kubernetes/dashboard
https://github.com/kubernetes/ingress-nginx
https://github.com/prometheus/prometheus_api_client_ruby
https://github.com/buildpacks/lifecycle
https://github.com/cri-o/cri-o
https://github.com/opentracing/opentracing-c



If you don’t know how to check or have any other questions regarding this, please feel free to reach out to the #sig-security channel on the CNCF Slack.

The CNCF SIG-Security Team

P.S: Thanks to Magno Logan, Emily Fox and Dan (POP) Papandrea for helping in getting this ready for the mailing list.


[0] https://about.codecov.io/security-update/
[1] https://docs.codecov.io/docs/about-the-codecov-bash-uploader
[2] https://docs.codecov.io/docs/about-the-codecov-bash-uploader#validating-the-bash-script
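
The "validate the bash script with a trusted copy of the SHA256 sum" action item above, sketched as a CI gate that replaces piping a download straight into bash. This is an added example, not part of the original message and not Codecov's code; the function names are hypothetical, and it assumes the script has already been saved to disk and the pinned digest was obtained from a trusted source.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): gate a downloaded CI script on a pinned SHA-256.

# sha256_of FILE -> prints the lowercase hex digest, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pinned_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on a missing file or malformed pin.
verify_pinned_sha256() {
  local file="$1" expected="$2" actual
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  # A pin must be exactly 64 hex characters, so an empty or truncated
  # value (for example an unset CI variable) can never pass the check.
  case "$expected" in
    ""|*[!0-9a-fA-F]*) echo "malformed pin" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "malformed pin" >&2; return 2; }
  actual=$(sha256_of "$file")
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# run_if_verified FILE EXPECTED_HEX [ARGS...]
# Executes FILE with bash only after the digest check passes.
run_if_verified() {
  local file="$1" expected="$2"
  shift 2
  if verify_pinned_sha256 "$file" "$expected"; then
    bash "$file" "$@"
  else
    echo "refusing to run $file: SHA-256 check failed" >&2
    return 1
  fi
}
```

The check only helps if the pin is stored somewhere the script's host cannot change, such as the project's own repository.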







[RESULT] Emissary-ingress approved for Incubation

Amye Scavarda Perrin
 

The Emissary-ingress project has been approved for incubation. 

9/11 -- passes

+1 NB
Randy Abernethy https://lists.cncf.io/g/cncf-toc/message/5716
Matt Klein https://lists.cncf.io/g/cncf-toc/message/5717
Dave Sudia https://lists.cncf.io/g/cncf-toc/message/5719
Alois Reitbauer  https://lists.cncf.io/g/cncf-toc/message/5724
Lee Calcote https://lists.cncf.io/g/cncf-toc/message/5725
Steve Flanders https://lists.cncf.io/g/cncf-toc/message/5730
Peter ONeill Jr https://lists.cncf.io/g/cncf-toc/message/5736
Flynn https://lists.cncf.io/g/cncf-toc/message/5737
Adam FitzGerald https://lists.cncf.io/g/cncf-toc/message/5738
Chris Short https://lists.cncf.io/g/cncf-toc/message/5739
Richard Li https://lists.cncf.io/g/cncf-toc/message/5740
Kan Yao https://lists.cncf.io/g/cncf-toc/message/5742
Johan Tordsson https://lists.cncf.io/g/cncf-toc/message/5743
Oleg Chornyi https://lists.cncf.io/g/cncf-toc/message/5745
Niraj Tolia https://lists.cncf.io/g/cncf-toc/message/5746
JJ https://lists.cncf.io/g/cncf-toc/message/5747
Barak Stout https://lists.cncf.io/g/cncf-toc/message/5749

--
Amye Scavarda Perrin | Program Manager | amye@...


[cncf-sig-security] Supply Chain Security Paper Open for public comment

Chris Aniszczyk
 

FYI

---------- Forwarded message ---------
From: Emily Fox <themoxiefoxatwork@...>
Date: Fri, Apr 9, 2021 at 11:20 AM
Subject: [cncf-sig-security] Supply Chain Security Paper Open for public comment
To: <cncf-sig-security@...>


Hello!
  The cloud native security supply chain security group has worked diligently in creating an initial draft paper that provides the community with:
* Recommendations for securing each point of an organisation's software supply chain, whether the organisation produces or consumes cloud native software.
* Justifications and explanations for recommendations commensurate with the risk level and assurance requirements of an organization
* Tooling to implement recommendations

We are asking you, the community, to review the paper and provide comments/suggestions/improvements by Friday April 23rd 2021 so that we may incorporate them and finalize the initial version.

You may access the document at the below URL:
https://docs.google.com/document/d/1VURD9rdEhiuqPdixhEozkHw01Tk6e2AaJVjBK3pK6Zc/edit



--
Chris Aniszczyk (@cra)
