|
meet at Re:invent?
alexis richardson
Will there be enough of us at Re:invent to justify a f2f attempt?
|
|
|
|
|
|
Re: Draft graduation criteria
alexis richardson
Hi all,
We can talk about this on the call, but the main point is "it feels like we are close". I propose to keep the doc open for comment for another 10-11 days and kick off a vote, if possible, around 27 Nov. alexis On Mon, Nov 14, 2016 at 1:02 PM, Dan Kohn via cncf-toc <cncf-toc@lists.cncf.io> wrote: We believe we're Ready to call for a vote on the project graduation
|
|
|
|
|
|
DRAFT agenda for TOC call today
alexis richardson
Hi all,
Some logistical issues with google docs mean that I'm posting the draft agenda as below. Slides will land just before the meeting. a Projects: - Welcome Fluentd + link to Blog Post https://www.cncf.io/blog/2016/11/09/fluentd-joins-cloud-native-computing-foundation New Project Proposals: * Please can we invite gRPC & Linkerd to make written proposals → Let's have a show of hands on the call → Need sponsors * Next meeting (not today) - Pachyderm will present Ref Arch & Landscape: - (Voted!) Big thanks to Ken & co. - Please use the Ref Arch. Example - (with Redpoint) Landscape picture - show 0.92 Review of last week - Kubecon & CNCon & PromDay highlights - Lessons learnt - Alexis TOC blog post: https://www.cncf.io/blog/2016/11/08/cloud-native-software-can-trust - I like Bryan's point about Literacy here http://www.techrepublic.com/article/silicon-valley-cto-explains-why-trump-happened/ (Dan & Chris) Exec Director's update: - Launch of Certification & why we need this & link to blog post https://www.cncf.io/blog/2016/11/08/cncf-partners-linux-foundation-launch-new-kubernetes-certification-training-managed-service-provider-program - DCO & CLA plans - Other GB updates (Dan & Chris) Future Meetings & Events - Dates for Tahoe meetup + why to attend (if you can & want to) - Dates for Kubecon/CNCon 2017 please Special Projects - - Last call: Graduation Criteria - Governance: Matt Proud - CNCF CI - Cloud Native Patterns & Example Apps: JJ - Architecture: Ken, Doug, .. AOB - Cancel Dec 21st
|
|
|
|
|
|
Re: Security policies for Kubernetes
Brian Grant
+mohr If you have feedback on the kubernetes proposal, please do provide that feedback on the doc or on the issue.
On Thu, Nov 10, 2016 at 10:05 AM, Nicko van Someren via cncf-toc <cncf-toc@...> wrote:
|
|
|
|
|
|
Re: Security policies for Kubernetes
Brandon Philips <brandon.philips@...>
Thanks Dan. I plan on pushing more on this post-KubeCon. Hopefully get PRs up against the documentation in the coming days. I will take this discussion under advisement but I think there are some clear people and process things we can get right before bike-shedding on disclosure process. Cheers, Brandon
On Thu, Nov 10, 2016 at 9:21 AM Dan Kohn <dan@...> wrote:
|
|
|
|
|
|
Draft graduation criteria
Dan Kohn <dan@...>
We believe we're Ready to call for a vote on the project graduation criteria. Could TOC members and others please add comments to the doc if they have additional concerns. https://docs.google.com/document/d/1l6e-hW7C3S6xJjGn47hUKKxeFBxiamAK7kn5efSryxY -- Dan Kohn <mailto:dan@linuxfoundation. Executive Director, Cloud Native Computing Foundation <https://cncf.io> tel:+1-415-233-1000
|
|
|
|
|
|
Re: Security policies for Kubernetes
Nicko van Someren <nicko@...>
I mailed a few of the OpenSSL team to ask them about this. Here's the reply from Rich Salz:
I hope that clarifies things. Cheers, Nicko On Thu, Nov 10, 2016 at 12:21 PM, Nicko van Someren <nicko@...> wrote:
Nicko van Someren CTO, Linux Foundation +1 (978) 821-0391
|
|
|
|
|
|
Re: Security policies for Kubernetes
Greg KH <gregkh@...>
On Thu, Nov 10, 2016 at 12:41:46PM -0700, Nicko van Someren wrote:
It's also worth noting that precisely because the Linux kernel team put out aAh, but I don't, I'm a horrible release maker. I did 3 releases 2 weeks ago, none last week, and then one this week. Or was it one last week, I can't remember... And all were on different days of the week, with no apparent reasoning behind when each is made[1] (some came later than announced, some earlier, and one with no announcement at all, and this was just the past 3 weeks.) So no, no one knows when our stable kernel releases are going to happen, heck, I don't even know that :) sorry, greg k-h [1] - It's my travel schedule that drives most of it, combined with when security bugs are found and fixed in Linus's tree, which happen unexpectedly as expected, or when embargos leak early, as happened with DirtyC0w[2]. [2] - DirtyC0w is proof that even when everything goes right on the project's security team side (kernel team was properly notified of problem in the wild, fix was found, backports to all relevant kernels were made and tested, embargo was planned, distros were notified ahead of time), it's really up to the other groups you notify to not mess up in order to keep it all together, which failed horribly here (embargo was leaked to the public from a distro, random companies knew there was a pending problem weeks early due to a different leak, competing OS team decides to make fun of the situatation and make a web site, etc.). So I'm really all for not telling _anyone_ outside of the project's team about security issues, as it always seems to go wrong.
|
|
|
|
|
|
Re: Security policies for Kubernetes
Nicko van Someren <nicko@...>
I don't disagree but in the absence of a highly regular release cadence, or in the case of an out-of-cycle release, it is still valuable to know when a new release is coming. But that's my comments, and not the OpenSSL's teams comments, I can't I will do. Thanks for raising the issue. Cheers, Nicko Nicko van Someren CTO, Linux Foundation +1 (978) 821-0391
|
|
|
|
|
|
Re: Security policies for Kubernetes
Greg KH <gregkh@...>
On Thu, Nov 10, 2016 at 07:21:34PM +0000, Nicko van Someren wrote:
That's interesting feedback. I was speaking to the VP of infrastructure at aUsers might get warm and fuzzies thinking that this is the only time they need to update, but really, they should be updating all the time. Announcing it ahead of time really doesn't help companies fix their infrastructure problems properly. But that's my comments, and not the OpenSSL's teams comments, I can't recall their exact reasons. I suggest talking to them at their next hackfest about it to get all of the details. thanks, greg k-h
|
|
|
|
|
|
Re: Security policies for Kubernetes
Nicko van Someren <nicko@...>
It's also worth noting that precisely because the Linux kernel team put out a release every single week the scheduling of IT resources for deployment is not a problem. People know in advance when your releases are going to drop. It is more valuable to have the advanced notice if you don't have a highly regular delivery schedule. Cheers, Nicko
On Thu, Nov 10, 2016 at 12:21 PM, Nicko van Someren <nicko@...> wrote:
--
Nicko van Someren CTO, Linux Foundation +1 (978) 821-0391
|
|
|
|
|
|
Re: Security policies for Kubernetes
Nicko van Someren <nicko@...>
That's interesting feedback. I was speaking to the VP of infrastructure at a major bank last week and he said that having a heads up from OpenSSL helps him hugely and he wished that more projects did it. I also had a request from one of the CII members asking for the same thing. Who in the OpenSSL team felt it didn't work? I would be interested to know what problems they find with this. Cheers, Nicko
On Thu, Nov 10, 2016 at 12:17 Greg KH <gregkh@...> wrote: On Thu, Nov 10, 2016 at 11:05:01AM -0700, Nicko van Someren wrote:
|
|
|
|
|
|
Re: Security policies for Kubernetes
Greg KH <gregkh@...>
On Thu, Nov 10, 2016 at 11:05:01AM -0700, Nicko van Someren wrote:
One thing I think would be valuable to include in the security process is forI think you might want to reconsider that, as over beers, the OpenSSL team says that this type of thing really doesn't work and just causes more problems... But hey, remember that I'm on a project that does weekly releases without telling anyone what the security fixes we made in them were, so what do I know? :) thanks, greg k-h
|
|
|
|
|
|
Re: Security policies for Kubernetes
Nicko van Someren <nicko@...>
Hi Alexis, Thanks for that. I read through the Google Doc and added some comments. One thing I think would be valuable to include in the security process is for there to be a broadcast mail to some 'announce' mailing list in advance of patches to high severity issues, indicating that a critical patch is imminent, with an expected release date but without full details of the issue. For large users with big IT infrastructure it may be necessary to schedule extra staff to install urgent patches quickly and having advanced notice of when this will be necessary is very helpful. Projects like OpenSSL usually send these out three days before security-critical releases (see https://goo.gl/BzElRC for examples). Cheers, Nicko
On Thu, Nov 10, 2016 at 10:26 AM, Alexis Richardson <alexis@...> wrote:
--
Nicko van Someren CTO, Linux Foundation +1 (978) 821-0391
|
|
|
|
|
|
Re: Security policies for Kubernetes
Chenxi Wang
Hi, Twistlock is a member and is a Container security company. We have been working with Google/GCP/Kubernetes for some time. We'd love to contribute. We'll start on the Github thread. Chenxi
On Thu, Nov 10, 2016 at 9:21 AM, Dan Kohn via cncf-toc <cncf-toc@...> wrote:
--
Chenxi Wang, Ph.D. Chief Strategy Officer, Twistlock @chenxiwang +1.650.224.7197
|
|
|
|
|
|
Re: Security policies for Kubernetes
alexis richardson
+nicko
On Thu, Nov 10, 2016 at 5:21 PM, Dan Kohn via cncf-toc <cncf-toc@...> wrote:
|
|
|
|
|
|
Security policies for Kubernetes
Dan Kohn <dan@...>
|
|
|
|
|
|
Re: [VOTE] Fluentd Project Proposal
alexis richardson
hooray
On Tue, Nov 8, 2016 at 4:12 PM, Chris Aniszczyk <caniszczyk@linuxfoundation.org> wrote: Yes we are all set Alexis, the official announcement will go out this
|
|
|
|
|
|
Re: [VOTE] Fluentd Project Proposal
Chris Aniszczyk
Yes we are all set Alexis, the official announcement will go out this morning:
On Tue, Nov 8, 2016 at 12:17 AM, Alexis Richardson via cncf-toc <cncf-toc@...> wrote: I believe that means we have six YES votes and Fluentd accepted. --
Chris Aniszczyk (@cra) | +1-512-961-6719
|
|
|
|
|
|
Re: [VOTE] Fluentd Project Proposal
alexis richardson
I believe that means we have six YES votes and Fluentd accepted.
Chris, please let us know when the voting officially 'closes'. On Tue, Nov 8, 2016 at 3:21 AM, Camille Fournier via cncf-toc <cncf-toc@lists.cncf.io> wrote: Yes
|
|
|
|