
Re: Notary/TuF & GPG (& Harbor)

alexis richardson
 

Thanks Justin, that is very helpful & certainly length-appropriate.



On Thu, Jun 22, 2017 at 3:50 AM, Justin Cappos via cncf-toc <cncf-toc@...> wrote:
I didn't do a deep dive, but it looks like the "simple signing" design from Fedora would enable an attacker that has compromised the signing server to compromise user devices (even with HSMs, etc.).  I also wasn't sure if there was a secure way to do key revocation in the case where an incident did occur.  These sorts of issues happen a lot more than one would expect [1-5] plus see [6] for dozens of other incidents.

TUF is designed to handle exactly these kinds of incidents while still retaining a high degree of security.  Actually, many ideas in TUF came out of security issues we found in YUM, APT, and other package managers [7,8].  We integrated ideas from an earlier system of ours into YUM, APT, YaST, Pacman, etc. back around 2009.

I'd be happy to talk more if there are any questions or thoughts, but want to keep this from being too long or from rambling too far off-topic...

Thanks,

_______________________________________________
cncf-toc mailing list
cncf-toc@...
https://lists.cncf.io/mailman/listinfo/cncf-toc



Notary/TuF & GPG (& Harbor)

Justin Cappos
 

I didn't do a deep dive, but it looks like the "simple signing" design from Fedora would enable an attacker that has compromised the signing server to compromise user devices (even with HSMs, etc.).  I also wasn't sure if there was a secure way to do key revocation in the case where an incident did occur.  These sorts of issues happen a lot more than one would expect [1-5] plus see [6] for dozens of other incidents.

TUF is designed to handle exactly these kinds of incidents while still retaining a high degree of security.  Actually, many ideas in TUF came out of security issues we found in YUM, APT, and other package managers [7,8].  We integrated ideas from an earlier system of ours into YUM, APT, YaST, Pacman, etc. back around 2009.

I'd be happy to talk more if there are any questions or thoughts, but want to keep this from being too long or from rambling too far off-topic...

Thanks,


Re: Notary/TuF & GPG (& Harbor)

alexis richardson
 

Scott

What are your thoughts on Notary?

a


On Wed, Jun 21, 2017 at 6:41 PM, Scott McCarty via cncf-toc <cncf-toc@...> wrote:
Per the comments on GnuPG - the ubiquitous use of GPG is what drove Red Hat to work on what we call "simple signing" [1][2]. We would love to partner on more of this work.


[1]: http://www.projectatomic.io/blog/2016/07/working-with-containers-image-made-easy/

[2]: https://access.redhat.com/articles/2750891

Best Regards

Scott M


On 06/20/2017 05:23 PM, Alexis Richardson via cncf-toc wrote:
Thanks Richard.  +1 on .debs.  My 2c is that signing functionality used to be quite inhumane, and any project seeking to do better could certainly focus on being "pleasant".  Although the Notary didn't highlight this specifically, it sounded like they haven't ignored it either.


On Tue, Jun 20, 2017 at 7:38 PM, Richard Hartmann <richih@...> wrote:

    On Tue, Jun 20, 2017 at 6:03 PM, Alexis Richardson via cncf-toc
    <cncf-toc@...> wrote:

    > Thanks Patrick & Docker people for Notary pres. I personally found it very
    > useful & educational, having avoided package signing myself as much as
    > possible ;-)
    >
    > I would love to understand how a GPG person would make the case for sticking
    > with just that.

    Speaking as a Debian Developer, most of my work in that regard is
    underpinned by GnuPG. A lot of the functionality mentioned could be
    built with GnuPG and installed base and integration in many, many
    workflows and systems is a huge advantage in potential adaption. That
    being said, features like built-in quorum, expiring signatures, and
    other mechanisms can't easily be replicated with GnuPG, or its
    brethren, in their current form.

    I can see merit in both extending the PGP world to cover these aspects
    and in creating a new infrastructure.

    I am willing to bet that feature velocity will be higher outside of
    the PGP ecosystem as the installed base could be a disadvantage in
    this context. Also, some mechanisms are not designed for anything
    exceeding a certain scale.


    While this is not an endorsement of any particular project or path
    forward, I can say that the general functionality is highly needed.
    Years ago, I implemented a data store for a financial customer with
    third-party commercial hashsum timestamping services; that was not
    very pleasant at all. The functionality in and as of itself would be
    useful in a _lot_ of regards.


    Richard





--

Scott McCarty, RHCA

Technical Product Marketing: Containers

Email: smccarty@...

Phone: 312-660-3535

Cell: 330-807-1043

Web: http://crunchtools.com

When should you split your application into multiple containers? http://red.ht/22xKw9i



Re: Notary/TuF & GPG (& Harbor)

Scott McCarty
 

Per the comments on GnuPG - the ubiquitous use of GPG is what drove Red Hat to work on what we call "simple signing" [1][2]. We would love to partner on more of this work.


[1]: http://www.projectatomic.io/blog/2016/07/working-with-containers-image-made-easy/

[2]: https://access.redhat.com/articles/2750891

Best Regards

Scott M

On 06/20/2017 05:23 PM, Alexis Richardson via cncf-toc wrote:
Thanks Richard. +1 on .debs. My 2c is that signing functionality used to be quite inhumane, and any project seeking to do better could certainly focus on being "pleasant". Although the Notary didn't highlight this specifically, it sounded like they haven't ignored it either.


On Tue, Jun 20, 2017 at 7:38 PM, Richard Hartmann <richih@...> wrote:

On Tue, Jun 20, 2017 at 6:03 PM, Alexis Richardson via cncf-toc
<cncf-toc@...> wrote:

> Thanks Patrick & Docker people for Notary pres. I personally found it very
> useful & educational, having avoided package signing myself as much as
> possible ;-)
>
> I would love to understand how a GPG person would make the case for sticking
> with just that.

Speaking as a Debian Developer, most of my work in that regard is
underpinned by GnuPG. A lot of the functionality mentioned could be
built with GnuPG and installed base and integration in many, many
workflows and systems is a huge advantage in potential adaption. That
being said, features like built-in quorum, expiring signatures, and
other mechanisms can't easily be replicated with GnuPG, or its
brethren, in their current form.

I can see merit in both extending the PGP world to cover these aspects
and in creating a new infrastructure.

I am willing to bet that feature velocity will be higher outside of
the PGP ecosystem as the installed base could be a disadvantage in
this context. Also, some mechanisms are not designed for anything
exceeding a certain scale.


While this is not an endorsement of any particular project or path
forward, I can say that the general functionality is highly needed.
Years ago, I implemented a data store for a financial customer with
third-party commercial hashsum timestamping services; that was not
very pleasant at all. The functionality in and as of itself would be
useful in a _lot_ of regards.


Richard




--

Scott McCarty, RHCA

Technical Product Marketing: Containers

Email: smccarty@...

Phone: 312-660-3535

Cell: 330-807-1043

Web: http://crunchtools.com

When should you split your application into multiple containers? http://red.ht/22xKw9i


Re: Notary/TuF & GPG (& Harbor)

alexis richardson
 

Thanks Richard.  +1 on .debs.  My 2c is that signing functionality used to be quite inhumane, and any project seeking to do better could certainly focus on being "pleasant".  Although the Notary didn't highlight this specifically, it sounded like they haven't ignored it either.


On Tue, Jun 20, 2017 at 7:38 PM, Richard Hartmann <richih@...> wrote:
On Tue, Jun 20, 2017 at 6:03 PM, Alexis Richardson via cncf-toc
<cncf-toc@...> wrote:

> Thanks Patrick & Docker people for Notary pres.  I personally found it very
> useful & educational, having avoided package signing myself as much as
> possible ;-)
>
> I would love to understand how a GPG person would make the case for sticking
> with just that.

Speaking as a Debian Developer, most of my work in that regard is
underpinned by GnuPG. A lot of the functionality mentioned could be
built with GnuPG and installed base and integration in many, many
workflows and systems is a huge advantage in potential adaption. That
being said, features like built-in quorum, expiring signatures, and
other mechanisms can't easily be replicated with GnuPG, or its
brethren, in their current form.

I can see merit in both extending the PGP world to cover these aspects
and in creating a new infrastructure.

I am willing to bet that feature velocity will be higher outside of
the PGP ecosystem as the installed base could be a disadvantage in
this context. Also, some mechanisms are not designed for anything
exceeding a certain scale.


While this is not an endorsement of any particular project or path
forward, I can say that the general functionality is highly needed.
Years ago, I implemented a data store for a financial customer with
third-party commercial hashsum timestamping services; that was not
very pleasant at all. The functionality in and as of itself would be
useful in a _lot_ of regards.


Richard


Re: Notary/TuF & GPG (& Harbor)

Richard Hartmann
 

On Tue, Jun 20, 2017 at 6:03 PM, Alexis Richardson via cncf-toc
<cncf-toc@...> wrote:

> Thanks Patrick & Docker people for Notary pres. I personally found it very
> useful & educational, having avoided package signing myself as much as
> possible ;-)
>
> I would love to understand how a GPG person would make the case for sticking
> with just that.

Speaking as a Debian Developer, most of my work in that regard is
underpinned by GnuPG. A lot of the functionality mentioned could be
built with GnuPG and installed base and integration in many, many
workflows and systems is a huge advantage in potential adaption. That
being said, features like built-in quorum, expiring signatures, and
other mechanisms can't easily be replicated with GnuPG, or its
brethren, in their current form.

I can see merit in both extending the PGP world to cover these aspects
and in creating a new infrastructure.

I am willing to bet that feature velocity will be higher outside of
the PGP ecosystem as the installed base could be a disadvantage in
this context. Also, some mechanisms are not designed for anything
exceeding a certain scale.


While this is not an endorsement of any particular project or path
forward, I can say that the general functionality is highly needed.
Years ago, I implemented a data store for a financial customer with
third-party commercial hashsum timestamping services; that was not
very pleasant at all. The functionality in and as of itself would be
useful in a _lot_ of regards.


Richard


Re: Zoom

Camille Fournier
 

To be clear, I dialed in but it was totally unclear how to unmute myself. I own a phone with a mute button; perhaps there's a default setting we could fix to not default phone to mute.

On Jun 20, 2017 11:58 AM, "Eduardo Silva" <eduardo@...> wrote:
Actually, there is a phone-only option. Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)

On Tue, Jun 20, 2017 at 9:55 AM, Camille Fournier via cncf-toc <cncf-toc@...> wrote:
Zoom is cool but I need something phone-only that doesn't mute me in a fashion where I don't control it myself. Can we fix config default or move to something else?

C





--
Eduardo Silva
Open Source, Treasure Data
http://www.treasuredata.com/opensource

 


Re: Notary/TuF & GPG (& Harbor)

alexis richardson
 

That's good info.

Keen to learn more from the community about this use case and project!


On Tue, 20 Jun 2017, 18:05 Solomon Hykes, <solomon.hykes@...> wrote:
Notary has also been shipping to enterprise customers as part of Docker EE. Good to know VMware has followed suit. If enterprise adoption is a point of evaluation we can put together a few case studies.

On Tuesday, June 20, 2017, Mark Peek via cncf-toc <cncf-toc@...> wrote:

Harbor is an open source enterprise registry built on top of Docker distribution. It adds enterprise features such as RBAC, LDAP/AD support, auditing, Notary, and other features (follow link below). While standalone, it is also being shipped with the vSphere Integrated Containers product.

 

https://github.com/vmware/harbor

 

My apologies if there was confusion on my Notary/Harbor comment on the call. The Notary team was asked about the number of github stars and/or the broader community. The point I was trying to make in support is since Notary is included into Harbor (with over 2k stars) and shipping to enterprise customers, the Notary project has more scope than just their own repo.

 

Mark

 

From: Alexis Richardson <alexis@...>
Date: Tuesday, June 20, 2017 at 9:03 AM
To: Alexis Richardson via cncf-toc <cncf-toc@...>
Cc: Patrick Chanezon <patrick.chanezon@...>
Subject: Notary/TuF & GPG (& Harbor)

 

Hi all 

 

Thanks Patrick & Docker people for Notary pres.  I personally found it very useful & educational, having avoided package signing myself as much as possible ;-)

 

I would love to understand how a GPG person would make the case for sticking with just that.

 

I would love to hear more from Mark about Harbor as a broader use case for Notary.

 

alexis

 

 

 


Re: Notary/TuF & GPG (& Harbor)

Solomon Hykes
 

Notary has also been shipping to enterprise customers as part of Docker EE. Good to know VMware has followed suit. If enterprise adoption is a point of evaluation we can put together a few case studies.


On Tuesday, June 20, 2017, Mark Peek via cncf-toc <cncf-toc@...> wrote:

Harbor is an open source enterprise registry built on top of Docker distribution. It adds enterprise features such as RBAC, LDAP/AD support, auditing, Notary, and other features (follow link below). While standalone, it is also being shipped with the vSphere Integrated Containers product.

 

https://github.com/vmware/harbor

 

My apologies if there was confusion on my Notary/Harbor comment on the call. The Notary team was asked about the number of github stars and/or the broader community. The point I was trying to make in support is since Notary is included into Harbor (with over 2k stars) and shipping to enterprise customers, the Notary project has more scope than just their own repo.

 

Mark

 

From: Alexis Richardson <alexis@...>
Date: Tuesday, June 20, 2017 at 9:03 AM
To: Alexis Richardson via cncf-toc <cncf-toc@...>
Cc: Patrick Chanezon <patrick.chanezon@...>
Subject: Notary/TuF & GPG (& Harbor)

 

Hi all 

 

Thanks Patrick & Docker people for Notary pres.  I personally found it very useful & educational, having avoided package signing myself as much as possible ;-)

 

I would love to understand how a GPG person would make the case for sticking with just that.

 

I would love to hear more from Mark about Harbor as a broader use case for Notary.

 

alexis

 

 

 


Re: Notary/TuF & GPG (& Harbor)

Mark Peek
 

Harbor is an open source enterprise registry built on top of Docker distribution. It adds enterprise features such as RBAC, LDAP/AD support, auditing, Notary, and other features (follow link below). While standalone, it is also being shipped with the vSphere Integrated Containers product.

 

https://github.com/vmware/harbor

 

My apologies if there was confusion on my Notary/Harbor comment on the call. The Notary team was asked about the number of github stars and/or the broader community. The point I was trying to make in support is since Notary is included into Harbor (with over 2k stars) and shipping to enterprise customers, the Notary project has more scope than just their own repo.

 

Mark

 

From: Alexis Richardson <alexis@...>
Date: Tuesday, June 20, 2017 at 9:03 AM
To: Alexis Richardson via cncf-toc <cncf-toc@...>
Cc: Patrick Chanezon <patrick.chanezon@...>
Subject: Notary/TuF & GPG (& Harbor)

 

Hi all 

 

Thanks Patrick & Docker people for Notary pres.  I personally found it very useful & educational, having avoided package signing myself as much as possible ;-)

 

I would love to understand how a GPG person would make the case for sticking with just that.

 

I would love to hear more from Mark about Harbor as a broader use case for Notary.

 

alexis

 

 

 


Re: Zoom

Richard Hartmann
 

On Tue, Jun 20, 2017 at 5:55 PM, Camille Fournier via cncf-toc
<cncf-toc@...> wrote:
> Zoom is cool but I need something phone-only that doesn't mute me in a
> fashion where I don't control it myself. Can we fix config default or move
> to something else?

I called in over the German number. It kicked me out while blaring
gibberish first, but then allowed me to call in just fine. Other than
the one time I heard, well, blaring gibberish, and you couldn't hear
me, that was fine. The recording at the start told me to use *6 to
mute/unmute and I did that several times without issue.

All that being said, I would personally prefer something that runs
in-browser on Linux; Hangouts is quite nice in this regard. But
obviously, I am mainly sitting on the peanut gallery in this context.


Richard


Notary/TuF & GPG (& Harbor)

alexis richardson
 

Hi all 

Thanks Patrick & Docker people for Notary pres.  I personally found it very useful & educational, having avoided package signing myself as much as possible ;-)

I would love to understand how a GPG person would make the case for sticking with just that.

I would love to hear more from Mark about Harbor as a broader use case for Notary.

alexis




Re: Zoom

Chris Aniszczyk
 

I'm not sure what the problem was on your end, Camille, but I'll investigate why you couldn't unmute yourself.

Thanks for your patience, we are still learning the ins and outs of Zoom.

On Tue, Jun 20, 2017 at 11:56 PM Camille Fournier via cncf-toc <cncf-toc@...> wrote:
Zoom is cool but I need something phone-only that doesn't mute me in a fashion where I don't control it myself. Can we fix config default or move to something else?

C
--
Cheers,

Chris Aniszczyk
http://aniszczyk.org
+1 512 961 6719


Re: Zoom

Eduardo Silva
 

Actually, there is a phone-only option. Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)

On Tue, Jun 20, 2017 at 9:55 AM, Camille Fournier via cncf-toc <cncf-toc@...> wrote:
Zoom is cool but I need something phone-only that doesn't mute me in a fashion where I don't control it myself. Can we fix config default or move to something else?

C





--
Eduardo Silva
Open Source, Treasure Data
http://www.treasuredata.com/opensource

 


Zoom

Camille Fournier
 

Zoom is cool but I need something phone-only that doesn't mute me in a fashion where I don't control it myself. Can we fix config default or move to something else?

C


Re: openmetrics next steps

Richard Hartmann
 

On Tue, Jun 20, 2017 at 5:34 PM, Alexis Richardson <alexis@...> wrote:

> Please talk to the GH project owner who has "openmetrics".

Those requests are proxied by GH these days, but I will try.

> For help & next steps, you can follow up with Lee & Ken via email - ccd.

Will do.

> You can find the Kubernetes Instrumentation SIG at
> https://github.com/kubernetes/community/tree/master/sig-instrumentation

Fabian is listed as a lead and he's in on this effort as well. Still,
I will make them officially aware.


Richard


openmetrics next steps

alexis richardson
 

Richard

Thanks!  

Please talk to the GH project owner who has "openmetrics".

For help & next steps, you can follow up with Lee & Ken via email - ccd.

You can find the Kubernetes Instrumentation SIG at https://github.com/kubernetes/community/tree/master/sig-instrumentation

a





TOC Agenda for 6/20/17

Chris Aniszczyk
 

Here's the deck: https://goo.gl/moEKQp

Also as a reminder, we are trying out Zoom conferencing for TOC calls now, this is a better system IMHO and easier for our Chinese community too!

Time: June 20 800AM-900AM (Pacific)

https://zoom.us/j/263858603

Or Telephone:

   Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)

   +1 855 880 1246 (US Toll Free)

   +1 877 369 0926 (US Toll Free)

   Meeting ID: 263 858 603

   International numbers available: https://zoom.us/zoomconference?m=ddKUsXGa2tGOHvCl4ccI0juqU7TZaCov

--
Chris Aniszczyk (@cra) | +1-512-961-6719


News from Kubernetes leadership summit

alexis richardson
 

CNCF community,

The Kubernetes project is at full tilt.

Please see below a summary of the recent Leadership Summit, a
gathering of mostly technical folk driving this project. Apologies if
some hyperlinks are missing - please refer to Brian's post @
https://groups.google.com/forum/#!topic/kubernetes-dev/PpgLgkffr3o

At the CNCF we want many such projects - all learning from each other.
Help make that happen: As you can see the project is breaking the
bounds of even modern tools and structures. There are many
opportunities to help - please speak up here, or contact the relevant
project leads.

alexis



---------- Forwarded message ----------
From: 'Brian Grant' via Kubernetes developer/contributor discussion
<kubernetes-dev@...>
Date: Mon, Jun 12, 2017 at 8:18 PM
Subject: Leadership summit summary and outcomes
To: "kubernetes-dev@..." <kubernetes-dev@...>


A group of O(100) of us met on Friday, June 2, at Samsung in San Jose.
We're working on getting notes from the meeting checked into github.
In the meantime, I thought I'd give a summary. Others who attended are
welcome to follow up with their takeaways.

Tim (@thockin) presented an overview of the state of the project.
After covering the great progress we've made, we talked about having
reached an inflection point in the project. There was broad consensus
among those present that the project needs to increase focus on:

- Finishing features/APIs, especially table-stakes ones, such as
  Deployment, Ingress, RBAC, encrypted Secrets (as opposed to adding net
  new concepts)
- Architectural layering, modularity, project boundaries
- Stability, predictability, fixing bugs, paying down technical debt
- Easier "on ramps": user docs, examples, best practices, installers,
  tools, status, debugging
- Contributor experience, tooling, and testing
- Governance
- Conformance

We discussed the need to refresh the roadmap assembled in November,
which was presented by Aparna and Ihor, along with some interesting
data, such as penetration of container orchestrators (~7%) and which
SIGs have the most open issues (Node and API machinery).

Brandon (@philips) and I presented more of the motivation for the
Governance proposal, and solicited nominations for the Steering
Committee. Please, please, please do comment on the governance
proposal, even if just to LGTM, and seriously consider running for the
Steering Committee. We asked SIGs to start working on their charters.
I also spoke about the role of CNCF with respect to the project.

I presented my architecture roadmap proposal, and received positive
feedback. It put the extension mechanisms underway, such as API
aggregation, into context. One outcome was the mandate to form SIG
Architecture. An Extensibility Working Group was also discussed, but
perhaps the Architecture SIG could serve the role of driving the
needed extension mechanisms forward.

The discussion about code organization mostly centered around the
effort to scale the project to multiple github repos and orgs. Github
provides exactly 2 levels of hierarchy, and we need to use both
effectively. By multiple metrics kubernetes/kubernetes is the most
active repo on Github. All of Github's mechanisms (e.g., permissions,
notifications, hooks) are designed to support small, focused repos.
Every other project of comparable scale is comprised of many repos
(e.g., Nodejs has ~100 and CloudFoundry has ~300). The
kubernetes/kubernetes commit rate peaked in July 2015, when the
project was 10x smaller, and most commits on the project are already
outside kubernetes/kubernetes.

Additionally, there is a desire to at least start new functionality
outside the main repo/release. Since Kubernetes is an API-centric
system and since we're using the API machinery for component
configuration as well, the API machinery needs to be made available to
other repos in order for any significant development to be feasible
outside kubernetes/kubernetes. We're using Service Catalog
(https://github.com/kubernetes-incubator/service-catalog) as a driving
use case for this. We've also started serious work on moving out
kubectl, which is at least as important symbolically as it is
technically, and have stopped accepting new cloudprovider
implementations.

The discussion about areas falling through the cracks focused on what
to do about them. There was consensus that some SIG needs to own the
build machinery. Proposals included SIG release, SIG testing, SIG
contributor experience, and SIG build (i.e., a new SIG). It was
suggested that whatever SIG owns the build should also own utility
libraries. In addition to strategies that have been discussed before
(e.g., accountability metrics, leaderboard, help wanted / janitors,
rotations), we discussed the idea of creating job descriptions for
more project/SIG roles, as has been done for the release team, as a
way to make it more clear to participating companies and individuals
what areas need to be staffed.

I'm looking forward to the notes from the SIG breakout, which was at
the same time as the "falling through the cracks" session. It sounds
like there were good discussions about SIG leadership, organization,
communication, consolidation, participation, and other topics.

Similar for the community effectiveness breakout, which discussed a
number of topics, including how to convert passive attendees to active
participants.

Look for the full summit notes over the next couple weeks, as well as
follow up on action items during the community hangout.

Thanks to Cameron for organizing the event, to everyone else who
helped with the summit, to Samsung for hosting it, and to everyone who
participated.

--Brian



IMPORTANT - CNCF TOC Goals and Operating Principles - v0.2

alexis richardson
 

Broadening beyond TOC to add CNCF GB & Marketing.


CNCF community,

PLEASE review this doc whose purpose is to summarise the thinking of
the TOC concerning project selection, governance, and other frequently
requested topics.

https://docs.google.com/document/d/1Yl3IPpZnEWJRaXSBsTQ22ymQF57N5x_nHVHvmJdAj9Y/edit

This is important - please do engage. Currently this document is a
draft. Since the TOC operates by vote, these principles may in future
become written precedent.

alexis



On Mon, May 15, 2017 at 4:43 PM, Alexis Richardson <alexis@...> wrote:
Hi

Out of a desire to start writing down more how CNCF works, and what
our principles are, Brian, Ken and I pulled some ideas into a doc:

https://docs.google.com/document/d/1Yl3IPpZnEWJRaXSBsTQ22ymQF57N5x_nHVHvmJdAj9Y/edit

Comments are solicited.

Please don't be too harsh - this is just the first iteration.

alexis
