[VOTE] In-toto for incubating
Lachlan Evenson
+1 NB
Steve Lasker
+1 non-binding
Yusuf Hadiwinata
+1 NB
Best Regards,
Yusuf Hadiwinata Sutandar
VP - Operation & Services
PT. Biznet Gio Nusantara
From: cncf-toc@... <cncf-toc@...> on behalf of stevenlasker via lists.cncf.io <stevenlasker=hotmail.com@...>
Sent: Thursday, 10 February 2022 6:23
To: cncf-toc@... <cncf-toc@...>
Subject: Re: [cncf-toc] [VOTE] In-toto for incubating

> +1 non-binding
Jim Bugwadia
+1 non-binding

On Wed, Feb 9, 2022 at 6:57 PM Yusuf Hadiwinata <yusuf@...> wrote:
+1 non-binding
On Wed, Feb 09, 2022 at 11:30:35PM -0800, Jim Bugwadia via lists.cncf.io wrote:

> +1 non-binding
Erin Boyd
+1 binding

On Tue, Feb 8, 2022 at 2:21 PM Amye Scavarda Perrin <ascavarda@...> wrote:
Sambhav Kothari
+1 NB
Alena Prokharchyk
+1 binding
-alena
Richard Hartmann
+0 binding
Still getting up to speed for TOC, sorry. Some questions:

Debian is not a company. I couldn't find Lukas on Debian Developer search[1] nor Debian Maintainer search[2]. In a section below, Debian was removed and replaced with "New York University". Not a blocker, but being a Debian Developer myself, I feel compelled to mention it.

Debian packages[3][4] for in-toto are from 2021-03-12, skipping 1.1.0, 1.1.1, and the recent 1.2.0 releases[5].

Commit history graph[6] shows a distinct slowdown starting 2020. Does this mean the project has reached/is approaching feature completeness? Is the "every 3 months release cadence" starting with 1.2.0? Recent PRs were largely janitorial and/or from bots[7]. Along similar lines, the three example PRs[8][9][10] are dated middle of last year. Is there a timeframe for Future Plans & ITEs[11]?

I know from my own DDs that velocity can be deceiving, and that it can also be compensated by extremely wide adoption. Yet, I do not currently get a strong feeling of high velocity nor of very wide adoption.

At the same time, I realize I am very late to the game in this DD process. Having joined TOC just before a week of illness makes me the late-comer with questions & vote. I explicitly do not want to block anything with incomplete information. As such, my current vote is +0 as per above. Depending on answers, I would be happy to switch to +1.

Best,
Richard

[1] https://db.debian.org/
[2] https://nm.debian.org/public/findperson/
[3] https://qa.debian.org/developer.php?login=lukas.puehringer%40nyu.edu
[4] https://tracker.debian.org/pkg/in-toto
[5] https://github.com/in-toto/in-toto/tags
[6] https://github.com/in-toto/in-toto/graphs/contributors
[7] https://github.com/in-toto/in-toto/pulls?q=is%3Apr
[8] https://github.com/in-toto/in-toto/pull/462
[9] https://github.com/in-toto/in-toto/pull/456
[10] https://github.com/in-toto/in-toto/pull/466
[11] https://docs.google.com/document/d/1zoOdI_xygcY3Ta1LzTFfAjW8vhvR6lcAqQRlzYNo91k/edit#heading=h.hdo9ytubuszq
Santiago Torres Arias <santiago@...>
Hi Richard.
> +0 binding

I'm somewhat sad to read this reaction, considering we're an open source project that is *not* backed by a company (one of the few around here in fact). Although there are other users/communities we work with, I wanted to single out the long-standing work we've done with Debian dating back to 2015.

> I couldn't find Lukas on Debian Developer search[1] nor Debian Maintainer search[2]. In a section below, Debian was removed and replaced with "New York University".

Being a DD yourself, maybe you know Holger Levsen? https://github.com/orgs/in-toto/people/h01ger

He's been coaching us in doing the packaging for the Debian ecosystem, including a transport for APT[1]. Which I believe is also used by QubesOS. It is also part of the reproducible builds project to check cross-build reproducibility (see integration with rebuilderd).

https://reproducible.seal.purdue.wtf/
https://github.com/kpcyrd/rebuilderd

Naturally, it is hard for me to make a statement to what level Debian is involved, without feeling like I'm putting words in people's mouths. However, I do believe that members of the Debian community have always been participating and helping us out (mostly as a part of a shared goal of build reproducibility, as it is crucial for software supply chain security).

Personally, I was surprised to see your positive attitude for reproducible builds on another project's vote (which is good to see it mentioned!) but glossed over the in-toto bits as part of the effort (I don't believe there are other CNCF projects listed here): https://reproducible-builds.org/who/projects/

> Commit history graph[6] shows a distinct slowdown starting 2020. Does this mean the project has reached/is approaching feature completeness?

In a sense, yes, the Python implementation is being used in production, so we are wary to do major overhauls. We have adopted the attitude to use the golang implementation to test out new features and then port them back to the python one. I can also say that we had various degrees of developer turnover once the pandemic started...

> Is the "every 3 months release cadence" starting with 1.2.0?

No, this has been a commitment we've done and/or around version 1.0. We have lagged a couple of times, I agree.

> Recent PRs were largely janitorial and/or from bots[7]. Along similar lines, the three example PRs[8][9][10] are dated middle of last year.

This is true, I'm not entirely in control on velocity. Overall, we get high fluctuation on it, depending on how features get approved, new integrations pop up, etc. I wish I had a better answer to this.

> Is there a timeframe for Future Plans & ITEs[11]?

Overall, yes. Not sure if you've seen the roadmap reviews. We have also moved to a monthly community meeting time where we discuss ITE status and vote to increase velocity. We're starting to see a lot of implementations (e.g., witness) that are bringing up new features. As usual, we're in a tightrope between ensuring everybody is heard in terms of feature additions (so as to not overlap), and allow people to play with things to see what works.

> Yet, I do not currently get a strong feeling of high velocity nor of very wide adoption.
> As such, my current vote is +0 as per above. Depending on answers, I would be happy to switch to +1.

I do appreciate your perspective. And I'd be happy to answer questions or rephrase answers as needed.

Cheers!
-Santiago

[1] https://packages.debian.org/sid/x32/utils/apt-transport-in-toto

On Thu, Feb 17, 2022 at 09:00:52PM +0100, Richard Hartmann wrote:
Brandon Lum
+1 nb

On Thu, Feb 17, 2022 at 3:54 PM Santiago Torres Arias <santiago@...> wrote:

> Hi Richard.
Richard Hartmann
Thank you for the quick & detailed response.
Also, again, I am still getting up to speed with this new hat on.

On Thu, Feb 17, 2022 at 9:30 PM Santiago Torres Arias <santiago@...> wrote:

> > Debian is not a company.
> I'm somewhat sad to read this reaction, considering we're an open source project that is *not* backed by a company (one of the few around here in fact).

Sorry for being unclear; the DD doc referred to Debian as a company. The rest was me trying to drill into what specific relationship exists.

It would still be good to bump the version shipped with Debian, IMO. apt-transport-in-toto[1] is current.

> Being a DD yourself, maybe you know Holger Levsen?

For two decades, yes; I reached out-of-band.

> https://github.com/orgs/in-toto/people/h01ger

That org membership is non-public and he's not listed in MAINTAINERS.

> Personally, I was surprised to see your positive attitude for reproducible builds on another project's vote but glossed over the in-toto bits as part of the effort

That wasn't mentioned in the DD doc and I missed it when looking through the repo; sorry. To make it explicit: Any project building reproducibly gets extra points for being serious in my book.

> (I don't believe there are other CNCF projects listed here):

With my Prometheus hat on, I have tried to get Prometheus onto that list for years but didn't make huge progress. With my Grafana hat on: Same.

> In a sense, yes, the Python implementation is being used in production, so we are wary to do major overhauls.

Thanks; I was going from DD doc & homepage. In absolute numbers, not relative contributions over time, the Go version looks similar to the Python for the last 1-2 years. Is [2] the correct repository to look at?

> I can also say that we had various degrees of developer turnover once the pandemic started...

More than understandable; I know how it is. Public documentation should manage expectations and arguably underpromise.

> Overall, yes. Not sure if you've seen the roadmap reviews. We have also moved to a monthly community meeting time where we discuss ITE status and vote to increase velocity.

I didn't see them, no. Do you have a direct link to an overview?

> I do appreciate your perspective. And I'd be happy to answer questions or rephrase answers as needed.

As the DD doc is done and voting period already ongoing, I am not sure how much use it is to go back and change it.

I am too new in my TOC role to have any opinion on this. For the moment, I still feel more comfortable with +0 but want to emphasize that this is _not_ a -1.

Again, thanks for the quick & detailed reply,
best,
Richard
Lukas Puehringer
Hi Richard,
Thank you for the thorough review and detailed comments!

And thanks for the nudge about the Debian releases, I just pushed an up-to-date downstream release to mentors [1].

Regarding our relationship to Debian and Reproducible Builds, we’ve been regulars at Debconfs and RB Summits since the inception of the in-toto project (see e.g. [2], [3]), and quite a few in-toto related projects have benefited from our involvement with the community, most notably [4],[5],[6]. It is true that I personally am not a Debian Developer, but I have worked together with the DD Holger Levsen in the past to prepare and upload the downstream releases.

And here is a link to the latest organization-wide “Roadmap review” document, which Santiago mentioned:

There is definitely more going on in the broader in-toto ecosystem, than in the reference implementation, due to the maturity the latter has reached [7].

Let me know if you have questions about any of the resources I shared. I’m happy to provide more details (also off-list).

Kind regards,
Lukas
Richard Hartmann
+1 binding.
I still have some thoughts around overall velocity, but after talking to h01ger off-list, I am confident in changing my vote.

The rest of this email is more about Debian than CNCF, feel free to skip.

On Tue, Feb 22, 2022 at 12:19 PM Lukas Puehringer <lukas.puehringer@...> wrote:

> Regarding our relationship to Debian and Reproducible Builds, we’ve been regulars at Debconfs and RB Summits since the inception of the in-toto project (see e.g. [2], [3]), and quite a few in-toto related projects have benefited from our involvement with the community, most notably [4],[5],[6].

Thanks for those. After leading DebConf15 I kinda burned out wrt them, so I missed this.

> It is true that I personally am not a Debian Developer, but I have worked together with the DD Holger Levsen in the past to prepare and upload the downstream releases.

Totally fine; as you probably know, DDs take an _extremely_ close look onto any claims re Debian doing/saying/being anything specific due to how often it was used as a reference and not always in the best of faith.

As a nit, shipping manpages with Linux packages would be preferable, but I know a lot of projects don't. Ones I should probably be writing manpages for myself included.

Thanks for the detailed responses from the in-toto crowd,
best,
Richard