[VOTE] In-toto for incubating
Yusuf Hadiwinata Sutandar
VP - Operation & Services
PT. Biznet Gio Nusantara
From: cncf-toc@... <cncf-toc@...> on behalf of stevenlasker via lists.cncf.io <stevenlasker=hotmail.com@...>
Sent: Thursday, 10 February 2022 6:23
To: cncf-toc@... <cncf-toc@...>
Subject: Re: [cncf-toc] [VOTE] In-toto for incubating
+1 non-binding
On Wed, Feb 9, 2022 at 6:57 PM Yusuf Hadiwinata <yusuf@...> wrote:
+1 non-binding
On Wed, Feb 09, 2022 at 11:30:35PM -0800, Jim Bugwadia via lists.cncf.io wrote:
On Tue, Feb 8, 2022 at 2:21 PM Amye Scavarda Perrin <ascavarda@...> wrote:
+1 binding
Still getting up to speed for TOC, sorry. Some questions:
Debian is not a company. I couldn't find Lukas on Debian Developer
search nor Debian Maintainer search. In a section below, Debian
was removed and replaced with "New York University". Not a blocker,
but being a Debian Developer myself, I feel compelled to mention it.
Debian packages for in-toto are from 2021-03-12, skipping 1.1.0,
1.1.1, and the recent 1.2.0 releases.
Commit history graph shows a distinct slowdown starting 2020. Does
this mean the project has reached/is approaching feature completeness?
Is the "every 3 months release cadence" starting with 1.2.0?
Recent PRs were largely janitorial and/or from bots. Along similar
lines, the three example PRs are dated middle of last year.
Is there a timeframe for Future Plans & ITEs?
I know from my own DDs that velocity can be deceiving, and that it can
also be compensated by extremely wide adoption. Yet, I do not
currently get a strong feeling of high velocity nor of very wide
adoption. At the same time, I realize I am very late to the game in
this DD process. Having joined TOC just before a week of illness makes
me the late-comer with questions & vote. I explicitly do not want to
block anything with incomplete information.
As such, my current vote is +0 as per above. Depending on answers, I
would be happy to switch to +1.
+0 binding

Santiago Torres Arias <santiago@...>

I'm somewhat sad to read this reaction, considering we're an open source
project that is *not* backed by a company (one of the few around here in
fact). Although there are other users/communities we work with, I wanted
to single out the long-standing work we've done with Debian dating back
> search nor Debian Maintainer search. In a section below, Debian

Being a DD yourself, maybe you know Holger Levsen?
He's been coaching us in doing the packaging for the Debian ecosystem,
including a transport for APT. Which I believe is also used by
QubesOS. It is also part of the reproducible builds project to check
cross-build reproducibility (see integration with rebuilderd).
Naturally, it is hard for me to make a statement to what level Debian is
involved, without feeling like I'm putting words on people's mouths.
However, I do believe that members of the Debian community have always
been participating and helping us out (mostly as a part of a shared goal
of build reproducibility, as it is crucial for software supply chain
security). Personally, I was surprised to see your positive attitude for
reproducible builds on another project's (which is good to see it
mentioned!) vote but glossed over the in-toto bits as part of the
effort (I don't believe there are other CNCF projects listed here):
> Commit history graph shows a distinct slowdown starting 2020. Does

In a sense, yes, the Python implementation is being used in production,
so we are wary to do major overhauls. We have adopted the attitude to
use the golang implementation to test out new features and then port
them back to the python one.
I can also say that we had various degrees of developer turnover once
the pandemic started...
> Is the "every 3 months release cadence" starting with 1.2.0?

No, this has been a commitment we've done and/or around version 1.0. We
have lagged a couple of times, I agree.
> Recent PRs were largely janitorial and/or from bots. Along similar

This is true, I'm not entirely in control on velocity. Overall, we get
high fluctuation on it, depending on how features get approved, new
integrations pop up, etc. I wish I had a better answer to this.
> Is there a timeframe for Future Plans & ITEs?

Overall, yes. Not sure if you've seen the roadmap reviews. We have also
moved to a monthly community meeting time where we discuss ITE status
and vote to increase velocity. We're starting to see a lot of
implementations (e.g., witness) that are bringing up new features. As
usual, we're in a tightrope between ensuring everybody is heard in terms
of feature additions (so as to not overlap), and allow people to play
with things to see what works.
> Yet, I do not currently get a strong feeling of high velocity nor of
> As such, my current vote is +0 as per above. Depending on answers, I

I do appreciate your perspective. And I'd be happy to answer questions
or rephrase answers as needed.
On Thu, Feb 17, 2022 at 09:00:52PM +0100, Richard Hartmann wrote:
On Thu, Feb 17, 2022 at 3:54 PM Santiago Torres Arias <santiago@...> wrote:
Thank you for the quick & detailed response.
Also, again, I am still getting up to speed with this new hat on.
On Thu, Feb 17, 2022 at 9:30 PM Santiago Torres Arias <santiago@...> wrote:
> Debian is not a company.
> I'm somewhat sad to read this reaction, considering we're an open source

Sorry for being unclear; the DD doc referred to Debian as a company.
The rest was me trying to drill into what specific relationship
exists. It would still be good to bump the version shipped with
apt-transport-in-toto is current.
> Being a DD yourself, maybe you know Holger Levsen?

For two decades, yes; I reached out-of-band.
> https://github.com/orgs/in-toto/people/h01ger

That org membership is non-public and he's not listed in MAINTAINERS.
> Personally, I was surprised to see your positive attitude for

That wasn't mentioned in the DD doc and I missed it when looking
through the repo; sorry.
To make it explicit: Any project building reproducibly gets extra
points for being serious in my book.
> (I don't believe there are other CNCF projects listed here):

With my Prometheus hat on, I have tried to get Prometheus onto that
list for years but didn't make huge progress.
With my Grafana hat on: Same.
> In a sense, yes, the Python implementation is being used in production,

Thanks; I was going from DD doc & homepage.
In absolute numbers, not relative contributions over time, the Go
version looks similar to the Python for the last 1-2 years. Is  the
correct repository to look at?
> I can also say that we had various degrees of developer turnover once

More than understandable; I know how it is. Public documentation
should manage expectations and arguably underpromise.
> Overall, yes. Not sure if you've seen the roadmap reviews. We have also

I didn't see them, no. Do you have a direct link to an overview?
> I do appreciate your perspective. And I'd be happy to answer questions

As the DD doc is done and voting period already ongoing, I am not sure
how much use it is to go back and change it. I am too new in my TOC
role to have any opinion on this.
For the moment, I still feel more comfortable with +0 but want to
emphasize that this is _not_ a -1.
Again, thanks for the quick & detailed reply,
Hi Richard,

Thank you for the thorough review and detailed comments! And thanks for the nudge about the Debian releases, I just pushed an up-to-date downstream release to mentors.
Regarding our relationship to Debian and Reproducible Builds, we’ve been regulars at Debconfs and RB Summits since the inception of the in-toto project (see e.g. , ), and quite a few in-toto related projects have benefited from our involvement with the community, most notably ,,.
It is true that I personally am not a Debian Developer, but I have worked together with the DD Holger Levsen in the past to prepare and upload the downstream releases.
And here is a link to the latest organization-wide “Roadmap review” document, which Santiago mentioned:
There is definitely more going on in the broader in-toto ecosystem than in the reference implementation, due to the maturity the latter has reached.
Let me know if you have questions about any of the resources I shared. I’m happy to provide more details (also off-list).
I still have some thoughts around overall velocity, but after talking
to h01ger off-list, I am confident in changing my vote.
The rest of this email is more about Debian than CNCF, feel free to skip.
On Tue, Feb 22, 2022 at 12:19 PM Lukas Puehringer
> Regarding our relationship to Debian and Reproducible Builds, we’ve been regulars at Debconfs and RB Summits since the inception of the in-toto project (see e.g. , ), and quite a few in-toto related projects have benefited from our involvement with the community, most notably ,,.

Thanks for those. After leading DebConf15 I kinda burned out wrt them,
so I missed this.
> It is true that I personally am not a Debian Developer, but I have worked together with the DD Holger Levsen in the past to prepare and upload the downstream releases.

Totally fine; as you probably know, DDs take an _extremely_ close look
onto any claims re Debian doing/saying/being anything specific due to
how often it was used as a reference and not always in the best of
As a nit, shipping manpages with Linux packages would be preferable,
but I know a lot of projects don't. Ones I should probably be writing
manpages for myself included.
Thanks for the detailed responses from the in-toto crowd,