Hey folks. Hey. [inaudible] Hi. How's it going, guys? Justin said he probably... Justin Cormack said he probably won't make it. Okay, and some other stuff. We had a quick chat this morning and I'll update folks. Do we know if Justin Cappos is coming? This is moving; we were discussing it at the PR. No, well, he already gave me the feedback last week. It wasn't so much discussing the PR; it's just taking the scenarios that he wrote up last week and reformatting them and putting them in. I'd asked him if he wanted to do the PR himself, and he was suggesting, you know, he's just really busy and it was fine if I just took his content and reframed it as the PR, because his content couldn't be merged as-is; there was some stuff that shuffled underneath him. Got it. So I wanted to give him the option of kind of owning the PR so it had his name on it, and he says it's no big deal. So let's just wait a couple of minutes for others to join. But I think there are a couple of folks in the other Zoom I just came from. Okay. Yeah, I was just posting the link on there. Can somebody jump over there and just say, hey, we're over here? I'll do that. Thank you. I'm just putting the meeting notes in here, so give me a second. March 2nd. Wow. All right, let me know when whoever popped over to let others know is back. Right. Thank you, Radu. So I did just put the link in there for the notes, just for everybody. Let's see. So who was it that popped over, just so I make sure the person that volunteered gets back? That's me. I'm sorry, who is that? Brandon? Oh, hey, thanks, Brandon. No worries. All right. We don't have a rich agenda today, so if others have other content... When you take the better part of a day for an onsite/offsite, things get a little backed up, but I do have a couple of updates. So let me go through here. Where was I? Just doing that. 
If anybody has anything else, please pop it on the agenda and we can talk about that as well. So last week we had some folks here; we've been popping back and forth across the lake. This time it was over at the AWS offices, and the notes are in here, just below, from last week. We spent most of the time really kind of focusing on what is the name of the things that we want to sign and how do we refer to them. So that was the biggest set of items, and you could see the notes that are in there that kind of surrounded that. I don't say we came to closure on it per se. We were coming up with basically two options. And when I refer to a name, what I'm actually referring to is: you know, when you think of an image or any artifact in a registry, it's made up of the domain name for the registry, some kind of org representation, which could be a company or an individual registry, and of course we know there are two different types. There's the unique name as in the registry URL, such as ACR, and I always forget which, I think ACR also does this, where the domain name is actually part of what makes it unique, and then other registries, which I believe is GCR and Docker Hub, where the first node of the namespace is what makes it unique, and that's what GitHub's registry actually does as well. And then you have some kind of path that can be of varying levels of depth depending on the registry as well. And then there is the repo and a tag. And in fact, if we look at the artifacts, let me just bring it up and I'll paste it in here: Notary project, under requirements, we have definitions and terms. And, oh, let's try to come over here. I'll paste it in here. What we've done is we just tried to break that up for the sake of, you know, common syntax. We have this thing at the top, but just because I kind of made it alphabetic, in definitions and terms, the repo and tag is how we would refer to the thing, like the ubuntu 14.04 image. That's 
kind of how we refer to it. And then what namespace that's in is relative to each registry. What it basically came down to is a debate of: do we need that name to be locked, so that when people say the ubuntu 14.04 image, that's what it means? Or do we need to support workflows where it might be 14.04-dev, -prod, and so forth? And if we do make that renameable, then we need a name of some sort inside the manifest as another, I don't want to say annotation, but it's another element, which we might want to do anyway. And there was some conversation that the name could actually be a name that has nothing to do with the registry; it's just a name, you know, a reverse-DNS kind of lookup. So where we left off was, hopefully Sam was going to have some time to write this up before he takes a well-deserved vacation, and we will basically have some conversation around those two things. Oh, Sam's actually here. Sam, did you want to speak to that? I don't see a mic on him. I'll give him a minute to jump on, but basically, if he has a chance, we were going to write that up before he, I guess, takes some vacation, and we'll go from there. We wanted to basically have something written up to have the next several conversations before we try to make any proposals one way or the other. So that was the main meat of the conversation. We also had the CNAB folks give a presentation on some of the stuff that they've been doing, which I think aligned pretty well with the work we had done so far. So I saw it all, you know, very supportive and in the same direction. There were some questions around certain elements, but I think we wound up on the same page. And Radu, you can speak up to anything that I'm missing there, because I think with Trishank we were discussing something about the way the root signing certs and so forth were covered. 
I think we agreed that the scenario would be covered when we move into the design: that you can have something signed with the root moved into different registries and repos. Yeah, the only outstanding discussion item that we are taking for Notary v2 is how we do delegations right now in Notary, and that's something that we're going to open an issue for this week on the requirements repo. Thanks. Okay. So that was the majority of it. I don't know if there's anything else per se. Does anybody else have anything else? We were talking about the next steps from there, and there were two work items. Just scrolling around here; it might take a second. Um, like I said, so Sam took the note to... I see Sam typing out a phone number. I'm guessing he was late because we missed something there. So thank you, Sam. We will merge in the scenarios that Justin Cappos had provided on some of the security aspects. I was going to work on those this morning, but I'll get to those later today. And Sam is to write up the things we just talked about on the naming parts. So that was that. So that's the first item from last week's onsite, and I think those that were dialed in had the patience for following along remotely on that. Any other topics on that before I move on to the SBOM conversation? So the SBOM stuff, and I'm making a deliberate point of writing "software bill of materials" in lower case, so as to be more generic, so that we are not necessarily aligning with or endorsing one particular implementation at this point, because there are a couple of different efforts going on. There is a definite, you know, working group 
that's referred to as the 3T-SBOM working group, all upper case, and they're making some pretty good progress across the various clouds and groups involved, and the in-toto folks have been working there as well. So the main part that I've been just trying to make sure of is, there's a doc I refer to called "separation of concerns", where, just kind of using the standard terminology there, from a Notary project perspective I'm hoping we're focused on signing things and not really caring what the things are. And by signing things, we can say that the thing that came out of the registry is what it claims to be, until you don't trust the entity that signed the thing that you're looking at. And when I say don't trust the entity, you know, I might be a trustable entity, but the key that it was signed with was compromised in some fashion. In fact, that's the stuff that Justin Cappos had written up that I'll merge into our scenarios, and then we were thinking about how to split them up into requirements and the threat model stuff. So we wanted to take that content and kind of split it up amongst those. And then if the 3T-SBOM happens to be a format that lots of people endorse and like, then they can push things into the registry and we'll know that it's a 3T-SBOM, and then other projects, whether it be OPA or other policy managers, can leverage that, because they're going to know what that format is. But just to pick on another example, which may or may not align, it doesn't really matter. 
The point is there'll be different formats, and let's just say that Red Hat's format that they've been working on, they decide to use that, and that's perfectly fine as well. From Notary we would just sign each one of those artifacts, and then those projects are enabled by having a common means into a registry. So the conversations I've been having with Kay Williams on that format are more of: hey, are we still thinking that the output is a document of some sort? And that SBOM would be a document that we would put in the registry alongside the things that it's attesting it is an SBOM of, and then Notary would sign it. And then the consumption of it would be able to make sense of these various formats, because they'll say that they are a 3T-SBOM or a Red Hat SBOM and so forth. So that's again just making sure that we're scoped, and of course we're having the same conversations in the Notary conversations: how far should we go on having specific annotations that suggest it may or may not be a particular, you know, content? What's the amount of content we have in a manifest or in Notary content that has the appropriate overlap, and maybe not too much overlap, to say, look, that's really an SBOM and we should lean into that as well? So that's kind of the scope there. Any questions or other thoughts on that? It's a quiet group today. That's strange. Hey Vincent, welcome back from vacation. And then the last one, like I said, this was just a quick summary this week because we didn't have a particular discussion; this is more just giving a quick status of where we are on things. One of the things we've all been talking about is how can we make more progress on the other Notary work. And when Justin popped on this morning saying that he didn't think he was going to make the call, one of the things he was doing was kind of renewing that conversation of: can we start to break off into separate groups? 
I'm hoping, with the scenarios and as we start to have the threat models in place, that we can start to execute on, like, how are we going to do some of these things? How are we going to move content between registries into air-gapped environments and still know that we can trust them? And if we're moving something into an air-gapped environment, what happens with the signature, and when does the key and so forth get moved with it, so that you can still validate that thing within the air-gapped environment? And then there were the revocation conversations also, and is that really part of Notary, is that part of key management? So those are all the kinds of things that we want to be able to start making more progress on. That's about as far as we've gotten in the conversation. I had just asked him if he had any other thoughts around who and when we could start those conversations. We didn't get that far yet. So that's kind of the next set of conversations I hope we'll get going: what are those individual working groups, and the forum is for people to jump on those and participate. So that's basically where we're at on that one. I was hoping that we could have some framing of that, but that literally was a scramble this morning of, hey, what do we want to talk about? And we obviously didn't get that far. So I'm hoping we'll have more conversations on Slack to, you know, start to iterate on some ideas around that, so people will know where they can focus their conversations. So, in addition, one of those conversations will obviously be the naming stuff: what do we define as a name, and why do we think we need to do it one way or the other? Any other thoughts? Or is everybody like, hey, where's the group so I can get started already? Okay. Is there an IRC channel bridge to the Slack? We did that with the Open Containers one. 
We haven't done that with this one yet. I'm not the one that would have the knowledge to set that up. Just say the IRC bridge, unless Matrix did something different. Back in the day, there was an IRC bridge to the CNCF Slack, but it was like a third-party plugin, and they disabled third-party plugins for security reasons. I don't know if Matrix is an official thing now, but they had, as a policy, disabled third-party plugins for the Slack instance. So I don't know if and whether that's viable or possible. I don't want to just land on Vincent because he spoke last, but does anybody want to take that up? And I'm curious if people found that integration helpful, or is it just like, that's the place I work, I'd like the information moved over? Because I know we're doing it with the Open Containers. Anybody have any feedback on that? No. Aleksa did it for the Open Containers, and he ended up doing it through some Matrix plugin, and it might have even been a Matrix-fronted bridge. I don't remember how he wired that up. I personally would prefer IRC all day over Slack. I don't think Slack is a good place for communities per se, but I know IRC has, like, learning curves. Do you think you'd be willing to set the bridge up for this too? I doubt Aleksa would do it for this one. He's okay, but it'd probably be worth asking him in the Open Containers channel what he did to set it up, because it does require something of the Slack admins, and that's like the CNCF Slack admins, so it's a much bigger umbrella than OCI. There were two other items. So sorry, I was already multitasking with something else. So is there an action item for somebody to look into that? Just to be clear, you were talking about Aleksa? Yeah. All right. Thanks. I know these are for a couple of weeks, so it might be behind, but okay. Thanks. Okay. So I'm just sorry. 
Who's taking action on that, just so we can... Well, I will go ahead and ping him anyway. It sounded like Fintan was going to as well, but maybe one of us will hit. Okay, was that Ram? No, sir. Oh, thank you, sir. Sorry, I was just trying to figure out whose mic was open. Thank you. And I did just see the link that you posted; that's what I was actually starting to jump to. So Serge posted the link in the notes, the Notary v2 stuff. Was there a new conversation there that you wanted to touch on? I'm just looking to see if there are any new notes in there. Serge, you put a link in there for Justin's Google doc. Was there a question you wanted to touch on? Well, I mean, that's why I read last week's, to try and catch up. I was wondering if there's a more up-to-date document, or if that's where we're all still at right now. Yeah, so we started to put... so there are the documents of conversation, and this is where we don't really have a great place to do all of this. So there are these Google docs we've been having some conversation in, and we've been trying to take things that are coming to some consensus and putting them in the git repos. So let me just put that in there: Notary project. I'll just put this here. This is where we've been kind of capturing results, I guess, if you will. Great, I'll look at that. Okay. And then there was another one. What was the other? Sorry, give me a quick moment here. Yeah, so we talked about the scenarios. 
So that's basically the current status. The only other elephant in the room is the whole meeting at KubeCon. I don't have any update one way or the other. I'm personally in the boat of: my flight's booked, everything's booked, and if somebody makes a decision one way or the other, I'll honor that. I haven't made a personal decision of what I'll do. Regardless, we will have some sort of meeting, online or otherwise. So I don't really have anything to add to that conversation per se, and that's really about all we've got at this point. So the next steps, like I said, are just to incorporate some of the feedback and then start to outline some of the smaller working groups, so we can make more progress on actually doing some design work. So if there are no other questions or anything, we'll call that a week. Anybody else? With that, we will see you guys next week. I'm hoping we'll have more content by next week and working steps for the next steps. Thank you, everybody. Thanks a lot, Steve. Thanks. Thanks, Paul. Thank you.