diff options
-rw-r--r-- | archive/2021-06-21--meeting-minutes | 130 |
1 files changed, 130 insertions, 0 deletions
diff --git a/archive/2021-06-21--meeting-minutes b/archive/2021-06-21--meeting-minutes new file mode 100644 index 0000000..802061f --- /dev/null +++ b/archive/2021-06-21--meeting-minutes @@ -0,0 +1,130 @@ +Date: 2021-06-22, 1300 CEST +Meet: https://membarrier.verkligendata.se/sigsum +Chair: rgdd + +Agenda + * Hello + * Status round + * Discuss + * Next steps + +Hello + * rgdd + * ln5 + * kfreds + +Status round + * [rgdd] project name and abbreviation (decided) + * https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-project-name + * Full version: Signed Checksum Logging + * Short version: sigsum + * Website: www.sigsum.org + * [rgdd] sketch on how we work together (ongoing) + * https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-how-we-work-together + * [rgdd] planned tree head refactor (decided) + * format changes: https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-tree-head-format + * timestamp verification: https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-witness-timestamp-verification + * [ln5] siglog-witness-py v0.1.0 is tagged + * [rgdd] running tag v0.1.0 every minute (best effort) + * vk: 777528f5fd96f95713b8c2bb48bce2c83628e39ad3bfbd95bc0045b143fe5c34 + * [ln5] acquired domain names + * sigsum.org (decided) + * [rgdd] acquired twitter account (no intent to use right now, see discuss) + * https://twitter.com/sigsumproject + * [rgdd] started sketching on an ascii chart: system overview (ongoing) + * source: https://textik.com/#a2cb6ade2b580fc7 + * saved: https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-system-overview-ascii + * (trying to figure out terminology and clarify system flows) + +Discuss + * Moving out from github and longer term project vision + * Near term (decided) + * Stay on github until end of vaccay, then move to a self-hosted setup + * Create and rename repositories on github as we see fit for now + * Grab sigsum or sigsumproject nick on github + * We will mirror here later on + * Defer decision on issues, ticketing system, mailing list, for now + * Long term? (ongoing) + * [ln5] https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-self-hosted-services + * we need to agree on where we are going + which steps are needed + * discussion round + * "reference implementation" + * this is how you can do a sensible tlog system + * strong threat model + * few features, minimal approach, bottomline, generic + * small diff to get transparent logging going + * will facilitate more complex tlog applications in the future + * free, open, inclusive, welcome people to be part of conversation, help people understand. + * A goto place when you want to talk/learn/use tlog applications. + * Not only about signed checksums, it is also about community + * "hub" + * mature operations + * "not so ambitious features, but ambitious deployment" + * logs + * witnesses + * Free and open source project, both in licence and governance + * Mullvad funded to get started and will continue to fund + * But should not have control of the project + * This nuance needs to be depicted right, relates to trustworthiness + * Transparency is key + * Project origin story + * How it started with ST + * How it evolved into the current governence, long-term vision + * The above document by ln5 is a good start + * Structure needs to be described in greater detail + * legal entity + * how do you become part of the team + * etc. + * Trustworthiness can be facilitated by being consistent + * No hard connection to ST, but ST is a use-case. We can describe and pitch in both directions, but sigsum logging and ST are distinct. + * services? + * something that we can operate on our own, but not too much overhead + * costs: agony, money + * important to start small + * the minimal thing that we can work with + * cgit, persist important documents + * ticketing, code review, etc., we do semi-manually for now + * code review: pads, irc, mail + * ticketing: "todo.md" + * (some people may think it is not modern enough, could result in people drop off. But could also attract people.) + * [kfreds] long-term vision, in general: want to have everything self-hosted, and would like to facilitate self-hosting for self and others. + * ln5 mentions [MeetBot](http://meetbot.debian.net/Manual.html) for meeting minutes in meetings on IRC + * Licence and copyright holder + * Trillian is Apache. Probably good to use the same for the log server. + * Not clear if we should use a different licence for, e.g., tooling. Why (not)? + * Open question. + * Copyright: "the sigsum project" + * Website + * redirect sigsum.org to github README? + * No, potential risk that github is perceived as our home + * ln5 will setup a webserver that is co-located with the log for now + * continue content discussion async + * rgdd will post a pad link on irc + * if we've got twitter, we should have presence in the Fediverse too + * mastodon.social is the canonical, but centralised heh, place to go (like we use matrix.org at the moment) + * we could have our main outlet in the Fediverse and just mirror (one-way!) to birdsite + * (Deferred, not discussed. Don't use twitter for now.) + +Next steps + * wrap up before vaccations + * make sure that rgdd can (re)start the PoC log + * minimal website + * migrate from system-transpareny project into sigsum-project on github + * move and rename: stfe -> sigsum-log-go + * move and rename: siglog-witness-py -> sigsum-witness-py + * add: sigsum + * archive + * website + * update documentation, "sigsum logging" + * migrade from irc/oftc #siglog -> irc/oftc #sigsum, bridge with Matrix + * rgdd is around part time during the summer to keep things going + +Other useful links + * [ln5] Google announced SLSA. Important key-word: provenance. + * https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html + * [bjoto] Ongoing discussion between Fedora and Sigstore + * https://lwn.net/SubscriberLink/859965/b14e4ebdc57b8285/ + * [rgdd] Melera preprinted "Hardware-Enforced Integrity and Provenance for Distributed Code Deployments". Another provenance format. + * https://arxiv.org/pdf/2106.09843.pdf + * [rgdd] Debian on ditching OpenPGP. Points towards Ed25515 with, e.g., signify. + * https://wiki.debian.org/Teams/Apt/Spec/AptSign |