aboutsummaryrefslogtreecommitdiff
path: root/archive/2021-06-21--meeting-minutes
diff options
context:
space:
mode:
Diffstat (limited to 'archive/2021-06-21--meeting-minutes')
-rw-r--r--archive/2021-06-21--meeting-minutes130
1 files changed, 130 insertions, 0 deletions
diff --git a/archive/2021-06-21--meeting-minutes b/archive/2021-06-21--meeting-minutes
new file mode 100644
index 0000000..802061f
--- /dev/null
+++ b/archive/2021-06-21--meeting-minutes
@@ -0,0 +1,130 @@
+Date: 2021-06-22, 1300 CEST
+Meet: https://membarrier.verkligendata.se/sigsum
+Chair: rgdd
+
+Agenda
+ * Hello
+ * Status round
+ * Discuss
+ * Next steps
+
+Hello
+ * rgdd
+ * ln5
+ * kfreds
+
+Status round
+ * [rgdd] project name and abbreviation (decided)
+ * https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-project-name
+ * Full version: Signed Checksum Logging
+ * Short version: sigsum
+ * Website: www.sigsum.org
+ * [rgdd] sketch on how we work together (ongoing)
+ * https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-how-we-work-together
+ * [rgdd] planned tree head refactor (decided)
+ * format changes: https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-tree-head-format
+ * timestamp verification: https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-witness-timestamp-verification
+ * [ln5] siglog-witness-py v0.1.0 is tagged
+ * [rgdd] running tag v0.1.0 every minute (best effort)
+ * vk: 777528f5fd96f95713b8c2bb48bce2c83628e39ad3bfbd95bc0045b143fe5c34
+ * [ln5] acquired domain names
+ * sigsum.org (decided)
+ * [rgdd] acquired twitter account (no intent to use right now, see discuss)
+ * https://twitter.com/sigsumproject
+ * [rgdd] started sketching on an ascii chart: system overview (ongoing)
+ * source: https://textik.com/#a2cb6ade2b580fc7
+ * saved: https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-system-overview-ascii
+ * (trying to figure out terminology and clarify system flows)
+
+Discuss
+ * Moving out from github and longer term project vision
+ * Near term (decided)
+ * Stay on github until end of vaccay, then move to a self-hosted setup
+ * Create and rename repositories on github as we see fit for now
+ * Grab sigsum or sigsumproject nick on github
+ * We will mirror here later on
+ * Defer decision on issues, ticketing system, mailing list, for now
+ * Long term? (ongoing)
+ * [ln5] https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-self-hosted-services
+ * we need to agree on where we are going + which steps are needed
+ * discussion round
+ * "reference implementation"
+ * this is how you can do a sensible tlog system
+ * strong threat model
+ * few features, minimal approach, bottomline, generic
+ * small diff to get transparent logging going
+ * will facilitate more complex tlog applications in the future
+ * free, open, inclusive, welcome people to be part of conversation, help people understand.
+ * A goto place when you want to talk/learn/use tlog applications.
+ * Not only about signed checksums, it is also about community
+ * "hub"
+ * mature operations
+ * "not so ambitious features, but ambitious deployment"
+ * logs
+ * witnesses
+ * Free and open source project, both in licence and governance
+ * Mullvad funded to get started and will continue to fund
+ * But should not have control of the project
+ * This nuance needs to be depicted right, relates to trustworthiness
+ * Transparency is key
+ * Project origin story
+ * How it started with ST
+ * How it evolved into the current governence, long-term vision
+ * The above document by ln5 is a good start
+ * Structure needs to be described in greater detail
+ * legal entity
+ * how do you become part of the team
+ * etc.
+ * Trustworthiness can be facilitated by being consistent
+ * No hard connection to ST, but ST is a use-case. We can describe and pitch in both directions, but sigsum logging and ST are distinct.
+ * services?
+ * something that we can operate on our own, but not too much overhead
+ * costs: agony, money
+ * important to start small
+ * the minimal thing that we can work with
+ * cgit, persist important documents
+ * ticketing, code review, etc., we do semi-manually for now
+ * code review: pads, irc, mail
+ * ticketing: "todo.md"
+ * (some people may think it is not modern enough, could result in people drop off. But could also attract people.)
+ * [kfreds] long-term vision, in general: want to have everything self-hosted, and would like to facilitate self-hosting for self and others.
+ * ln5 mentions [MeetBot](http://meetbot.debian.net/Manual.html) for meeting minutes in meetings on IRC
+ * Licence and copyright holder
+ * Trillian is Apache. Probably good to use the same for the log server.
+ * Not clear if we should use a different licence for, e.g., tooling. Why (not)?
+ * Open question.
+ * Copyright: "the sigsum project"
+ * Website
+ * redirect sigsum.org to github README?
+ * No, potential risk that github is perceived as our home
+ * ln5 will setup a webserver that is co-located with the log for now
+ * continue content discussion async
+ * rgdd will post a pad link on irc
+ * if we've got twitter, we should have presence in the Fediverse too
+ * mastodon.social is the canonical, but centralised heh, place to go (like we use matrix.org at the moment)
+ * we could have our main outlet in the Fediverse and just mirror (one-way!) to birdsite
+ * (Deferred, not discussed. Don't use twitter for now.)
+
+Next steps
+ * wrap up before vaccations
+ * make sure that rgdd can (re)start the PoC log
+ * minimal website
+ * migrate from system-transpareny project into sigsum-project on github
+ * move and rename: stfe -> sigsum-log-go
+ * move and rename: siglog-witness-py -> sigsum-witness-py
+ * add: sigsum
+ * archive
+ * website
+ * update documentation, "sigsum logging"
+ * migrade from irc/oftc #siglog -> irc/oftc #sigsum, bridge with Matrix
+ * rgdd is around part time during the summer to keep things going
+
+Other useful links
+ * [ln5] Google announced SLSA. Important key-word: provenance.
+ * https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html
+ * [bjoto] Ongoing discussion between Fedora and Sigstore
+ * https://lwn.net/SubscriberLink/859965/b14e4ebdc57b8285/
+ * [rgdd] Melera preprinted "Hardware-Enforced Integrity and Provenance for Distributed Code Deployments". Another provenance format.
+ * https://arxiv.org/pdf/2106.09843.pdf
+ * [rgdd] Debian on ditching OpenPGP. Points towards Ed25515 with, e.g., signify.
+ * https://wiki.debian.org/Teams/Apt/Spec/AptSign