archive/2021-06-21--meeting-minutes


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

Date: 2021-06-22, 1300 CEST
Meet: https://membarrier.verkligendata.se/sigsum
Chair: rgdd

Agenda
	* Hello
	* Status round
	* Discuss
	* Next steps

Hello
	* rgdd
	* ln5
	* kfreds

Status round
		* [rgdd] project name and abbreviation (decided)
			* https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-project-name
			* Full version: Signed Checksum Logging
			* Short version: sigsum
			* Website: www.sigsum.org
		* [rgdd] sketch on how we work together (ongoing)
			* https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-how-we-work-together
		* [rgdd] planned tree head refactor (decided)
				* format changes: https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-tree-head-format
				* timestamp verification: https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-witness-timestamp-verification
		* [ln5] siglog-witness-py v0.1.0 is tagged
			* [rgdd] running tag v0.1.0 every minute (best effort)
				* vk: 777528f5fd96f95713b8c2bb48bce2c83628e39ad3bfbd95bc0045b143fe5c34
		* [ln5] acquired domain names
			* sigsum.org (decided)
		* [rgdd] acquired twitter account (no intent to use right now, see discuss)
			* https://twitter.com/sigsumproject
		* [rgdd] started sketching on an ascii chart: system overview (ongoing)
			* source: https://textik.com/#a2cb6ade2b580fc7
			* saved: https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-system-overview-ascii
			* (trying to figure out terminology and clarify system flows)

Discuss
	* Moving out from github and longer term project vision
		* Near term (decided)
			* Stay on github until end of vaccay, then move to a self-hosted setup
			* Create and rename repositories on github as we see fit for now
				* Grab sigsum or sigsumproject nick on github
				* We will mirror here later on
			* Defer decision on issues, ticketing system, mailing list, for now
		* Long term? (ongoing)
			* [ln5] https://github.com/sigsum/sigsum/blob/4483a2f81e0bb2a4f1ac8cd02d2991c12ef8d556/archive/2021-06-21-self-hosted-services
				* we need to agree on where we are going + which steps are needed
				* discussion round
					* "reference implementation"
						* this is how you can do a sensible tlog system
						* strong threat model
						* few features, minimal approach, bottomline, generic
						* small diff to get transparent logging going
						* will facilitate more complex tlog applications in the future
					* free, open, inclusive, welcome people to be part of conversation, help people understand.
						* A goto place when you want to talk/learn/use tlog applications.
						* Not only about signed checksums, it is also about community
						* "hub"
					* mature operations
						* "not so ambitious features, but ambitious deployment"
						* logs
						* witnesses
					* Free and open source project, both in licence and governance
						* Mullvad funded to get started and will continue to fund
							* But should not have control of the project
						* This nuance needs to be depicted right, relates to trustworthiness
						* Transparency is key
							* Project origin story
							* How it started with ST
							* How it evolved into the current governence, long-term vision
								* The above document by ln5 is a good start
							* Structure needs to be described in greater detail
								* legal entity
								* how do you become part of the team
								* etc.
							* Trustworthiness can be facilitated by being consistent
					* No hard connection to ST, but ST is a use-case. We can describe and pitch in both directions, but sigsum logging and ST are distinct.
				* services?
					* something that we can operate on our own, but not too much overhead
					* costs: agony, money
					* important to start small
						* the minimal thing that we can work with
						* cgit, persist important documents
						* ticketing, code review, etc., we do semi-manually for now
							* code review: pads, irc, mail
							* ticketing: "todo.md"
							* (some people may think it is not modern enough, could result in people drop off. But could also attract people.)
					* [kfreds] long-term vision, in general: want to have everything self-hosted, and would like to facilitate self-hosting for self and others.
		* ln5 mentions [MeetBot](http://meetbot.debian.net/Manual.html) for meeting minutes in meetings on IRC
	* Licence and copyright holder
		* Trillian is Apache. Probably good to use the same for the log server.
		* Not clear if we should use a different licence for, e.g., tooling. Why (not)?
			* Open question.
		* Copyright: "the sigsum project"
	* Website
		* redirect sigsum.org to github README?
			* No, potential risk that github is perceived as our home
			* ln5 will setup a webserver that is co-located with the log for now
		* continue content discussion async
			* rgdd will post a pad link on irc
	* if we've got twitter, we should have presence in the Fediverse too
		* mastodon.social is the canonical, but centralised heh, place to go (like we use matrix.org at the moment)
		* we could have our main outlet in the Fediverse and just mirror (one-way!) to birdsite
		* (Deferred, not discussed.  Don't use twitter for now.)

Next steps
	* wrap up before vaccations
		* make sure that rgdd can (re)start the PoC log
		* minimal website
		* migrate from system-transpareny project into sigsum-project on github
			* move and rename: stfe -> sigsum-log-go
			* move and rename: siglog-witness-py -> sigsum-witness-py
			* add: sigsum
				* archive
				* website
		* update documentation, "sigsum logging"
		* migrade from irc/oftc #siglog -> irc/oftc #sigsum, bridge with Matrix
	* rgdd is around part time during the summer to keep things going

Other useful links
	* [ln5] Google announced SLSA.  Important key-word: provenance.
		* https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html
	* [bjoto] Ongoing discussion between Fedora and Sigstore
		* https://lwn.net/SubscriberLink/859965/b14e4ebdc57b8285/
	* [rgdd] Melera preprinted "Hardware-Enforced Integrity and Provenance for Distributed Code Deployments". Another provenance format.
		* https://arxiv.org/pdf/2106.09843.pdf
	* [rgdd] Debian on ditching OpenPGP. Points towards Ed25515 with, e.g., signify.
		* https://wiki.debian.org/Teams/Apt/Spec/AptSign