October 18, 2021 Community Meeting

[SaschaSchwarze0]

• Please add a topic in this thread and add a link to the Github issue associated with the topic.
• Please make sure you give folks enough time to review/discuss the topic offline on Github before coming into the meeting
• (optional) Paste the image of an animal 😸

[SaschaSchwarze0]

We failed on getting the release finished. What do we do now?

[adambkaplan]

CII Best Practices #35

[adambkaplan]

Image signing and attestation for Shipwright Builds - shipwright-io/build#886

[imjasonh]

• Zoom for future community calls
  • public YouTube channel?
• SHIP 0020: Shipwright Image API #25 next steps

[gabemontero]

/label community

[openshift-ci]

@gabemontero: The label(s) /label community cannot be applied. These labels are supported: platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, downstream-change-needed, backport-risk-assessed, cherry-pick-approved

In response to this:

/label community

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[gabemontero]

/kind community

[openshift-ci]

@gabemontero: The label(s) kind/community cannot be applied, because the repository doesn't have them.

In response to this:

/kind community

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[imjasonh]

We failed on getting the release finished. What do we do now?

• Goreleaser package management cli#47 is (seemingly) the only blocker for a cli release
• Make sure Dockerfile is not set to empty string cli#58 should also be included

[adambkaplan]

Minutes:

• Release process, needs improvement:
  • CLI not released, currently blocked on go-releaser PR
  • Build release - workflow created a draft release, not clear what the process is after that. Documentation on this needs improvement.
  • Current plan - update blog post to reference the go install process to get the CLI, update later to use the official binary.
• CII Best practices
  • Not a requirement for CDF graduation, but it doesn't appear adopting this will hurt
  • @adambkaplan started filling out in https://bestpractices.coreinfrastructure.org/en/projects/5315
  • Some items related to security need to be addressed (certifying that one knows how to write secure software is a loaded question). A course is available in the description.
• Image signing and attestation
  • We have a proof of concept to integrate cosign directly into shipwright to sign the container image.
  • Attestation != image signing. This indicates that "this process created the container image" and signs the document cryptographically.
  • Tekton chains supports TaskRun only right now. Perhaps this can be extended?
  • Consensus - we want first class support for image signing in Shipwright, independent of Tekton Chains.
  • Tekton Chains can handle the attestation - we can work with Tekton Chains working group to improve this for Shipwright (ex - attest the BuildRun in addition to the TaskRun). See Sign other types of artifacts tektoncd/chains#124
  • Another item - sign our own release images with cosign. Process needs some form of secret sharing for the project.
• Zoom for Shipwright - approved by the CDF.
  • Perhaps direct support for video recordings to YouTube?
  • @adambkaplan created a Shipwright Google account - need to configure bitwarden for maintainers so we can share credentials.
• Image API for Shipwright merged! Next step is to create a repo for the API and main controller