Proposal for archiving notary repository #70

Open
yizha1 opened this issue Feb 28, 2024 · 10 comments
Labels
Governance issues to improve governance posture

Comments

@yizha1
Contributor

yizha1 commented Feb 28, 2024

The notary repository has experienced minimal activity in recent years. You can explore the repository insights for detailed information. CNCF devstats provides further data, for example, commits data. Furthermore, there have been security issues reported within the notary repository, some of which remain unresolved over a long period. For instance, issue #1695 remains open. Recently, a suspicious issue was raised and has not yet been addressed.

As the Notary Project continues to evolve, its specifications and the reference implementation, notation, serve as solutions for users to ensure the integrity and authenticity of container images, OCI artifacts, and blobs.

In accordance with the governance process, I propose archiving the notary repository. I invited community feedback on this proposal. Please express your support by commenting with a “+1.” Note that a supermajority (two-thirds) approval from Notary Project governance maintainers is required and the notary repository will be archived after 30 days' notice.

/cc:
Org maintainers: @notaryproject/notaryproject-org-maintainers
Governance maintainers: @notaryproject/notaryproject-governance-maintainers
notary project maintainers: @notaryproject/notaryproject-notary-maintainers

yizha1 changed the title from "Proposal for archiving notary sub-project" to "Proposal for archiving notary repository" on Feb 28, 2024
@FeynmanZhou
Member

+1 to archive the notary repository because it has remained inactive for a long time. There are 270+ open issues and 50+ PRs that have been open for several years with no responses yet. The last official release, v0.6.1, was on Apr 11, 2018. Archiving this repo will avoid further confusion for new users.

@FeynmanZhou FeynmanZhou added the Governance issues to improve governance posture label Feb 28, 2024
@HuKeping

HuKeping commented Mar 5, 2024

Has Docker already shifted to use notation?

@FeynmanZhou
Member

> Has Docker already shifted to use notation?

What I know is that Docker Hub now supports storing Notary Project signatures.

@HuKeping

If we archive the notary project, will it bring any trouble to those who are currently using notary?

@FeynmanZhou
Member

FeynmanZhou commented Mar 13, 2024

> If we archive the notary project, will it bring any trouble to those who are currently using notary?

@HuKeping
In general, archiving a repository will make it read-only for all users and indicate that it's no longer actively maintained. But all previous releases are still there and can be downloaded by users anytime. Maintainers can also unarchive repositories that have been archived in case the sub-project has enough active maintainers in the future.

Instead, it might be confusing to new users that a project has been inactive for a few years but is not archived. It is not a healthy strategy that there is no security patch and no community support for the notary repo as a security project.

@AliSajid

I stumbled into this issue as I was exploring the notary project. There are still blog posts linking to the notary project and the old notary GitHub repo. If the repository was archived, I would have a better warning before I spent time exploring this. Thank you.

@yizha1
Contributor Author

yizha1 commented Apr 9, 2024

@whalelines @kipz would you mind commenting on this proposal from the Docker side, and also on the questions from @HuKeping in the comment #70 (comment)?

@yizha1
Contributor Author

yizha1 commented Apr 9, 2024

Hi @jonnystoten, would you mind commenting on this proposal? Thanks.

@justincormack

Both Docker and Microsoft are still running it in production. We do have plans to transition customers, but this takes time.

@yizha1
Contributor Author

yizha1 commented May 21, 2024

> Both Docker and Microsoft are still running it in production. We do have plans to transition customers, but this takes time.

I appreciate you sharing this info, @justincormack.
