November 4th, 2024 Community Meeting

[qu1queee]

• Please add a topic in this thread and add a link to the GitHub issue associated with the topic.
• Please make sure you give folks enough time to review/discuss the topic offline on GitHub before coming into the meeting
• (optional) Paste the image of an animal 😸

[qu1queee]

EDIT: Not able to join the meeting per a personal last minute thing

• Some administrative updates:

  • CNCF onboarding issue CNCF Onboarding Checklist #240 (comment) . Can we close? No, not yet, we still have some open items we must resolve, like linking the existing domain to our project in the Project Control center.
  • Public Calendar, new meeting invites, new mailing list, where we are? Currently blocked by the above, expect this to happen after.
  • Community Meetings agenda, with google docs or issues? I tested this. In terms of permissions, anonymous user do not represent a threat, as their changes can be opt-in/opt-out. I favor the single URL and a meeting template, instead of multiple GH issues and the need to create a new one(today) for each meeting

• Releases:

  • v0.14.0, Ship it! At this point, lets ensure this release happens before end of the year

• Discussions(pls contribute): Please contribute

  • Support authentication for FROM image references. build#1695
  • Enhancing the Refinement Meeting Process #253

• SHIP's: We have open SHIPs, pls provide an opinion on their urgency, state, etc

  • SHIP-0034: Label propagation #86
  • SHIP-0040: Add initial BBOMs SHIP document #212
  • Add "Prune intermediate container images" proposal #226

[SaschaSchwarze0]

Necessary items for v0.14:

• Tekton bump needs lgtm
• Kubernetes bump, min version will be 1.29 (1.28 had eol last week), 1.31 will be newest version. go.mod: 1.30 ? (is 1.29 atm)

[SaschaSchwarze0]

Karan: is it possible to move the refinement meeting as it is quite late in India?
-> Sascha: maybe even to a different day as attendance is usually low?

Adarsh:

• Website: decided on how the nav bar should look like, need at least one more meeting to finalize the design, will schedule it on Friday
• Governance.md for CNCF onboarding with rules, guidelines for new contributors, etc
  • Define project written Governance #243
  • Define Project Roles #244

SBOM ship:

• Adam: SPDX (different versions) vs CyclonDX, what is the state of the industry these days?
• Sascha: (1) strategy-generated SBOM vs after-the-facts generated SBOM from the container image, (2) format ^, do we need to even convert ?
  • Adam: we have a tool (https://github.com/containerbuildsystem/cachi2) to create a dependency list for different programming languages, it can merge SBOMs, unsure if it can convert
• Mahesh: what about signing
  • Mahesh: discussion was in context of SLSA compliance
    -> Adam/Sascha: Image signing is a different topic, both (signing and sbom) have their own complexities and should be separate ships
  • Adam: let's also distinguish what we need to do to make Shipwright SLSA compliance vs what we need to do for our customers to use Shipwright to become SLSA compliant

v0.14

• Adam: some bau bumps need to happen (like Tekton)
• Adam: do we want to stick to a coordinated release or can the operator come later ?
• Adam: should we have versioned docs in the future for the different maintained versions?
  • Sascha: we agreed on maintaining the latest release which means that once v0.14 comes out, we will not make an update on v0.13 anymore; documentation for different releases we should still bring forward
  • Adam: docs for v0.14 vs main
    -> we need an issue in the website repo for that -> Adam will open one
• Sascha: in general, how strict do we want to handle the "Tekton ships a new LTS -> Shipwright brings our a new build release" idea from [FEATURE] Establish a release cadence based on Tekton LTS releases build#1640 ?
  • Sascha: imo, we are ready for a release. SHIP-0039 for example is partly implemented but the implemented part works and can solve some use cases already.
  • Decision: we start the release after the Tekton and Kubernetes bumps are through

/done