estesp
commented
6 years ago I'll wade into these potentially treacherous waters re: notary. @jessfraz may have more than the use case that has been widely discussed here re: "turning off" Docker Content Trust because of the UX issue with locally built images (which hopefully we all can agree is not good from a "surprisingly unexpected behavior" for a security feature).
However, my problem with this in context of a CNCF "in or out" project discussion is that this (IMHO) reflects nothing on the design or implementation of notary as a TUF spec implementation. It reflects on the integration with Docker, which IMHO is not necessarily the way other use cases of notary client and server will or should operate. Docker, Inc. who manages the docker-ce project can take that as a "bug" that needs resolution, but why does that reflect on any use of notary as a standalone project?
I know of a few companies who are planning to get involved in notary (including my own company) because it is a CNCF project. Will we fix the Docker integration as part of that? I'm not sure that will be our focus as our use of notary doesn't get involved with local user use case of the docker-ce client. LinuxKit to my knowledge has a notary use case that does not involve the docker client binary either.
caniszczyk
I will leave this to you all as my last request before stepping aside from caring about this.
Please consider removing inception. It was described to me as being there mainly for things like "linkerd" so service meshes before service meshes were cool. Now service meshes are cool. Actually I can't stop hearing about service meshes. Everyone is drinking the service mesh koolaid.
Can you directly tie the service mesh awareness now to accepting linkerd? because I honestly think it was more Envoys release that caused service meshes to become A Thing ™️
I think the inception phase is just plain wrong. Open source is awesome because projects that are good and fill a real need get traction. Without a doubt they get traction by being open source and actually filling a need people have. Look at docker, or literally anything in the explore section of github https://github.com/explore. Projects get organic growth when they are good! I am not buying this whole "we need to put it in inception so people notice it" thing. That's quite frankly BS. If it doesn't have traction maybe that's because no one needs it.
Inception feels like an attempt to play god. Or become a startup incubator. This should not be the role of the foundation to bootstrap growth of random open source projects. Let the projects grow organically and when they have so much growth they cannot handle it, then let them join.
Not that I have a project with enough users, but if I did I'd honestly consider adding it to a real foundation like Software Conservancy and not Linux foundation derivative which are all 501(c)(6) which is a trade association (see https://www.irs.gov/charities-non-profits/other-non-profits/business-leagues)
In the words of Regina George "stop trying to make fetch happen". It will happen if it happens. Thanks.