notaryproject / .github

Organization-wide repository for common governance documents.
https://notaryproject.dev/
Apache License 2.0

Proposal for archiving notary repository #70

Open yizha1 opened 8 months ago

yizha1 commented 8 months ago

The notary repository has experienced minimal activity in recent years. You can explore the repository insights for detailed information. CNCF devstats provides further data, for example, commit data. Furthermore, there have been security issues reported within the notary repository, some of which have remained unresolved for a long period. For instance, issue #1695 remains open. Recently, a suspicious issue was raised and has not yet been addressed.

As the Notary Project continues to evolve, its specifications and the reference implementation, notation, serve as solutions for users to ensure the integrity and authenticity of container images, OCI artifacts, and blobs.

In accordance with the governance process, I propose archiving the notary repository. I invite community feedback on this proposal. Please express your support by commenting with a “+1.” Note that a supermajority (two-thirds) approval from Notary Project governance maintainers is required, and the notary repository will be archived after 30 days' notice.

/cc:
Org maintainers: @notaryproject/notaryproject-org-maintainers
Governance maintainers: @notaryproject/notaryproject-governance-maintainers
notary project maintainers: @notaryproject/notaryproject-notary-maintainers

FeynmanZhou commented 8 months ago

+1 to archive the notary repository because it has remained inactive for a long time. There are 270+ open issues and 50+ PRs that have been open for several years with no response yet. The last official release, v0.6.1, was on Apr 11, 2018. Archiving this repo will avoid further confusion for new users.

HuKeping commented 8 months ago

Has Docker already shifted to using notation?

FeynmanZhou commented 8 months ago

> Has Docker already shifted to using notation?

What I know is that Docker Hub now supports storing Notary Project signatures.

HuKeping commented 8 months ago

If we archive the notary project, will it bring any troubles to those who are currently using notary?

FeynmanZhou commented 8 months ago

> If we archive the notary project, will it bring any troubles to those who are currently using notary?

@HuKeping In general, archiving a repository makes it read-only for all users and indicates that it's no longer actively maintained. But all previous releases are still there and can be downloaded by users at any time. Maintainers can also unarchive repositories that have been archived in case the sub-project has enough active maintainers in the future.

Instead, it might be confusing to new users that a project has been inactive for a few years but is not archived. This is not a healthy strategy: there are no security patches and no community support for the notary repo, which is a security project.

AliSajid commented 7 months ago

I stumbled into this issue as I was exploring the notary project. There are still blog posts linking to the notary project and the old notary GitHub repo. If the repository were archived, I would have had a better warning before I spent time exploring this. Thank you.

yizha1 commented 7 months ago

@whalelines @kipz would you mind commenting on this proposal from Docker's side, and also on the questions from @HuKeping in the comment https://github.com/notaryproject/.github/issues/70#issuecomment-1992118447?

yizha1 commented 7 months ago

Hi @jonnystoten, would you mind commenting on this proposal? Thanks.

justincormack commented 5 months ago

Both Docker and Microsoft are still running it in production. We do have plans to transition customers, but this takes time.

yizha1 commented 5 months ago

> Both Docker and Microsoft are still running it in production. We do have plans to transition customers, but this takes time.

I appreciate you sharing this info, @justincormack.