Harbor Notary integration deprecation proposal - effective 2.6.0 or 2.7.0 (see below for full proposed timelines) - feedback welcome

[OrlinVasilev]

Hi everyone!

Here is a discussion to collect thoughts and issues around possible Notary deprecation from Harbor!
As we have in v2.5 cosign implantation, and Notary v1 not actively developed in the last 2 years!
No commits in the last 217 days (as of 30 March).

[qnetter]

In addition, Notary 1 uses the host name as part of its signature, so it breaks signing on replication.

[OrlinVasilev]

Forgot about that :)

[qnetter]

Based on the deprecation policy recently approved, the default timeline would be:

_10 August 2022 - Official introductory community meeting
24 August 2022 - Discussion and questions welcome at community meeting
07 September 2022 - Discussion concludes during community meeting
10 September 2022 - Vote concludes - 50%+1 of maintainers must vote yes (+1) or silently assent

If the proposal passes, the feature is deprecated in the next minor release, 2.7 - only catastrophic bugs that prevent Harbor from working at all or critical security flaws will be addressed - and the feature can be removed completely at any release beginning with 2.9 or its equivalent._

However, Since this deprecation was originally proposed in March but was not implemented because there was no process, we would like to fast-track the process and move to use only the 10 August meeting for final discussion.

@goharbor/all-maintainers - please vote between now and 13 August 2022 0000 UTC by commenting below whether to fast-track the proposal and target it at 2.6 (comment "2.6") or to follow the original schedule and target it at 2.7 (comment "2.7"). This is NOT the actual vote - if 2.6 wins, I will call another vote immediately, and if 2.7 wins, we will call the vote in September as the schedule requires.

[Vad1mo]

+1 for 2.6

[wy65701436]

2.6

[OrlinVasilev]

2.6

[steven-zou]

2.6

[ywk253100]

2.6

[hainingzhang]

2.6

[kofj]

2.6

[reasonerjt]

2.6

[qnetter]

Vote for deprecation starts immediately and ends at Sunday August 14 1700 UTC or when six votes for +1 (deprecate) or -1 (don't deprecate) by maintainers have been attained.

[Vad1mo]

+1

[wy65701436]

+1 for 2.6 to deprecate Notary.

[hainingzhang]

+1 for 2.6 to deprecate Notary.

[kofj]

+1 for 2.6 deprecates Notary.

[ywk253100]

+1 for 2.6 deprecates Notary.

[renmaosheng]

+1 for 2.6 to deprecate Notary.

[mmpei]

+1 for 2.6 to deprecate Notary.

[steven-zou]

+1 for 2.6 to deprecate Notary.

[qnetter]

A majority of Harbor maintainers have voted to deprecate the Notary integration feature in the 2.6.0 release, so it is hereby deprecated with the release of Harbor v2.6.0. This means that no fixes or enhancements will be delivered for v2.60. forward for the feature except for fixes to catastrophic failures - bugs which cause Harbor not to work at all -n and to critical security issues - vulnerabilities with CVSS scores of 9.0 or greater. The development team can begin to remove the feature in v2.8.0 (or its equivalent if the major version number changes) or later at their convenience. Users are encouraged to migrate their use of container signing and verification to the supported Sigstore Cosign technology as soon as possible.

[ChrisJBurns]

As a user of Harbor, this is great news and a great decision. The Cosign toolchain is a much more active and very progressive project for image signing and a multitude of other things - so focusing more of Harbor's future implementation towards that would be much appreciated by many I believe 👍

[thcdrt]

Hello, is there any migration procedure from notary to cosign ?