Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Istio / Technical Oversight Committee / 4 Oct 2021
Istio / Technical Oversight Committee / 4 Oct 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Technical Oversight Committee 2021/10/04

Description

Istio's Technical Oversight Committee for October 4th, 2021.
Topics:
- Nominating Ethan Jackson to Product Security Working Group - APPROVED
- Feature Freeze October 14th for 1.12

A

All right, let's do it.

B

How's everyone doing.

A

My pharmacy, how you didn't rush.

B

Hey good good, just dealing with a lot of diapers and stuff, so in recovery mode.

C

Well, I assume survey is the master of all that I.

B

Remember.

C

Talking about.

B

In one of the cube con, so maybe I'll solicit help from him.

A

Yeah you gotta go zone defense once you got more.

B

Uh-Huh all right.

B

Yeah still on the first one, so I'm good.

B

Let's get started.

C

Do we go through the weekly routine first job.

A

Yeah, let's scroll up and see what's in.

A

So we have stuff to talk about for 112.

D

um For 112 daniel grimm from red hat volunteered as well, I was following this in the 112 channel.

D

Awesome.

A

So daniel grimm.

D

uh Yeah he volunteered.

D

So I guess it probably needs formal approval, but um he's out until the 11th.

A

One hammer.

A

uh What company is daniel from.

D

uh Red hat.

C

Yeah he's a maintainer on the environment work group, so I definitely would support that been working with daniel before.

A

Anyone have any concerns, nope.

E

Oh, that sounds good.

A

um Do we need to do anything about I'm down at the docks for offline review? Do we need to do anything about the feature freeze, dock.

A

Jacob, what's the what's the status there.

D

um I mean it's just waiting on on uh approval from a toc, but that's the only thing I think blocking it at this point.

F

Jacob the future fees is on 14th october, so I'm not clear what is the starting and then.

D

um So there's been like recent discussion in as far as uh like what can be merged or should be merged after uh after the branch gets cut and kind of things of that nature.

D

um Sometimes there's a little bit of discussion that goes back and forth between the release, managers and and not- and this is just setting some of the expectations for um I guess- people that are writing code to uh to kind of meet before they they uh either try to cherry pick things back in or try to get features um in after a branch cut in particular.

A

Is this process documented somewhere in a markdown file? uh No, it's not that we can turn some. I think my preference would be to figure out how to have this somewhere that it's a file that we can just that has the process, because I don't like having process index because people don't know where to find it, and then it gets out of date.

D

Okay, I can add that to the seo repository and then assign everybody on toc to uh look over it.

A

Yeah that.

D

Would be my preference anyone else.

A

Opinions on that, that's okay,.

E

I would put on the wiki um with the we have like a page for each release and then we can just link to it from there. I already have one: that's a small blurb, that's how do I get my code into this release and we can just link to one doc instead of popping it.

A

That's not something we can stamp very easily, though right.

E

Now we can do a pr2, that's that's fine and just link to it from the with these wiki pages.

A

Yeah I just like the idea of being able to you know, send a pr as a way to change the process rather than having to create docs and then lose them, or just going and updating the wiki and losing it um yeah. I guess community is not the right place, so yeah yeah.

A

I mean wiki's fine.

E

Too,.

A

But that was my reasoning.

A

Other toc members any opinion.

B

And markdown sounds good to me.

A

Okay, jacob send us a send us a pr putting it somewhere and then yeah link to it from the wiki on releases.

A

All right lynne did you want to sit to see nominations.

C

Yeah this is the last week uh folks, uh if you're interested in uh filling in for brian.

D

Avery.

C

For the empty tlc seats, please reach out to us um the tlc, I think there's a toc steering asking questions slack on istio. So so far we have eric. Thank you for your interest reach out to us. So please, let us know.

A

Is justin on yeah justin you're here? Do you want to you want to nominate ethan on the pswg.

G

Yeah we have a um had some sort of like minor um reordering within uh restructuring within uh the teams, and so we have a data, plane team and he's the tl for it and just having him be involved in the product security working group, I think, would be would be helpful.

A

Anyone opposed.

B

uh Just fine one question will be previously: we had a lot of qualifications and stage, like I shouldn't say stages, but we had some qualifications and things turned down for who can join. Pswg looks like over the last few quarters, at least when I was uh you know. We don't really follow that process anymore.

B

Is that fair uh jacob- and I guess brian and I don't know who are the current- leads uh yeah go ahead.

D

um Yes, that's fair uh right now, um so uh the reason why um this was in part brought up is that uh over the last probably two to three months, we've had on average three to maybe four people attend the product security working group meetings. um So uh that's when we kind of brainstormed this, oh there's oliver as well. um That's where we were you know trying to solicit. You know. Is there anybody else that that could actually attend? That has a you know, a key. You know stake in actually um istio security.

D

uh So that's when justin kind of went out and found somebody within google that that actually would. um But yes, I don't believe they are an istio even member at this point, but I could be wrong uh justin uh do you have yeah.

G

I don't, I don't think they are uh the fair he's fairly new, so.

B

Yeah so I mean again, I understand the concerns and that we don't have enough people and we want to get people. I just want to make sure it's being fair to everyone right. So if new is new team members who have not worked on stu from other companies uh were to join pswg, which is a sensitive group, we would allow it going forward or not.

G

Is that criteria written down someplace? I haven't, I haven't seen that, but I haven't looked for it either. I didn't know it existed.

B

That's what I was saying just saying: we did write down something concrete when uh francois was here. I was the lead and I think I don't remember. Who was the third lead it just what I've seen is over the time. We didn't quite follow it, so I just want to make sure we either remove it or update it right. I was just asking where it is because I haven't seen it. I think it's one of those dogs in the product security working group drive. Is that correct jacob? I don't remember.

D

uh Yes, it is I'll I'll find it. I think we should update that because uh uh last week we also um brought up to tlc if we could solicit uh members of the early disclosure list uh if they had anybody um that could participate in that as well.

B

Yeah, so I mean I don't have any specific objections to ethan. I just want to make sure we are setting up the right, precedence and being fair going forward with everyone. Does that make sense? Other toc members like.

C

Yeah.

B

I.

G

Remember.

C

Seeing that document, I think it would be nice if that document is public instead of somewhere in or it's your drivers, that people don't have visibility to it. Unless people reviewed having to review that document, luis sorry.

H

That's fine, I mean, I think the you know, we've had cases in the past, where the pswg wanted exceptions to the rule to try and get participation.

H

um I think there was one person we approved before I'm trying to remember who it was who had significant.

D

Experience.

H

In this area, but wasn't technically a member of istio.

B

It was jack leetford or who did the ncc audit.

H

Yeah, so we have an expertise, issue right.

D

Is that what.

H

We're describing jacob right, where there's just not enough participation with expertise.

D

So it's kind of twofold one there's not enough. You know cyber security experts uh and then uh two uh just overall um engagement um and as far as you know, making sure the patches are ready uh and things of that nature. So so uh we need some worker bees. You know like myself uh as well as some people that actually, you know, can kind of dig in, and you know kind of assess some of these vulnerabilities as they're reported to us.

B

So nice, look, I see that you're looking at the same document that I have open, do you mind sharing it.

A

Oh yeah, I can show this. This is the the charter.

A

But here's what we had originally said the requirements were.

B

Yeah we started out with really strict requirements because the sensitivity issue, I think, over the time it got diluted because, as uh jacob said, lack of expertise and just lack of participation- and we had quite a bit of churn in this group.

B

I agree mandar.

B

And to be fair, most of the folks that we have added who didn't have who didn't meet this criteria and we made kind of an exception.

B

If I remember correctly, many of them are again out of the like they've just left the group, or they didn't contribute significantly.

I

Go ahead, yeah. Currently we um we have about like four to five people actively working on pswg like participating in every civil unities right, um but that's not enough. That's the issue um we need to like get more people engaged, so I I personally think um yeah. I I think other people also said either you have good experience with this deal or you have good expertise on securities.

I

If you qualify for one of them, that should be good enough to participate for pswg. um Of course you have to um like obey all those rules, um the special sensitivity um like rules inside this pswg. You have to agree on that, but other than that, I think it should be okay,.

G

So, for what it's worth it, the text is a little hard to read, based on like where proposal one is bulleted wise compared to proposal two and proposal three, but I think he would fall under proposal one if that's some of the criteria, but obviously he doesn't the three items above don't apply.

B

Oh, I see you're saying uh he's like yeah.

G

I think I remember.

B

Somebody mentioned he's a tech lead or a manager.

G

Right, yeah he's a he's, a tech lead I mean mandar is, is the manager, but um he would probably be. He could be involved in the coordinating of of resources. Since he's working closely with the people who are working on envoy for istio.

B

I'm good with it thanks for the clarification. Thank you.

J

Yeah, so I I think I think that he he will be a a great addition when we, when we need sort of qualified and motivated people, uh but as regards yeah. So I I think I think overall it would. It would be the right decision.

G

And by way of background, so he was, um I worked with him on open v switch. He was one of the core contributors open v switch, so he has experience in in open source, just not he's new to istio and uh and envoy.

B

Got it yeah since I brought it up, I'm good with it and if.

B

And if ethan you are on call by no means I meant to grill you, this was just to make sure you have the right people and in the right groups. So I approve.

A

Yeah, I think I I'm good with it. I think we should go back to this and try to you know clean up these proposals and make them more formal but yeah. I think I think we should um we should go and do that yeah. We should.

D

Make.

A

It easier for people yeah, okay,.

D

Okay, uh yeah and I'll I'll add it to the agenda so that we can kind of refine this charter um at the next meeting. So thanks.

A

And this this is in the in the drive. This is in the community or the.

E

Code: okay,.

A

Swg community drive right. I think it's the private one isn't it which so maybe we should actually, we probably should clean it up and then move it to the public one because yeah we don't you shouldn't.

D

Have to be a member.

A

To be able to see what the, what.

D

Their apartments.

A

Are to be a member.

B

Everyone else is good, I'm assuming.

H

Yeah, I'm fine with it.

A

Yeah john, do you want to take back over presenting? Thank you.

E

Yeah I am presenting, but I don't know how to make it automatically be the main so.

A

If you go back, does it give you a button to.

E

Re, I'm still sharing it's just not the main screen anymore. Unless you pin it.

A

No, I thought.

E

I thought.

A

There was a way to take back over now.

A

I think to take back over, you have to unshare and then reshare.

H

Unfortunately,.

A

Thank you.

A

Oh sweater or one pager on strategy.

F

We are really overdue.

A

Okay, I can add that to my list for this week, um anyone else want to help wrangle that.

A

Going once going twice all right: I've all enjoyed myself, okay, uh I'll I'll, try to have it into like actual draft form for next week. So we can discuss.

B

Yes, when I can help you, sorry if I wasn't just in it by the way.

H

Thanks.

F

Thank you.

A

Future freeze, speaking of future freezes.

F

Yeah, that's just fyi that the future freezes starting 14th october, followed by the testing on 19..

F

The testing has got very very simpler, just because most of that is automated now, so we have less of a churn and um another good news is um our weekly working group leads meeting have reduced to almost 80 percent, so we only meet close to the releases. So that's another good news that we have given 30 minutes back and it's working well with the channels um discussions and just meeting around the release. Time.

E

Any.

D

Features that.

E

Are at risk for the future freeze that we need to prioritize as toc or just working groups in general.

E

Did we get all the wasm stuff that we needed.

J

um Web assembly support. I I think that that pr is nearly in now or effective, it's either in or nearly again, and then there would be some follow. I think it there are some follow-up biases based on that that we expect as well.

E

Okay, we should just make sure the follow-ups get in before the freeze, especially if they're breaking changes. I think there was one that was a tiny api change, yep.

H

Mender, what about the rate limit api.

J

uh Completely with api did not get it. No, no yeah, I mean yeah, it's it, it's not the even the api itself is not in yet, so I don't think it's reasonable, not expected. Okay,.

F

We do not have any other topic, but quick thing. We had a steal con in february this year. Are you planning to have another one? I don't know any thoughts.

H

uh It hasn't come up yet in steering.

H

It should come up, but it has not yet.

H

I think there's going to be a lot of waiting to see what kubecon looks like this fall, whether they get in-person attendance, whether it's virtual.

F

You qcon is going on right, I think somewhere in l.a. I saw that on twitter.

H

Yeah, it's both in person and remote.

F

Right.

H

So I think a lot of people who run events are going to be watching that closely to see how well it does. I see I think.

F

If no other topic, I think we're good for today.

H

Yep yeah, okay, thanks folks, see ya.

F

Thank you.

A

Bye, everybody have a good week, bye.