Open Hour 2020-NOV-05
- Very positive feedback and turnout for the conference
- SaltConf20 videos should be available by this weekend
If anyone has content they would love to share with the community, inspired by SaltConf20 or otherwise, we’d love to hear! Please reach out to Janae on the Salt Community Slack, or via email: ???
- Randy Thompson said he’d love to talk and present more on Tiamat
- Fix for the memory leak planned, with point-release on November 18th
- There will be a community retrospective after the point release, during the Open Hour on Nov. 19th
- Blog Post
What’s the best release method going forward, for an open-source project?
This was a messy release due to discovering a new CVE in the process of preparing an initial release fixing some of the CVEs. There was also the timing around the acquisition, and the timelines on which SaltStack provides CVE fixes early to SaltStack Enterprise customers so that they have time to apply fixes before public releases/announcements.
- Provide impacted libraries or components of Salt, without giving details on the nature of the CVE.
- This can help give users of Salt a heads-up on what to secure/review before release, to ensure best practices and security hardening are in place.
- Salt has leaned toward saying little before CVE release, in order to not tip off bad actors. This is a topic that is heavily debated. Salt has followed the philosophy that we only release public information once the fix is publicly released.
- With this release being salt-api related, it may be a good idea to make/keep salt-api as a separate, standalone project outside of
- In the world of tech today, there is now a large focus on using APIs. salt-api should be revisited, rewritten, and likely separated from salt. Randy Thompson suggested a rewrite of it with FastAPI, or even a pop-focused approach to the development of it.
- How do we provide release candidates in a fashion that gains further adoption? The first major release, before point release, seems to be generally considered the Release Candidate. This leads to people waiting to upgrade until the point release, due to the expectation that the initial release will be buggy.
- We need more smoketests/functional tests. We have plenty of unit tests, but we don’t have easy ways to run the latest version of salt with several states, execution module calls, etc. in a demo/test salt environment that stands up with the latest and greatest.
- What if fuzzing were introduced against salt in tests to help reveal problems?
SaltStack has recently been acquired by VMware, and we are deploying auditing tools created and used internally by VMware. VMware will be assisting, moving forward, with continual security audits, scans, and checks mandated by VMware. We now have full access to the internal security suite and teams internally at VMware, and this will result in a better security posture for the Salt project.
SEP for an Advisory Board for Salt: SEP 27: Create Community Advisory Board
Are people interested in starting a new group like a Security Working Group, which could also collaborate with a Testing Working Group? Would you like to join a working group that is working on these sorts of problems? Please reach out to firstname.lastname@example.org
Check out the SaltStack community Google calendar for upcoming events and streams.
Do you want to get more involved in salt and the SaltStack community? Get involved:
- SaltStack Working Groups project on GitHub
- SaltStack Community Wiki
- Salt’s Contributor Guide
- Join our Community Slack
- IRC on Freenode
- SaltStack YouTube channel
- SaltStackInc Twitch channel
- Docs clinic later today: Reviewing Documentation for Minion/Master Configuration Options, held by Derek Ardolf
- Will be streaming on SaltStackInc Twitch
- Nov. 12th Working Group
- Weekly docs working group rotates with Docs Clinic
- Check out the SaltStack Documentation playlist on YouTube
All PRs in the SEPs repo represent open discussions on Salt Enhancement Proposals.