knative / community

Knative governance and community material.

Home Page: https://knative.dev/community


Gather information about graduation for Knative Project

nainaz opened this issue · comments

@aliok can you help us gather information and find us a sponsor?

Ideas for showing Growth:
More case studies
More contributions
More usage
More orgs on adopters.md

Got some guidelines from the CNCF TOC; sharing them here in the hope that they provide clarity on the graduation sponsor process:

generally projects create a PR in the TOC repo, and a TOC member will step forward to sponsor.

If there's anything I can do to help guide you based on my experience with Istio, please let me know.


I would want to help the SC with this work.

Can we rename this ticket to something like "gather information about Knative project graduation"? And later we can create an umbrella task for each of the requirements?

I started working on understanding the requirements.


@craigbox your help would be very much appreciated, thanks for offering that. We will reach out for sure, once we gather more information about the unknown unknowns :)

@evankanderson, do you know the status of the Security Audit?

We had a meeting about 3 weeks ago with the LF administrators and the audit team, but I haven't heard further updates.

I'll check on it today or tomorrow.

Here's some content defining the process:

  • Graduation State Criteria
    • Have committers from at least two organizations.
    • Have achieved and maintained a Core Infrastructure Initiative Best Practices Badge.
    • Have completed an independent and third party security audit with results published of similar scope and quality as this example which includes all critical vulnerabilities and all critical vulnerabilities need to be addressed before graduation.
    • (governance)
      • Explicitly define a project governance and committer process.
      • The committer process should cover the full committer lifecycle including onboarding and offboarding or emeritus criteria.
      • This preferably is laid out in a GOVERNANCE.md file and references an OWNERS.md file showing the current and emeritus committers.
    • (governance)
      • Explicitly define the criteria, process and offboarding or emeritus conditions for project maintainers (those who may interact with the CNCF on behalf of the project).
      • The list of maintainers should preferably be stored in a MAINTAINERS.md file and audited at a minimum of an annual cadence.
    • Have a public list of Project adopters for at least the primary repo (e.g., ADOPTERS.md or logos on the Project website). For a specification, have a list of adopters for the implementation(s) of the spec. Refer to FAQs for guidelines on identifying adopters.
    • Due diligence document

Once we think we prepared everything above, we need to start the graduation process by following the steps in:

References:

I actually created a DD myself in the Knative Drive (SC directory) and put some content already: https://docs.google.com/document/d/1BOKa3Jls4w5gsEj5O4-Di0Mf1WCMeLdssG_PVPyF5do/edit

I have some questions in the doc as comments.

Once we answer these questions and reduce ambiguity, let's create separate tickets for each work item we need to do.

In summary, here are the missing parts:

✅ We need to apply for "Core Infrastructure Initiative Best Practices Badge"

@knative/steering-committee has anybody done anything around https://bestpractices.coreinfrastructure.org/en ?

Update: we already have it: https://bestpractices.coreinfrastructure.org/en/projects/5913


✅ We need to have an independent and third party security audit

Not sure if the fuzzing audit is enough.

There are some findings in this comment: #964 (comment)

@craigbox, @evankanderson any idea?

UPDATE: there will be another report by the end of September 2023.
UPDATE: We now have a new report, that's published.


✅ We need to merge #1390

This PR defines the process of offboarding contributors/approvers.

UPDATE: merged


✅ We might need a process for annual reviewing of SC+TOC members

These members keep their seats for 2 years and then there's a new election. However:

  • we might need to shorten the length to 1 year
  • OR
  • we might need to define an annual process to check if they're still doing their duties.

@jberkus any opinion?

UPDATE: as this is a "should", we should not change our nicely working process. (thanks @craigbox)


✅ We need to resolve the issues from the incubation due diligence

There's one comment, but I am not sure if there's an actual issue: https://docs.google.com/document/d/1qPMyIBZ1tBk6WpEMPuLtTrjA6lvbrQ7DvCZb22S0llo/edit?disco=AAAAUnuaVKA

UPDATE: This is not an issue. This is just a statement that some documentation is good and it can be the base of a self-assessment. We don't need the self-assessment as we will have an independent audit.


🟡 Get a governance review assessment from TAG CS

This is not a CNCF requirement (yet, subject to change), but we need a governance review from TAG Contributor strategy.

This is NOT blocked by dissolving trademark committee (see below)

Issue: cncf/tag-contributor-strategy#514


🟡 Dissolve trademark committee

This is not a CNCF requirement, but it would be nice to get our governance review with this committee resolved.

Issue: #1399

cc @jberkus @craigbox
Anything I missed above?

I'd really like to eliminate the TMC before we apply for graduation. That's not a CNCF requirement, but it is an internal goal.

Also, since both Ali and I are involved in the project, we'll need to wait for Dawn to come back for a governance review (August).

Istio had already had a professional audit before joining the CNCF, but it was more than 18 months ago, and a second audit was recommended. Our second audit focused primarily on fuzzing. I would imagine that this audit should be fine, but your TOC sponsor can comment. (It looks like this audit was the result of your CNCF engagement, so if they say it isn't general purpose enough, I would be asking the TOC to update the CNCF on requirements because it was commissioned in part to meet this requirement.)

Regarding your two-year cadence, I would note the language is "should" and not "must"; you could say that by design your SC seats are two-year terms, and you're OK with that.

Other things like TAG Security self-assessments (offered in the linked comment from the incubation DD), governance reviews, etc, are nice-to-haves, but I personally believe that the CNCF should codify them as requirements if they are to be so.

Are these required for graduation @jberkus ? They're not written in any of these explicitly:

TOC is basically a precedent-based organisation. If you apply and these aren't the law at the time, you won't be held to needing them. That said, they are good things to have and they may become part of the rules later on.

Created a ticket that might need a fix before graduation: #1407

UPDATE: this is just about showing rotations in https://knative.party/ . Not relevant for graduation. The security@knative.team is still working and we have active security folks watching that address.

CNCF can help with marketing of Knative's graduation, if we're there by KubeCon NA.

https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/program/project-opportunities/#description-of-opportunities

Look for "PR Support" in the page above.

/close
PR opened: cncf/toc#1245. Data collection is over.
Closing this task.

@aliok: Closing this issue.
