private-distributors-list: add DaoCloud

Question

private-distributors-list: add DaoCloud

pacoxu opened this issue a year ago · comments

Actively monitored security email alias for our project: kubernetes-security@daocloud.io

1. Be an actively maintained and CNCF-certified distribution of Kubernetes components.
DaoCloud is in the list of https://www.cncf.io/certification/software-conformance/

and we also maintain an opensource project kubean(which is a kubespray operator). It is listed in Certified Kubernetes - Installer part of the page above.

2. Have a user base not limited to your own organization.
Yes

3. Have a publicly verifiable track record up to the present day of fixing security issues.

We tried to extend the kubernetes long-term support at https://github.com/klts-io/kubernetes-lts. And we will try to help in WG-LTS after the workgroup is revived.
We have submitted several CVEs to hackone. One of them is https://hackerone.com/reports/867699 by Kebe from Daocloud.

4. Not be a downstream or rebuild of another distribution.
No.

5. Be a participant and active contributor in the community.
https://k8s.devstats.cncf.io/d/9/companies-table?orgId=1
DaoCloud ranks top 10 in kubernetes community contributions in history, and top 5 if only counting recent 3 years.

Some of the active contributors from DaoCloud in the community:

@pacoxu member of Kubernetes Steering Committee; kubeadm maintainer; sig-node reviewer; release signal team lead;
@wzshiming kwok(sig-scheduling & sig autoscaling sponsored subproject) maintainer; sig node reviewer.
@kerthcet sig scheduling approver and kueue approver, also working wg-serving & LWS & kube-scheduler-wasm-extension.
@mengjiao-liu wg-structured-logging chair, sig instrumentation reviewer, sig-doc zh approver & en reviewer
@windsonsea @my-git9 sig doc zh approver； @Zhuzhenghao @kinzhi are SIG-DOC-ZH reviewers
@yankay kubespray(subproject) maintainer; we also have @cyclinder @ErikJiang two kubespray reviewers
@carlory is now SIG Storage and CSI Reviewer.

Besides code contributions, we also organized several KCD and KCS in China including KCS China 2023, KCD Beijing 2021&2023, KCD Shanghai 2021&2024, KCD Chengdu 2022 and KCD Shenzhen 2023.

@Iceber who is CNCF ambassador and containerd/clusterpedia/wasmcloud maintainer, lead the organization of recent several KCDs.
Most of the SIG maintainer talks in KubeCon China 2023 are by DaoClouder, including SIG-Scheduling, SIG-Node, SIG-Instrumentation, Kubespray, KWOK sessions.

BTW, we also try to maintainer kube lts version in https://github.com/klts-io/kubernetes-lts for an extended period, and it is open-source and only focus on high value CVEs currently.

6. Accept the Embargo Policy.

Yes.

7. Be willing to contribute back.

yes

8. Have someone already on the list vouch for the person requesting membership on behalf of your distribution.
VMware and Microsoft below.

kubernetes/k8s.io#5361: add kubernetes-security@daocloud.io to https://github.com/kubernetes/k8s.io/blob/main/groups/committee-security-response/groups.yaml

More information can be found in https://github.com/DaoCloud, https://www.daocloud.io/en/ and https://docs.daocloud.io/en/.

Paco Xu commented a year ago

ack

Paco Xu · Answer 1 · Fri May 26 2023 17:56:00 GMT+0800 (China Standard Time)

/cc @puerco @ritazh

Lubomir I. Ivanov · Answer 2 · Fri May 26 2023 19:42:16 GMT+0800 (China Standard Time)

DaoCloud ranks top 10 in kubernetes community contributions.

+1 to be added

@neolit123 (VMware)

Rita Zhang · Answer 3 · Thu Jun 01 2023 00:45:19 GMT+0800 (China Standard Time)

+1

@ritazh (Microsoft)

Paco Xu · Answer 4 · Fri Nov 17 2023 18:51:32 GMT+0800 (China Standard Time)

@kubernetes/security-response-committee any update?

Mo Khan · Answer 5 · Fri Nov 17 2023 19:02:12 GMT+0800 (China Standard Time)

@kubernetes/security-response-committee any update?

I haven't forgotten, just haven't had time to update distributor requirements.

Paco Xu · Answer 6 · Mon Jan 29 2024 13:34:33 GMT+0800 (China Standard Time)

Updated some new approvers/reviewers in Kubernetes Community from DaoCloud.

Paco Xu · Answer 7 · Thu Feb 01 2024 17:11:01 GMT+0800 (China Standard Time)

@kubernetes/security-response-committee ACK

Kubernetes Triage Robot · Answer 8 · Wed May 01 2024 17:32:44 GMT+0800 (China Standard Time)

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Paco Xu · Answer 9 · Wed May 01 2024 19:23:40 GMT+0800 (China Standard Time)

/remove-lifecycle stale
still valid in progress

Paco Xu · Answer 10 · Thu May 09 2024 13:22:24 GMT+0800 (China Standard Time)

I haven't forgotten, just haven't had time to update distributor requirements.

@enj do we have any new requirements for being in the private distributor list? So I can evaluate them and add them to our action items.