Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Gather information about graduation for Knative Project #1367

Closed
nainaz opened this issue May 30, 2023 · 20 comments
Closed

Gather information about graduation for Knative Project #1367

nainaz opened this issue May 30, 2023 · 20 comments
Assignees

Comments

@nainaz
Copy link
Contributor

nainaz commented May 30, 2023

Requirements for Graduation of Knative Project
https://github.com/cncf/toc/blob/main/process/project_proposals.md#graduation-process

Example from Istio: PR: cncf/toc#1000
DD: https://docs.google.com/document/d/1y0WANWSeeWDnF8NZ6NvteTCXxg932uHNBS7VwaD3WRM/edit?usp=sharing

Example from KEDA: : PR for KEDA to become a CNCF Graduated project

DD: KEDA Graduation Due Diligence. Adopter interviews are at the end of the DD document in an appendix.

@nainaz nainaz converted this from a draft issue May 30, 2023
@nainaz
Copy link
Contributor Author

nainaz commented May 30, 2023

@aliok can you help us gather information and find us a sponsor?

@nainaz nainaz moved this to 🆕 New in Steering Committee Backlog May 30, 2023
@nainaz nainaz moved this from 🆕 New to 🏗 In progress in Steering Committee Backlog Jun 5, 2023
@nainaz
Copy link
Contributor Author

nainaz commented Jun 5, 2023

Ideas for showing Growth:
More case studies
More contributions
More usage
More orgs on adopters.md

@pymhq
Copy link
Member

pymhq commented Jun 5, 2023

Got some guidelines from CNCF TOC, share them here hope will provide clarity for the Graduation sponsor process:

generally projects create a PR in the TOC repo, and a TOC member will step forward to sponsor.

@craigbox
Copy link
Contributor

craigbox commented Jun 6, 2023

If there's anything I can do to help guide you based on my experience with Istio, please let me know.

@aliok
Copy link
Member

aliok commented Jul 4, 2023

I would want to help the SC with this work.

Can we rename this ticket to something like "gather information about Knative project graduation"? And later we can create an umbrella task for each of the requirements?

I started working on understanding the requirements.

@aliok
Copy link
Member

aliok commented Jul 4, 2023

@craigbox your help would be very much appreciated, thanks for offering that. We will reach out for sure, once we gather more information about the unknown unknowns :)

@nainaz nainaz changed the title Applying to Graduation of Knative Project Gather information about graduation for Knative Project Jul 17, 2023
@nainaz
Copy link
Contributor Author

nainaz commented Jul 17, 2023

@evankanderson know the status of Security Audit.

@evankanderson
Copy link
Member

We had a meeting about 3 weeks ago with the LF administrators and the audit team, but I haven't heard further updates.

I'll check on it today or tomorrow.

@craigbox
Copy link
Contributor

@aliok
Copy link
Member

aliok commented Jul 20, 2023

Here's some content defining the process:

  • Graduation State Criteria
    • Have committers from at least two organizations.
    • Have achieved and maintained a Core Infrastructure Initiative Best Practices Badge.
    • Have completed an independent and third party security audit with results published of similar scope and quality as this example which includes all critical vulnerabilities and all critical vulnerabilities need to be addressed before graduation.
    • (governance)
      • Explicitly define a project governance and committer process.
      • The committer process should cover the full committer lifecycle including onboarding and offboarding or emeritus criteria.
      • This preferably is laid out in a GOVERNANCE.md file and references an OWNERS.md file showing the current and emeritus committers.
    • (governance)
      • Explicitly define the criteria, process and offboarding or emeritus conditions for project maintainers (those who may interact with the CNCF on behalf of the project).
      • The list of maintainers should be preferably be stored in a MAINTAINERS.md file and audited at a minimum of an annual cadence.
    • Have a public list of Project adopters for at least the primary repo (e.g., ADOPTERS.md or logos on the Project website). For a specification, have a list of adopters for the implementation(s) of the spec. Refer to FAQs for guidelines on identifying adopters.
    • Due diligence document

Once we think we prepared everything above, we need to start the graduation process by following the steps in:

References:

@aliok
Copy link
Member

aliok commented Jul 20, 2023

I actually created a DD myself in the Knative Drive (SC directory) and put some content already: https://docs.google.com/document/d/1BOKa3Jls4w5gsEj5O4-Di0Mf1WCMeLdssG_PVPyF5do/edit

I have some questions in the doc as comments.

Once we answer these questions and reduce ambiguity, let's create separate tickets for each work item we need to do.

In summary, here are the missing parts:

✅ We need to apply for "Core Infrastructure Initiative Best Practices Badge"

@knative/steering-committee has anybody done anything around https://bestpractices.coreinfrastructure.org/en ?

Update: we already have it: https://bestpractices.coreinfrastructure.org/en/projects/5913


✅ We need to have a independent and third party security audit

Not sure if the fuzzing audit is enough.

There are some findings in this comment: #964 (comment)

@craigbox, @evankanderson any idea?

UPDATE: there will be another report by the end of September 2023.
UPDATE: We now have a new report, that's published.


✅ We need to merge #1390

This PR defines the process of offboarding contributors/approvers.

UPDATE: merged


✅ We might need a process for annual reviewing of SC+TOC members

These members keep their seats for 2 years and then there's a new election. However:

  • we might need to shorten the length to 1 year
  • OR
  • we might need to define an annual process to check if they're still doing their duties.

@jberkus any opinion?

UPDATE: as this is a "should", we should not change our nicely working process. (thanks @craigbox)


✅ We need to resolve the issues from the incubation due diligence

There's one comment, but I am not sure if there's an actual issue: https://docs.google.com/document/d/1qPMyIBZ1tBk6WpEMPuLtTrjA6lvbrQ7DvCZb22S0llo/edit?disco=AAAAUnuaVKA

UPDATE: This is not an issue. This is just a statement that some documentation is good and it can be the base of a self-assessment. We don't need the self-assessment as we will have an independent audit.


🟡 Get a governance review assessment from TAG CS

This is not a CNCF requirement (yet, subject to change), but we need a governance review from TAG Contributor strategy.

This is NOT blocked by dissolving trademark committee (see below)

Issue: cncf/tag-contributor-strategy#514


🟡 Dissolve trademark committee

This is not a CNCF requirement, but it would be nice to get our governance review with this committee resolved.

Issue: #1399

@aliok
Copy link
Member

aliok commented Jul 20, 2023

cc @jberkus @craigbox
Anything I missed above?

@jberkus
Copy link
Contributor

jberkus commented Jul 21, 2023

I'd really like to eliminate the TMC before we apply for graduation. That's not a CNCF requirement, but it is an internal goal.

Also, since both Ali and I are involved in the project, we'll need to wait for Dawn to come back for a governance review (August).

@craigbox
Copy link
Contributor

craigbox commented Jul 21, 2023

Istio had already had a professional audit before joining the CNCF, but it was more than 18 months ago, and a second audit was recommended. Our second audit focused primarily on fuzzing. I would imagine that this audit should be fine, but your TOC sponsor can comment. (It looks like this audit was the result of your CNCF engagement, so if they say it isn't general purpose enough, I would be asking the TOC to update the CNCF on requirements because it was commissioned in part to meet this requirement.)

Regarding your two-year cadence, I would note the language is should and not must; you could say that by design your SC seats seat two year terms, and you're OK with that.

Other things like TAG Security self-assessments (offered in the linked comment from the incubation DD), governance reviews, etc, are nice-to-haves, but I personally believe that the CNCF should codify them as requirements if they are to be so.

@aliok
Copy link
Member

aliok commented Jul 21, 2023

Other things like TAG Security self-assessments (offered in the linked comment from the incubation DD), governance reviews, etc, are nice-to-haves, but I personally believe that the CNCF should codify them as requirements if they are to be so.

Are these required for graduation @jberkus ? They're not written in any of these explicitly:

@craigbox
Copy link
Contributor

craigbox commented Jul 23, 2023

Are these required for graduation @jberkus ? They're not written in any of these explicitly:

TOC is basically a precedent-based organisation. If you apply and these aren't the law at the time, you won't be held to needing them. That said, they are good things to have and they may become part of the rules later on.

@aliok
Copy link
Member

aliok commented Jul 28, 2023

Created a ticket that might need a fix before graduation: #1407

UPDATE: this is just about showing rotations in https://knative.party/ . Not relevant for graduation. The [email protected] is still working and we have active security folks watching that address.

@aliok
Copy link
Member

aliok commented Aug 14, 2023

CNCF can help with marketing of Knative's graduation, if we're there by KubeCon NA.

https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/program/project-opportunities/#description-of-opportunities

Look for "PR Support" in the page above.

@aliok
Copy link
Member

aliok commented Jan 19, 2024

/close
PR opened: cncf/toc#1245. Data collection is over.
Closing this task.

@knative-prow knative-prow bot closed this as completed Jan 19, 2024
Copy link

knative-prow bot commented Jan 19, 2024

@aliok: Closing this issue.

In response to this:

/close
PR opened: cncf/toc#1245. Data collection is over.
Closing this task.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@github-project-automation github-project-automation bot moved this from 🏗 In progress to ✅ Done in Steering Committee Backlog Jan 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Done
Development

No branches or pull requests

6 participants