-
Notifications
You must be signed in to change notification settings - Fork 128
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add in-toto governance review (#740)
* add in-toto governance review Signed-off-by: Bill Mulligan <[email protected]> * spelling and grammar Co-authored-by: Josh Berkus <[email protected]> Signed-off-by: Bill Mulligan <[email protected]> * spelling and wording suggestions Co-authored-by: Emily Fox <[email protected]> Signed-off-by: Bill Mulligan <[email protected]> * fix: spelling Co-authored-by: Trishank Karthik Kuppusamy <[email protected]> Signed-off-by: Bill Mulligan <[email protected]> * fix: spelling Co-authored-by: Emily Fox <[email protected]> Signed-off-by: Bill Mulligan <[email protected]> --------- Signed-off-by: Bill Mulligan <[email protected]> Co-authored-by: Josh Berkus <[email protected]> Co-authored-by: Emily Fox <[email protected]> Co-authored-by: Trishank Karthik Kuppusamy <[email protected]>
- Loading branch information
4 people
authored
Dec 9, 2024
1 parent
2e98366
commit 66b88b8
Showing
1 changed file
with
118 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,118 @@ | ||
| # Governance Review Template | ||
|
|
||
| What follows is a governance review and assessment for the in-toto project. This review is carried out by members of the Governance Working Group of TAG Contributor Strategy. The review may have been done because of a change in maturity level for the project, at the request of the TOC, or as a request by the project itself. If requested by the project, the review will be provided to the project maintainers. Otherwise, the review will be submitted to the TOC for their follow-up. | ||
|
|
||
| Governance reviews contribute to the health and sustainability of the CNCF projects. By providing guidance on effective governance practices, TAG Contributor Strategy aims to ensure that projects operate efficiently, encourage diverse participation, and uphold the values of the CNCF. The governance review process is designed to be constructive and supportive, aiming to assist projects in refining their governance models and addressing any challenges they may face. | ||
|
|
||
| Projects may ask TAG Contributor Strategy for assistance in resolving any issues uncovered by the review. The TAG is available via our [Slack channel](https://cloud-native.slack.com/archives/CT6CWS1JN), [email](https://lists.cncf.io/g/cncf-tag-contributor-strategy), [GitHub](https://github.com/cncf/tag-contributor-strategy), or by joining our weekly meetings (listed on the [CNCF public calendar](https://www.cncf.io/calendar/)). | ||
|
|
||
| ## Summary and Assessment | ||
|
|
||
| Status: Mostly Satisfactory | ||
|
|
||
| in-toto has evolved from a specification with a few implementations to also including other sub-projects. During this evolution, the project also evolved to a steering committee style governance which is still in its first term. Individual sub-projects are driven by maintainers. | ||
|
|
||
| ### Executing the Assessment | ||
|
|
||
| This assessment was conducted by Bill Mulligan (Isovalent) in October 2024 based on this [commit](https://github.com/in-toto/community/tree/69d51d13ac9bb28d9b58ce263a276d73d698c98d). | ||
|
|
||
| ### Critical Items | ||
|
|
||
| The following issues have been identified that need to be resolved before [project milestone or other requirement]: | ||
|
|
||
| **Sub-projects** | ||
| Multiple subprojects are not listed on the [README](https://github.com/in-toto/community/blob/main/README.md#subprojects) in the community repo including archivista and witness. | ||
|
|
||
| ### Points of Excellence | ||
|
|
||
| The project made a smooth evolution to a steering committee and publicly voted to add new sub-projects. | ||
|
|
||
| ### Areas for Improvement | ||
|
|
||
| Over the next year, the project should work on the following issues to improve its governance, these are considered non-blocking: | ||
|
|
||
| **Roadmap** | ||
| The [roadmap](https://github.com/in-toto/community/blob/7b104e9d8c660bac05e789c4d0c218b8d5fdbdf7/ROADMAP.md) has not been updated since 2023 and should be updated to include 2024 and 2025. | ||
|
|
||
| **Election** | ||
| The 2025 election is coming soon. The [election schedule](https://github.com/in-toto/community/blob/3da1c4ed10c78ab47523ddda9625fd9e3f4043be/STEERING-COMMITTEE.md) should be updated with the details. The project should also consider staggering terms to allow for continuity. | ||
|
|
||
| **Linking Governance** | ||
| archivista and witness have maintainers, but do not link back to the overall project governance. | ||
|
|
||
| **Meeting Minutes** | ||
| Meeting minutes have been moved out of the Github [repo](https://github.com/in-toto/community/tree/main/community-meetings) and to [hackmd](https://hackmd.io/Czv1Si4jQkieo_qByoMkPQ). This should be updated in the repo so people know how to join the community meeting. | ||
|
|
||
| **Contributor Guides** | ||
| There is an overall contributor [guide](https://github.com/in-toto/community/blob/main/CONTRIBUTING.md). Many of the implementations and sub-projects could benefit from more detailed contributing guides to get new contributors started, [witness](https://github.com/in-toto/witness/blob/main/CONTRIBUTING.md) is the best example of this. | ||
|
|
||
| ## Review | ||
|
|
||
| ### Governance Description | ||
|
|
||
| it-toto switched to a steering committee style of governance roughly two years ago. The steering committee is made of 5 members from both academia and industry. Individual sub-projects also have maintainers who manage merging code into the repo. | ||
|
|
||
| ### Discoverability | ||
|
|
||
| #### Governance Location | ||
|
|
||
| All governance documents are in the community [repo](https://github.com/in-toto/community/tree/main) which is easy to find on Github. | ||
|
|
||
| #### Governance Discovery Completeness | ||
|
|
||
| Governance documentation is found in many repos however is currently missing from archivista and witness. | ||
|
|
||
| ### Documentation Content | ||
|
|
||
| | Governance Area | Coverage | Documents | Finding Notes | | ||
| |:----------------|:--------:|:------:|:--------------| | ||
| | Project Purpose | Complete | https://github.com/in-toto/community/blob/main/README.md | Purpose is very high level, it may be helpful to write a project vision to make it clear what is in and out of scope for the project | | ||
| | Maintainer List | Complete | https://github.com/in-toto/community/blob/main/STEERING-COMMITTEE.md | The steering committee is not up to date with the CNCF project maintainers csv. Elections are also coming soon. | | ||
| | Code of Conduct | Complete | https://github.com/in-toto/community/blob/main/CODE-OF-CONDUCT.md | | | ||
| | Contributor Guide | Partial | https://github.com/in-toto/community/blob/main/CONTRIBUTING.md | The project has a general contributing guide, however many of the implementations do not. [witness](https://github.com/in-toto/witness/blob/main/CONTRIBUTING.md) is the best example with a guide on how to set up the development environment. | | ||
| | Contributor Ladder | Partial | https://github.com/in-toto/community/blob/main/GOVERNANCE.md#project-roles | There are currently only contributors and maintainers. It may be helpful to lay out additional steps between them so people can "climb the ladder". | | ||
| | Maintainer Lifecycle | Partial | https://github.com/in-toto/community/blob/main/GOVERNANCE.md#maintainers | The project does a good job laying out what it takes to become a maintainer, but does not have any mechanism for removal or stepping down. It would also be good to include a section for emeritus maintainers. | | ||
| | Decision-making | Complete | https://github.com/in-toto/community/blob/main/GOVERNANCE.md#decision-making | The decision making process is straight forward with lazy consensus being the fall back. | | ||
| | Code and Docs Ownership | Complete/Partial/Missing/Unknown | *LINKS* | | | ||
| | Security Reporting and response | Partial| https://github.com/in-toto/in-toto/blob/develop/SECURITY.md | The security file currently lists a personal email as a point of contact. It would be better to turn this over to the project. It is also not clear who is responsible for security response. | | ||
| | Communication and Meetings | Partial | https://hackmd.io/Czv1Si4jQkieo_qByoMkPQ | The meeting minutes have moved out of Github and to hackmd. The repo should be updated. | | ||
|
|
||
| #### Sub-projects, plugins, and related | ||
|
|
||
| The project includes the following sub-projects, plugins, and other notable divisions: | ||
|
|
||
| | Area | Ownership and Operation | Standing Bodies | Project Alignment | Notes | | ||
| |:-----|:-----------------------:|:---------------:|:------------------|:---| | ||
| |attestation| https://github.com/in-toto/attestation/blob/main/MAINTAINERS.md | N/A | Complete | | | ||
| |in-toto-golang| https://github.com/in-toto/in-toto-golang/blob/master/MAINTAINERS.md | N/A | Complete | | | ||
| |in-toto-java| https://github.com/in-toto/in-toto-java/blob/master/MAINTAINERS.txt | N/A | Complete | | | ||
| |in-toto-rs| https://github.com/in-toto/in-toto-rs/blob/master/MAINTAINERS.txt | N/A | Complete | | | ||
| |witness| https://github.com/in-toto/witness/blob/main/MAINTAINERS.md | N/A | Complete | governance.md is missing | | ||
| |go-witness| https://github.com/in-toto/go-witness/blob/main/MAINTAINERS.md | N/A | Complete | governance.md is missing | | ||
| |archivista| https://github.com/in-toto/archivista/blob/main/MAINTAINERS.md | N/A | Complete | governance.md is missing | | ||
| |attestation-verifier|https://github.com/in-toto/attestation-verifier/blob/main/CODEOWNERS| N/A | Complete | governance.md is missing | | ||
|
|
||
|
|
||
| ### Operation | ||
|
|
||
| #### Transparency and freshness | ||
|
|
||
| Transparency for a project is exemplified in the public documentation, record, and communications, allowing observers and contributors to monitor the project's adherence to their stated governance. Freshness indicates governance activities mirror the documented governance for the project, and have been reviewed or updated recently. | ||
|
|
||
| The project's governance documentation and activities are transparent including the vote for the first steering [committee](https://github.com/in-toto/community/issues/5) and adding [sub-projects](https://github.com/in-toto/community/issues/18). The election [schedule](https://github.com/in-toto/community/tree/main/elections) should be updated for the coming elections in the spring. | ||
|
|
||
| #### Governance Drift | ||
|
|
||
| The project does not experience governance drift. | ||
|
|
||
| #### Ownership | ||
|
|
||
| The project's ownership evaluation did not leverage Sheriff, the CNCF GitHub permission auditing tool. | ||
|
|
||
| ### Maintainer List(s) | ||
|
|
||
| The project's maintainer list to the [CNCF](https://github.com/cncf/foundation/blob/main/project-maintainers.csv) is not current with the members of the steering committee. Individuals on the maintainer [list](https://github.com/in-toto/community/blob/3da1c4ed10c78ab47523ddda9625fd9e3f4043be/STEERING-COMMITTEE.md) do appear to match the requirements of maintainership in accordance with the project's documented requirements. The maintainer affiliations (employers) reflect Balanced diversity. | ||
|
|
||
| ### Previous Reviews | ||
|
|
||
| N/A |