Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: Add first draft of CloudEvents review #509

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
210 changes: 210 additions & 0 deletions governance/reviews/cloudevents-08-29-2023.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,210 @@
# CloudEvents Governance Review

What follows is a governance review and assessment for the _CloudEvents project. This review is carried out by members of the Governance Working Group of TAG Contributor Strategy. The review may have been done because of a change in maturity level for the project, at the request of the TOC, or as a request by the project itself. If requested by the project, the review will be provided to the project maintainers. Otherwise, the review will be submitted to the TOC for their follow-up.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
What follows is a governance review and assessment for the _CloudEvents project. This review is carried out by members of the Governance Working Group of TAG Contributor Strategy. The review may have been done because of a change in maturity level for the project, at the request of the TOC, or as a request by the project itself. If requested by the project, the review will be provided to the project maintainers. Otherwise, the review will be submitted to the TOC for their follow-up.
What follows is a governance review and assessment for the _CloudEvents_ project. This review is carried out by members of the Governance Working Group of TAG Contributor Strategy. The review may have been done because of a change in maturity level for the project, at the request of the TOC, or as a request by the project itself. If requested by the project, the review will be provided to the project maintainers. Otherwise, the review will be submitted to the TOC for their follow-up.


Projects may ask TAG Contributor Strategy for assistance in resolving any issues uncovered by the review. The TAG is available via our [slack channel](https://cloud-native.slack.com/archives/CT6CWS1JN), [email](https://lists.cncf.io/g/cncf-tag-contributor-strategy), [GitHub](https://github.com/cncf/tag-contributor-strategy), or by joining our weekly meetings (listed on the [CNCF public calendar](https://www.cncf.io/calendar/)).

## Summary and Assessment

Status: Needs Work

CloudEvents is mostly executing well on fair and effective governance of the CloudEvents specification and its releases. Governance is nonpartisan, sophisticated, and appropriate to the publication of a spec used by multiple other cloud native projects.

However, governance documentation and transparency is poor. While most items that should be in governance docs are present, they are in neither ordered nor organized into the files that one would expect them to be in. There are also multiple parts to their governance, including subprojects, with no clear high-level explanation of how these parts relate to each other. The subprojects are in a poor state of leadership.

None of the individual issues with clarity, organization, or transparency of governance would be by itself a blocker to graduation. However, taken together, TAG-CS regards the problems as prohibitive. The project should work to address at least some of the high priority problems with project governance before being voted on for Graduation.

### Executing the Assessment

This assessment was [requested by contributor Doug Davis](https://github.com/cncf/tag-contributor-strategy/issues/478) as part of CloudEvents' application to Graduate.

Josh Berkus performed the first review on August 28, 2023.

### Must-Fix Items

The project should fix some (but does not need to fix all) of the issues below before Graduation:

* Disorganization of governance documents
* Clarity of governance documents
* Need for complete governance summary
* Implement full Admin lifecycle
* Return SDKs to maintained status

### Points of Excellence

The following aspects of governance are exemplary, and can be referenced as examples for other projects to copy:

* The [List of Implementations](https://github.com/cloudevents/spec/blob/main/docs/open-source.md) is a very useful resource, particularly for Specification projects
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use commit hashes in the links to the files in GitHub? The reviews are done using snapshots in the time.

* CloudEvents has [specific guidelines](https://github.com/cloudevents/spec/blob/main/docs/SDK-GOVERNANCE.md) for how to run its subprojects, called SDKs. While the execution on these has been lagging, the documentation is very helpful and an example for other projects with SDKs.

### Areas for Improvement

Over the next year, the project should work on the following issues to improve its governance, these are considered non-blocking:

* Provide greater detail on project participants, in order to make them approachable by new contributors
* Add cross-linking, TOCs, and other indexing to governance documentation
* Implement a lifecycle for SDKs that makes their maintenance, certification, and update status clear
* Figure out a way to track voting meetings that is more transparent and auditable

## Review

### Governance Description

CloudEvents is a specification project, and as such has a different structure than most code projects in the CNCF. Leadership of the project is divided into three areas:

**Admins**: There are four Admins, who are in charge of project administration, including permissions, ensuring regular operation, calling meetings, and similar functions. The Admins are the maintainers of the project by CNCF definition.

**(Voting) Members**: an amorphous, but well-tracked, group consisting of all regular participants in specifications meetings. These members vote on actual changes to the spec and the roadmap according to very detailed voting rules, including per-company vote limits.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
**(Voting) Members**: an amorphous, but well-tracked, group consisting of all regular participants in specifications meetings. These members vote on actual changes to the spec and the roadmap according to very detailed voting rules, including per-company vote limits.
**(Voting) Members**: an amorphous, but well-tracked, group consisting of all regular participants in specifications meetings. If there is ever the need for a formal vote, then these members are the ones who have "voting rights". It is worth nothing though, for regular activity (such as approving changes to the specifications), any person in the community can comment, review and ask for changes to PRs. All open comments on PR need to be addressed prior to the PR merging. In this sense, any member of the community (voting member or not) has the ability to block a PR from being merged. It is only if there are irreconcilable differences of opinion that a formal vote will be taken. The goal is to achieve consensus. As a result, there have only been a handful for formal votes, due to a difference of opinion, during the entire lifetime of the project.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's all good information, but it belongs in your governance docs, rather than in this review.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.


**SDK Maintainers**: the identified owners of each of the language SDKs. See Subprojects for more about these.

While the Admins are the "senior" body in CloudEvents, their powers over Voting Members are strictly limited in order to ensure the neutrality of specification votes.

### Discoverability

#### Governance Location

Governance files are all located in the [Documentation directory](https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md) of the primary specification repository.

#### Governance Discovery Completeness

The Governance files that are present are easily found from the main repository. The main governance file is also linked from the website menus. They are also linked from the main spec README.

Governance files are not generally interlinked, nor do they seem to refer to each other at all; it's up to the individual contributor to figure out which files apply to their role. This could be improved a great deal as part of a general governance cleanup.

Many bits of governance documentation are found in different files than one would conventionally expect them to be found. Contributor information is found in Governance or Maintainers files; decision making requirements in Contributors files.

### Documentation Content

<!--- Provide the commit of the file under evaluation as a point-in-time reference to this review. --->

The following table details the governance areas expected for a project. Coverage is indicated by Complete, Partial, and Missing.
* Complete - the content of the governance documentation is fully detailed and does not leave any question to the reader.
* Partial - the content of the governance documentation is missing some information and would leave the reader with questions or some level of misunderstanding.
* Missing - the documentation is absent, wholly undiscoverable, or woefully inadequate in meeting the objectives of that governance content. The reader cannot act on the content that is available.
* Unknown - status cannot be assessed at this time

| Governance Area | Coverage | Documents | Finding Notes |
|:----------------|:--------:|:------:|:--------------|
| Project Purpose | Complete | [README](https://github.com/cloudevents/spec) | |
| Maintainer List | Partial | [OWNERS](https://github.com/cloudevents/spec/blob/main/OWNERS), [Spreadsheet](https://docs.google.com/spreadsheets/d/1bw5s9sC2ggYyAiGJHEk7xm-q2KG6jyrfBy69ifkdmt0/edit?pli=1#gid=0) | See discussion above |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think a link to the #voting section in the GOVERNANCE.md doc should be added, but I'm not sure what's missing.

| Code of Conduct | Complete | Uses link to CNCF CoC | |
| Contributor Guide | Partial | [CONTRIBUTING](https://github.com/cloudevents/spec/blob/main/docs/CONTRIBUTING.md) | See discussion above |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what's missing here. See comments on the next two lines too.

| Contributor Ladder | Partial | [GOVERNANCE](https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md) | Several roles exist, but qualifications and advancement are not explained |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you elaborate on what might be missing from the #membership section of the GOVERNANCE.md doc?

| Maintainer Lifecycle | Missing | | How to become, or retire, a Voting Member is not explained anywhere |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the #voting section in the GOVERNANCE.md file covers this. Is there something missing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, ok. Can we move that section? It's in a wierd and non-obvious place. Putting it where you define voting members would be better.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure how to tweak it. Under the membership section we point to #voting (specifically on the "voting member" definition), we point to #voting in the Meetings section and the voting section immediate follows the PR section.

| Decision-making | Complete | [GOVERNANCE](https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md), [SDK Governance](https://github.com/cloudevents/spec/blob/main/docs/SDK-GOVERNANCE.md) | Nonlinear, but explained in exacting detail |
| Code and Docs Ownership | Complete | [OWNERS](https://github.com/cloudevents/spec/blob/main/OWNERS), plus each repo | |
| Security Reporting and response | Missing | | A security team exists but is not documented |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the main README has a "Security Concerns" section with info on how to report security concerns. Is that not sufficient?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not according to CNCF standards, no. There needs to be a body that can handle confidential reports of undisclosed security holes. This probably isn't required for the specification (but security folks would need to decide that), but is definitely necessary for the SDKs.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We've gone with the assumption that since the spec doesn't introduce any new security mechanisms (beyond whatever transport level security is already defined by other spec or tools), it's pretty much out of our concern. Meaning, any security issue raised wouldn't really be a CE issue - it would be on the transport security mechanism used. Additionally, we've had security reviews (on the spec and SDKs) and no one has expressed any concerns.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@PushkarJ , @achetal01, @sublimino can one of your sign off on this? This is really a TAG-Security requirement.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additional context wrt to specs, if the spec is hosting community SDKs or reference implementations in the org level repo or project repos, discoverability of a security reporting mechanism needs to be discoverable and accessible. For OpenFeature, they were changed to be directed to a single security.md with a reporting policy described.

The intent of this was to ensure that if a researcher or reporter needed to report an issue, they didn't spend forever hunting for it. Commonly, the security.md file integrated with GitHub makes this process simpler (thanks to a lot of community work)

| Communication and Meetings | Partial | [GOVERNANCE](https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md) | meeting process, no calendar. should link to SDK comms info |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The main README points to the CNCF calendar: https://www.cncf.io/calendar/ and we're listed on there.

Added some text to the main README telling people to check the README of each SDK for its comm stuff. I'd prefer not to duplicate it in the main repo to avoid it getting out of sync or requiring multiple PRs when things change.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some of the SDKs have meeting/comms info, but some don't.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just checked them all and they all seem to have a section like this: https://github.com/cloudevents/sdk-javascript#community which one do you think I missed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you've filled in the missing ones, I need to do a re-check and then I can update this.


#### Sub-projects, plugins, and related

<!--- If the project has subprojects, plugins, or other divisions define them here. For each, is ownership and operation of clearly described? Are any standing committees/teams fully described, including listing their members? Does it conform to, align, and is it within scope of the governance expectations of the project? --->

The project includes the following sub-projects, plugins, and other notable divisions:

| Area | Ownership and Operation | Standing Bodies | Project Alignment | Notes |
|:-----|:-----------------------:|:---------------:|:------------------|:---|
| SDK-Java | Partial | Complete | Partial | Currently a WIP project |
| SDK-Csharp | Partial | Complete | Partial | |
| SDK-Javascript | Partial | Complete | Partial | |
| SDK-Rust | Missing | Complete | Partial | No maintainers listed |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

| SDK-Powershell | Missing | Missing | Partial | No maintainers, no meetings or channel |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

| SDK-PHP | Partial | Complete | Partial | No maintainers listed |
| SDK-Ruby | Partial | Complete | Partial | No maintainers listed |

Language-specific Software Development Kits (SDKs) exist as subprojects of CloudEvents. These are largely autonomous of the main spec project in a governance sense. There is a [template for SDK governance](https://github.com/cloudevents/spec/blob/main/docs/SDK-GOVERNANCE.md) and other guidance docs, but SDK projects are largely left on their own after creation. This leads to some problems:

* Some SDKs have gone completely unmaintained
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the definition of "maintained"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"has a maintainer".

Copy link

@duglin duglin Sep 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah ok - I opened a PR for each SDK to align on common governance docs - see this PR for how the SDKs will now do it: cloudevents/spec#1226

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now completed for all SDKs

* There are no processes for SDK archiving or SDK Maintainer offboarding
* No SDK roles are defined other than "maintainer"
* Certification of SDKs is not up to date
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which certification are you referring to ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Compliance with versions of the spec. Several SDKs are not current.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to https://github.com/cloudevents/spec/blob/main/cloudevents/SDK.md#feature-support they all support v1.0 - which is sufficient since we're still in the v1.0.x track.

* SDK repos do not appear to have OWNERS files or other administrative automation
* It's impossible to tell if SDKs are well governed since they have no minutes or video of their monthly meetings
* There's no defined governance relationship between other bodies and the SDKs or between maintainers of different SDKs
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which "other bodies" are you thinking of?
Do we have to have a relationship across SDKs?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Admins and voting members.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you elaborate on what you're looking for beyond what in this section: https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md#membership

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't have to have a relationship, but if you don't you want to spell it out: "SDKs are completely autonomous from other groups." There's some practical considerations to declaring that though, and it might not be acceptable to the TOC. For example:

  • how do SDKs get removed/archived because of abandonment?
  • who verifies that SDKs comply with the spec?
  • who handles security reports against SDKs?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've opened cloudevents/spec#1229 to address this.


This means that CloudEvents is in a position where the state of their SDKs appears to be poor, and the core project cannot do anything meaningful to improve that. We suggest that this could be remedied by putting the SDKs clearly under the Admins, with defined requirements on activity, maintainership, maintainer replacement, archiving, and emeritus status. We also suggest adopting some form of administrative automation for the SDK projects.

### Operation

<!--- Review the project repositories, issues, Pull Requests (PRs), documents, videos, and communications to determine answers to the following questions. In some cases, have chats or interviews with project members. --->

#### Transparency and freshness

<!--- Are governance activities transparent and monitorable? Are the governance documents up to date? Do they accurately reflect current project participants, code and subproject status, etc? --->

Transparency for a project is exemplified in the public documentation, record, and communications, allowing observers and contributors to monitor the project's adherence to their stated governance. Freshness indicates governance activities mirror the documented governance for the project, and have been reviewed or updated recently.

Transparency: The project has attempted to add every process and procedure to written governance files. Meetings and votes are well-documented, aside from the SDKs. As a spec project, CloudEvents is clearly trying to be fully transparent. However, governance documentation is confusingly organized to the point of impenetrability; there is no way that a casual observer or contributor would be able to participate in, or even monitor, the project's activities and decisions without direct mentoring. For example, lists of Admins and Voting members include minimal information and can be hard to decipher. This problem could be solved with a refactor of the governance documentation and adding some things like a high-level explanation of the project's organization and a public calendar. This opaqueness appears to be purely a documentation problem and not an execution problem.

Freshness: CloudEvents has updated their governance docs multiple times in the project history. The last batch of governance updates was 8 months ago.

#### Governance Drift

<!--- Are the governance activities being carried out? Are community meetings (if any) happening? Are required elections and votes taking place? Are official communications channels accessible, staffed and responsive? Are they being used? Are questions and proposed updates/changes to governance (if any) being transparently discussed and addressed? -->

Governance Drift can occur when the executed and observable governance of a project deviates from the documented governance of the project.

Governance drift for CloudEvents cannot be determined because the written governance is too hard to decipher.

#### Ownership

The main project uses OWNERS files which appear to match declare roles elsewhere. At this time, we cannot audit actual Github permissions.

The SDKs do not appear to have any controls on permissions, and as such are likely very out of sync with project roles.

### Maintainer List(s)

CloudEvents' three types of leaders need to be evaluated separately.

#### Admins

The list of Admins is current, and appears well-balanced, with four admins representing four different organizations. However, admins are listed only by GH handle, with no affiliation, contact information, or history; listing full information on each admin would enhance transparency. The Admins were set up as roles-for-life, with only one change of admin since the project was founded in 2018. There are no defined processes for removing an admin for inactivity, nor any expectation that new Admins will be recruited.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We describe the process for add/removing admins in the #admins section of the GOVERNANCE.md doc.
Correct we don't remove admins due to inactivity since most of them are inactive per the definition of the role - and we like it that way. There really isn't much for them to do, aside from run the weekly calls, and that's normally done by just one of them - with another person being their usual backup (e.g. for vacations).

It's not so much "role for life" as it's just a very minimal role and people can ask to be added, or removed, whenever they want.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but you already have the problem that an admin has effectively left the project without resigning as an admin. So there needs to be some documented way to handle that.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there is, someone can open a PR to remove them: https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md#admins


Since, at this time one of the four admins (Ken Owens) is no longer active in the project per Devstats and meeting tracking, it would benefit Cloud Events to document a full Admin lifecycle including recruitment, promotion, qualifications, and emeritus status. Documenting this and following it would help ensure that the project retains a continuously active leadership.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we need some more text around this, but it's a bit misleading to call it "leadership" since they really only act after approval from the group. They're more like secretaries.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That isn't clear from the documentation; on a reading from the docs the admins are treated as Maintainers. Who are the Maintainers, but the CNCF definition? Can we make that clear?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md#admins
says:

Since the role of an 'Admin' is mainly administrative...

And there's also this text under the definition of admin:

Admins are Members of the group but have the ability to perform administrative actions on behalf of the group. For example, manage the website, github repos and moderate the meetings. Their actions should be done with the knowledge and consent of the group. They also have the ability to merge/close PRs, but only per the group's approval.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So it's nice to think of the admins as servants of the voting members, but the admins actually have quite a bit of power over the project. As such, they need to have a clearly defined lifecycle, just like we require regular code projects to have a clearly defined lifecycle for their maintainers.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still confused. We define how admins can be added and removed - that's the lifecycle: https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md#admins It's not clear to me what's missing.


#### Voting Members

In contrast to the admins, voting members are defined by their activity through participation in spec meetings, ensuring that the list of voting members is always relatively current. This makes it quite an easy route to get involved in the project, and prevents staleness. The list of voting members is tracked through a [spreadsheet](https://docs.google.com/spreadsheets/d/1bw5s9sC2ggYyAiGJHEk7xm-q2KG6jyrfBy69ifkdmt0/edit?pli=1#gid=0), which raises some issues around transparency and auditability (for example, who owns that spreadsheet?). Balance is ensured by voting rules which do not permit employees of the same company from voting more than once.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our governance doc now says: An Admin will be responsible for updating the spreadsheet.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where's the spreadsheet stored? In whose account? The Projects staff can help you with putting it in a CNCF-owned account. We really don't want it to get deleted if someone changes jobs.


Materially, the three active admins are also the three most consistent Voting Members. On average, 5-8 additional members participate in voting meetings.

#### SDK Maintainers

SDK maintainers are not current. See Subprojects above.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.


### Evolution

<!--- How has the project's governance evolved over time? Is the project steadily refining/advancing its governance as the project grows and resolves issues? --->

Governance evolution is the observable changes and improvements the project makes to its governance over the project's lifespan. It is expected that changes will occur over the project's life and that such changes are iterative, tested, and adjusted.

Major milestones in the project's governance over time include:

* Governance created with project founding in 2018
* Overhaul of governance files for joining CNCF in 2020

Areas of potential future development include:

* Complete reorganization of governance documentation for clarity and completeness.
* Adoption of a full Admin lifecycle that encourages turnover.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure we want to encourage turnover just for the sake of turnover.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You already have turnover, but you haven't acknowledged it.

Copy link

@duglin duglin Sep 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But you seem to be asking for us to encourage it - I don't see value in that. It happens, yes. But why should we try to force it? We document how it CAN happen here: https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md#admins

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a good idea to encourage it, yes. Not only to people leave, they burn out as well. If you're not doing anything to recruit new admins, then you won't get any, and pretty soon you'll be exercising the line in the governance that says what to do when the last admin leaves.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one feels like a very subjective thing. We have a process that's working, no one is complaining, we have at least 3 admins to cover stuff.... I don't see an issue. Swapping in new folks "just because" could only make things worse because it means we'll get people who might not actually want to do it beyond the initial "fake" prestige they think it'll give them and they'll half-ass it. Then the entire process runs the risk of falling apart because the folks who really do want to do it have been pushed out.

* Develop and execute a plan to return the SDKs to maintained status.

### Governance Findings Table
<!--- Add additional rows as necessary. For each finding described above, it should also be included here with further detail. --->

| Finding Title | Importance | Description | Links | Notes & Impact |
|:------------- |:----------:|:------------|:------|:---------------|
| Disorganized Governance Docs | High | Governance documentation is disorganized and impenetrable to newcomers | [Docs folder](https://github.com/cloudevents/spec/tree/main/docs) | This includes both the set of different docs and their lack of relation to each other, together with the ad-hoc organization of material in each document |
| Unclear Governance Docs | High | Governance documentation contains many notes and fragments, without explanitory material to make it comprehensible | [Governance](https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md) |
| No Project Architecture | High | Docs do not explain the parts of the project governance and how they relate to each other; there is no high-level orientation. | [Docs folder](https://github.com/cloudevents/spec/tree/main/docs) | This exacerbates the issue with the docs being disorganized |
| Docs do not cross-link | Medium | Gov docs lack links to other gov docs, the CoC, etc. | [Docs folder](https://github.com/cloudevents/spec/tree/main/docs) | |
| No Admin Lifecycle | Medium | No real process for admin recruitment and retirement | https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md | Has already lead to inactive admins |
| SDKs unmaintained | High | 4 of 7 SDKs have no listed maintainers | [See SDK repos](https://github.com/cloudevents) | No governance defined way for project to rescue these |
| Secure Voting Members Sheet | Low | Voting Memebers spreadsheet needs to be auditable, CNCF-owned | [sheet](https://docs.google.com/spreadsheets/d/1bw5s9sC2ggYyAiGJHEk7xm-q2KG6jyrfBy69ifkdmt0/edit?pli=1#gid=0) | |

### Previous Reviews

| Date | Requested By | Reason | Link |
|:-------|:--------------|:------------------------------------------:|:---------------------|
| 2023-08-30 | Project | Project Graduation | https://github.com/cncf/toc/pull/996 |