Clarify graduation submission requirements/review #1013
Conversation
|
It's worth noting that I think a similar process can be used for sandbox and incubator proposal, in particular when it comes to the DD analysis as I think that's probably one of the bigger work items in the process. Shift that to the project to gather. |
| 1. Names of organizations that have current/active maintainers with the | ||
| maintainer GitHub IDs (should have at least 2 orgs): | ||
| * ???org (@???githubID, ...) |
There was a problem hiding this comment.
Or should we point to the maintainer overview of the given project to avoid stale information? In theory this should be well-documented for a graduation project
There was a problem hiding this comment.
Good idea - I decided to do both... URL to maintainer doc AND the current list of orgs who have maintainers. I think having today's # of orgs is a good bit of info for the TOC to have w/o having to follow a link to see it.
|
|
||
| ### * Have completed an independent and third party security audit with results published of similar scope and quality as [this example](https://github.com/envoyproxy/envoy#security-audit) which includes all critical vulnerabilities and all critical vulnerabilities need to be addressed before graduation. | ||
| ## Graduation Information |
There was a problem hiding this comment.
We should also add links to the required reviews, if any are mandatory
There was a problem hiding this comment.
I modified the security audit bullet to make it so we can add more reviews under there as needed - then they're all in one spot. Are there other reviews I should add?
There was a problem hiding this comment.
- TAG security was once required (but turned out external audit was enough) - Proposal for KEDA to become a CNCF Graduated project #925 (comment)
- TAG Contributor strategy was required for KEDA - Proposal for KEDA to become a CNCF Graduated project #925 (comment)
There was a problem hiding this comment.
for TAG Contrib... let's see if we can create the list of requirements that the TAG used and then add them to this doc/PR. I've added a commit with some stuff from KEDA's review - see if anything is missing.
Signed-off-by: Doug Davis <[email protected]>
|
Adding @craigbox as we had similar chats recently for Istio |
Signed-off-by: Doug Davis <[email protected]>
| * ???name : ???quote | ||
|
|
||
|
|
||
| ## Due Diligence |
There was a problem hiding this comment.
I disagree with the need for any due diligence at the graduation phase, unless there is any suggestion that a project may have regressed since entering the CNCF and may not continue to meet the incubation criteria. That process could well happen with an incubating project and should be addressed by project review and/or the archival process, and need not be duplicated by graduation.
I take this position based on the expressed ideals that "[the] incubation level is the point at which we expect to perform full due diligence on projects", and that the stated intention of graduation is a signal to the market that the software is ready for the early majority, not just early adopters.
An exception would be that if a project intends to join at Graduated, which has not yet happened but is explicitly mentioned as a possibility. In that case, I would hope that the processes for "join at Incubation" and "demonstrate readiness for Graduation" were non-duplicative and could just both be followed.
There was a problem hiding this comment.
I'm ok with removing it if the TOC would like that. I included it because:
1 - as you suggested, a project may want to join the CNCF at the graduated level
2 - since part of my goal is to reduce the amount of time for the TOC to review any pertinent information about a project, I wanted to put everything in one spot, even if that info was originally provided at a lower stage.
3 - worst case people could just copy the info from the info previously provided
I'll leave it to the TOC to decide if including this here is useful or not - I'll do whatever speeds up their graduation review process.
|
I should point out that ideally I'd like to remove, not add, questions to the form that applicants need to fill out because it seems like many of the questions (while interesting) should not be used to determine if a project is "graduation worthy". I say this because the answers are often transient or misleading. For example, "commit stats". For a younger project there could look really good, but once the project is very mature it may not look as good. But that doesn't mean the project isn't worthy... it could just mean it's stable. And in fact, too many commits could be a sign of being buggy. Plus, would a project lose it's "graduated status" if the answers to those questions suddenly changed? I doubt it. So, those questions shouldn't really be used to gauge graduation readiness. And while I'm at it... there's part of me that even questions the need for the 3 levels at all since projects don't seem to be able to be demoted if things change (beyond being archived). Why should a once-good-but-now-not-so-good project remain at "graduated" status while newer projects that are wildly popular might be stuck at "incubator" stage? The status doesn't really provide the true value to the community who might view it as a way to gauge a project's worthiness. It's potentially very misleading and will only get worse as the entire Cloud Native community matures and project slowly fad in popularity. As a result, I often wonder if there should only be one "bar"... either a project is a CNCF project or not. A project meets certain criteria (probably similar to what we have for incubator) and once they meet that then they're in. Very low bar and no more politics or games to worry about... just focus on the project being successful. But that might be a topic for a different day... |
|
PTAL at #992 and #997. @duglin, it might be a good idea to attend the upcoming meeting if you can. I think I'm in favour of your bar criteria, with
and then a set of badges which can be renewed semi-frequently based on "number of companies contributing", "diversity of governance", "when the last security audit was done", etc. |
|
@duglin we missed you at the task force presentation to the TOC today. Given your involvement with the group and the consensus the group achieved, do you believe this PR to be overcome by the group's deliverable/recommendations? I realize the work is not "complete" in that the changes are not reflected in the TOC repo. |
|
As I'm not involved in the group any more I'll have to wait until the TOC repo changes are made before I can say for sure. The main things I'll be looking for are:
|
|
That is reasonable. We'll leave this PR open, and I'll try to ensure those points you highlighted are covered or addressed by the resulting consensus reflected in the PR(s) to document those changes. |
|
Closing this PR as overcome by the recent changes to the TOC repo. Related issue to capture project feedback on this process: #1293 |
As I look at the graduation process for CloudEvents and KEDA it appears that the current process might need a bit of tweaking to help speed things up. Some observations/suggestions, from an outsider's point of view:
To that end, this PR proposes a change to the graduation process:
My ask, if this direction seems reasonable, is that the TOC members propose additional items to the application template in this PR so that it eventually includes all information they will need to make their decision. I believe that aside from speeding up the process, it will also increase the transparency of the the process.
/cc @tomkerkhove