Add clarification to CNCF graduation criteria #992
Comments
|
related #907 Some things to consider when updating:
|
|
Slightly related, during Cilium's graduation process, we have also found that the document structure is different than in the repo, we based ours off of Argo and Flux. The general structure is
|
|
Would it be helpful to create a DD template related to https://github.com/cncf/toc/blob/main/process/due-diligence-guidelines.md? |
|
As a maintainer going through a proposal now, that would definitely be useful and can be hosted on Google Docs thanks to #980 |
|
One more item to clarify on the graduation criteria: We might want to clarify expectations here. |
|
Thanks all for the good comments/suggestions! Everyone, you are welcome to share your questions/frustration about the application to the graduation process and provide suggestions! |
|
It is also currently not documented in the TOC repo if a TAG Security review is required. https://github.com/cncf/tag-security/tree/main/assessments |
Would some sort of overview security review make more sense as part of an incubation requirement? The TOC already asks projects that are applying for graduation to have undergone a third-party security review. |
|
Agreed; we now have to go through 2 security reviews. |
|
Looking at the process for this TAG Security review; this is going to take another bunch of weeks as well. If this is a strong requirement, then I believe both the external + TAG review should be merged to optimize the time of all parties (CNCF + TAG + Security vendor + Maintainers). |
|
Another one I start seeing pop up on #997 are:
|
|
cross posting the comment on security reviews from the PR here: #997 (comment)
|
As follow-up, and I'll quote @TheFoxAtWork from cncf/tag-security#1030:
So let's clarify this in the criteria as this was a bit of a confusing aspect for a proposing project. |
|
@tomkerkhove yes, we need to clarify this in the criteria. |
|
I think it would be worthwhile to have more definition around the need for, or use of, a due diligence document, at the graduation stage. The process for incubation is well understood, and experience generally maps to that published guidance. A proposal and Due Diligence are both clearly stated as being required, and both a template and guidelines for due diligence are provided. (The graduation criteria states that the incubation phase is where "full" due diligence is done, but the proposal documentation says that "a majority" of due diligence happens at the incubation stage.) The documented process for graduation phase only directly refers to the requirement for a proposal, and provides a template which lists six "criteria", with the seventh being that the TOC vote on whether the six are met. That word may not have been chosen deliberately, but it means "a principle or standard by which something may be judged or decided", and so suggests to me that graduation is a matter of meeting the defined criteria. If the TOC is looking at things that are not in the criteria, then I am in strong support of updating the criteria to match. For example, the proposal guidelines state "The proposal addresses how the project has grown since incubation and any concerns from incubation DD in addition to the standard graduation requirements." Must a project have grown since incubation? Is this now part of the criteria? If there is a requirement to publish a new due diligence document in order for a project to graduate, could that requirement please be added concretely, and a template provided? |
|
@craigbox I agree with your points. We will consider your input when updating the document |
|
other considerations from various discussions to be evaluated as part of this:
|
|
Tying graduation to a “healthy distribution of commit author company/organization diversity” may signal a change of intentionality about the way CNCF presents its projects which I think warrants larger discussion. Modern open source is almost all written by people who are paid to do so. For the top company to have <40% of the commits to a project, you would realistically need to have at least three equal-sized contributors to the project. That counts out having a project that is largely maintained by a single vendor being a “Graduated” project, and thus receiving the full-throated recommendation of the CNCF. Worse, as Liz points out, a perverse incentive for a vendor would be to drop their contribution in order that other contributors catch up, or to “launder” their commits through another organization. Many graduated projects don’t come close to the 40% bar today. Would they be asked to give up their status? For example:
From #997:
This is a reality of all software, and open source itself is commonly offered as a hedge against this eventuality. A thought exercise: should the CNCF recommend that people use gRPC, which is developed and depended on by one of the five largest companies in the world, or should it prefer an alternative which is maintained equally by one person from three different companies, in their evenings? This change would also rule out much governance based on maintainership, which is generally conferred on those who have contributed the longest/the most. I think a lot of the debate here is because of how the CNCF positions and promotes its projects. Right now, I interpret “incubating” and “graduated” as the CNCF presents them: “a signal by CNCF as to what sorts of enterprises should be adopting different projects”. Companies are founded with all their code submitted to the CNCF Sandbox as soon as possible. Projects want to be graduated. If the opinion of this TOC is that, to be recommended to pragmatists, a project must have diverse authorship and maintainership, then I believe that would necessitate a major change in the CNCF’s focus, to being an organization which helps projects achieve this bar. Alternatively, why not consider moving away from a single track? Participants come and go over time, so it does not make sense to have recommendation status be a lifetime achievement. For example, what about simply having “CNCF Projects”, and publishing their current security status and company contribution diversity somewhere as tags or badges? |
|
I like the idea of "publishing current security status and company contribution diversity somewhere as tags" to the graduation projects. We can get such information for each project during its annual review. But we still need some high bars for a project to be marketed as a CNCF-endorsed mature project with good support when a user adopts it. These project maturity levels are useful to end users when they evaluate whether to adopt a project or not. |
|
Are "sandbox" and "incubating" (or their renamed equivalents) good enough indicators of "immature" and "mature"? |
|
interesting question. This is a fundamental change that may impact many existing projects in different maturity statuses as well as those projects in the TOC review pipeline to change status. Let's discuss this in the TOC meeting tomorrow. |
|
Any progress on this? Are we discussing this issue further? |
|
Hi @prithvi1307 ! This work is going to be executed under the TAG CS issue linked above (cncf/tag-contributor-strategy#366). Additional feedback, suggestions, call outs, and interest in participation are being captured on that issue. The TOC is currently working on defining the scope of the group and once we have that the TAG CS issue will be updated. Apologies for the delay in resolving this issue, we're juggling several items in our backlog with the availability we have currently. Did this answer your question? |
|
@TheFoxAtWork is there a set of regularly scheduled meetings that we can attend to see (and be part of) the conversations? Aside from one call shortly after the initial TOC meeting we had a long time ago I haven't noticed any other discussions but I may have missed some threads. |
|
No meetings scheduled as of yet. The conversations thus far are only what is on the TAG CS issue and among the TOC. The comments on the TAG CS issue are the capture of observations as TOC members engage with projects conducting activities (such as Due Diligence). |
|
I guess this can be closed with #1263 right? |
|
Yes thank you @xmulligan ! |
Current CNCF graduation criteria do not lay out everything the TOC looks at. For example, TOC will ask the project leads to reach out to TAG-security for a security check and get their recommendation/input, but this is not documented in the graduation criteria or graduation DD. TOC is also discussing whether to leverage TAG Contributor Strategy's expertise to help review the project's governance to make sure it is open and neutral. Without clearly spelling out these, there could be confusion among the project maintainers. We have seen some stumbling along this application journey. To set the project maintainers up well for the graduation review process and avoid potential insistency/controversy about the evaluation/approval/rejection result, it is worth adding such clarification to the graduation criteria/DD document. Thoughts?
The text was updated successfully, but these errors were encountered: