Measure Project Progress

[nyemade-uversky]

Description

This issue's purpose is to track the Dapr project's progress towards CNCF graduation (i.e., CNCF graduated project status), and the companion issue to #107. This issue will be updated as the project progresses forward and serve as a record of completed tasks towards that purpose.

All requirements are taken from CNCF project page where graduation criteria is listed.

Quick Tracker:

To graduate from sandbox or incubating status, or for a new project to join as a graduated project, a project must meet the incubating stage criteria plus:

• (1) Have committers from at least two organizations.
• (2) Have achieved and maintained a Core Infrastructure Initiative Best Practices Badge.
• (3) Have completed an independent and third party security audit with results published of similar scope and quality as the following example (including critical vulnerabilities addressed): https://github.com/envoyproxy/envoy#security-audit and all critical vulnerabilities need to be addressed before graduation.
• (4) Explicitly define a project governance and committer process. This preferably is laid out in a GOVERNANCE.md file and references an OWNERS.md file showing the current and emeritus committers.
• (5) Have a public list of project adopters for at least the primary repo (e.g., ADOPTERS.md or logos on the project website). For a specification, have a list of adopters for the implementation(s) of the spec.
• (6) Receive a supermajority vote from the TOC to move to graduation stage. Projects can attempt to move directly from sandbox to graduation, if they can demonstrate sufficient maturity. Projects can remain in an incubating state indefinitely, but they are normally expected to graduate within two years.

Detailed Tracking Table

Req. #	CNCF Graduation requirements	Links	Dapr Satisfies requirement	Why Dapr Does or Doesn't satisfy requirements	Proof of satisfied requirement
1	Have committers from at least two organizations.		YES	(1) Dapr STC guidelines promote multi-org contributions, (2) CNCF DevStats shows contributor commits from multiple orgs.	(1) Dapr STC Guidelines (2) CNCF DevStat PRs by contributor
2	Have achieved and maintained a Core Infrastructure Initiative Best Practices Badge.	Best Practices Badge
3	Have completed an independent and third party security audit with results published of similar scope and quality as the following example (including critical vulnerabilities addressed): https://github.com/envoyproxy/envoy#security-audit and all critical vulnerabilities need to be addressed before graduation.	Security Audit
4	Explicitly define a project governance and committer process. This preferably is laid out in a GOVERNANCE.md file and references an OWNERS.md file showing the current and emeritus committers.
5	Have a public list of project adopters for at least the primary repo (e.g., ADOPTERS.md or logos on the project website). For a specification, have a list of adopters for the implementation(s) of the spec.		YES	Dapr project publicly publishes a list of adopters	ADOPTERS.md
6	Receive a supermajority vote from the TOC to move to graduation stage. Projects can attempt to move directly from sandbox to graduation, if they can demonstrate sufficient maturity. Projects can remain in an incubating state indefinitely, but they are normally expected to graduate within two years.
7
8

[msfussell]

Dapr is not being consider for graduation in the immediate time frame, at least not for 2023