In-toto Graduation DD - TOC evaluation #1522
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
TheFoxAtWork
approved these changes
Jan 20, 2025
|
Linking to the mailing list notification for public comment on this project: https://lists.cncf.io/g/cncf-toc/message/8742 |
Signed-off-by: Ricardo Aravena <[email protected]> Signed-off-by: Ricardo Aravena <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Why: * it was requested the TOC describe used competencies for their work to better inform candidates * it was requested the TOC explicitly state minimum throughput for Due Diligence This change address the need by: * Adding explicit throughput on line 39 for accountability * Establish initial competencies at line 47 Signed-off-by: Emily Fox <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Emily Fox <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Emily Fox <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Emily Fox <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Kevin Wang <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Kevin Wang <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Kevin Wang <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Co-authored-by: Emily Fox <[email protected]> Signed-off-by: Kevin Wang <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Kevin Wang <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Kevin Wang <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Why: * the TOC has fielded feedback from maintainers and TOC members, implemented changes to address issues, and needs to update our docs to reflect this. This change address the need by: * re-writing the triage to align with current process * calling out the adopter form for adopter interview collection * detail process for projects not yet ready to move * linking the adopter interview form in the process/README * updating process/README to inform on triaging and not-ready applications Signed-off-by: Emily Fox <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Emily Fox <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: lianmakesthings <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: leonrayang <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Bob Killen <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Emily Fox <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
WIP update to emily's comment Signed-off-by: Lin Sun <[email protected]>
more updates Signed-off-by: Lin Sun <[email protected]>
more updates Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Ricardo Rocha <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Add a link to the template to ensure user review the moving level evaluation guideline Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Co-authored-by: Emily Fox <[email protected]> Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Lin Sun <[email protected]>
adding more info related to audit and maintainers Signed-off-by: Lin Sun <[email protected]>
address more comments on active maintainers and security audit. Signed-off-by: Lin Sun <[email protected]>
Signed-off-by: Davanum Srinivas <[email protected]> Signed-off-by: Lin Sun <[email protected]>
As per the discussion in the TOC meeting of 2025-01-07 (https://youtu.be/dTzpAw6lUT0?t=1627), add a set of questions to the adopter interview template that will allow us to get a better picture of how adopters see and use these maturity levels. Signed-off-by: Ricardo Rocha <[email protected]> Signed-off-by: Lin Sun <[email protected]>
|
No code change, just correcting DCO using these 2 cmds: |
|
/vote |
Vote created@linsun has called for a vote on The members of the following teams have binding votes:
Non-binding votes are also appreciated as a sign of support! How to voteYou can cast your vote by reacting to
Please note that voting for multiple options is not allowed and those votes won't be counted. The vote will be open for |
colek42
reviewed
Jan 30, 2025
linsun
commented
Jan 30, 2025
correct typo Signed-off-by: Lin Sun <[email protected]>
|
/check-vote |
Vote statusSo far Summary
Binding votes (3)
|
| User | Vote | Timestamp |
|---|---|---|
| oswalpalash | In favor | 2025-01-29 20:11:29.0 +00:00:00 |
| jkjell | In favor | 2025-01-29 20:12:49.0 +00:00:00 |
| reylejano | In favor | 2025-01-29 20:13:19.0 +00:00:00 |
| mnm678 | In favor | 2025-01-29 20:16:11.0 +00:00:00 |
| MohawkMattDenny | In favor | 2025-01-29 20:17:07.0 +00:00:00 |
| JustinCappos | In favor | 2025-01-29 20:17:44.0 +00:00:00 |
| SantiagoTorres | In favor | 2025-01-29 20:30:45.0 +00:00:00 |
| kriscoleman | In favor | 2025-01-29 20:39:08.0 +00:00:00 |
| adrianmatpersaud | In favor | 2025-01-29 20:44:36.0 +00:00:00 |
| puerco | In favor | 2025-01-29 20:46:59.0 +00:00:00 |
| alanssitis | In favor | 2025-01-29 21:15:32.0 +00:00:00 |
| steiza | In favor | 2025-01-29 21:19:58.0 +00:00:00 |
| chinenyeokafor | In favor | 2025-01-29 21:23:07.0 +00:00:00 |
| trishankatdatadog | In favor | 2025-01-29 21:23:08.0 +00:00:00 |
| marcelamelara | In favor | 2025-01-29 21:24:27.0 +00:00:00 |
| arewm | In favor | 2025-01-29 21:38:21.0 +00:00:00 |
| matglas | In favor | 2025-01-29 21:53:06.0 +00:00:00 |
| mlieberman85 | In favor | 2025-01-29 22:43:52.0 +00:00:00 |
| dmorneau | In favor | 2025-01-29 23:29:24.0 +00:00:00 |
| ChaosInTheCRD | In favor | 2025-01-29 23:37:24.0 +00:00:00 |
| yzhang71 | In favor | 2025-01-30 0:08:41.0 +00:00:00 |
| vipulagarwal | In favor | 2025-01-30 0:20:16.0 +00:00:00 |
| tannerjones4075 | In favor | 2025-01-30 0:21:42.0 +00:00:00 |
| bobcallaway | In favor | 2025-01-30 0:26:04.0 +00:00:00 |
| adityasaky | In favor | 2025-01-30 1:18:35.0 +00:00:00 |
| RealHarshThakur | In favor | 2025-01-30 3:11:17.0 +00:00:00 |
| PradyumnaKrishna | In favor | 2025-01-30 4:09:27.0 +00:00:00 |
| r0b2g1t | In favor | 2025-01-30 7:53:52.0 +00:00:00 |
| nyrahul | In favor | 2025-01-30 9:17:20.0 +00:00:00 |
| rakshitgondwal | In favor | 2025-01-30 10:33:16.0 +00:00:00 |
| Horiodino | In favor | 2025-01-30 10:56:50.0 +00:00:00 |
| pxp928 | In favor | 2025-01-30 11:19:05.0 +00:00:00 |
| kommendorkapten | In favor | 2025-01-30 12:10:36.0 +00:00:00 |
| mlebeau303 | In favor | 2025-01-30 15:48:55.0 +00:00:00 |
| colek42 | In favor | 2025-01-30 15:49:58.0 +00:00:00 |
| kipz | In favor | 2025-01-30 15:58:47.0 +00:00:00 |
| brandtkeller | In favor | 2025-01-30 16:58:05.0 +00:00:00 |
| armarquez | In favor | 2025-01-30 17:41:25.0 +00:00:00 |
| wcrum | In favor | 2025-01-30 20:40:21.0 +00:00:00 |
mkbhanda
approved these changes
Jan 31, 2025
|
|
||
| ### Can you give us an overview of your organization and what it does? | ||
|
|
||
| [Lockheed Martins](https://www.lockheedmartin.com/en-us/contact.html) is a leading aerospace and defense company. |
There was a problem hiding this comment.
Suggested change
| [Lockheed Martins](https://www.lockheedmartin.com/en-us/contact.html) is a leading aerospace and defense company. | |
| [Lockheed Martin](https://www.lockheedmartin.com/en-us/contact.html) is a leading aerospace and defense company. |
| @@ -0,0 +1,107 @@ | |||
| # In-toto Adopter Interview - Lockheed Martins | |||
There was a problem hiding this comment.
Suggested change
| # In-toto Adopter Interview - Lockheed Martins | |
| # In-toto Adopter Interview - Lockheed Martin |
| @@ -0,0 +1,107 @@ | |||
| # In-toto Adopter Interview - Lockheed Martins | |||
|
|
|||
| Interviewee: Ian Dunbar-hall, Head of Open Source Program Office, Lockheed Martins | |||
There was a problem hiding this comment.
Suggested change
| Interviewee: Ian Dunbar-hall, Head of Open Source Program Office, Lockheed Martins | |
| Interviewee: Ian Dunbar-hall, Head of Open Source Program Office, Lockheed Martin |
| - The project has a wide range of interest across academic and cross different industries. | ||
| - The project [integrates](https://github.com/in-toto/friends?tab=readme-ov-file#project-integrations) with various other projects in the cloud native ecosystem such as GitHub, GitLab, GUAC, Tekton, etc. | ||
| - Implementation of the steering committee to capture adopters' voice in the project development and roadmap. | ||
| - The project is not only vendor neutral but also has a very diversed set of maintainers, adopters and integrators. |
There was a problem hiding this comment.
Suggested change
| - The project is not only vendor neutral but also has a very diversed set of maintainers, adopters and integrators. | |
| - The project is not only vendor neutral but also has a very diverse set of maintainers, adopters and integrators. |
| - Updating the list of subprojects in GitHub, found from the Governancy review. | ||
| - Provide an updated roadmap document in GitHub. | ||
| - Document the release process. | ||
| - Provide instructions of onboarding & offboarding members/roles in the community. |
There was a problem hiding this comment.
Suggested change
| - Provide instructions of onboarding & offboarding members/roles in the community. | |
| - Provide instructions for onboarding & offboarding members/roles in the community. |
|
|
||
| ### Adoption Evaluation: | ||
|
|
||
| The adopter interviews reflect the in-toto project is in use for the level which the project applied, which is CNCF graduation. It has a good range of adopters across different industries and vendors, including GitHub, DataDog, SLAS, Solarwinds, Lockheed Martins and more. Every adopter I interviewed is quite happy with in-toto. Highlight some of the project strengths I heard during adopter interviews: |
There was a problem hiding this comment.
Suggested change
| The adopter interviews reflect the in-toto project is in use for the level which the project applied, which is CNCF graduation. It has a good range of adopters across different industries and vendors, including GitHub, DataDog, SLAS, Solarwinds, Lockheed Martins and more. Every adopter I interviewed is quite happy with in-toto. Highlight some of the project strengths I heard during adopter interviews: | |
| The adopter interviews reflect the in-toto project is in use for the level which the project applied, which is CNCF graduation. It has a good range of adopters across different industries and vendors, including GitHub, DataDog, SLAS, Solarwinds, Lockheed Martin and more. Every adopter I interviewed is quite happy with in-toto. Highlighting some of the project strengths I heard during adopter interviews: |
|
|
||
| - [X] **Give a presentation and engage with the domain specific TAG(s) to increase awareness** | ||
|
|
||
| [Presentation](https://zoom.us/rec/share/H4AeeCUzrh7dVDzv7udMJmK-jWHvENmyWmcZvG4-1rZbVWUTn7RAByqKSfG3g9ya.OJnqcezJAXcGMce0?startTime=1721235498000) was given to the TAG security in July 2014, which was recorded in this [issue](https://github.com/cncf/tag-security/issues/1290). |
There was a problem hiding this comment.
Suggested change
| [Presentation](https://zoom.us/rec/share/H4AeeCUzrh7dVDzv7udMJmK-jWHvENmyWmcZvG4-1rZbVWUTn7RAByqKSfG3g9ya.OJnqcezJAXcGMce0?startTime=1721235498000) was given to the TAG security in July 2014, which was recorded in this [issue](https://github.com/cncf/tag-security/issues/1290). | |
| [Presentation](https://zoom.us/rec/share/H4AeeCUzrh7dVDzv7udMJmK-jWHvENmyWmcZvG4-1rZbVWUTn7RAByqKSfG3g9ya.OJnqcezJAXcGMce0?startTime=1721235498000) was given to the TAG security in July 2024, which was recorded in this [issue](https://github.com/cncf/tag-security/issues/1290). |
|
|
||
| - [X] **All project metadata and resources are [vendor-neutral](https://contribute.cncf.io/maintainers/community/vendor-neutrality/).** | ||
|
|
||
| No issues were found during due diligence, both code and documentation are vendor neutral. Vendor neutral is clearly mentioned twice in the governance doc. Based on the community meeting minutes, [contributor stats](https://intoto.devstats.cncf.io/d/5/companies-table?orgId=1&var-period_name=Last%20year&var-metric=contributions) and what adopters say about the project, in-toto is very diverse. It is one of the projects that started in academic and attracted a good range of interest from industries as well. |
There was a problem hiding this comment.
Suggested change
| No issues were found during due diligence, both code and documentation are vendor neutral. Vendor neutral is clearly mentioned twice in the governance doc. Based on the community meeting minutes, [contributor stats](https://intoto.devstats.cncf.io/d/5/companies-table?orgId=1&var-period_name=Last%20year&var-metric=contributions) and what adopters say about the project, in-toto is very diverse. It is one of the projects that started in academic and attracted a good range of interest from industries as well. | |
| No issues were found during due diligence, both code and documentation are vendor neutral. Vendor neutral is clearly mentioned twice in the governance doc. Based on the community meeting minutes, [contributor stats](https://intoto.devstats.cncf.io/d/5/companies-table?orgId=1&var-period_name=Last%20year&var-metric=contributions) and what adopters say about the project, in-toto is very diverse. It is one of the projects that started in academic and attracted a good range of interest from industry as well. |
|
|
||
| - [X] **Clearly defined and discoverable process to submit issues or changes.** | ||
|
|
||
| A contribution guide is placed at the top level [community repository](https://github.com/in-toto/community/blob/main/CONTRIBUTING.md). A security disclosure process is encoded on the a separate [SECURITY.md](https://github.com/in-toto/community/blob/main/SECURITY.md) file. |
There was a problem hiding this comment.
Suggested change
| A contribution guide is placed at the top level [community repository](https://github.com/in-toto/community/blob/main/CONTRIBUTING.md). A security disclosure process is encoded on the a separate [SECURITY.md](https://github.com/in-toto/community/blob/main/SECURITY.md) file. | |
| A contribution guide is placed at the top level [community repository](https://github.com/in-toto/community/blob/main/CONTRIBUTING.md). A security disclosure process is encoded in a separate [SECURITY.md](https://github.com/in-toto/community/blob/main/SECURITY.md) file. |
|
|
||
| ## Security | ||
|
|
||
| Note: this section may be augemented by a joint-assessment performed by TAG Security. |
There was a problem hiding this comment.
Suggested change
| Note: this section may be augemented by a joint-assessment performed by TAG Security. | |
| Note: this section may be augmented by a joint-assessment performed by TAG Security. |
|
@linsun thank you for your hard work on this! Huge effort by the entire community. Cc @trishankatdatadog @JustinCappos @SantiagoTorres |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the due diligence for in-toto to move to graduation status.
Project application issue: #1162
The in-toto project has completed the criteria that show its maturity at the applied graduation level. The adopter interviews reflect the in-toto project is in use for the graduation level with happy adopters.
This PR is now available for TOC review and public comment.