toggle quoted messageShow quoted text
For what it’s worth, I poked around in some dictionaries and thesauri, and am now even more convinced that you’re all right and Governance is not the best term. Succinct alternatives seem fairly hard to come by, but the best one I could find (in all of
2 minutes poking around) was (drumroll):
Definition: supervision, watchful care
Synonyms: control, inspection, surveillance, check, guardianship, …
Antonyms (opposites): neglect, mismanagement, ignorance,…
At this point I’m going to hand over further bike-shedding to the chartering process for this particular SIG :-)
I fully expect some of the SIG names to be wordsmithed by the TOC Liaison, Chairs and other interested parties of that SIG during the chartering process, where the more detailed scope of the SIG will be defined and fleshed out. I’d prefer to feed all
this input into that process, rather than hash it all out here, now.
As a general principle, when we crafted the initial draft names, we aimed for short names, sufficiently broad to cover the domain. As soon as we ended up with “X and Y and Z” type names, we tried to come up with a more succinct term that covered X and
Y and Z as well as all closely related fields. That’s why “Security” (too narrow), “Security and Policy” (too narrow and too verbose), and various others got chucked out. "Security and Compliance” is probably one of the better names I’ve heard, and probably
better than “Governance”, but lets hash all that out as part of the chartering process described above.
"Security and Compliance" is a good name. I would
not limit it just to "Security". Rapidly evolving cloud environments do require governance, and there is a broad range of policies that need to be automated - security, cloud
tagging, data filtering, cost management, GDPR, data provenance, bias checkers for AI, etc.
I suggest to update the SIG description to also include "policy compliance". One of the CNCF projects is
already providing capabilities around automated policy compliance beyond security:
This description may help to promote more work on automated policy compliance beyond security, which I think is very important. May be "Security
+1 to Security & Compliance over Governance
(Which will get abbreviated to SecComp and then everyone will think there’s a SIG on seccomp profiles. :)
On Feb 2, 2019, at 9:41 AM, Liz Rice <liz@...
Sure - regulations are what folks have to be in compliance with. So long as the SIG doesn't start writing more regulations :-)
On Sat, 2 Feb 2019 at 14:26, Alexis Richardson <alexis@...
On Sat, 2 Feb 2019, 14:24 Liz Rice, <liz@...
+1 that "Governance" isn't a great name for this security-related SIG. I'd suggest "Security and Compliance". In many cases end users are concerned not just with security but also with associated standards compliance (PCI, GDPR, FedRamp etc). I believe the
CNCF could add a lot of value by helping to establish what's necessary or best practice for meeting these compliance requirements.
I agree with Sarah, and this is where most people missunderstand policy - they think of it in terms of governance instead of a set of rules which provides constraints for a cluster. Could we change it to security & policy or even just Security
, or something else ?
Overall the doc looks great -- thanks Alexis for your editorial work and Quinton for moving this forward!
One small point on naming of a specific SIG:
authentication, authorization, auditing, policy enforcement
SPIRE, Open Policy Agent, Notary, TUF, Falco,
The word "governance" is often used to convey human processes of policy (e.g. how decisions are made, roles and responsibilities, etc.), and if I saw that in a list of SIGs, I probably wouldn't go looking there for security.
Also note that the "Governance" section of the same doc addressees those same kinds of human policy concerns (e.g. "SIGs must have a documented governance process that encourages community participation and clear guidelines to avoid biased decision-making."),
yet the topics for the SIG and list of projects are more about the software used to implement security and privacy, along with ensuring compliance (auditing, etc).
Also, note that some open source projects have a GOVERNANCE.md (or similarly named directory) to define project roles and decision-making process (examples:
Interested in what others think about this naming detail.
My apologies Diane – I just reread the Operating Model section and you’re right - it’s not sufficiently clear on the point you raised. I will add some wording to the effect of my email reply below.
If you are referring to this one sentence:
"The TOC makes use of this input to act as an informed and effective executive board to select and promote appropriate CNCF projects and practices, and to disseminate high quality information to end users and the cloud-native community in general." as the section
discussion the creation/instantiation/proposal process for new SIGs"
I'd like a bit more clarity. If someone from the community (outside of the TOC) wishes to propose a SIG, what it the process? Or is it just the purview of the TOC on know when a new SIG should be created - then that would be nice to have clarified further.
If there's another section of the document, that you feel clarifies this SIG instantiation/proposal process, please point me in the right direction. I'm just not finding it.
Thanks for your help,
I think that’s adequately covered in the doc - the TOC creates and approves SIG’s. If anyone believes we need to create more SIG’s, they should, by implication, ask the TOC to do that. The current intention is to keep the number of SIGs relatively small,
at least initially, and make sure they’re all highly effective before expanding the number of SIG's.
Quinton et al,
Would it be possible to ask for a section in the Operator Model on how one goes about proposing a new SIG and the process for getting it approved?
(or if there is documentation on this topic elsewhere, reference/link to it in an appendix)?
Director, Community Development
Greetings to the new TOC
Late last year Alexis kicked off a public discussion regarding forming CNCF SIG’s (initially referred to as Categories). Since then a few of us have collaborated on soliciting further input, addressing all the comments, and producing a finalish proposal
for consideration by the TOC.
Please give it a read and we can decide how to proceed at the next meeting this Tue, Feb 5
can you put this link into the main doc as a comment?
Following our initial discussion in Seattle, Quinton and I had a discussion on this. I captured the notes and applied them to the operating model. I decided to make a copy of the doc and apply the changes to operating
model section only - the current doc is hard to process due to the number of comments.
Here is the amended operating model content: https://docs.google.com/document/d/1ySri5jVrPaJjTJ_tZnDzcc4Xmcm4uKoUrHT6lVO6Pcw/edit#heading=h.6cl6hmsbz9fv
From: Alexis Richardson <alexis@...>
Sent: 09 January 2019 19:36
To: Erin Boyd; Sarah Allen
Cc: Bryan Cantrill; Chris Aniszczyk; Quinton Hoole; Alex Chircop; Matt Farina
Subject: CNCF TOC SIGs Doc
how's this doc looking? I daren't look. can we show the toc an update next week?
On Mon, Dec 10, 2018 at 5:35 AM Alexis Richardson <alexis@...
On Fri, 7 Dec 2018, 13:35 Erin Boyd, <eboyd@...
Please feel free to catch me on Slack.
On Wed, Dec 5, 2018 at 11:18 PM Alexis Richardson <alexis@...
Thank you Erin. Let's try and sync 1-1 during the week
On Thu, 6 Dec 2018, 00:42 Erin Boyd, <eboyd@...
I think I am speaking on a panel at this time.
I can collaborate in the document.
Sorry about that.
On Tue, Dec 4, 2018 at 11:46 AM Alexis Richardson <alexis@...
CNCF TOC meeting re SIGs Doc
meeting to discuss the Categories and SIGs doc
identify and divide up work tasks to clean up draft doc.
eg: we agree a new section plan and each take one section? or something
Mon Dec 10, 2018 3:30pm – 4:10pm Mountain Time - Denver
of the Sheraton Grand Seattle (map)
Or dial: +1 929-299-3513 PIN: 706587657#
Going (eboyd@...)? Yes
- No more
You are receiving this email at the account
eboyd@... because you are subscribed for invitations on calendar
To stop receiving these emails, please log in to
https://www.google.com/calendar/ and change your notification settings for this calendar.
Forwarding this invitation could allow any recipient to modify your RSVP response.
Director, Community Development
Red Hat OpenShift
Director, Community Development
Red Hat OpenShift
Zhipeng (Howard) Huang
IT Standard & Patent/IT Product Line
Huawei Technologies Co,. Ltd
Office: Huawei Industrial Base, Longgang, Shenzhen