Thanks for raising this Gareth.  This is an open issue for SIG Security where we have a growing number of individuals participating in assessments and an open issue to write up guidelines: https://github.com/cncf/sig-security/issues/156

Having guidance from the TOC would be very helpful to be able to reference, and I've written up a TOC issue here:

https://github.com/cncf/toc/issues/270

Sarah Allen

SIG-Security co-chair

On Thu, Aug 1, 2019 at 4:58 AM alexis richardson <alexis@...> wrote:

Thanks for posting this Gareth.

IMO it is better to be open about bias than to pretend it away.

We could state that documents coming from CNCF TOC & SIGs are marked
as "Authored by members of the CNCF community", and list all
contributors and affiliations.  This would be in contrast to documents
commissioned by the CNCF organisation which are published as official
CNCF docs, authored by the CNCF staff.






On Thu, Aug 1, 2019 at 9:22 AM Gareth Rushgrove
<gareth@...> wrote:
>
> Hi All
>
> On a couple of calls yesterday (SIG Security, and discussions about
> the proposed SIG App Delivery), the topic of bias or conflict of
> interest came up. In discussion we thought it worth bringing to the
> ToC, so here is an email.
>
> One of the things being discussed as part of the SIG App Delivery
> mission is "develop informational resources like guides, tutorials and
> white papers". SIG Security produces recommendations for projects and
> the ToC and is also looking at guidance. I'm sure other SIGs have in
> mind to do something similar.
>
> Part of the power of CNCF is it's a shared place for folks to
> genuinely work together. But I don't think we should deny or otherwise
> hide our bias, especially as we get into CNCF branded and published
> material. I think most people want to do the right thing, but having
> some guidance and discussion would help. Consider a few of the
> following:
>
> 1. Conducting a private security review of a product associated with a
> competitor
> 2. Guidance on <CNCF project> and <Cloud provider> written by <Cloud provider>
> 3. Tutorial on <CNCF project> which mentions <non-CNCF project>
> 4. Comparisons of <CNCF projects> and <non-CNCF projects>
> 5. Guidance on <CNCF project> which competes with <other CNCF project>
> 6. Guidance on <CNCF project> which competes with <non-CNCF project>
> associated with <authors employee>
> 7. Organising a <CNCF branded event> which competes directly with
> <CNCF member> event
>
> Non of these are simply good or bad, context always matters. A few
> things that could be discussed (not concrete suggestions, more to
> start a conversation.)
>
> 1. All guidance carries authors and contributors and their affiliations
> 2. Contributors sign some impartiality document (social more than legal)
> 3. Clear review process which explicitly takes in bias
> 4. No single-vendor content attributed to CNCF
>
> I think the ToC are probably _very_ aware of this sort of thing, but
> as CNCF SIGs expand, more folks probably need to consider the same
> things. I think CNCF affiliation is different from project
> affiliation. Doing that collectively would be good. What processes do
> we need in place? And are they SIG specific or more general? Is this
> something folks care about?
>
> Thanks
>
> Gareth
>
> --
> Gareth Rushgrove
> @garethr
>
> devopsweekly.com
> morethanseven.net
> garethrushgrove.com
>
>
>