Re: Comment on Increase Sandbox requirement to three sponsors from the TOC

alexis richardson


Great questions. I recommend you look at two paths to offer help -

1) Please get involved in SIG Security. And maybe connect with
Keycloak team and ask them what they plan to do next with the SIG, if

2) Have a look at the updated Sandbox process once it is published.
This is intended to clarify matters for the community!


On Mon, Jan 20, 2020 at 11:26 PM Vinod NA <vinod@...> wrote:

Hi Alexis,

I have contacted the TOC 6 months ago offering help in reviewing sandbox submission for which I have already reviewed the quality and used it in production for years. I didn't receive any response.

Could you please let the community know what quality metrics the TOC members are interested in, to get enthusiastic about the project? This will help the projects, especially that now they have to get 3 sponsors?



On Wed, Jan 15, 2020 at 12:02 AM Alexis Richardson <alexis@...> wrote:


Thanks for clarifying that. Normally when people say "partial" they
imply agency. I think you are saying that the Process is not clear
and (to your eyes) may be broken.

Can I ask please: are you aware that we stopped all new projects for
many months? That is why there is a backlog. We are trying to get
back on track. It is a lot of work, if you want to help.


On Tue, Jan 14, 2020 at 10:13 PM Vinod NA <vinod@...> wrote:

Hi Alex,

I am not accusing anyone. I am interested in more open-source projects joining the CNCF ecosystem and at the same time, improving the growth and health of those projects. I believe the current TOC process results in unfair treatment for open-source projects, and it makes some of them, wait more than a year to get TOC sponsors. I think the current TOC process is not following the CNCF principles mentioned below.

Thank you,


On Mon, Jan 13, 2020 at 2:13 AM Alexis Richardson <alexis@...> wrote:


Who are you accusing of being partial.


On Sun, 12 Jan 2020, 23:53 Vinod NA, <vinod@...> wrote:

Thank you very much to all who were courageous enough to speak about the partiality. At some point, I felt I was a mad person.

@Matt, thank you very much for your input. I hope that the TOC will consider it. I think most of the other foundations are focusing on two levels. In the following CNCF documentation, it’s directing the sandbox as “experimental" projects. And it also says “It is expected that some Sandbox projects may fail”.

IMHO I think too much red taping, unfair treatment should be avoided for the sandbox onboarding so that the process will align with the CNCF principles.

@Alexis, It’s good to know that your company has already reviewed the quality of the project and it's using it. Like Contour, other projects coming to CNCF may be also used by multiple other CNCF members and they might have also reviewed the quality. My kind request is to treat all incoming projects “fairly” and to put CNCF's interest first. I consider the TOC as a supreme court for the CNCF, I think that the TOC members should be like judges and make a judgment based on facts (keep their personal and professional interests aside).

My intention is only to propose improvements in the process so that this kind of partiality can be avoided in the future. I have mentioned it in the GitHub issue. The TOC members may have a different opinion and may consider that so far every submission is treated fairly and all submissions are completed in a fast manner, but as an individual who follows the TOC meeting recordings, presentations, TOC mailing list emails, I don’t have the same opinion. That’s why I have created a GitHub issue explaining issues at a high level, however, as the TOC couldn’t understand it, I have added more details and I've also included some examples. My intention wasn’t to hurt anybody’s feelings, I am really sorry if you have felt that way. But I do have the right to express my own opinion.

Feel free to comment your views on the GitHub issue ( ). I am not interested in spamming many people and that's why I was trying to avoid communication in the mailing list and focus on the GitHub issue.

@Liz, CNCF should be fair to all projects and at least let them know what they have to do to get "SPONSOR". Also, I think it would become a better experience for the projects if all the TOCs are aligned with the CNCF, TOC principles and process.

Sandbox projects waiting for TOC sponsors

( 7 Months )

( 8 Months )

( 9 Months )

( 1 Year )

( 1 Year and 6 months )

( 1 Year and 9 months )

Incubation projects waiting for TOC sponsors

( 3 Months )

Apologies if my words have hurt anyone. My intention was only to point out the unfair treatment and I am not suggesting that this may have happened intentionally. However, I do want to emphasize the flows in the existing process which lead to this type of issues.

On Fri, Jan 10, 2020 at 6:39 PM Liz Rice <liz@...> wrote:

I think it could be good to acknowledge the frustration.

Absolutely - acknowledged!

And believe me we really are working to try to address this. Getting the SIGs set up is intended to help us scale, and we are working to streamline the process, document it and make it more transparent, and set better time expectations.

As one example, the current suggestion we’re working on includes the project presentation for Sandbox being done to a SIG rather than to the whole TOC.

I really do feel bad for maintainers who have been trying to get attention to their projects while we’re working through this. Sorry.

Speaking of which, if you are waiting to progress your project’s proposal, please check its status on the backlog and let Amye know if anything looks wrong or is missing.

Liz Rice
@lizrice | | +44 (0) 780 126 1145

On 10 Jan 2020, at 15:23, Matt Farina <matt@...> wrote:

I think it could be good to acknowledge the frustration. There are open sandbox proposals that are many months old (including one from January a year ago). Sandbox projects are scheduled to demo in a TOC meeting as part of their process to find sponsors. Yet, the last public TOC meeting with quorum was in October. It's been a quarter since a meeting with quorum. If a sandbox project presents what sponsors will be there to see it?

When a project comes along that gets sponsors quickly, even without a demo, it's bound to be frustrating for people who are already frustrated while trying to work through the CNCF processes to find sponsors. I would be frustrated if I were going through this.

I would like to see changes, too.

While CNCF is different from Apache, the Apache Foundation does some rather nice things to help people. They've been around longer and have had time to put time into this. For example, going through their processes and getting help through it is all documented . It would be fantastic if the process, and how to get help, were documented more clearly. It's more than process documentation.

I also wonder, what would make a good CNCF project? I'm not sure that's entirely clear to everyone. If the basics were documented it would let potential projects self filter and it would give clarity to the process in the spirit of openness. Projects proposing themselves could show how they would be a good CNCF project to make it easier for TOC members to assess.

GitHub and devstats look at how quickly a project responds to issues and PRs. Developers like to know these things about projects. If the TOC and the supporting system around sandbox projects were to get easier and more efficient for everyone, I think, it would be a good thing.

Just my 2 cents.

- Matt Farina

On Fri, Jan 10, 2020, at 4:38 AM, Alexis Richardson wrote:


The reason I am happy to sponsor Contour is because my team has used it and think it is of a very high quality. I do not need to see a presentation to reach that decision. Regardless of what level the project applies for.

Your comments about the TOC members deciding to sponsor at Sandbox and then finding out the project is applying for incubation, and drawing some sinister conclusion, are mistaken and should be withdrawn.

You make a number of other comparisons with keycloak and other projects. These comparisons are incorrect.

If contour is to be accepted as a project it will follow a process and, so far, it is doing so. For example please note that TOC sponsorship provides no guarantee that a project will pass DD for incubation. In fact, at incubation level the purpose of sponsorship is to get permission to move to the DD stage.


On Fri, 10 Jan 2020, 01:26 Vinod NA, <vinod@...> wrote:

I also agree with Gerred about the recent submission. Many of you may have missed it as the project got sponsored super fast.

Every project coming to join the CNCF family should be treated fairly. The TOC should consider the fact that they are willing to donate their project to the CNCF foundation and not to other foundations.

Quoting Chris "TOC members are expected to act in the interest of CNCF and not their employers". I also think that TOC members should act in the interest of CNCF, not in their personal or their employer's interest. The TOC membership should uphold the CNCF and TOC principles.

I have seen different projects treated differently during their submission.

I am not against the following project joining CNCF and I believe more projects should join the CNCF family. I am just unhappy with the partiality.

For a recent submission, the TOC members got too excited and sponsored the project, without even any presentation and not completely reviewing the content of the pull request. Only after sponsoring, the TOC members have realized that the project is asking for an incubation maturity level and they thought it was a sandbox. I don't know what was the urgency to get this project sponsored, compared to the other ones which are waiting nearly a year and one even got rejected after not having a sponsor after a year. Now TOC has instructed the SIG-network to review it. I don't understand the purpose of this review. This is like a group of judges already made a judgment and then they're requesting the police officers to investigate it.

When Keycloak requested to join as a sandbox, the TOC was concerned about the governance and the team responded with their open governance and published ( ). Even though the project team has only asked for Sandbox maturity, the TOC was considering it like an Incubator/Graduation project. The project answered the questions and TOC didn't ask any further questions and didn't mention which CNCF or TOC principle Keycloak didn't meet, it was just rejected saying no "SPONSOR" after waiting a year.

Keycloak is already used by CNCF member companies. I don't think the decision to reject the project without even accepting it in the sandbox level is in the CNCF community's best interest.

More details will be added in this GitHub issue =

On Fri, 10 Jan 2020, 10:57 Liz Rice, <liz@...> wrote:

Sorry, I am missing something - which projects are proposing to skip the process? And (bearing mind the TOC have to sponsor / vote) do you see support from TOC members for them skipping the process?

Liz Rice
@lizrice | | +44 (0) 780 126 1145

On 10 Jan 2020, at 03:57, Gerred Dillon <hello@...> wrote:

Combining a few messages here -

The motivation for the increase makes sense. From a multi-vendor control standpoint, I will move to +1 NB on this particular issue.

That said, I'm sitting on a draft of collected thoughts, of which I will refine and post tomorrow - but in short I feel like change does need to be made, especially in light of other projects that proposed in the past days to skip the process demanded of projects included in the CNCF. This felt like a very clear violation of responsibility to the members that make up the CNCF, it's governing bodies, and those rely upon their decision making processes - and it's been made clear that without someone concerned about it, existing processes are potentially too easy to short-circuit.

On Thu, Jan 9, 2020 at 10:36 PM Matt Farina <matt@...> wrote:

To add a little more context...

The TOC is expanding from 9 to 11 members and a single company (or group of companies under the same umbrella) can have 2 members on it.

The current sandbox process only requires 2 TOC members to sponsor a project. This means a single company with two members is able to add any sandbox project they want.

The CNCF charter notes:

The Cloud Native Computing Foundation seeks to drive adoption of this paradigm by fostering and sustaining an ecosystem of open source, vendor-neutral projects

If the CNCF processes allows a situation for a single vendor to have the ability to add any sandbox projects they like is this enabling vendor neutrality and the charter would like?

An argument has been made it's not so the TOC sponsors should expand to 3 to require multiple organizations to be involved in sponsoring. This is what expanding to 3 TOC sponsors gives us.

Many projects are waiting almost a year to get a “Sponsor”, and others get rejected after a year without getting a “Sponsor”.

This must be frustrating for the people working on those projects.

I would like to see the TOC make some changes to address this problem. A clear documented processes and methodology. Something people on the projects can understand, follow, and depend on.

On Thu, Jan 9, 2020, at 11:42 AM, Vinod NA wrote:

-1 NB ( I am not in favor of sponsoring concept at all )

I think sponsoring will lead to "King Makers" situation which is against the TOC principle.

I don’t agree that the CNCF sandbox entry barrier is low. Many projects are waiting almost a year to get a “Sponsor”, and others get rejected after a year without getting a “Sponsor”.

I don’t fully agree with the concept that all sandbox projects should graduate. Sandbox then won’t be the ideal name for this stage then. Ideally, all projects should graduate and the CNCF should build sustainable ecosystems for it but there are many other factors that the TOC or CNCF can't control. Projects may go to archives from any stage. The "rkt " project is an example of it.

I agree that the TOC review shouldn’t be a tick-the-box exercise. TOC should make the judgment based on facts, not based on what they like or dislike. A TOC member won’t necessarily get enthusiastic about a project if he/she knows very well about that project's domain and technology stack. Also, the TOC does not pick a “winning stack” as per the TOC's operating principles document.

I have opened an issue in the TOC repo with more details, feel free to comment your thoughts there.

On Thu, 9 Jan 2020, 16:24 Liz Rice, <liz@...> wrote:

Hi Gerred,

I wanted to follow up with a few thoughts on your comment here.

Although the barrier to entry for Sandbox is intended to be low, we want to make sure that the projects that come in have a good chance of making it to incubation and graduation. Potential sponsors from the TOC should have confidence that the project is on the right path towards those criteria. It would be doing a disservice to a project if we were to accept it without that confidence.

Acceptance to the CNCF at any level should never be just a tick-the-box exercise. The TOC should always be able to exercise their judgement and discretion. At the Sandbox level, if there aren’t enough TOC members with the confidence and enthusiasm in a project to step forward as sponsors, then it doesn’t get accepted.

I hope that helps,

Liz Rice
@lizrice | | +44 (0) 780 126 1145

On 28 Dec 2019, at 06:07, Gerred Dillon <hello@...> wrote:

-1 non-binding

i'm not thrilled with how the sandbox has already changed without a controlled burn rate, i disagree with this motion without other changes to the sandbox process happening. kudo has already been given -1s on sandbox inclusion based on incubating/graduating requirements in private as negative votes for inclusion -- despite communication that these weren't requirements. sandbox is either inclusive or it's not, and i'd rather inclusion at this stage, given there are no marketing expectations or official endorsement of these projects by the CNCF.

On Fri, Dec 27, 2019 at 4:24 PM Thomas Mclennan <> wrote:

+1 non-binding

Join { to automatically receive all group messages.