Argo graduation progress


Blixt, Henrik
 

Members of the TOC

 

A little over a year ago, Argo applied to move to graduated status [0] and we have since diligently worked our way through the process, addressing comments and concerns that have been brought up. 

As per our sponsor’s (dims) request, I’m writing to let you know that the due diligence document [1] has been updated with responses to the questions raised and overall project progress thus far.  

 

Quick summary and highlights follow below. Further details and links are available in the DD document itself. 

 

Looking forward to continuing the process with our sponsors and the TOC.  

 

Community 

Though we already had a large and vibrant community a year ago, the growth since then has been outstanding and we have seen an influx of maintainers, contributors, users and vendors. 

• 350+ self-reported enterprise users. (Though we know that the actual number is significantly higher) 

• Multiple vendors with commercial platforms based on one or more Argo projects

• 40 maintainers from 11 companies + two independent

 

Growth

• One of the highest velocity (behind OpenTelemetry and K8s) and most adopted project with over 50% in prod or eval based on the last CNCF annual study

• ~25000 GitHub stars, up ~ 75% in just over a year. 

 

Security

This was one of the areas pointed out as needing more attention, and over the last year, we have targeted resolving tactical concerns and issues, as well as setting up and strengthening strategic processes and programs that will ensure a long-term focus on security.

• Completed two external security audits, one with Trail of Bits and one with Ada Logic, with recommendations and fixes implemented by the project. 

• Implemented 50+ fuzzers that now run as part of our upstream processes

• Enrolled and participate in the Internet Bug Bounty program to encourage external reviews and vetting

• Established an Argo Security SIG with regular meetings to discuss and address security strategy and current issues. 

• Solidified internal processes around triaging of incoming vulnerabilities and updated external guides on how to report issues

• More maintainers and contributors focused on security, leading to several self-discovered CVEs and other fixes

• Completed self-assessments with CNCF Security TAG. Joint review is on-going. 

 

Project Governance

• Refined voting and governance procedures, better aligned with other graduated CNCF projects to ensure project diversity and longevity.

• Established guidelines for creation and membership in Argo project SIGs such as SIG Security and SIG Marketing.

 

Argo project

 

[0] https://github.com/cncf/toc/pull/604

[1] https://docs.google.com/document/d/1R4WjMG9s9JX8onZvOzEFSjBBFAInurN8tSiAFLqj-FE/edit#heading=h.kd4eg2uz3lt0

 

Join cncf-toc@lists.cncf.io to automatically receive all group messages.