|
Re: Contour to CNCF sandbox
Gerred Dillon
What are the status of other Envoy-based projects in this space? With Contour asking to skip the SIG process established a few months ago for sandbox - notably recommended by those who are part of this thread - others are being asked to attain, do other ingress projects such as Ambassador have the opportunity to join the sandbox in the same way, or will they need to be part of SIG Network due diligence before becoming a topic for the TOC?
toggle quoted message
Show quoted text
If this group is establishing rules that benefit the larger community and foundation, they should apply to everyone - no matter who proposes it for inclusion, or who tries to skip existing protocol set forth for other projects over the holidays. On Jan 7, 2020, at 6:12 PM, Chris Aniszczyk <caniszczyk@...> wrote:
|
|
|
|
KubeCon + CloudNativeCon NA 2019 Conference Transparency Report
The latest conference transparent report is out, enjoy the read! Chris Aniszczyk (@cra) | +1-512-961-6719 |
|
|
|
Re: Comment on Increase Sandbox requirement to three sponsors from the TOC
Vinod
-1 NB ( I am not in favor of sponsoring concept at all ) I think sponsoring will lead to "King Makers" situation which is against the TOC principle. I don’t agree that the CNCF sandbox entry barrier is low. Many projects are waiting almost a year to get a “Sponsor”, and others get rejected after a year without getting a “Sponsor”. I don’t fully agree with the concept that all sandbox projects should graduate. Sandbox then won’t be the ideal name for this stage then. Ideally, all projects should graduate and the CNCF should build sustainable ecosystems for it but there are many other factors that the TOC or CNCF can't control. Projects may go to archives from any stage. The "rkt " project is an example of it. I agree that the TOC review shouldn’t be a tick-the-box exercise. TOC should make the judgment based on facts, not based on what they like or dislike. A TOC member won’t necessarily get enthusiastic about a project if he/she knows very well about that project's domain and technology stack. Also, the TOC does not pick a “winning stack” as per the TOC's operating principles document. I have opened an issue in the TOC repo with more details, feel free to comment your thoughts there. On Thu, 9 Jan 2020, 16:24 Liz Rice, <liz@...> wrote:
|
|
|
|
Comment on Increase Sandbox requirement to three sponsors from the TOC
Liz Rice
Hi Gerred,
toggle quoted message
Show quoted text
I wanted to follow up with a few thoughts on your comment here. Although the barrier to entry for Sandbox is intended to be low, we want to make sure that the projects that come in have a good chance of making it to incubation and graduation. Potential sponsors from the TOC should have confidence that the project is on the right path towards those criteria. It would be doing a disservice to a project if we were to accept it without that confidence. Acceptance to the CNCF at any level should never be just a tick-the-box exercise. The TOC should always be able to exercise their judgement and discretion. At the Sandbox level, if there aren’t enough TOC members with the confidence and enthusiasm in a project to step forward as sponsors, then it doesn’t get accepted. I hope that helps, Liz
|
|
|
|
[RESULT] Falco Incubation (APPROVED)
Amye Scavarda Perrin
The Falco project has been approved to the incubating maturity level: https://github.com/cncf/toc/pull/307 +1 binding TOC votes (7/9): Matt Klein: https://lists.cncf.io/g/cncf-toc/message/3922 Michelle Noorali: https://lists.cncf.io/g/cncf-toc/message/3931 Joe Beda: https://lists.cncf.io/g/cncf-toc/message/3952 Jeff Brewer: https://lists.cncf.io/g/cncf-toc/message/3963 Xiang Li: https://lists.cncf.io/g/cncf-toc/message/3967 Liz Rice: https://lists.cncf.io/g/cncf-toc/message/3968 Alexis Richardson: https://lists.cncf.io/g/cncf-toc/message/3970 +1 non-binding community votes: Ken Owens: https://lists.cncf.io/g/cncf-toc/message/3785 Farhad Arshad: https://lists.cncf.io/g/cncf-toc/message/3786 Roger Klorese: https://lists.cncf.io/g/cncf-toc/message/3787 Gaurav Garg: https://lists.cncf.io/g/cncf-toc/message/3788 Mark Stemm: https://lists.cncf.io/g/cncf-toc/message/3790 Radhika Puthiyetath: https://lists.cncf.io/g/cncf-toc/message/3791 Justin Cormack: https://lists.cncf.io/g/cncf-toc/message/3792 Matthew Caya: https://lists.cncf.io/g/cncf-toc/message/3793 Chris Short: https://lists.cncf.io/g/cncf-toc/message/3794 Gareth Rushgrove: https://lists.cncf.io/g/cncf-toc/message/3800 Johan Tordsson: https://lists.cncf.io/g/cncf-toc/message/3801 Rishi Divate: https://lists.cncf.io/g/cncf-toc/message/3860 Jon Mittelhauser: https://lists.cncf.io/g/cncf-toc/message/3861 Iftach Schonbaum: https://lists.cncf.io/g/cncf-toc/message/3862 Kasper Nissen: https://lists.cncf.io/g/cncf-toc/message/3863 Siddharth Bhadri: https://lists.cncf.io/g/cncf-toc/message/3864 Johan Tordsson: https://lists.cncf.io/g/cncf-toc/message/3865 Stephen Augustus: https://lists.cncf.io/g/cncf-toc/message/3925 Brandon Lum: https://lists.cncf.io/g/cncf-toc/message/3926 Philippe Robin: https://lists.cncf.io/g/cncf-toc/message/3927 Golfen Guo: https://lists.cncf.io/g/cncf-toc/message/3932 Max Körbächer: https://lists.cncf.io/g/cncf-toc/message/3934 Jeyappragash Jeyakeerthi: https://lists.cncf.io/g/cncf-toc/message/3964 Liam Randall: https://lists.cncf.io/g/cncf-toc/message/3965 Lee Calcote: https://lists.cncf.io/g/cncf-toc/message/3987 Amye Scavarda Perrin | Program Manager, CNCF | amye@... |
|
|
|
Re: Contour to CNCF sandbox
sorry, this is my mistake, I assumed sandbox for contour out of the gate
--
Chris Aniszczyk (@cra) | +1-512-961-6719 |
|
|
|
Re: Contour to CNCF sandbox
Joe Beda <jbeda@...>
Ah – my mistake. I know we talked about it. Chris added the “sandbox” label so that confused me. I’ll fix it.
Agree that if we are talking incubation we should definitely have SIG-network start the process.
Sorry for the confusion!
From: Matt Klein <mattklein123@...>
The PR lists incubation as the desired level. So that is not accurate?
On Tue, Jan 7, 2020 at 3:02 PM Joe Beda via
Lists.Cncf.Io <jbeda=vmware.com@...> wrote:
|
|
|
|
Re: Contour to CNCF sandbox
Matt Klein
I'd go for Sandbox and figure out details later, but I'm supportive if you want to shoot for incubation and have some good users who can step forward. +1 but happy to support if you want to try for incubation. On Tue, Jan 7, 2020 at 3:20 PM Alexis Richardson <alexis@...> wrote:
|
|
|
|
Re: Contour to CNCF sandbox
alexis richardson
I'd go for Sandbox and figure out details later, but I'm supportive if you want to shoot for incubation and have some good users who can step forward. On Tue, 7 Jan 2020, 14:15 Matt Klein, <mattklein123@...> wrote:
|
|
|
|
Re: Contour to CNCF sandbox
Matt Klein
If we are targeting sandbox IMO we can just do it. If incubation I think we need to route through SIG network (cc @Lee Calcote) for DD. On Tue, Jan 7, 2020 at 3:17 PM Joe Beda <jbeda@...> wrote:
|
|
|
|
Re: Contour to CNCF sandbox
Matt Klein
The PR lists incubation as the desired level. So that is not accurate?
|
|
|
|
Contour to CNCF sandbox
Joe Beda <jbeda@...>
Hi all,
I know we’ve talked about not syncing on TOC meetings to get new projects in. As things stand, we have just submitted contour as a sandbox project and there is support from Alexis and Matt and me.
What do we want to consider necessary before we move forward? Do we want to have SIG-network take a look or do we want to just “make it so”?
Personally, I’d be cool with just getting it in but don’t want to jump the gun.
Joe |
|
|
|
Re: An interesting issue wrt CLA
swinslow@...
Thanks for raising this. In the case of Dependabot, if it is only modifying version numbers and hashes to bump dependency versions, I don't think there is any realistic concern that this bot would be contributing copyrightable content. That might not be the case for other bots but in this case I don't see a concern.
Because of that, from the CNCF / LF side I think we would be comfortable with having Dependabot changes not being blocked by the CLA bot. I'm coordinating with the LF IT team to whitelist Dependabot so that it will not be gated for the k8s CLA bot going forward. Thanks, Steve |
|
|
|
Re: [EXTERNAL] Re: [cncf-toc] An interesting issue wrt CLA
Matt Farina
What is the legal approach for a bot contributing code under a CLA? I'd be curious to know what the guard rails are. Then we can try to make the process as streamlined as possible. On Tue, Jan 7, 2020, at 2:34 PM, Brendan Burns via Lists.Cncf.Io wrote:
|
|
|
|
Re: [EXTERNAL] Re: [cncf-toc] An interesting issue wrt CLA
Brendan Burns
I will definitely ping GitHub folks about this, but I thought it useful to at least document the desired approach in general.
From: cncf-toc@... <cncf-toc@...> on behalf of Matt Farina via Lists.Cncf.Io <matt=mattfarina.com@...>
Sent: Tuesday, January 7, 2020 11:30 AM To: CNCF TOC <cncf-toc@...> Cc: cncf-toc@... <cncf-toc@...> Subject: [EXTERNAL] Re: [cncf-toc] An interesting issue wrt CLA
Dependabot is a service now owned by GitHub. Do we want to expect all people offering a service like this to sign the CNCF CLA and associate their bot with it? The person choosing to use the bot is different from those providing it and the person choosing
to use it is a member of the project.
This problem only affects those using the CLA. Dependabot appropriately signs for the DCO. The majority of CNCF projects are not affected by this issue.
Dependabot creates a PR like any other random person to come along on GitHub. A person with merge access has to merge the PR and the PR has to pass tests and review as if a person were suggesting the same change.
https://dependabot.com/#how-it-works
What would an attack vector for a bot like this be? If a bot had write access to the code I would be concerned.
A thought for this case... GitHub is a CNCF member and has a signed CLA (I assume) since GitHub employees contribute to Kubernetes. Is there someone there who can add Dependabots account to the CLA?
This would be the quick and easy approach. It would not scale to similar services.
- Matt Farina
On Tue, Jan 7, 2020, at 2:05 PM, Sarah Allen wrote:
|
|
|
|
Re: An interesting issue wrt CLA
Matt Farina
Dependabot is a service now owned by GitHub. Do we want to expect all people offering a service like this to sign the CNCF CLA and associate their bot with it? The person choosing to use the bot is different from those providing it and the person choosing to use it is a member of the project.
This problem only affects those using the CLA. Dependabot appropriately signs for the DCO. The majority of CNCF projects are not affected by this issue.
Dependabot creates a PR like any other random person to come along on GitHub. A person with merge access has to merge the PR and the PR has to pass tests and review as if a person were suggesting the same change. https://dependabot.com/#how-it-works What would an attack vector for a bot like this be? If a bot had write access to the code I would be concerned.
A thought for this case... GitHub is a CNCF member and has a signed CLA (I assume) since GitHub employees contribute to Kubernetes. Is there someone there who can add Dependabots account to the CLA? This would be the quick and easy approach. It would not scale to similar services. - Matt Farina On Tue, Jan 7, 2020, at 2:05 PM, Sarah Allen wrote:
|
|
|
|
Re: [VOTE] SIG Runtime
Hong Zhang <cathy.zhang@...>
+1 NB
Cheers, Cathy Zhang On 6 January 2020 at 21:39:42, Amye Scavarda Perrin (ascavarda@...) wrote: A new CNCF Runtime SIG has been proposed with Brian Grant and BrendanAmazon Data Services Ireland Limited registered office: One Burlington Plaza, Burlington Road, Dublin 4, Ireland. Registered in Ireland. Registration number 390566. |
|
|
|
Re: An interesting issue wrt CLA
Sarah Allen
Bots can have delegated authority to sign things on behalf of their makers. It seems like it would be even more important for this kind of a bot to have a signature since if it was compromised or impersonated (can I say that about a bot?) that could be a pretty powerful attack vector. Thanks for raising this question! Sarah
|
|
|
|
An interesting issue wrt CLA
Brendan Burns
Folks,
See:
Dependabot is automatically generating a PR to update vulnerable dependencies, but of course the CNCF CLA is required, and dependabot (being a bot) has no ability to sign.
Any thoughts about the right approach here? (for this specific one I'm going to clone the PR myself, but in general it's an interesting issue)
Thanks
--brendan
|
|
|
|
Re: [VOTE] SIG Runtime
Kiran Mova
+1 NB On Tue, Jan 7, 2020 at 11:04 PM Hausenblas, Michael via Lists.Cncf.Io <hausenbl=amazon.com@...> wrote: +1 (nb) |
|
|