-1 NB ( I am not in favor of sponsoring concept at all ) I think sponsoring will lead to "King Makers" situation which is against the TOC principle. I don’t agree that the CNCF sandbox entry

Hi Gerred, I wanted to follow up with a few thoughts on your comment here. Although the barrier to entry for Sandbox is intended to be low, we want to make sure that the projects that come in have a

The Falco project has been approved to the incubating maturity level: https://github.com/cncf/toc/pull/307 +1 binding TOC votes (7/9): Matt Klein: https://lists.cncf.io/g/cncf-toc/message/3922

sorry, this is my mistake, I assumed sandbox for contour out of the gate -- Chris Aniszczyk (@cra) | +1-512-961-6719

Ah – my mistake. I know we talked about it. Chris added the “sandbox” label so that confused me. I’ll fix it. Agree that if we are talking incubation we should definitely have

+1 but happy to support if you want to try for incubation.

I'd go for Sandbox and figure out details later, but I'm supportive if you want to shoot for incubation and have some good users who can step forward.

If we are targeting sandbox IMO we can just do it. If incubation I think we need to route through SIG network (cc @Lee Calcote) for DD.

The PR lists incubation as the desired level. So that is not accurate?

Hi all, I know we’ve talked about not syncing on TOC meetings to get new projects in. As things stand, we have just submitted contour as a sandbox project and there is support from Alexis and

Thanks for raising this. In the case of Dependabot, if it is only modifying version numbers and hashes to bump dependency versions, I don't think there is any realistic concern that this bot would be

What is the legal approach for a bot contributing code under a CLA? I'd be curious to know what the guard rails are. Then we can try to make the process as streamlined as possible.

I will definitely ping GitHub folks about this, but I thought it useful to at least document the desired approach in general.

Dependabot is a service now owned by GitHub. Do we want to expect all people offering a service like this to sign the CNCF CLA and associate their bot with it? The person choosing to use the bot is

+1 NB Cheers, Cathy Zhang Amazon Data Services Ireland Limited registered office: One Burlington Plaza, Burlington Road, Dublin 4, Ireland. Registered in Ireland. Registration number 390566.

Bots can have delegated authority to sign things on behalf of their makers. It seems like it would be even more important for this kind of a bot to have a signature since if it was compromised or

Folks, See: https://github.com/kubernetes-client/javascript/pull/384 Dependabot is automatically generating a PR to update vulnerable dependencies, but of course the CNCF CLA is required, and

+1 NB --Kiran Mova | Co-Founder, Chief Architect MayaData | kiran.mova@... https://github.com/openebs/openebs

+1 (nb) Cheers, Michael -- Developer Advocate @ AWS +353 86 0215164 Amazon Data Services Ireland Limited registered office: One Burlington Plaza, Burlington Road, Dublin 4, Ireland. Registered

+1 binding from Alimail iPhone