TAG Security Technical Lead Nominations

Brandon Lum
 

Hi TOC,

The TAG Security Co-chairs would like to nominate Ragashree, Michael Lieberman, and Marina Moore as Technical Leads of TAG Security!

They have been awesome members of the community, contributing across many different efforts, and we look forward to working with them to further expand the community! Below are their nominations, which are a fraction of all the awesomeness they've done for the community.

Cheers
TAG-Security Co-Chairs

------------------------------------------------------------------------------------------------------------------------

Nominee: Ragashree 

GitHub: @ragashreeshekar

Title: Cloud Security Specialist

Professional Affiliation: Nokia


Leadership/participation with TAG-Security:


  • Project Lead: TAG Security Community Manager (#692)

  • Project Lead: Cloud Native Security Lexicon (#735)

  • Project Co-lead: Security Con EU 2022 (#811)

  • [Governance] Contributions to communication templates (#670)



Bio:


2021 Nokia Ada Lovelace Honoree, Ragashree M C is a Cloud Security enthusiast with 3+ years of industry experience in the domain. She is an active member of several open source security forums such as OWASP, CNCF, CSA etc. She is passionate about all things STEM & security - information science, animal welfare & so on!


------------------------------------------------------------------------------------------------------------------------


Nominee: Michael Lieberman

GitHub: @mlieberman85

Title: Supply Chain Security Engineer

Professional Affiliation: Citi


Other community affiliations:

  • Co-Chair, CNCF Financial Services User Group

  • Technical Advisory Committee, SLSA (OpenSSF)


Leadership/participation with TAG-Security:

  • Project Lead: Secure Software Factory Reference Architecture Paper (#679)

  • Contributions to Supply Chain Security Best Practices Paper (#510)

  • Contributions to Security Controls Mapping (#635)


Bio:


Michael Lieberman is an engineer and architect focused on technology transformation, especially with regard to cloud native architectures, technologies and migrations. His passion is in applying his expertise to use cases where privacy and security are paramount. Most recently he has been focused on work within the software supply chain security space. He is co-chair of the CNCF Financial Services User Group, SLSA steering committee member, and recently co-led the Secure Software Factory Reference Architecture for the Security Technical Advisory Group. Michael has also participated in multiple podcasts, panels and talks on behalf of the FSUG, the companies he’s worked for and on behalf of himself as an individual contributor in the tech community.


------------------------------------------------------------------------------------------------------------------------


Nominee: Marina Moore 

GitHub: @mnm678

Title: PhD candidate, NYU Tandon’s Secure Systems Lab

Professional Affiliation: NYU, GoDaddy.com


Other community affiliations:

  • Maintainer, The Update Framework

  • Maintainer, Uptane (TUF variant)


Leadership/participation with TAG-Security:

  • Contributions to Supply Chain Security Best Practices Paper (#510)

  • Contributions to Secure Software Factory Reference Architecture Paper (#679)

  • Contributions to Cloud Native Security Whitepaper v2 (#844)



Bio:


Marina Moore is a PhD candidate at NYU Tandon’s Secure Systems Lab focusing on secure software updates and software supply chain security. She is a maintainer of The Update Framework (TUF), a CNCF graduated project, as well as Uptane, the automotive variant of TUF. She contributed to the updated TAG Security Whitepaper and has been actively involved in the supply chain security group, including contributing to the Software Supply Chain Security Best Practices paper. She has presented at the CNCF Security Day at both KubeCon NA and Europe.


------------------------------------------------------------------------------------------------------------------------



Re: Sandbox process needs to evolve to support cross industry collaboration

Liz Rice <liz@...>
 

There is a different sandbox logo, and projects are required to explicitly say they are sandbox whenever they mention that they are CNCF projects. The staff are pretty good at chasing up if folks report there are projects not complying with that


Re: Sandbox process needs to evolve to support cross industry collaboration

alexis richardson
 

We need VCs to sit on their hands until Incubation



Re: Sandbox process needs to evolve to support cross industry collaboration

Brendan Burns
 

Just for a historic perspective. When we did this discussion the last time, we identified that there are fundamentally two divergent goals that we have to balance:

Projects Goal #1) Bring multiple, potentially competing parties together in a neutral space so they can collaborate and innovate in open source without worrying about ownership. This goal means that the bar for Sandbox should be as low as possible to facilitate as much collaboration and innovation as possible.

Projects Goal #2) Get the CNCF 'label' for their project from a marketing perspective to spur interest, growth and (potentially) venture capital. This goal means that the bar for Sandbox should be rigorous so that we don't dilute CNCF brand/resources for random projects.

No matter how many lowest levels you add (4 instead of 3, 5 instead of 4, etc) none of this will go away. At the lowest level you always have to balance these two different, divergent goals.

Where we landed was to try to make the Sandbox bar pretty low, but also try to make (and enforce) the usage of the CNCF logo/imprimatur for Sandbox projects.

At the time, we suggested crafting a separate 'sandbox' logo that looked like it was drawn with crayons (and perhaps even had toddlers in a sandbox) so that people really understood that there was no CNCF endorsement implied by being in Sandbox.

Afaik, this never happened, but I think the important lesson is that adding additional levels will not solve the problem, it just moves it.

And also, the problem is fundamentally unsolvable. All you can hope for is achieving some sort of balance (and adjusting from time to time based on experience to retain this balance)

--brendan



From: cncf-toc@... <cncf-toc@...> on behalf of alexis richardson via lists.cncf.io <alexis=weave.works@...>
Sent: Thursday, May 5, 2022 9:26 AM
To: Liz Rice <liz@...>
Cc: Alexis Richardson via cncf-toc <cncf-toc@...>; Bob Killen <killen.bob@...>; Richard Hartmann <richih@...>
Subject: [EXTERNAL] Re: [cncf-toc] Sandbox process needs to evolve to support cross industry collaboration
 
Remember, the point of cncf is not to create ways for committees to sit in judgment over projects.  It is to make great projects that enable end user success.  That is all.


On Thu, 5 May 2022, 17:19 Liz Rice, <liz@...> wrote:
Four levels would increase the total work required to assess a project through their life cycle. There might be good reasons to do it, but I don't see that it would solve the initial problem raised on this thread: speeding up the response to the first application at the earliest stage. 

The original point of Sandbox was to enable a neutral place for experimentation, for projects that wouldn't meet incubation criteria. A project only needs neutrality if and when there's more than one organisation keen to get involved; that's why I'm suggesting that could be the criteria for Sandbox inclusion. I'm further suggesting those organizations should be CNCF members so that they have "skin in the game"

(Of course the TOC might decide there are other reasons to support early stage projects that don't need neutrality - I'm just reminding the original intent.)

On Thu, May 5, 2022 at 4:02 PM alexis richardson <alexis@...> wrote:
Stringent implies work, judgement, and value.  It seems that scaling wall has been hit already..


On Thu, 5 May 2022, 15:44 Bob Killen, <killen.bob@...> wrote:
I agree on quite a few points :)  Replying in line with some thoughts

> We tried SIGs (now TAGs) doing due diligence for projects. The level
> of scrutiny, and the closeness to the guidance material available, was
> different across TAGs. In effect, this meant inconsistent processes
> which is arguably unfair. And in cases of disagreements, TOC is pulled
> in automatically anyway.

The TOC is the approval body and should be involved in DD, but I do think delegating portions of it to the TAGs is still a good idea and could play a large role in scaling the process. If there have been issues with varying levels of scrutiny in the past, this could be a mentorship and/or documentation opportunity. Think "ride-alongs" for reviewing DD, calling out what to look for, etc.  I also don't necessarily want to volunteer them, but TAG Contributor Strategy would be an excellent resource to pull in to review areas of governance and community health.

> What TAGs could provide is an initial proving ground, though: Projects
> could give a presentation and go through questions and feedback in a
> more limited scope, allowing them to polish their submittal.

+1 to involving them early, an initial consult would likely help with firming up applications before applying to Sandbox.

> While I know that the current sandbox process is designed to be very
> low barrier, I am still not convinced that this is an obviously
> desirable design goal. It is true that a neutral playing field is good
> and helps some projects grow. It is also true that "CNCF project"
> holds immense marketing value and many efforts are ephemeral, in
> particular if largely driven by perf & marketing.
> Back when sandbox criteria were relaxed, I was of the opinion that
> they should remain more stringent.

I have held the same opinion - I thought they should, to a degree, remain more stringent. While Sandbox does not have any formal marketing support from the CNCF, that doesn't mean companies or other groups can't market them as a "CNCF Project." Smaller or independent projects that might not have those sorts of resources will have a harder time climbing the ladder.

> I have come to wonder if four
> levels wouldn't be more appropriate: An initial runway on which
> projects can be put; but also pruned more aggressively if they do not
> show growth/adoption/the usual. E.g. once submitted they have three?
> six? twelve? months to show certain progress or are removed outright.

I was literally talking with a co-worker about this thought yesterday as a potential idea :)
I don't know if it's the answer, but I do really like the idea of a timebox with explicit criteria for exiting. It should not require a deep dive into the project to determine if they are ready to move up to sandbox. I'd also like to see restrictions on the branding/marketing of "CNCF Project" at this level. A potential alternative might be "Cloud Native Inception Project" or something along those lines.


> Another would be to rework the process & documentation; e.g.
> Incubation had distinct requirement docs which TAGs copied together
> and deduplicated back during the DD trials.

+1 to firming up requirements/docs. While I think there needs to be some room for TOC discretion, I think being more explicit with requirements will help reduce the toil involved with the DD process.


I have a slew more thoughts, but this subject might be a good discussion during a TOC meeting :)

- Bob









2022 Service Mesh Interface Annual Review Submission

Keith Mattix <keithmattix2@...>
 

Hello there!

I’d like to report that a PR for the SMI sandbox project’s annual review has been submitted: https://github.com/cncf/toc/pull/833. Please review at your earliest convenience. 

Thanks,
Keith Mattix


Re: Sandbox process needs to evolve to support cross industry collaboration

alexis richardson
 

Remember, the point of cncf is not to create ways for committees to sit in judgment over projects.  It is to make great projects that enable end user success.  That is all.


On Thu, 5 May 2022, 17:19 Liz Rice, <liz@...> wrote:
Four levels would increase the total work required to assess a project through their life cycle. There might be good reasons to do it, but I don't see that it would solve the initial problem raised on this thread: speeding up the response to the first application at the earliest stage. 

The original point of Sandbox was to enable a neutral place for experimentation, for projects that wouldn't meet incubation criteria. A project only needs neutrality if and when there's more than one organisation keen to get involved; that's why I'm suggesting that could be the criteria for Sandbox inclusion. I'm further suggesting those organizations should be CNCF members so that they have "skin in the game"

(Of course the TOC might decide there are other reasons to support early stage projects that don't need neutrality - I'm just reminding the original intent.)







Re: Sandbox process needs to evolve to support cross industry collaboration

Liz Rice
 

Four levels would increase the total work required to assess a project through their life cycle. There might be good reasons to do it, but I don't see that it would solve the initial problem raised on this thread: speeding up the response to the first application at the earliest stage. 

The original point of Sandbox was to enable a neutral place for experimentation, for projects that wouldn't meet incubation criteria. A project only needs neutrality if and when there's more than one organisation keen to get involved; that's why I'm suggesting that could be the criteria for Sandbox inclusion. I'm further suggesting those organizations should be CNCF members so that they have "skin in the game"

(Of course the TOC might decide there are other reasons to support early stage projects that don't need neutrality - I'm just reminding the original intent.)

On Thu, May 5, 2022 at 4:02 PM alexis richardson <alexis@...> wrote:
Stringent implies work, judgement, and value.  It seems that scaling wall has been hit already..








Re: Sandbox process needs to evolve to support cross industry collaboration

alexis richardson
 

Stringent implies work, judgement, and value.  It seems that scaling wall has been hit already..


On Thu, 5 May 2022, 15:44 Bob Killen, <killen.bob@...> wrote:
I agree on quite a few points :)  Replying in line with some thoughts

> We tried SIGs (now TAGs) doing due diligence for projects. The level
> of scrutiny, and the closeness to the guidance material available, was
> different across TAGs. In effect, this meant inconsistent processes
> which is arguably unfair. And in cases of disagreements, TOC is pulled
> in automatically anyway.

The TOC is the approval body and should be involved in DD, but I do think delegating portions of it to the TAGs is still a good idea and could play a large role in scaling the process. If there have been issues with varying levels of scrutiny in the past, this could be a mentorship and/or documentation opportunity. Think "ride-alongs" for reviewing DD, calling out what to look for, etc.  I also don't necessarily want to volunteer them, but TAG Contributor Strategy would be an excellent resource to pull in to review areas of governance and community health.

> What TAGs could provide is an initial proving ground, though: Projects
> could give a presentation and go through questions and feedback in a
> more limited scope, allowing them to polish their submittal.

+1 to involving them early, an initial consult would likely help with firming up applications before applying to Sandbox.

> While I know that the current sandbox process is designed to be very
> low barrier, I am still not convinced that this is an obviously
> desirable design goal. It is true that a neutral playing field is good
> and helps some projects grow. It is also true that "CNCF project"
> holds immense marketing value and many efforts are ephemeral, in
> particular if largely driven by perf & marketing.
> Back when sandbox criteria were relaxed, I was of the opinion that
> they should remain more stringent.

I have held the same opinion - I thought they should, to a degree, remain more stringent. While Sandbox does not have any formal marketing support from the CNCF, that doesn't mean companies or other groups can't market them as a "CNCF Project." Smaller or independent projects that might not have those sorts of resources will have a harder time climbing the ladder.

> I have come to wonder if four
> levels wouldn't be more appropriate: An initial runway on which
> projects can be put; but also pruned more aggressively if they do not
> show growth/adoption/the usual. E.g. once submitted they have three?
> six? twelve? months to show certain progress or are removed outright.

I was literally talking with a co-worker about this thought yesterday as a potential idea :)
I don't know if it's the answer, but I do really like the idea of a timebox with explicit criteria for exiting. It should not require a deep dive into the project to determine if they are ready to move up to sandbox. I'd also like to see restrictions on the branding/marketing of "CNCF Project" at this level. A potential alternative might be "Cloud Native Inception Project" or something along those lines.


> Another would be to rework the process & documentation; e.g.
> Incubation had distinct requirement docs which TAGs copied together
> and deduplicated back during the DD trials.

+1 to firming up requirements/docs. While I think there needs to be some room for TOC discretion, I think being more explicit with requirements will help reduce the toil involved with the DD process.


I have a slew more thoughts, but this subject might be a good discussion during a TOC meeting :)

- Bob









Re: Sandbox process needs to evolve to support cross industry collaboration

Bob Killen
 

I agree on quite a few points :)  Replying in line with some thoughts

> We tried SIGs (now TAGs) doing due diligence for projects. The level
> of scrutiny, and the closeness to the guidance material available, was
> different across TAGs. In effect, this meant inconsistent processes
> which is arguably unfair. And in cases of disagreements, TOC is pulled
> in automatically anyway.

The TOC is the approval body and should be involved in DD, but I do think delegating portions of it to the TAGs is still a good idea and could play a large role in scaling the process. If there have been issues with varying levels of scrutiny in the past, this could be a mentorship and/or documentation opportunity. Think "ride-alongs" for reviewing DD, calling out what to look for, etc.  I also don't necessarily want to volunteer them, but TAG Contributor Strategy would be an excellent resource to pull in to review areas of governance and community health.

> What TAGs could provide is an initial proving ground, though: Projects
> could give a presentation and go through questions and feedback in a
> more limited scope, allowing them to polish their submittal.

+1 to involving them early, an initial consult would likely help with firming up applications before applying to Sandbox.

> While I know that the current sandbox process is designed to be very
> low barrier, I am still not convinced that this is an obviously
> desirable design goal. It is true that a neutral playing field is good
> and helps some projects grow. It is also true that "CNCF project"
> holds immense marketing value and many efforts are ephemeral, in
> particular if largely driven by perf & marketing.
> Back when sandbox criteria were relaxed, I was of the opinion that
> they should remain more stringent.

I have held the same opinion - I thought they should, to a degree, remain more stringent. While Sandbox does not have any formal marketing support from the CNCF, that doesn't mean companies or other groups can't market them as a "CNCF Project." Smaller or independent projects that might not have those sorts of resources will have a harder time climbing the ladder.

> I have come to wonder if four
> levels wouldn't be more appropriate: An initial runway on which
> projects can be put; but also pruned more aggressively if they do not
> show growth/adoption/the usual. E.g. once submitted they have three?
> six? twelve? months to show certain progress or are removed outright.

I was literally talking with a co-worker about this thought yesterday as a potential idea :)
I don't know if it's the answer, but I do really like the idea of a timebox with explicit criteria for exiting. It should not require a deep dive into the project to determine if they are ready to move up to sandbox. I'd also like to see restrictions on the branding/marketing of "CNCF Project" at this level. A potential alternative might be "Cloud Native Inception Project" or something along those lines.


> Another would be to rework the process & documentation; e.g.
> Incubation had distinct requirement docs which TAGs copied together
> and deduplicated back during the DD trials.

+1 to firming up requirements/docs. While I think there needs to be some room for TOC discretion, I think being more explicit with requirements will help reduce the toil involved with the DD process.


I have a slew more thoughts, but this subject might be a good discussion during a TOC meeting :)

- Bob



On Thu, May 5, 2022 at 7:38 AM Richard Hartmann <richih@...> wrote:
Replying top-level as my thoughts jump across the thread.


I didn't run the numbers, yet I believe that the pace of submissions
has picked up. That alone can increase backlog.

We tried SIGs (now TAGs) doing due diligence for projects. The level
of scrutiny, and the closeness to the guidance material available, was
different across TAGs. In effect, this meant inconsistent processes
which is arguably unfair. And in cases of disagreements, TOC is pulled
in automatically anyway.
A clear delegation from TOC might be possible, yet project advancement
is one of the main tasks of TOC and arguably what votees expect TOC to
do. In any case, it does change any of the underlying desires.

What TAGs could provide is an initial proving ground, though: Projects
could give a presentation and go through questions and feedback in a
more limited scope, allowing them to polish their submittal.


While I know that the current sandbox process is designed to be very
low barrier, I am still not convinced that this is an obviously
desirable design goal. It is true that a neutral playing field is good
and helps some projects grow. It is also true that "CNCF project"
holds immense marketing value and many efforts are ephemeral, in
particular if largely driven by perf & marketing.
Back when sandbox criteria were relaxed, I was of the opinion that
they should remain more stringent. I have come to wonder if four
levels wouldn't be more appropriate: An initial runway on which
projects can be put; but also pruned more aggressively if they do not
show growth/adoption/the usual. E.g. once submitted they have three?
six? twelve? months to show certain progress or are removed outright.
Medium term, this might also allow for a smaller jump towards
Incubating, which is currently significant.


Orthogonally, I believe we can manage expectations better. One
possible approach would be to create dashboards and reports of the
underlying data to help manage expectations and keep ourselves honest.
What are the average and median times a project takes from stage X to
stage Y? How has this changed over time?
Another would be to rework the process & documentation; e.g.
Incubation had distinct requirement docs which TAGs copied together
and deduplicated back during the DD trials.



Having seen things from both sides now, and since CNCF started, I can
understand both the frustrations about some timelines better and also
understand how a few dedicated people are trying to do their best with
the time they have. On all sides.


Best,
Richard






Re: Sandbox process needs to evolve to support cross industry collaboration

Richard Hartmann
 

On Thu, May 5, 2022 at 3:57 PM Alexis Richardson <alexis@...> wrote:

> Richard how would you formalise this?

Which parts, specifically? I think we need consensus on a direction
before we, potentially, start new/updating processes.


> The goal, IMO, is to reduce the subjective judgment on entry to sandbox, and increase the quantitative aspects

Agreed. At the same time, we need to take Goodhart's law[1] into
account. A more quantitative approach to inform project progression is
an obvious target for project optimization. At the same time, a more
quantitative tally of TOC's input and work would help make processes
more transparent and thus predictable.

Put differently, I am not convinced that we can optimize human
judgement away and would rather try to optimize on the side of
transparent processes.


Best,
Richard


[1] https://en.wikipedia.org/wiki/Goodhart%27s_law


Re: Sandbox process needs to evolve to support cross industry collaboration

alexis richardson
 

Richard how would you formalise this?  The goal, IMO, is to reduce the subjective judgment on entry to sandbox, and increase the quantitative aspects


On Thu, 5 May 2022, 13:38 Richard Hartmann, <richih@...> wrote:
Replying top-level as my thoughts jump across the thread.


I didn't run the numbers, yet I believe that the pace of submissions
has picked up. That alone can increase backlog.

We tried SIGs (now TAGs) doing due diligence for projects. The level
of scrutiny, and the closeness to the guidance material available, was
different across TAGs. In effect, this meant inconsistent processes
which is arguably unfair. And in cases of disagreements, TOC is pulled
in automatically anyway.
A clear delegation from TOC might be possible, yet project advancement
is one of the main tasks of TOC and arguably what votees expect TOC to
do. In any case, it does change any of the underlying desires.

What TAGs could provide is an initial proving ground, though: Projects
could give a presentation and go through questions and feedback in a
more limited scope, allowing them to polish their submittal.


While I know that the current sandbox process is designed to be very
low barrier, I am still not convinced that this is an obviously
desirable design goal. It is true that a neutral playing field is good
and helps some projects grow. It is also true that "CNCF project"
holds immense marketing value and many efforts are ephemeral, in
particular if largely driven by perf & marketing.
Back when sandbox criteria were relaxed, I was of the opinion that
they should remain more stringent. I have come to wonder if four
levels wouldn't be more appropriate: An initial runway on which
projects can be put; but also pruned more aggressively if they do not
show growth/adoption/the usual. E.g. once submitted they have three?
six? twelve? months to show certain progress or are removed outright.
Medium term, this might also allow for a smaller jump towards
Incubating, which is currently significant.


Orthogonally, I believe we can manage expectations better. One
possible approach would be to create dashboards and reports of the
underlying data to help manage expectations and keep ourselves honest.
What are the average and median times a project takes from stage X to
stage Y? How has this changed over time?
Another would be to rework the process & documentation; e.g.
Incubation had distinct requirement docs which TAGs copied together
and deduplicated back during the DD trials.



Having seen things from both sides now, and since CNCF started, I can
understand both the frustrations about some timelines better and also
understand how a few dedicated people are trying to do their best with
the time they have. On all sides.


Best,
Richard






Re: Sandbox process needs to evolve to support cross industry collaboration

Richard Hartmann
 

Replying top-level as my thoughts jump across the thread.


I didn't run the numbers, yet I believe that the pace of submissions
has picked up. That alone can increase backlog.

We tried SIGs (now TAGs) doing due diligence for projects. The level
of scrutiny, and the closeness to the guidance material available, was
different across TAGs. In effect, this meant inconsistent processes
which is arguably unfair. And in cases of disagreements, TOC is pulled
in automatically anyway.
A clear delegation from TOC might be possible, yet project advancement
is one of the main tasks of TOC and arguably what votees expect TOC to
do. In any case, it does change any of the underlying desires.

What TAGs could provide is an initial proving ground, though: Projects
could give a presentation and go through questions and feedback in a
more limited scope, allowing them to polish their submittal.


While I know that the current sandbox process is designed to be very
low barrier, I am still not convinced that this is an obviously
desirable design goal. It is true that a neutral playing field is good
and helps some projects grow. It is also true that "CNCF project"
holds immense marketing value and many efforts are ephemeral, in
particular if largely driven by perf & marketing.
Back when sandbox criteria were relaxed, I was of the opinion that
they should remain more stringent. I have come to wonder if four
levels wouldn't be more appropriate: An initial runway on which
projects can be put; but also pruned more aggressively if they do not
show growth/adoption/the usual. E.g. once submitted they have three?
six? twelve? months to show certain progress or are removed outright.
Medium term, this might also allow for a smaller jump towards
Incubating, which is currently significant.


Orthogonally, I believe we can manage expectations better. One
possible approach would be to create dashboards and reports of the
underlying data to help manage expectations and keep ourselves honest.
What are the average and median times a project takes from stage X to
stage Y? How has this changed over time?
Another would be to rework the process & documentation; e.g.
Incubation had distinct requirement docs which TAGs copied together
and deduplicated back during the DD trials.



Having seen things from both sides now, and since CNCF started, I can
understand both the frustrations about some timelines better and also
understand how a few dedicated people are trying to do their best with
the time they have. On all sides.


Best,
Richard


Re: LFX Mentorship '22 Summer Semester

Nate Waddington
 

Hello everyone!

Just a reminder that the cutoff for making project proposals is May 8th!

This is a great opportunity to have a paid mentee help with your projects.



Cheers,
Nate

On Apr 25, 2022, at 5:31 PM, Nate Waddington <nwaddington@...> wrote:

Hello everyone!

The LFX Mentorship '22 Summer semester is now open for project ideas: https://github.com/cncf/mentoring/tree/main/lfx-mentorship/2022/02-Summer

We have compressed the administration schedule to work around the LF All hands and KubeCon events this year. The semester is the same length as it has been in previous years.

Project submission and application timeline:
  • mentorships available on LFX Mentorship: May 8th, 2021
  • applications open: May 9th - May 24th (2 weeks)
  • application review/admission decisions/HR paperwork: May 25th - May 31st

We're looking forward to seeing all the project ideas you're interested in working on over the summer!


Cheers,
Nate


Re: Kyverno incubation public comment period

Maulik Shyani
 

+1 NB

On Tue, May 3, 2022 at 10:32 AM Chris Short via lists.cncf.io <cbshort=amazon.com@...> wrote:
+1 NB

Chris Short
He/Him/His
Sr. Developer Advocate, AWS Kubernetes (GitOps)
TZ=America/Detroit

On Apr 26, 2022, at 22:54, Rahul Jadhav <r@...> wrote:



+1 NB


On Tue, Apr 26, 2022 at 4:56 PM Davanum Srinivas <davanum@...> wrote:
Hi Folks,

Kyverno has applied to move from sandbox to incubation. As the TOC sponsor, thanks to everyone for their work.

PR: https://github.com/cncf/toc/pull/784
DD: https://docs.google.com/document/d/18dWgOd2MUQz3RXI1R9vKntL3ULyZhOD1HEtijGOeaWg/edit?usp=sharing

Everyone is welcome to comment in the document, on the PR, or in reply to this thread, before we move to a TOC vote. This period of public comment will last a minimum of two weeks.

Thanks,
Dims
-- 
Davanum Srinivas :: https://twitter.com/dims





--

Thanks and Regards,

Maulik Shyani
CEO
408.480.8501



Re: Kyverno incubation public comment period

Chris Short
 

+1 NB

Chris Short
He/Him/His
Sr. Developer Advocate, AWS Kubernetes (GitOps)
TZ=America/Detroit

On Apr 26, 2022, at 22:54, Rahul Jadhav <r@...> wrote:



+1 NB


On Tue, Apr 26, 2022 at 4:56 PM Davanum Srinivas <davanum@...> wrote:
Hi Folks,

Kyverno has applied to move from sandbox to incubation. As the TOC sponsor, thanks to everyone for their work.

PR: https://github.com/cncf/toc/pull/784
DD: https://docs.google.com/document/d/18dWgOd2MUQz3RXI1R9vKntL3ULyZhOD1HEtijGOeaWg/edit?usp=sharing

Everyone is welcome to comment in the document, on the PR, or in reply to this thread, before we move to a TOC vote. This period of public comment will last a minimum of two weeks.

Thanks,
Dims
-- 
Davanum Srinivas :: https://twitter.com/dims




Re: No TOC meetings for May 3 and May 17th, TOC panel on May 18

Katie Gamanji
 

Got it - thank you!


On Tue, May 3, 2022 at 2:12 PM Davanum Srinivas <davanum@...> wrote:
Katie,

typically whoever makes it to the event in-person :)

On Tue, May 3, 2022 at 12:05 AM Katie Gamanji <gamanjie@...> wrote:
Thank you Amye for the update!

Do we know who will represent the TOC in the panel?

On Mon, May 2, 2022 at 10:08 PM Amye Scavarda Perrin <ascavarda@...> wrote:
A quick note that the TOC meetings for May 3rd and May 17th are cancelled. We have a conflict with the TOC for the 3rd, and we'll have an open TOC panel at KubeCon replacing our standard meeting for May 17th. 

Wednesday, May 18 • 15:25 - 16:00 Central European Summer Time


--
Amye Scavarda Perrin | Director of Developer Programs, CNCF | amye@...



--
Davanum Srinivas :: https://twitter.com/dims


Re: No TOC meetings for May 3 and May 17th, TOC panel on May 18

Davanum Srinivas
 

Katie,

typically whoever makes it to the event in-person :)


On Tue, May 3, 2022 at 12:05 AM Katie Gamanji <gamanjie@...> wrote:
Thank you Amye for the update!

Do we know who will represent the TOC in the panel?

On Mon, May 2, 2022 at 10:08 PM Amye Scavarda Perrin <ascavarda@...> wrote:
A quick note that the TOC meetings for May 3rd and May 17th are cancelled. We have a conflict with the TOC for the 3rd, and we'll have an open TOC panel at KubeCon replacing our standard meeting for May 17th. 

Wednesday, May 18 • 15:25 - 16:00 Central European Summer Time


--
Amye Scavarda Perrin | Director of Developer Programs, CNCF | amye@...



--
Davanum Srinivas :: https://twitter.com/dims


Re: Results from Sandbox Inclusion Meeting, April 26

Maulik Shyani
 

Hello Dawn - thanks a lot for your direction here. We will surely work on the given resources. 


On Tue, May 3, 2022 at 1:18 AM Dawn Foster <fosterd@...> wrote:

Hi Maulik,

 

I’m not on the TOC, so I’m not sure if there were specific concerns about Matos raised during the meeting, but I do have a few suggestions for you based on our work within TAG Contributor Strategy.

 

I recommend having a look at some of the TAG Contributor Strategy resources about Contributor Growth here: https://contribute.cncf.io/maintainers/community/contributor-growth-framework/

 

I also recommend completing some of the TODO items in your Contribution Guidelines documentation: https://github.com/cloudmatos/Matos/blob/main/docs/CONTRIBUTION_GUIDELINES.md

 

Right now, I think most people would find it challenging to contribute without instructions for building Matos locally and running tests. The easier you can make it for contributors to get started, the easier it will be to recruit contributors.

 

Cheers,

Dawn

 

From: cncf-toc@... <cncf-toc@...> on behalf of Maulik Shyani via lists.cncf.io <maulik=cloudmatos.com@...>
Date: Monday, May 2, 2022 at 9:02 PM
To: Amye Scavarda Perrin <ascavarda@...>, CNCF TOC <cncf-toc@...>
Subject: Re: [cncf-toc] Results from Sandbox Inclusion Meeting, April 26

Hello Amye and TOC,

 

Thanks for the details below on our Sandbox project entry of Matos. 

 

Decision: Matos: Reapply in January '23 showing more robust community.

 

We submitted our entry in December '21 and got selected at the end of April '22 to be reviewed, but we were informed to reapply in Jan '23.

 

I completely understand that there are so many applications that want to be part of the Sandbox project and that's why it's taking time to be reviewed but my understanding is that the Sandbox project will provide better visibility to the community to participate in the open source project. 

 

How do we build the community without being part of the Sandbox or having better visibility? Would you please share any recommendations on how to build a robust community?

 

I appreciate your help here!

Thanks!  

 

On Tue, Apr 26, 2022 at 11:25 AM Amye Scavarda Perrin <ascavarda@...> wrote:

The TOC met today to review the sandbox applications available at sandbox.cncf.io.

OpenFunction - passes with a majority vote of the TOC
Teller - passes with a majority vote of the TOC
sealer - passes with a majority vote of the TOC

Our next Sandbox review meeting is June 14.

Not included at the sandbox level:

Ketch: Reapply with a more robust community presence.
container-structure-test: Reapply with a more robust community presence.
Clusternet: TOC would like to see more people who are active in the project actively doing PRs and reviews and issues.
Tarian: Consider becoming a subproject of Falco
Kubescape: would like to see more community growth, TAG + SIG Security may be useful here, reapply in 6 months
Lagoon: Reapply in 6 months to a year.
Matos: Reapply in January '23 showing more robust community.
KTLS: Suggest meeting with Kubernetes SIG-Release to work together.
Cluster API Provider for CloudStack (CAPC): Suggest meeting with SIG Cluster Lifecycle.

 

--

Amye Scavarda Perrin | Director of Developer Programs, CNCF | amye@...


 

--



Thanks and Regards,



Maulik Shyani

Re: Results from Sandbox Inclusion Meeting, April 26

Dawn Foster
 

Hi Maulik,

 

I’m not on the TOC, so I’m not sure if there were specific concerns about Matos raised during the meeting, but I do have a few suggestions for you based on our work within TAG Contributor Strategy.

 

I recommend having a look at some of the TAG Contributor Strategy resources about Contributor Growth here: https://contribute.cncf.io/maintainers/community/contributor-growth-framework/

 

I also recommend completing some of the TODO items in your Contribution Guidelines documentation: https://github.com/cloudmatos/Matos/blob/main/docs/CONTRIBUTION_GUIDELINES.md

 

Right now, I think most people would find it challenging to contribute without instructions for building Matos locally and running tests. The easier you can make it for contributors to get started, the easier it will be to recruit contributors.

 

Cheers,

Dawn

 

From: cncf-toc@... <cncf-toc@...> on behalf of Maulik Shyani via lists.cncf.io <maulik=cloudmatos.com@...>
Date: Monday, May 2, 2022 at 9:02 PM
To: Amye Scavarda Perrin <ascavarda@...>, CNCF TOC <cncf-toc@...>
Subject: Re: [cncf-toc] Results from Sandbox Inclusion Meeting, April 26

Hello Amye and TOC,

 

Thanks for the details below on our Sandbox project entry of Matos. 

 

Decision: Matos: Reapply in January '23 showing more robust community.

 

We submitted our entry in December '21 and got selected at the end of April '22 to be reviewed, but we were informed to reapply in Jan '23.

 

I completely understand that there are so many applications that want to be part of the Sandbox project and that's why it's taking time to be reviewed but my understanding is that the Sandbox project will provide better visibility to the community to participate in the open source project. 

 

How do we build the community without being part of the Sandbox or having better visibility? Would you please share any recommendations on how to build a robust community?

 

I appreciate your help here!

Thanks!  

 

On Tue, Apr 26, 2022 at 11:25 AM Amye Scavarda Perrin <ascavarda@...> wrote:

The TOC met today to review the sandbox applications available at sandbox.cncf.io.

OpenFunction - passes with a majority vote of the TOC
Teller - passes with a majority vote of the TOC
sealer - passes with a majority vote of the TOC

Our next Sandbox review meeting is June 14.

Not included at the sandbox level:

Ketch: Reapply with a more robust community presence.
container-structure-test: Reapply with a more robust community presence.
Clusternet: TOC would like to see more people who are active in the project actively doing PRs and reviews and issues.
Tarian: Consider becoming a subproject of Falco
Kubescape: would like to see more community growth, TAG + SIG Security may be useful here, reapply in 6 months
Lagoon: Reapply in 6 months to a year.
Matos: Reapply in January '23 showing more robust community.
KTLS: Suggest meeting with Kubernetes SIG-Release to work together.
Cluster API Provider for CloudStack (CAPC): Suggest meeting with SIG Cluster Lifecycle.

 

--

Amye Scavarda Perrin | Director of Developer Programs, CNCF | amye@...


 

--



Thanks and Regards,



Maulik Shyani

Re: No TOC meetings for May 3 and May 17th, TOC panel on May 18

Katie Gamanji
 

Thank you Amye for the update!

Do we know who will represent the TOC in the panel?

On Mon, May 2, 2022 at 10:08 PM Amye Scavarda Perrin <ascavarda@...> wrote:
A quick note that the TOC meetings for May 3rd and May 17th are cancelled. We have a conflict with the TOC for the 3rd, and we'll have an open TOC panel at KubeCon replacing our standard meeting for May 17th. 

Wednesday, May 18 • 15:25 - 16:00 Central European Summer Time


--
Amye Scavarda Perrin | Director of Developer Programs, CNCF | amye@...
