Hello TOC,

Hopefully this is an easy question to answer 😅

Background:

- We're in the process of preparing a proposal for OPA to graduate from Incubation. As part of the process, we're putting together a due diligence document for review. We'll be able to share that soon.

- SIG-Security completed an assessment of OPA in October 2019: https://github.com/cncf/sig-security/pull/275. The assessment yielded useful feedback that has since been addressed. There haven't been any significant (design or architectural) changes to the project since the assessment (nor are there any planned).

The question to the TOC:

- What action is required from SIG-Security in the context of OPA's graduation process given they completed the assessment of OPA in October 2019?

Any guidance would be appreciated.

Thanks!

-Torin

A simple invite for SIG Security to comment on your graduation proposal is sufficient based on the previous due diligence... "any concerns from incubation DD in addition to the standard graduation requirements"

https://github.com/cncf/toc/blob/master/process/project_proposals.adoc#graduation-process

I don't see a public graduation proposal from you yet so I'd get that out and invite the SIG to formally comment.

Hope that helps, but note the discretion lies with the TOC at the end of the day.

On Mon, Jul 20, 2020 at 10:53 AM Torin Sandall via lists.cncf.io <torin=styra.com@...> wrote:

Hello TOC,

Hopefully this is an easy question to answer 😅

Background:

- We're in the process of preparing a proposal for OPA to graduate from Incubation. As part of the process, we're putting together a due diligence document for review. We'll be able to share that soon.

- SIG-Security completed an assessment of OPA in October 2019: https://github.com/cncf/sig-security/pull/275. The assessment yielded useful feedback that has since been addressed. There haven't been any significant (design or architectural) changes to the project since the assessment (nor are there any planned).

The question to the TOC:

- What action is required from SIG-Security in the context of OPA's graduation process given they completed the assessment of OPA in October 2019?

Any guidance would be appreciated.

Thanks!

-Torin

--

Chris Aniszczyk (@cra) | +1-512-961-6719

Chris, does the CNCF have an external security assessment done before graduation?

On Tue, Jul 21, 2020, 13:02 Chris Aniszczyk <caniszczyk@...> wrote:

A simple invite for SIG Security to comment on your graduation proposal is sufficient based on the previous due diligence... "any concerns from incubation DD in addition to the standard graduation requirements"

https://github.com/cncf/toc/blob/master/process/project_proposals.adoc#graduation-process

I don't see a public graduation proposal from you yet so I'd get that out and invite the SIG to formally comment.

Hope that helps, but note the discretion lies with the TOC at the end of the day.

On Mon, Jul 20, 2020 at 10:53 AM Torin Sandall via lists.cncf.io <torin=styra.com@...> wrote:

Hello TOC,

Hopefully this is an easy question to answer 😅

Background:

- We're in the process of preparing a proposal for OPA to graduate from Incubation. As part of the process, we're putting together a due diligence document for review. We'll be able to share that soon.

- SIG-Security completed an assessment of OPA in October 2019: https://github.com/cncf/sig-security/pull/275. The assessment yielded useful feedback that has since been addressed. There haven't been any significant (design or architectural) changes to the project since the assessment (nor are there any planned).

The question to the TOC:

- What action is required from SIG-Security in the context of OPA's graduation process given they completed the assessment of OPA in October 2019?

Any guidance would be appreciated.

Thanks!

-Torin

--

Chris Aniszczyk (@cra) | +1-512-961-6719