[Suggestion] Define a review process for CNCF projects being considered for Graduation #367
Labels
inactive
No activity on issue/PR
Requests for Comment (RFC)
suggestion
New suggestion for the CNCF sig-security group that don't fall into an existing category
Comments
ashutosh-narkar
added
the
suggestion
|
This should be lightweight as we are still working through what a SIG Security Assessment process looks like, also refer and link to TOC PR 374 |
|
Hello Michelle,
Thanks for your reply. The idea behind creating #367
<#367> was to create a process
around how Sig-Security in particular would provide a recommendation for a
project looking to graduate. In Harbor's graduation proposal
<cncf/toc#311>, getting a review from Sig-Security
was raised few months ago. So having a process in-place for such scenarios
seemed to be the right thing.
When I brought up #367 <#367> on
the last Sig-Security call on 3/11, I was informed by @TheFoxAtWork
<https://github.com/TheFoxAtWork> and @justincormack about your work on
#374 <cncf/toc#374>. The process the TOC would
follow for graduation as you've outlined in #374
<cncf/toc#374> is clear and looks good to me.
The "Optional SIG reviews" that you mention would be handled differently by
each SIG, correct ? And if yes, I was trying to get a conversation started
purely from the perspective of Sig-Security about how that process would
look and how we (Sig-Security) can streamline it for future projects.
Thanks
Ash Narkar
…On Thu, Mar 12, 2020 at 3:55 PM Michelle Noorali ***@***.***> wrote:
@ashutosh-narkar <https://github.com/ashutosh-narkar> thank you for the
feedback and suggestions. Given the updated, lightweight process
@TheFoxAtWork <https://github.com/TheFoxAtWork> referenced (#374), do you
still feel we should add this level of detail to the graduation process. I
think it makes complete sense for multiple SIGs to review a project however
I don't think it will be needed for all projects that go through the
process.
Optional SIG reviews can be kicked off (requested/suggested) by TOC
members or SIG chairs during the period for public comment if necessary. If
we agree on that, we should document it in the process and reference the
examples you've outlined above.
Happy to request this be added to the next TOC meeting for discussion if
you'd like to come and talk more about. Also happy to let you lead any
changes here. Thank you. cc/ @amye <https://github.com/amye>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#367 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AA27TMAPXQ55Z772LAXTJGDRHFR6ZANCNFSM4LF2BCOA>
.
|
|
This issue has been automatically marked as inactive because it has not had recent activity. |
|
@lumjjb is this covered by our last TL discussion? |
|
This issue has been automatically marked as inactive because it has not had recent activity. |
|
This issue has been automatically marked as inactive because it has not had recent activity. |
|
Closed as stale over two years. For the the lastest process see https://github.com/cncf/toc/tree/main/process |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description: When a CNCF project is being considered for Graduation status, it is recommended that the project first be reviewed by the appropriate SIG. For example, one of the suggestions in Harbor's Graduation Proposal is that the project be reviewed by Sig-Runtime, Sig-Storage and Sig-Security.
This issue aims to get feedback around how to formalize the review process that Sig-Security would perform for projects looking to graduate. This would help projects get a clear understanding of the process that needs to be followed to get a recommendation from Sig-Security.
Couple of options that could help define this process:
Review the project's due diligence doc and make a recommendation: This approach is similar to the process followed by Sig-Runtime in its review of Harbor. Their recommendation can be found here.
Use the Security Assessments process: Sig-Security has defined an in-depth process to assess the security aspects of a project. At the end of the assessment, the SIG-Security reviewers provide feedback as well. So a project looking to graduate that hasn't gone through a security assessment before, could be requested to go through this formal process in order to get Sig-Security's recommendation.
The benefit of using this approach, is that we already have a well-defined process in-place and additionally we can leverage the Updates and Renewal flow of the Security Assessment process for projects that are looking to graduate and have already gone through the Security Assessment process in the past.
We would need to update the renewal process with more details than we currently have but in the long run the same process can be used for annual reviews and for the graduation recommendation. As suggested in this issue, creating a section for Critical Functions & Features would be a good first step.
Update:
The TOC recently updated the process/template for graduation. More details in this pull request.
The text was updated successfully, but these errors were encountered: