
Update project moving level guidance based on feedback from in-toto DD review #1532

Open
linsun opened this issue Feb 10, 2025 · 5 comments · May be fixed by #1533
Comments

linsun (Contributor) commented Feb 10, 2025

A few things that came out of the in-toto review and are worth clarifying in the graduation template:

  • As a specification project, there really is very little additional development that would need to happen.
  • We do not hold projects back from moving levels on factors outside the project’s control that are probabilistic occurrences, because many factors can change at a moment’s notice.
  • For a specification project, it is required to have at least one implementation, and that reference implementation DOES NOT need to be part of the project undergoing due diligence.
  • For graduated projects, all critical and high issues from the security audit must be resolved. For medium & low items, they should (not a requirement, but strongly encouraged) have a corresponding issue opened on the repo to track it to closure.

@TheFoxAtWork let me know if I missed anything, I'll open a PR for this shortly!

linsun added the archive (archive project proposals) label Feb 10, 2025
linsun changed the title "Update project moving level guidance based on feedback from in-toto" to "Update project moving level guidance based on feedback from in-toto DD review" Feb 10, 2025
linsun removed the archive (archive project proposals) label Feb 10, 2025
linsun (Contributor, Author) commented Feb 10, 2025

Corresponding slack discussion in TOC private: https://cloud-native.slack.com/archives/G01MNU51LFM/p1736305335718719

linsun (Contributor, Author) commented Feb 10, 2025

> We do not hold projects back from moving levels on factors outside the project’s control that are probabilistic occurrences, because many factors can change at a moment’s notice.

Not exactly sure where to add this, so I left this out. Going to open the PR shortly!

> For graduated projects, all critical and high issues from the security audit must be resolved. For medium & low items, they should (not a requirement, but strongly encouraged) have a corresponding issue opened on the repo to track it to closure.

Confirmed this is already in the dd-toc-guide.md

linsun linked a pull request Feb 10, 2025 that will close this issue

TheFoxAtWork (Contributor) commented

First 💕 thank you! For the not holding back projects bit, I would put that at the end of the paragraph of line 166. It would fit perfectly.

linsun (Contributor, Author) commented Feb 11, 2025

> First 💕 thank you! For the not holding back projects bit, I would put that at the end of the paragraph of line 166. It would fit perfectly.

Awesome, PR is updated: https://github.com/cncf/toc/pull/1533/files PTAL! Thanks Emily!

angellk (Contributor) commented Feb 19, 2025

@TheFoxAtWork @linsun this is adding requirements for specification projects to the DD guide - where are those requirements initially captured and reviewed? From what I recall, the private-toc thread was initiated because the TOC does not have requirements specified. However, if that is inaccurate - those requirements for specification projects should be linked in the attached PR.
