Provide guidance for projects maintained by a single organization looking to submit to OSSF Sandbox #244
Comments
|
I think one of the things the OpenSSF excels at is bringing folks together from different orgs to address common challenges. I recognize that we want the sandbox stage to be an easy on-ramp, but I'd rather see us improve (1) and help newcomers engage with the broader community. |
|
I don't think the requirement of 2 maintainers from different organizations is too high a bar. The reason we have this requirement is to prevent organizations from taking advantage of OpenSSF to advertise their project as being part of OpenSSF even though it may not have any support beyond their own organization. Organizations interested in bringing a project to OpenSSF have plenty of opportunities to advertise their intentions and should be able to get someone interested enough to sign up as a maintainer to meet the requirement. If they don't then it's probably not a good sign. |
|
@lehors - I understand. One drawback is that it may be hard to get that second organization because "they're not in OpenSSF yet", so the members of a second organization might not participate or review until it's done. I fear adding this requirement may create a chicken-and-egg / Catch-22 / deadlock situation. |
Just to be clear: We're not adding anything, it's already there. The question is whether we should remove it. :-) |
|
This has been a hard requirement since the beginning. I do not feel that we should change it. @lehors points out the reasoning why. If someone is interested in donating, they should consider showing up and participating in our groups and growing a community of new contributors from our current ranks or folks that aren't members (yet). |
|
@SecurityCRob - fair enough! If we keep it as a hard requirement, maybe we can write guidance for those projects on growing their contributors outside their organization. E.g.:
|
If the effort is not too time consuming, I think it would be great for the TAC to provide feedback on the below Sandbox requirement. That feedback shouldn't be considered a definitive acceptance but, it could help avoid projects that are blatantly unrelated from pursuing membership or encourage borderline projects to adjust their focus.
Additionally, creating an issue template for WG repos to allow presentations could be a great forum for new projects to spread awareness. This template from CNCF's TAG Security requires a sponsor for the group to accept the presentation. |
|
I agree with @lehors and @SecurityCRob and most others in saying we shouldn't reduce the requirement. We might want to do more to point folks in the right direction on how they might transform to do the right things to become ready for acceptance into OpenSSF. For example what @jkjell mentioned. |
|
I also believe the sandbox requirement should not be reduced below two maintainers. For the guidance, I believe we can add a sentence that hyperlinks to another page on: navigating the openssf to gain more contributors and understand alignment. The additional context should point to the MVSR, the Secure Software Guiding Principles, and a description that discusses how to navigate the website to understand the different WG, and how to get on those WG agendas to introduce themselves and request interest from more contributors. Perhaps the DevRel team could help with this, as I believe members of that group were working to develop an overview of each WG and how to best figure out how to determine alignment of interests to WGs. We could use also create/add WG roles and responsbilities, one of which is to provide guidance and feedback to orgs requesting sandbox alignment that don't have more than one contributor. |
|
I've been working on some notes. Hope to have a basic doc a little later this week. FWIW, we do have a couple of TIs like https://github.com/ossf/s2c2f that are only maintained by a single org. We should also really look to resolve this. |
This solves ossf#244. This is a document for helping people and organizations that have open sourc projects they would like to eventually contribute to the OpenSSF but don't meet the requirements to be a sandbox project. In particular the need for maintainers from 2 organizations can be difficult when the project was started by an individual or internally at an organization. This document highlights some simple practices to get started with building a new community.
This solves ossf#244. This is a document for helping people and organizations that have open sourc projects they would like to eventually contribute to the OpenSSF but don't meet the requirements to be a sandbox project. In particular the need for maintainers from 2 organizations can be difficult when the project was started by an individual or internally at an organization. This document highlights some simple practices to get started with building a new community. Signed-off-by: Michael Lieberman <[email protected]>
|
Mike gave us a really good proposal to review in TAC PR 267, please review and provide feedback. |
|
This was addressed by PR #267 |
Current lifecycle requires all projects including sandbox to have maintainers from more than one organization. This can lead to issues where a well intentioned organization that doesn't have a lot of connections within the community looking to contribute a project have no way to do so.
There are a few potential solutions including:
The text was updated successfully, but these errors were encountered: