
cncf / foundation


☁️♮🏛 This repo contains several documents related to the operation of the CNCF. File non-technical issues related to CNCF here.

Home Page: https://cncf.io

License: Other

Rich Text Format 100.00%
cncf governance

foundation's Introduction

☁️♮🏛Cloud Native Computing Foundation Policy Repo

This repo contains several documents related to the operation of the Cloud Native Computing Foundation.

Governance

Project Guidance

Community recommendations

Other content

A lot of project, SIG, and TOC-related content is in the TOC repo. cncf.io has information on all programs offered publicly by CNCF.

The list of maintainers for each CNCF project is held in the project-maintainers.csv file. An existing project maintainer can update this list by Pull Request, and they should also email [email protected] (or raise a service desk ticket) to request corresponding changes to the project's CNCF-run maintainer mailing list.

How to request changes

You are welcome to file non-technical issues related to CNCF on this repo.

foundation's People

Contributors

beeme1mr, caniszczyk, cmierly, craigbox, dankohn, deepthi, feynmanzhou, gcolliso, idvoretskyi, imrajdas, jeefy, joannalee333, justaugustus, k8tgreenley, kimmcmahon, krook, leonrayang, lizrice, mrbobbytables, nate-double-u, nofalx, oicheryl, okabe-junya, onlydole, roidelapluie, scottrigby, swinslow, taylorwaggoner, tomkerkhove, xmulligan


foundation's Issues

Code Search for CNCF Projects

Introduction

CNCF currently has a really powerful set of developer tools that makes contributors' lives easier. Starting from Project Specific workflow tools to Common Project-level Monitoring tools, there is a wide array of tools helping developers in their daily jobs. One such tool that I can think of that has immense value is Code Search.

CodeSearch is becoming an important tool in developers' workflow, as it makes navigating code easier, more accessible, and faster (through Browser). Its importance is compounded when there are multiple repositories having dependencies between each other (as is the case with CNCF). It also makes it easy to understand what repos are using which versions of dependencies and which code paths.

Benefits

CNCF has a lot of projects that have inter-related dependencies, i.e., most projects depend on k8s client-go, etc.

  • Makes Code Search and Navigation easier, without having to set up dev environments specific to the project.
  • Makes it easier to understand project dependencies (both inside and outside CNCF), and navigating between them.
  • Easier to search for code-paths across repositories, useful for understanding the effects of breaking changes, etc.

Examples

Conclusion

I personally have been a heavy user of both Kubernetes Code Search and SourceGraph Global Instance and feel that it is really valuable to have a hosted Code Search engine specifically for CNCF projects.

If there is similar interest from CNCF and other contributors/users, we can start looking for OSS Code Search Engines available and how we can take this effort forward.

@caniszczyk

Audit CLA/DCO for all CNCF projects

CNCF's IP policy (https://github.com/cncf/foundation/blob/master/charter.md#11-ip-policy) requires all projects to use either CLA (Contributor License Agreements) or DCO (Developer Certificate of Origin). Unless there's a strong necessity to use CLA, we encourage projects to use DCO as it's easier to set up and use.

Projects that are missing the CLA/DCO are asked to enable DCO for their respective GitHub organizations. More details on DCO here - https://github.com/apps/dco.

Applying Apache License to source code

Projects like Kubernetes and Containerd are using automation and file templates to apply the license:
Kubernetes (Main repo) : https://github.com/kubernetes/kubernetes/tree/master/hack/boilerplate
Containerd : https://github.com/containerd/project/tree/master/script/validate/template

However, ASF guidance here seems to indicate a shorter SPDX version is fine:
http://www.apache.org/foundation/license-faq.html#Apply-My-Software

Can we please establish that this is ok or not, and document the decision in this repository?

cc @swinslow

Clarify AGPL3 allowance for member projects

Recently, 7 members of the CNCF Landscape have decided to move to AGPLv3; most recently Minio made this change with confusion about the copyright status of contributions due to a lack of CLA.

Not only does this cause issues within corporate environments where a strict interpretation of "distribution" (as well as "modification", etc.) is used which could result in licensing troubles, the change in license makes it impossible for some enterprises to maintain good security policies where AGPL3 software is banned (etc., etc.) or where third parties ban the use of AGPL3 software, as now those environments are barred from using versions addressing current and as of yet unknown security fixes.

Open source compliance tools such as Sonatype ban AGPL code by default. Additionally, agpl-recommendations.md indicates that all source under the CNCF projects should be Apache2 or in the allowable list of licenses. To the lay reader, the prima facie reading of the charter indicates that projects such as Minio and Grafana would fall under the requirements of being in the allowed list of licenses.

So, does AGPL3 have a place on the CNCF Landscape? What of these projects? Are they still part of the landscape?

Update Clause 6.d.ii in the TOC charter to change "engineers" to "technologists"

Clause 6.d.ii in the TOC charter says:
"ii. demonstrate an advanced level of professional experience as
engineers in the scope of CNCF"

As the TOC looks after ALL aspects of projects, community, etc, not
just "engineering".... I propose that we change "engineers" to
"technologists".

There is a quorum of TOC votes in favour.

Open source CLAbot

I would prefer for the entire CLAbot codebase to be open source so that others could make use of it, fix bugs, contribute features, etc.

@emsearcy Could you please scope out what would be involved in separating the CLAbot from the LF's Drupal infrastructure so that CNCF (and others who wanted to use it) are not reliant on any closed source infrastructure.

I presume we would still want the production database of signatories to be private, but we could have a demo server with fake data for testing.

Thanks.

Cc @caniszczyk @mkdolan

License exemption for github.com/hashicorp/go-retryablehttp

github.com/hashicorp/go-retryablehttp is an MPL-2.0 project that is not currently listed as an exemption. We are asking it be added as an exemption so it can be used.

Would it be possible to get either a blanket MPL-2.0 exemption or an exemption for all of the hashicorp MPL-2.0 projects, instead?

Code of Conduct in non-English languages

We'd like to set up regional boards for users on discuss.kubernetes.io in their own native languages but we're missing a code of conduct in Chinese for example.

I'm not sure what the protocol is, but I figured it wouldn't hurt to consider having the CoC translated to other languages. Some data that we have: the top 5 non-English Kubernetes Slack channels are currently:

  • jp-users - 783
  • de-users - 441
  • fr-users - 407
  • cn-users - 357
  • es-users - 204

Allow Slack registration links to directly land into specific projects

As projects are moving from individual Slacks to CNCF Slack, there can be some improvement to the registration workflow for people joining CNCF Slack to interact with specific project communities. Most often people join to get their questions answered at the earliest and it will help to remove any barriers in reaching the right community.

One idea could be to present users with a welcome message after registering that shows the list of project-specific channels that are available or alternatively, if users are coming to CNCF Slack via a Project website, some way to capture that referring site and redirect them to the intended channel after they register.

[Question] Cloud native definition

Hi,
I have a question and hope this is the right place to answer it. A lot of definitions of what cloud native applications are state that they are characterized by the three points below:

- Containerized: Each part (applications, processes, etc) is packaged in its own container. This facilitates reproducibility, transparency, and resource isolation.
- Dynamically orchestrated: Containers are actively scheduled and managed to optimize resource utilization.
- Microservices oriented: Applications are segmented into microservices. This significantly increases the overall agility and maintainability of applications

Often you are given as the source of this definition. I think it's nice because it defines three distinct points I can use to discuss with others when talking about cloud native.

Unfortunately, in revision 7 of your charter (a121a45) you replaced this explicit definition with a more generic one, deleting this explicit three-point definition.

May I ask why you decided to change the definition this way?

Best regards

Google docs seem too wide open

Any anonymous hacker can type anything on a bunch of TOC-SIG Google docs. I can basically type 'Anonymous was here' from an incognito window on these Google docs (and more):

I'm wondering if there's a better way to

  • Keep track of users who make the changes
  • Allow certain people who request access
  • Allow anonymous to comment only, etc.

cc: @amye @quinton-hoole

How to report divergence from CNCF requirements?

I cannot find the proper place to submit commentary on a CNCF project, but it may be the case that a project has in recent months shifted away from meeting the guidelines for CNCF project inclusion.

The Sandbox Guidelines require:

That a project has a legally neutral home that is stable and known

...

A neutral home for your project increases the willingness of developers from other companies and independent developers to collaborate, contribute, and become committers. Neutrality requires that projects contribute their trademark to CNCF so that:

  • No company is favored over any other
  • CNCF ensures project governance is transparent and fair for everyone.

Recent changes to a sandbox project appear to cause it to diverge dramatically from the requirements for incubation stage, and appear to be moving toward the project being a proprietary requiring a third party cloud service and licensing. These changes would appear to preclude it from graduating to the incubation stage.

What is the appropriate venue for concerns such as this?

iCLA should have explanation of why we need it

For the corporate CLA signers, the organizations/lawyers verify the terms of the CLA. For an individual looking to sign it, it may appear daunting. Perhaps we should have a landing page as the first step which explains the need for a CLA, so as to not startle someone with several pages of intimidating legalese right away

short license identifiers

Consider having CNCF projects adopt SPDX style short license identifiers

SPDX-License-Identifier: Apache-2.0

We could potentially make this a graduation requirement, but not sure what the TOC will think.

Consider creating a multi-project CoC committee

CNCF,

Larger projects like Kubernetes and Helm have their own committees for CoC enforcement. However, many smaller projects have difficulty staffing a diverse and balanced CoC committee because they just have too few contributors involved. That doesn't mean they don't need one, though; referring all CoC enforcement to a Linux Foundation staff member is both too much work for that staff member, and likely to result in long delays since LF staff cannot have context for the projects.

We (the Governance WG of SIG-Contributor Strategy) propose that the CNCF should consider having a "joint CoC enforcement committee" that all of the smaller projects would be allowed, at their discretion, to join, providing 1 or 2 volunteer members. This would support knowledgeable CoC enforcement without requiring projects to each invest a large amount of contributor time, and it would help ensure that the CoC committee was more diverse and balanced.

cc @amye

CNCF position on new Docker policy limiting image retention

Starting Nov 1, 2020, Docker is planning to limit retention of images on Docker Hub for free accounts to 6m. This will likely affect many CNCF projects that distribute binaries. For example, while the Jaeger project makes multiple releases per year, it does not mean that all users are upgrading more frequently than 6m. We also have a number of build and CI related images that are not updated that often, and if they start TTL-ing out it will introduce additional maintenance burden.

What is the TOC recommendation on this front? Should CNCF upgrade some of Docker Hub accounts (e.g. starting with graduated projects) to paid plans?

CLAbot is lacking logs

This is especially painful when doing git surgery, examples

Let's take an example - kubernetes/utils#55, the bot says:
cla/linuxfoundation — dims authorized, but 1 other problem

and the Details link points to https://identity.linuxfoundation.org/projects/cncf which is not helpful as we should not be pinging the helpdesk to figure out which git commit in a PR is causing an issue.

Can we please do better?

  • log exactly why the bot thinks the PR is bad
  • link to logs, so we can go look at the verbose output from the bot

Conflict in style guides

There are two versions of the style guide available:

https://www.cncf.io/blog/2018/09/04/the-cloud-native-computing-foundation-cncf-style-guide/
https://github.com/cncf/foundation/blob/master/style-guide.md

The style guide on GitHub seems to be at least six months further along than the blog post. The blog post comes up before the more current style guide on GitHub. I know the blog post was a snapshot in time, but it is confusing to users. Can we either update the blog post or put a disclaimer in it to say that the current style guide is in GitHub at the top?

thanks!

Where to submit security vulnerabilities for cncf projects?

For instance there is this issue:
helm/charts#391

I don't know if it is serious or not, but I believe that if it is a serious one, it shouldn't be public.
This should be sent to an email and addressed outside of public discussions.

For instance:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs

Once there is such a procedure, it would be nice if there is a line on each README of each project, and maybe the bot could read issues, and if it sees the "security" keyword, then delete it, and send emails. Just an idea.

MPL

Greetings,

Is there a specific reason that MPL is out of the Allowlist?
Afaik it is an OSI approved license from Mozilla, and it is open source/closed source/commercial etc. friendly.

Thanks..

New repo for language guidelines

Create a new repo, cncf/language, to host a list of language and naming requirements for CNCF projects.

Note: I was privately circulating a Google doc to Kubernetes collaborators for this work; it's taken on a life of its own and started circulating independently of any Kubernetes- or CNCF- work to some of our member organizations. At this point I think it's best to make any WIP publicly attached with the CNCF :)

Note #2: I'm open to alternate repo names.
