ENH:proposals: add in-toto graduation proposal #1162
Signed-off-by: Santiago Torres-Arias <[email protected]>
b0b6431 to a043a72
nb +1!
Very excited to see this happen!
nb +1. This is long overdue!!!
nb +1
It is great to see the progress and see the impact of in-toto thus far. Great things to come!
nb +1 🎉
nb +1 🎓 in-toto is not only a great system, it is also a frequently cited inspiration for other systems, defines standard formats that multiple systems implement, and benefits from multiple quality implementations.
nb +1 As one of the original in-toto core team members, I can attest that a lot of thought has gone into the design and development of the system. And I am very excited to see its impact grow in the supply chain security ecosystem. Graduation seems appropriate.
+1 for graduation of in-toto!!
+1
+1
+1 as a relative newcomer to the project, and I've been really impressed by the maintainers and community. Absolutely supportive of project graduation!
+1 ❤️
+1
+1
Hi @SantiagoTorres, I'll be reviewing your proposal soon! Excited to see so much support of in-toto here!
+1
Some update - met with @SantiagoTorres last week and walked him through the new process along with expected timeline. Raised a few issues with @SantiagoTorres and started working on putting DD doc together. From our discussion, @SantiagoTorres has already set up a review with TAG-security, see cncf/tag-security#1290. I'm traveling for this and next 2 weeks unfortunately, will have limited bandwidth but will make progress whenever I can. cc @TheFoxAtWork @nikhita FYI
TAG Security has conducted a thorough review of the in-toto project as part of its consideration for CNCF graduation. Based on our assessment, we find: in-toto presents as a mature, well designed security project that has made significant strides toward graduation. Key points supporting this include:
Opportunities for further development:
In conclusion, in-toto demonstrates the characteristics of a graduated level CNCF project, particularly in terms of security. Its wide adoption, successful response to security audits, and overall mature security posture make it a strong candidate for graduation. The project serves as an exemplar of security design in the ecosystem.
Thank you @anvega for the detailed note, glad the review went very well and in-toto continues to demonstrate the characteristics of a graduated level CNCF project. Update: @SantiagoTorres is working on getting me interviewer lists and also answering some questions I had while preparing the DD doc.
Still working with @SantiagoTorres on the proposal doc, also have 1 interviewee scheduled this week!
Synched with @SantiagoTorres today, DD 80% done, a few todo items remaining but nothing blocking. Adopter 1 interview has been done and uploaded to CNCF TOC folder, and adopter 2 interview is being rescheduled.
Anything else the in-toto Steering Committee can help with here, please?
Someone needs to submit a Governance Review request for In-toto.
Got it. Where and how, please?
Thanks for the reminder @jberkus and @TheFoxAtWork for the link! @trishankatdatadog and @SantiagoTorres pls let us know when this is submitted, thanks!
Ping, we still don't have a gov review request.
Sorry for the delay --- was going to send today! Let me send it off in a bit...
Done! Please let us know if you need any other information there.
Still working with @SantiagoTorres on the proposal doc, waiting for a few final items from @SantiagoTorres! 2 adopter interviews are finished and working on getting the 3rd interviewee scheduled!
Looks like govt review is done and ready to be merged: https://github.com/cncf/tag-contributor-strategy/pull/740/files Thanks to tag contributor strategy!!! Pinged @SantiagoTorres offline to address one concern (subprojects are not listed properly) from govt review, otherwise, it looks GREAT to me.
Also pinged @SantiagoTorres offline about getting another adopter to me as I haven't been able to get the 3rd adopter interview scheduled for the past 2 months.
Got the 3rd adopter interview scheduled for this week!
All adopter interviews have been completed. I have prepared the DD doc here: https://github.com/linsun/toc/blob/main/projects/in-toto/in-toto-graduation-dd.md While reviewing it again, I saw 4 gaps and communicated to @SantiagoTorres a few days ago via Slack. I also went ahead and created the following GitHub issues to track them. Once they are addressed, I should be able to move the project forward for the next step.
Hi @SantiagoTorres, added you as assignee, would be great if you can work with the in-toto community to resolve the issues mentioned in my comment earlier today so I can move this forward. Thanks!!
This is a formal proposal for the graduation of the in-toto project.
in-toto is an open-source project that joined CNCF as a sandbox project in August 2019, and entered incubation in March 2022.
Since then, in-toto has experienced a remarkable degree of adoption within various ecosystems and use cases. These include cases such as GitHub's, GitLab's and Tekton among others. Due to this, we are confident that in-toto is ready to graduate.
Supporting Documents
link to graduation DD document
Incubation Documents
link to incubation PR
incubation DD
P.S. I was holding back on the former proposal because there were going to be changes to the process, but seeing other projects are moving forward as well I'd rather leave a formal paper trail