REQUEST: Migrate aquasecurity/vuln-list-k8s
New repo, staging repo, or migrate existing
migrate existing: aquasecurity/vuln-list-k8s
Is it a staging repo?
no
Requested name for new repository
cve-feed-osv
Which Organization should it reside
kubernetes-sigs
Who should have admin access?
itaysk, knqyf263, tabbysable, iancoldwater, pushkarj
Who should have write access?
pushkarj, ericsmalling
Who should be listed as approvers in OWNERS?
itaysk, knqyf263, tabbysable, iancoldwater, pushkarj
Who should be listed in SECURITY_CONTACTS?
itaysk, knqyf263, tabbysable, iancoldwater, pushkarj
What should the repo description be?
OSV JSON format file generator for official Kubernetes CVE Feed
What SIG and subproject does this fall under?
sig-security
Please provide references to appropriate approval for this new repo
Meeting minutes: https://docs.google.com/document/d/1GgmmNYN88IZ2v2NBiO3gdU8Riomm0upge_XNVxEYXp0/edit#bookmark=id.kywwheybam91
Lazy Consensus announcement: https://groups.google.com/g/kubernetes-sig-security/c/FxXegIeO198
Additional context for request
We will be creating a separate branch where code from here: https://github.com/aquasecurity/vuln-list-update/tree/main/k8s will be migrated to https://github.com/aquasecurity/vuln-list-k8s
/sig security
if it's just a subdir of the repo, I would opt to create a new repo and move the code over - there are only 5 commits that touch that dir.
the primary contributor is going to be @chen-keinan, so please add him too. I (@itaysk) won't be contributing actively, so feel free to remove me, unless I'm needed for redundancy.
Thanks @itaysk I have updated the description now to include @chen-keinan
@mrbobbytables we actually worked together to move all the code that we need to migrate into the new branch on this repo: https://github.com/aquasecurity/vuln-list-k8s/tree/migrate-k8s-org So this branch if made as main branch for the new repo with all the other kubernetes repo skeleton (license, etc), we would be golden! Let us know how I can help you and GitHub admin team to make this happen :)
@PushkarJ if you can, stage all the things needed to be a k8s project first - https://github.com/kubernetes/community/blob/master/github-management/kubernetes-repositories.md#rules-for-donated-repositories
the license headers etc (the stuff in the repo skeleton part you mentioned)
@mrbobbytables Branch is now updated with template files and headers. Please let me know if we missed nothing :) 🙏
Hi there, is there anything else required to proceed?
/assign
@PushkarJ / @itaysk a couple of items for the first step of migration:
- I will need to invite an admin of the https://github.com/aquasecurity/vuln-list-k8s repo to one of our temporary orgs through which we can migrate the repository, please lmk whom I can invite for that.
- We have the following folks listed with admin and write privileges, but they are not part of the kubernetes-sigs GitHub org:
- @chen-keinan
- @knqyf263
- @ericsmalling
They will need to apply for membership before they can be given admin access to the migrated repo: https://github.com/kubernetes/community/blob/master/community-membership.md#requirements
@ericsmalling since you're already part of the Kubernetes org, I can PR you in to the kubernetes-sigs org, you do not need to apply for membership anew. 🙂
However, this should be non-blocking for the migration itself, they can always be added in as and when the org membership requirements are met.
Couple more things:
- [Blocking] We need to ensure that all existing committers to the code of vuln-list-k8s have signed the CLA: https://github.com/kubernetes/community/tree/master/contributors/guide#sign-the-cla
- This is especially true for folks that will be given admin/write access.
- This means, for the migrate-k8s-org branch, we have 2 non-bot users who have committed to this branch: @chen-keinan and @knqyf263. Could you both confirm if you have signed the CLA? If you have not, please do so and we can proceed with the migration. If you have concerns with signing the CLA and you do not wish to, please lmk in that case as well, we have a process of documenting exceptions, but please note that this will prohibit you from making contributions once the repo is migrated.
- Let's also merge the migrate-k8s-org branch into main pre-migration.
@MadhavJivrajani thank you for the info, I have signed the CLA. please do let me know if anything else is required
@MadhavJivrajani It looks like I've already signed the CLA before. Please let me know if I'm missing something. https://github.com/kubernetes-sigs/contributor-playground/pull/1251
@MadhavJivrajani Also, I have several questions regarding membership requirements.
- [x] Enabled two-factor authentication on their GitHub account
- [ ] Ensure GitHub username, company affiliation and email in CNCF gitdm are up to date. If you are not affiliated with a company please mark yourself as "Independent".
- I marked myself as "Independent". Should I still do something?
- [x] Ensure affiliation is up to date in [openprofile.dev].
- [x] Have made multiple contributions to the project or community, enough to demonstrate an ongoing and long-term commitment to the project. Contributions should include, but is not limited to:
- [x] Subscribed to [email protected]
- [x] Have read the contributor guide
- [x] Actively contributing to 1 or more subprojects.
- [ ] Sponsored by 2 reviewers. Note the following requirements for sponsors:
- [ ] Open an issue against the kubernetes/org repo
- Should I open it myself?
- [ ] Have your sponsoring reviewers reply confirmation of sponsorship: +1
- [ ] Once your sponsors have responded, your request will be reviewed by the Kubernetes GitHub Admin team, in accordance with their SLO. Any missing information will be requested.
@knqyf263
I marked myself as "Independent". Should I still do something?
That should be okay 👍🏼
Should I open it myself?
Yes! If you go here: https://github.com/kubernetes/org/issues/new/choose and select "Org Membership Request", you should have the required template to fill out.
@MadhavJivrajani which users should we put under I have two sponsors that meet the sponsor requirements listed in the community membership guidelines ?
You can put my name as one of the sponsors
@MadhavJivrajani Can we put your name? Or should we look for someone else?
@reylejano has offered to be second sponsor
@PushkarJ @reylejano Thanks for sponsoring. I've opened an issue. https://github.com/kubernetes/org/issues/5031
@PushkarJ @reylejano also want to thank you for the sponsorship. here is my request #5032
Hey @PushkarJ, can you please take a look at the remaining items here: https://github.com/kubernetes/org/issues/4873#issuecomment-2172345942?
Let's also merge the migrate-k8s-org branch into main pre-migration.
@MadhavJivrajani This is probably not possible. Is it okay to keep the code in the same branch and then migrate that branch as main branch in the new repo? Let me know if anything else is missing. I read the whole comment twice to check if anything else is missing.
@PushkarJ / @itaysk a couple of items for the first step of migration:
- I will need to invite an admin of the https://github.com/aquasecurity/vuln-list-k8s repo to one of our temporary orgs through which we can migrate the repository, please lmk whom I can invite for that.
@PushkarJ @MadhavJivrajani please put me as admin
@MadhavJivrajani please let us know if anything else is pending. I summarized all the steps below.
Hopefully we covered all the tasks and thank you again for being so descriptive in what was needed to make progress on this!
I will need to invite an admin of the https://github.com/aquasecurity/vuln-list-k8s repo to one of our temporary orgs through which we can migrate the repository, please lmk whom I can invite for that. We have the following folks listed with admin and write privileges, but they are not part of the kubernetes-sigs GitHub org: @chen-keinan @knqyf263 @ericsmalling They will need to apply for membership before they can be given admin access to the migrated repo: https://github.com/kubernetes/community/blob/master/community-membership.md#requirements
@ericsmalling since you're already part of the Kubernetes org, I can PR you in to the kubernetes-sigs org, you do not need to apply for membership anew. 🙂
However, this should be non-blocking for the migration itself, they can always be added in as and when the org membership requirements are met.
All are members of k8s Org now as per https://github.com/kubernetes/org/issues/5031 and https://github.com/kubernetes/org/issues/5032 and https://github.com/kubernetes/org/pull/5026
Couple more things:
[Blocking] We need to ensure that all existing committers to the code of vuln-list-k8s have signed the CLA: https://github.com/kubernetes/community/tree/master/contributors/guide#sign-the-cla This is especially true for folks that will be given admin/write access. This means, for the migrate-k8s-org branch, we have 2 non-bot users who have committed to this branch: @chen-keinan and @knqyf263. Could you both confirm if you have signed the CLA? If you have not, please do so and we can proceed with the migration. If you have concerns with signing the CLA and you do not wish to, please lmk in that case as well, we have a process of documenting exceptions, but please note that this will prohibit you from making contributions once the repo is migrated.
CLA is signed by both https://github.com/kubernetes/org/issues/4873#issuecomment-2172376259 and https://github.com/kubernetes/org/issues/4873#issuecomment-2172487871
Let's also merge the migrate-k8s-org branch into main pre-migration.
If the code to be migrated has to be on "main" branch then @itaysk suggested that he would be open to creating a temporary fork of the source repo where the fork's main branch is == migrate-k8s-org branch in terms of commit history. Let us know if you would prefer that and we can make it happen!
@PushkarJ thanks for the rundown. Here's what I'm thinking I can do:
I can create a blank repository and then push the relevant branch from https://github.com/aquasecurity/vuln-list-k8s to main.
I can do it in my AM tomorrow.
The repo is live here: https://github.com/kubernetes-sigs/cve-feed-osv/ 🎉
After these 2 PRs merge, we can close this out:
- https://github.com/kubernetes/org/pull/5049
- https://github.com/kubernetes/community/pull/7966
/close
This is done now, thanks folks!
@MadhavJivrajani: Closing this issue.