[SANDBOX ONBOARDING] KusionStack

Open mrbobbytables opened this issue 1 year ago • 53 comments

Welcome to CNCF Project Onboarding

ref: https://github.com/cncf/sandbox/issues/83

This is an issue created to help onboard your project into the CNCF after the TOC has voted to accept your project.

We would like your project to complete onboarding within one month of acceptance.

Please track your progress by using "Quote reply" to create your own copy of this checklist in an issue, so that you can update the status as you finish items.

Review and understand

Contribute and transfer

Update and document

  • [x] Ensure that DCO (preferred) or CLA are enabled for all GitHub repositories of the project.
  • [x] Ensure that the CNCF Code of Conduct (or your adopted version of it) is explicitly referenced at the project's README on GitHub.
  • [x] Ensure LF footer is on your website and guidelines are followed (if your project doesn't have a dedicated website, please adopt those guidelines for the README file).
  • [x] Create a maintainer list and add it to the aggregated CNCF maintainer list via pull request.
  • [x] Provide emails for the maintainers to get access to the maintainers mailing list and Service Desk. Email them to [email protected].
  • [x] Start working on written, open governance.
  • [x] Start on an OpenSSF Best Practices Badge.

CNCF staff tasks

  • [x] Add the project to DevStats.
  • [x] Add the project to CLOmonitor.
  • [ ] Add the project to LFX Insights. This is done by adding a read-only app to your GitHub organization once it's in CNCF GHE.
  • [ ] Add the project to LFX Project Control Center.
  • [x] Add a license scanning tool, like FOSSA or Snyk.
  • [ ] Invite developers to the #maintainers-circle Slack channel.
  • [ ] Send a welcome email to confirm maintainer list access.

mrbobbytables avatar Sep 27 '24 20:09 mrbobbytables

@Cmierly this should be good to go to begin onboarding :)

@SparkYuan tagging you here as an FYI, please tag any others from the project who should follow this issue.

mrbobbytables avatar Sep 27 '24 20:09 mrbobbytables

Thanks @mrbobbytables! We will follow up on the items in this issue.

ffforest avatar Sep 28 '24 02:09 ffforest

I am working on the following items:

  • [ ] Move your project to its own separate neutral GitHub organization. This will make it transferable to the CNCF's GitHub Enterprise account. If it's already in a GHE account, you will need to remove it from that first.

Question about this one: Does "neutral" here represent "not in a GHE account currently"? We are planning to transfer all repositories currently under the KusionStack organization. I take it as we don't need to create a new org for that?

There are 3 private repos and 2 public-archived repos at the moment. Can they be transferred while staying private/archived, or do we need to get rid of them first?

We are also cleaning up the outdated repos and then everything else should be good to transfer.

These can be expected by the end of the week:

  • [ ] Ensure that DCO (preferred) or CLA are enabled for all GitHub repositories of the project.
  • [ ] Ensure that the CNCF Code of Conduct (or your adopted version of it) is explicitly referenced at the project's README on GitHub.
  • [ ] Ensure LF footer is on your website and guidelines are followed (if your project doesn't have a dedicated website, please adopt those guidelines for the README file).
  • [ ] Create a maintainer list and add it to the aggregated CNCF maintainer list via pull request.
  • [ ] Provide emails for the maintainers to get access to the maintainers mailing list and Service Desk. Email them to [email protected].
  • [ ] Start working on written, open governance.
  • [ ] Start on an OpenSSF Best Practices Badge.

These two might take a bit longer:

Could you please also tag the CNCF staff that can help with the following?

cc @mrbobbytables @Cmierly @idvoretskyi @krook @jeefy

ffforest avatar Oct 09 '24 10:10 ffforest

This artwork PR is ready for review. Since our logo is basically just words, I'm using Helm as a reference, which uses the same set of images for horizontal, stacked and logo.

[ ] Submit a pull request with your artwork.

ffforest avatar Oct 09 '24 10:10 ffforest

We are planning to transfer all repositories currently under the KusionStack organization. I take it as we don't need to create a new org for that?

Correct. 👍 If the entire org is going to be donated you don't have to worry about moving it to a separate one.

As a followup we can update the wording in the template to make that a bit more clear.

mrbobbytables avatar Oct 09 '24 10:10 mrbobbytables

@ffforest with the Slack migration either myself or @RobertKielty are happy to assist!

The same with:

Add a license scanning tool, like FOSSA or Snyk.

idvoretskyi avatar Oct 09 '24 10:10 idvoretskyi

Migrate your Slack channels (if any) to the Kubernetes or CNCF Slack workspace.

myself, @krook or @jeefy can help here. How many channels do you have? If it's a small number the easiest method might be to manually recreate them in cncf or kubernetes slack.

mrbobbytables avatar Oct 09 '24 10:10 mrbobbytables

Hi @ffforest, for FOSSA and/or Snyk we will need one or more email addresses to invite you to join the CNCF service instances that are provided to CNCF Projects.

You send us the email addresses by emailing them to [email protected]

For FOSSA and Snyk - The email addresses you send us need to be associated with GitHub user accounts that have access to the code repos that will be scanned.

RobertKielty avatar Oct 09 '24 11:10 RobertKielty

@ffforest, I have made a KusionStack Team on CNCF FOSSA and a KusionStack Organization on CNCF Snyk for the project.

@Cmierlym, I've added KusionStack to our internal records.

RobertKielty avatar Oct 09 '24 11:10 RobertKielty

We are planning to transfer all repositories currently under the KusionStack organization. I take it as we don't need to create a new org for that?

Correct. 👍 If the entire org is going to be donated you don't have to worry about moving it to a separate one.

As a followup we can update the wording in the template to make that a bit more clear.

Thanks @mrbobbytables! For the private repos, can they be donated as-is, or do we have to make them public first?

ffforest avatar Oct 10 '24 02:10 ffforest

Migrate your Slack channels (if any) to the Kubernetes or CNCF Slack workspace.

myself, @krook or @jeefy can help here. How many channels do you have? If it's a small number the easiest method might be to manually recreate them in cncf or kubernetes slack.

We have 2 channels with about 70 people in them. What would you recommend? Create a new one and redirect people to it from the existing one?

ffforest avatar Oct 10 '24 02:10 ffforest

as-is is fine - a good chunk of projects use private repos for things like security patch testing before pushing to public etc

mrbobbytables avatar Oct 10 '24 02:10 mrbobbytables

Hi @ffforest, for FOSSA and/or Snyk we will need one or more email addresses to invite you to join the CNCF service instances that are provided to CNCF Projects.

You send us the email addresses by emailing them to [email protected]

For FOSSA and Snyk - The email addresses you send us need to be associated with GitHub user accounts that have access to the code repos that will be scanned.

Thanks @RobertKielty! I have just sent the email over. Is there anything else you need on the FOSSA/Snyk front?

ffforest avatar Oct 10 '24 03:10 ffforest

For FOSSA and Snyk - The email addresses you send us need to be associated with GitHub user accounts that have access to the code repos that will be scanned.

Thanks @RobertKielty! I have just sent the email over. Is there anything else you need on the FOSSA/Snyk front?

That's perfect thank you. I have received the emails you have sent over. cc @Cmierly

Next step would be to state a preference for the project to use either FOSSA or Snyk.

RobertKielty avatar Oct 10 '24 14:10 RobertKielty

We have 2 channels with about 70 people in them. What would you recommend? Create a new one and redirect people to it from the existing one?

For that amount of users, I'd probably lean towards import. @RobertKielty @idvoretskyi would either of you be able to help?

mrbobbytables avatar Oct 10 '24 19:10 mrbobbytables

For FOSSA and Snyk - The email addresses you send us need to be associated with GitHub user accounts that have access to the code repos that will be scanned.

Thanks @RobertKielty! I have just sent the email over. Is there anything else you need on the FOSSA/Snyk front?

That's perfect thank you. I have received the emails you have sent over. cc @Cmierly

Next step would be to state a preference for the project to use either FOSSA or Snyk.

Absolutely. FOSSA would do. Appreciate the help!

ffforest avatar Oct 11 '24 03:10 ffforest

@ffforest thank you!

I have emailed out FOSSA invites to the maintainer team: @SparkYuan @liu-hm19 @zuomo @wu8685 @elliotxx @Eikykun @adohe @ruquanzhao @Yangyang96 @ColdsteelRail @shaofan-hs

Please note the following:

  1. For registration with the CNCF FOSSA Organization, the email addresses we use to invite the team members MUST NOT be associated with any other FOSSA Organization.
  2. Once an invite is accepted I need to manually add the first team member to the Team in FOSSA. We grant Team Members the role of FOSSA Team Admin. Remaining members who successfully accept their invitations to join CNCF FOSSA can be added to the new Team by the first KusionStack Team Admin or a CNCF Organization Admin.
  3. The email addresses MUST be associated with GitHub user accounts that have read/write access to the code repos that will be imported for license scanning.

For the initial license scans of the code repos we only need one maintainer to successfully register and import the repos so that we can see reports on the 3rd party licenses used in the project code repos.

Feel free to have one of the maintainers reach out to me on CNCF Slack if support is required on getting set up.

If there is work to be done to bring the code repos into compliance with the 3rd Party License policy then we can focus on getting all of the maintainers on-boarded onto FOSSA.

I have sent out all of the invites (one of the maintainers' email addresses already had a FOSSA a/c associated with it). I will let you know who that was in my next comment.

RobertKielty avatar Oct 11 '24 08:10 RobertKielty

Hi @SparkYuan,

The email address that @ffforest passed on to us for you was already registered on FOSSA.

From a KusionStack on-boarding point of view, this is fine; as long as one of the other maintainers accepts their invite and imports the project's code repos into FOSSA then that will do for now.

If however you want to register with CNCF FOSSA now there are two options to choose from:

either

  • we can ask FOSSA Support to transfer your existing FOSSA Account over to the CNCF FOSSA Organization, or
  • if you want to keep your existing FOSSA setup you can send me an alternative email address to use for CNCF FOSSA

Typically, we use the FOSSA support transfer option for accounts where a maintainer just used their email address to set up FOSSA for learning purposes and is happy to delete that account, and we use an alternate address for people who are already using FOSSA for work and need to keep using their existing FOSSA setup.

RobertKielty avatar Oct 11 '24 09:10 RobertKielty

Quick update:

Review and understand

Contribute and transfer

Update and document

  • [x] Ensure that DCO (preferred) or CLA are enabled for all GitHub repositories of the project.
  • [x] Ensure that the CNCF Code of Conduct (or your adopted version of it) is explicitly referenced at the project's README on GitHub.
  • [x] Ensure LF footer is on your website and guidelines are followed (if your project doesn't have a dedicated website, please adopt those guidelines for the README file).
  • [x] Create a maintainer list and add it to the aggregated CNCF maintainer list via pull request.
  • [x] Provide emails for the maintainers to get access to the maintainers mailing list and Service Desk. Email them to [email protected].
  • [x] Start working on written, open governance.
  • [ ] Start on an OpenSSF Best Practices Badge.

ffforest avatar Oct 11 '24 10:10 ffforest

@ffforest thank you!

I have emailed out FOSSA invites to the maintainer team: @SparkYuan @liu-hm19 @zuomo @wu8685 @elliotxx @Eikykun @adohe @ruquanzhao @Yangyang96 @ColdsteelRail @shaofan-hs

Please note the following:

  1. For registration with the CNCF FOSSA Organization, the email addresses we use to invite the team members MUST NOT be associated with any other FOSSA Organization.
  2. Once an invite is accepted I need to manually add the first team member to the Team in FOSSA. We grant Team Members the role of FOSSA Team Admin. Remaining members who successfully accept their invitations to join CNCF FOSSA can be added to the new Team by the first KusionStack Team Admin or a CNCF Organization Admin.
  3. The email addresses MUST be associated with GitHub user accounts that have read/write access to the code repos that will be imported for license scanning.

For the initial license scans of the code repos we only need one maintainer to successfully register and import the repos so that we can see reports on the 3rd party licenses used in the project code repos.

Feel free to have one of the maintainers reach out to me on CNCF Slack if support is required on getting set up.

If there is work to be done to bring the code repos into compliance with the 3rd Party License policy then we can focus on getting all of the maintainers on-boarded onto FOSSA.

I have sent out all of the invites (one of the maintainers' email addresses already had a FOSSA a/c associated with it). I will let you know who that was in my next comment.

Thank you @RobertKielty! I have just signed up and joined the CNCF FOSSA Org. My email is [email protected].

ffforest avatar Oct 11 '24 10:10 ffforest

@Eikykun Thank you for accepting the FOSSA invite!

I have added you to the KusionStack Team in CNCF FOSSA as a Team Admin.

As a Team Admin, when the rest of your colleagues accept their invites you will be able to add them to the Team on CNCF FOSSA. Be sure to also give your colleagues the Team Admin role so that they can self-serve on team administration tasks. For a description of the Team Admin Role within FOSSA see:

https://docs.fossa.com/docs/role-based-access-control#team-roles

The next step now is to import the KusionStack code repos into FOSSA.

You can follow the instructions to import a project's repos here:

https://docs.fossa.com/docs/getting-started#importing-a-project

Important Notes:

  1. Use the user account we have just set up for you
  2. Use the Team we have set up to import your code repos

If you need any support in getting a repo import completed, let me know, I am only 7hrs ahead of you. Typically, the import task takes a few minutes to set up and the first scans will start soon after setup is complete. From there, merging new Pull Requests will trigger scans on FOSSA.

RobertKielty avatar Oct 11 '24 11:10 RobertKielty

@RobertKielty thank you! 😺

@ffforest I have added you as a team admin. Thank you for taking care of the next steps.

Eikykun avatar Oct 11 '24 11:10 Eikykun

Update on 10/15:

Welcome to CNCF Project Onboarding

ref: #83

This is an issue created to help onboard your project into the CNCF after the TOC has voted to accept your project.

We would like your project to complete onboarding within one month of acceptance.

Please track your progress by using "Quote reply" to create your own copy of this checklist in an issue, so that you can update the status as you finish items.

Review and understand

Contribute and transfer

Update and document

  • [x] Ensure that DCO (preferred) or CLA are enabled for all GitHub repositories of the project.
  • [x] Ensure that the CNCF Code of Conduct (or your adopted version of it) is explicitly referenced at the project's README on GitHub.
  • [x] Ensure LF footer is on your website and guidelines are followed (if your project doesn't have a dedicated website, please adopt those guidelines for the README file).
  • [x] Create a maintainer list and add it to the aggregated CNCF maintainer list via pull request.
  • [x] Provide emails for the maintainers to get access to the maintainers mailing list and Service Desk. Email them to [email protected].
  • [x] Start working on written, open governance.
  • [x] Start on an OpenSSF Best Practices Badge.

CNCF staff tasks

  • [ ] Add the project to DevStats.
  • [ ] Add the project to CLOmonitor.
  • [ ] Add the project to LFX Insights. This is done by adding a read-only app to your GitHub organization once it's in CNCF GHE.
  • [ ] Add the project to LFX Project Control Center.
  • [x] Add a license scanning tool, like FOSSA or Snyk.
  • [ ] Invite developers to the #maintainers-circle Slack channel.
  • [ ] Send a welcome email to confirm maintainer list access.

ffforest avatar Oct 15 '24 09:10 ffforest

Items needing assistance from the CNCF:

Accept the invite to join the CNCF GitHub Enterprise account. We'll then add thelinuxfoundation as an organization owner to ensure neutral hosting of your project.

Could you please send the invite? The organization is KusionStack.

Transfer website analytics to [email protected]. CNCF staff can help.

We are using Google Analytics. Does this involve the transfer of a Google Analytics account?

Migrate your Slack channels (if any) to the Kubernetes or CNCF Slack workspace. CNCF staff can help.

I'm preparing the export file. Where should I send the file to?

  • Add the project to DevStats. @lukaszgryglicki
  • Add the project to CLOmonitor. @cynthia-sg
  • Add the project to LFX Insights. This is done by adding a read-only app to your GitHub organization once it's in CNCF GHE.
  • Add the project to LFX Project Control Center.
  • Invite developers to the #maintainers-circle Slack channel.
  • Send a welcome email to confirm maintainer list access.

Could you please let me know if you could help with these?

cc @caniszczyk @mrbobbytables @Cmierly @idvoretskyi @RobertKielty @jeefy @krook

ffforest avatar Oct 15 '24 10:10 ffforest

Could you please send the invite? The organization is KusionStack.

Invite sent!

I'm preparing the export file. Where should I send the file to?

Can you please submit a ServiceDesk ticket, we'll proceed from there.

idvoretskyi avatar Oct 15 '24 10:10 idvoretskyi

Can you please submit a ServiceDesk ticket, we'll proceed from there.

@idvoretskyi I'm assuming you mean https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1 but I'm not able to log in there. I did send an email (titled KusionStack Sandbox Onboarding - Maintainers Emails) to [email protected] last week but perhaps it wasn't processed yet.

I am able to submit a ticket via the LF service though, but there is no Slack-related service there.

ffforest avatar Oct 15 '24 12:10 ffforest

Regarding this one

Transfer any trademark and logo assets to the Linux Foundation.

The agreement also mentions the transfer of social media accounts and such. We have a KusionStack account for X and Medium. Are they expected to be transferred during onboarding? If so, how is that done (do we provide the username and password)? I'm assuming we are still in charge of producing content for each.

Procedure-wise, I understand that we are expected to send a signed copy to [email protected], after which we will receive a mutually signed copy back.

cc @mrbobbytables @RobertKielty @idvoretskyi

ffforest avatar Oct 15 '24 12:10 ffforest

@RobertKielty Regarding FOSSA license scan results:

What is the expected response for (and time window to address) the issues exposed in the license scan? I noticed some of them are common issues among CNCF projects (dual licenses in vendor projects, etc). Do we need to provide a detailed comment in FOSSA with an explanation for each of the issues (I've seen people do that for other projects but I don't have the permission to create a comment yet) and proceed to click ignore on the issue?

ffforest avatar Oct 15 '24 12:10 ffforest

@ffforest - on timelines for working through the reported license issues I think that is something the KusionStack project team should work on while the project is in the Sandbox.

For 3rd party dependencies that are dual licensed they must be wholly licensable under a permitted license as described in https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#approved-licenses-for-allowlist

For onboarding, getting repos scanned by FOSSA is the necessary task to complete. If you have contributors who can look at the reported issues now that is perfect.

~~One piece of feedback that I have is that the CNCF 3rd Party License policy is for code repositories belonging to a project that releases artifacts to end-users. So I think it is OK to not scan the .github repo or the website repos. I will run this by @jeefy @krook @mrbobbytables to confirm this.~~ EDIT: All of the repositories need to be scanned! I checked this with my colleagues on the CNCF Projects team after writing this last paragraph.

Also on that call I learned that documentation repos need to be licensed under the Creative Commons Attribution 4.0 International License as described in https://github.com/cncf/foundation/blob/main/charter.md#11-ip-policy

Thank you @jeefy and @mrbobbytables!

RobertKielty avatar Oct 15 '24 16:10 RobertKielty

EDIT: NM - thought of .github, not website - both need licenses.^^;;;

mrbobbytables avatar Oct 15 '24 16:10 mrbobbytables