Dragonfly Graduation Application

Project Repo(s): https://github.com/dragonflyoss/dragonfly and other repos under https://github.com/dragonflyoss.

Project Site: https://d7y.io/

Sub-Projects: Dragonfly does not have formally defined "subprojects", but all repositories under the dragonflyoss adhere to the well defined governance.

Communication:

Slack: Chat with us on the #dragonfly channel in the CNCF Slack.
Mailing Lists:
- Developers: [email protected]
- Maintainers: [email protected]
Twitter: Follow us at @dragonfly_oss.
DingTalk: 22880028764

Project points of contacts:

Maintainers Mailing List: [email protected]
#dragonfly channel on CNCF Slack

Graduation Criteria Summary for Dragonfly

Adoption Assertion

The project has been adopted by the following organizations in a testing and integration or production capacity:

Dragonfly, an open source P2P-based file distribution and image acceleration systemt, has been adopted by many prominent organizations to enhance their file and image distribution capabilities. Public adopters listed in the Dragonfly repository’s ADOPTERS.md file include major cloud and technology providers.

Criteria

Below we address the graduation criteria with detailed updates and supplements as requested.

Application Process Principles

Suggested

N/A

Required

[x] Give a presentation and engage with the domain specific TAG(s) to increase awareness
- [x] Tag Runtime: Dragonfly presentation (Graduation).

[x] TAG provides insight/recommendation of the project in the context of the landscape

[x] All project metadata and resources are vendor-neutral.

Dragonfly operates according to well defined vendor-neutral governance in https://github.com/dragonflyoss/community/blob/master/GOVERNANCE.md, and all project communication, messaging, and collaboration is vendor-neutral.

[x] Review and acknowledgement of expectations for graduated projects and requirements for moving forward through the CNCF Maturity levels.

The Dragonfly project has reviewed and understands the expectations outlined in the Cloud Native Computing Foundation (CNCF) process README and graduation criteria. As an Incubating Level Project within the CNCF, Dragonfly continues to progress through the maturity levels.

Sandbox: https://github.com/cncf/toc/pull/162
Incubating: https://github.com/cncf/toc/pull/276
Graduation:
- [x] Met during Project's application on 31-Aug-2023 (in our initial PR #1161 )

Completion of this due diligence document, resolution of concerns raised, and presented for public comment satisifies the Due Diligence Review criteria.

[x] Additional documentation as appropriate for project type, e.g.: installation documentation, end user documentation, reference implementation and/or code samples.

Project documentation can be found in https://d7y.io/docs/next/. Contributor documentation for the project can be found in https://github.com/dragonflyoss/community/blob/master/CONTRIBUTING.md.

Governance and Maintainers

Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.

Suggested

[x] Governance has continuously been iterated upon by the project as a result of their experience applying it, with the governance history demonstrating evolution of maturity alongside the project's maturity evolution.

Dragonfly joined the CNCF as a sandbox project in October 2018 and became an incubating project in April 2020. In January 2020, Nydus became a sub-project of Dragonfly and was widely used for image acceleration. In April 2021, the Dragonfly v2.0 was released after architectural optimization and code refactoring. Dragonfly has 12 maintainers (committers). The public list of Dragonfly adopters is in the ADOPTERS.md. We've looked to expand our governance.

Decision-Making Process: Decisions are made through consensus among maintainers during regular community meetings or via mailing list discussions. Major decisions (e.g., roadmap changes, new maintainers) require a majority vote among maintainers and are documented in GOVERNANCE.md. Community input is encouraged through GitHub issues and public meetings before final decisions are made.

Maintainer Role Division: Maintainers share responsibilities across all project areas but often focus on specific sub-projects or components based on expertise (e.g., Nydus for image acceleration, console for UI). Specific roles include code review, release management, and community engagement. Detailed responsibilities and current maintainers are listed in MAINTAINERS.md.

2018: Initial governance model established with a small group of core maintainers from Alibaba and Ant Group focusing on basic contribution and review processes.
2020: Post-incubation, governance updated to include more maintainers from diverse organizations (e.g., ByteDance, Intel) and formalized sub-project leadership for Nydus.
2021-2023: Introduced detailed contributor ladders and emeritus status for maintainers, alongside public documentation of decision-making processes to ensure transparency.

Required

[x] Clear and discoverable project governance documentation.

The Dragonfly project maintains clear and discoverable project governance documentation, as outlined in its GOVERNANCE.md. This document details the project's governance structure, including roles, responsibilities, and decision-making processes. It provides transparent guidelines for community participation, contributor promotions, and maintainer responsibilities, ensuring an open and inclusive process.

[x] Governance is up to date with actual project activities, including any meetings, elections, leadership, or approval processes.

All meetings within the Dragonfly community and ecosystem are tracked in the community calendar. This calendar as well as other ways to get involved are highlighted prominently in the project's main README.

The election process is outlined at https://github.com/dragonflyoss/community/blob/master/COMMUNITY_MEMBERSHIP.md#election-process.

Reference link for the community's latest Maintainer voting election: https://github.com/dragonflyoss/community/issues/62

[x] Governance clearly documents vendor-neutrality of project direction.

Most of our decisions today are made by maintainers who're actively involved in the project, and we've set out a clear path for people to become maintainers. We have maintainers spread across several companies and we'd gladly accept more.

The "Maximum Representation" section of the governance policy enforces vendor neutrality in project leadership and elections.

[x] Document how the project makes decisions on leadership roles, contribution acceptance, requests to the CNCF, and changes to governance or project goals.

Project leadership makes decisions is defined in https://github.com/dragonflyoss/community/blob/master/COMMUNITY_MEMBERSHIP.md#how-we-make-decisions.

Contribution acceptance is augmented by the contributing guide with https://github.com/dragonflyoss/community/blob/master/CONTRIBUTING.md#contributing-code-and-docs.

[x] Document how role, function-based members, or sub-teams are assigned, onboarded, and removed for specific teams (example: Security Response Committee).

The membership ladder describes our basic roles and functions.

[x] Document complete list of current maintainers, including names, contact information, domain of responsibility, and affiliation.

All maintainers share all domains of responsbility currently, refer to maintainers.

[x] A number of active maintainers which is appropriate to the size and scope of the project.

In the past year we had 234 active contributors from 55 different organizations.

[x] Document a complete maintainer lifecycle process (including roles, onboarding, offboarding, and emeritus status).

Repository maintainers are added by: https://github.com/dragonflyoss/community/blob/master/COMMUNITY_MEMBERSHIP.md#adding-new-maintainers

Repository maintainers are removed by: https://github.com/dragonflyoss/community/blob/master/COMMUNITY_MEMBERSHIP.md#removing-inactive-maintainers

[x] Demonstrate usage of the maintainer lifecycle with outcomes, either through the addition or replacement of maintainers as project events have required.

The OWNERS.md files in the Dragonfly project repository should reflect the maintainer roles defined in the governance document.

Reference link for the community's latest Maintainer voting election: https://github.com/dragonflyoss/community/issues/62

[x] Project maintainers from at least 2 organizations that demonstrates survivability.

There are 12 maintainers from 7 different companies.

[x] Code and Doc ownership in Github and elsewhere matches documented governance roles.

This is documented in the governance process for maintainers. GitHub Teams for Maintainers and Approvers are managed for each repo.

[x] Document agreement that project will adopt CNCF Code of Conduct.

We operate under the CNCF CoC.

[x] CNCF Code of Conduct is cross-linked from other governance documents.

The CNCF Code of Conduct is linked from the root of the core Dragonfly repository: https://github.com/dragonflyoss/dragonfly/blob/main/CODE_OF_CONDUCT.md

[x] All subprojects, if any, are listed.

Dragonfly does not have formally defined "subprojects", but all repositories under the dragonflyoss adhere to the well defined governance.

[x] If the project has subprojects: subproject leadership, contribution, maturity status documented, including add/remove process.

Contributors and Community

Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.

Suggested

[x] Contributor ladder with multiple roles for contributors.

Documented in https://github.com/dragonflyoss/community/blob/master/COMMUNITY_LADDER.md

Required

[x] Clearly defined and discoverable process to submit issues or changes.

Reporting General Issues: https://github.com/dragonflyoss/community/blob/master/CONTRIBUTING.md#reporting-general-issues

Reporting Security Issues: https://github.com/dragonflyoss/community/blob/master/CONTRIBUTING.md#reporting-security-issues

Contributing Code and Docs: https://github.com/dragonflyoss/community/blob/master/CONTRIBUTING.md#contributing-code-and-docs

[x] Project must have, and document, at least one public communications channel for users and/or contributors.

All communication channels are listed in the community project README: https://github.com/dragonflyoss/community/blob/master/README.md#community.

[x] List and document all project communication channels, including subprojects (mail list/slack/etc.). List any non-public communications channels and what their special purpose is.

All communication channels are listed in the community project README: https://github.com/dragonflyoss/community/blob/master/README.md#community.

[x] Up-to-date public meeting schedulers and/or integration with CNCF calendar.

All meetings within the Dragonfly community and ecosystem are tracked in the community calendar.

[x] Documentation of how to contribute, with increasing detail as the project matures.

The Contributing guide describes the process of how to contribute to the project, what the maintainers are expecting, and guidance for how to make a successful contribution.

[x] Demonstrate contributor activity and recruitment.

Contributor Data and Growth Trend:

As of mid-2025, Dragonfly has over 200 unique contributors on GitHub, with a steady growth of 15-20 new contributors per quarter over the past two years.
Contribution stats are publicly tracked via GitHub insights and shared during community meetings.

Incentive Mechanism:

Recognition of top contributors in release notes and community blogs, refer to https://github.com/dragonflyoss/dragonfly/releases/tag/v2.1.0.
Opportunities for active contributors to be nominated as maintainers, detailed in GOVERNANCE.md.

Engineering Principles

[x] Document project goals and objectives that illustrate the project’s differentiation in the Cloud Native landscape as well as outlines how this project fulfills an outstanding need and/or solves a problem differently.

Provider efficient, stable, and secure file distribution and image acceleration using P2P technology, aiming to become the best practice and standard solution for cloud-native architectures.

Landing Page in d7y.io:

[x] Document what the project does, and why it does it - including viable cloud native use cases.

The documentation lays out a general overview of the purpose and goals of the project, along with details about usage.

[x] Document and maintain a public roadmap or other forward looking planning document or tracking mechanism.

The public roadmap can be found at https://github.com/dragonflyoss/community/blob/master/ROADMAP.md.

[x] Roadmap change process is documented.

The expectations and process for updating the public roadmap over time is outlined in https://github.com/dragonflyoss/community/blob/master/ROADMAP.md.

[x] Document overview of project architecture and software design that demonstrates viable cloud native use cases, as part of the project's documentation.

Architecture: https://d7y.io/docs/next/#architecture, https://d7y.io/docs/next/operations/deployment/architecture/

Components introduction: https://d7y.io/docs/next/operations/deployment/applications/manager/, https://d7y.io/docs/next/operations/deployment/applications/scheduler/, https://d7y.io/docs/next/operations/deployment/applications/client/.

Quick Start(Kubernetes): https://d7y.io/docs/next/getting-started/quick-start/kubernetes/

Integrations: https://d7y.io/docs/next/operations/integrations/container-runtime/containerd/, https://d7y.io/docs/next/operations/integrations/container-runtime/cri-o/, https://d7y.io/docs/next/operations/integrations/harbor/ and etc.

[x] Document the project's release process and guidelines publicly in a RELEASES.md or equivalent file that defines:
- [x] Release expectations (scheduled or based on feature implementation)
- [x] Tagging as stable, unstable, and security related releases
- [x] Information on branch and tag strategies
- [x] Branch and platform support and length of support
- [x] Artifacts included in the release.
- Additional information on topics such as LTS and edge releases are optional. Release expectations are a social contract between the project and its end users and hence changes to these should be well thought out, discussed, socialized and as necessary agreed upon by project leadership before getting rolled out.

The release process is described here.

[x] History of regular, quality releases.
Dragonfly publishes releases in https://github.com/dragonflyoss/dragonfly/releases. We also announce releases on Dragonfly offical blog, refer to https://d7y.io/blog/
Dragonfly follows a release process as described in the Release Lifecycle.

Security

Note: this section may be augemented by a joint-assessment performed by TAG Security.

Suggested

[ ] Achieving OpenSSF Best Practices silver or gold badge.

We'll look into this down the road but it's not an immediate priority for us.

Required

[x] Clearly defined and discoverable process to report security issues.

The Dragonfly project's security policy is clearly documented at https://github.com/dragonflyoss/community/blob/master/SECURITY.md.

[x] Enforcing Access Control Rules to secure the code base against attacks (Example: two factor authentication enforcement, and/or use of ACL tools.)

The dragonflyoss organization has enabled the GitHub setting for "Require two-factor authentication for everyone in the dragonflyoss organization."

[x] Document assignment of security response roles and how reports are handled.

The response process for security vulnerability disclosure reports is outlined in detail in https://github.com/dragonflyoss/community/blob/master/SECURITY.md.

[x] Document Security Self-Assessment.

Documented in Security Self-Assessment. We intend to merge the PR to TAG Security repository, refer to https://github.com/cncf/tag-security/blob/main/community/assessments/projects/dragonfly/self-assessment.md.

[x] Third Party Security Review.
- [x] Moderate and low findings from the Third Party Security Review are planned/tracked for resolution as well as overall thematic findings, such as: improving project contribution guide providing a PR review guide to look for memory leaks and other vulnerabilities the project may be susceptible to by design or language choice ensuring adequate test coverage on all PRs.

A third party security audit was performed by Trail of Bits, you can see the full report here.

[x] Achieve the Open Source Security Foundation (OpenSSF) Best Practices passing badge.
OpenSSF Best Practices passing badge can be found at https://www.bestpractices.dev/en/projects/10432. This badge is displayed prominently on the main project README.
OpenSSF Scorecard report can be found at https://scorecard.dev/viewer/?uri=github.com/dragonflyoss/dragonfly. This badge is displayed prominently on the main project README.

Ecosystem

Suggested

N/A

Required

[x] Publicly documented list of adopters, which may indicate their adoption level (dev/trialing, prod, etc.)

This list shows non-exhaustive adopters of dragonfly.

[x] Used in appropriate capacity by at least 3 independent + indirect/direct adopters, (these are not required to be in the publicly documented list of adopters)

The project provided the TOC with a list of adopters for verification of use of the project at the level expected, i.e. production use for graduation, dev/test for incubation.

[ ] TOC verification of adopters.

Refer to the Adoption portion of this document.

[x] Clearly documented integrations and/or compatibility with other CNCF projects as well as non-CNCF projects.

Dragonfly integrates with many CNCF projects:

Kubernetes as a hosting platform with the Dragonfly.
Harbor preheats image and oci artifacts by Dragonfly.
containerd distributes image by Dragonfly.
cri-o distributes image by Dragonfly.
Prometheus to collect metrics.
Open Telemetry to generate, collect, and export telemetry data.
ArtifactHub indexes all versions of Dragonfly's main Helm chart for installation.
gRPC for high-performance remote procedure calls (RPC).
Helm used to deploy Dragonfly to Kubernetes.
ModelPack distributes model artifacts by Dragonfly.