Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add the OpenSSF labs process #421

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

marcelamelara
Copy link
Contributor

@marcelamelara marcelamelara commented Dec 11, 2024

This PR introduces the process for creating and managing pre-sandbox projects under a future OpenSSF-managed GitHub organization (name TBD). Ideally, all docs and templates related to this process would eventually be moved to a dedicated repo in that same GH org to separate it from the main TAC repo.

Resolves #264 .

@marcelamelara marcelamelara marked this pull request as ready for review December 11, 2024 01:29
@marcelamelara marcelamelara requested a review from a team as a code owner December 11, 2024 01:29
@marcelamelara marcelamelara added the Major Changes to Charter/Technical Strategy/TI Lifecycle process, new TI. Needs 7 approvals, 15d review. label Dec 11, 2024
Copy link
Contributor

@lehors lehors left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but I recommend not mixing the terms project and lab as much as possible. In practice this is often difficult but at least in our documentation we should try to keep the two concepts distinct.

process/labs-process.md Outdated Show resolved Hide resolved
process/labs-process.md Outdated Show resolved Hide resolved
process/labs-process.md Outdated Show resolved Hide resolved
process/labs-process.md Outdated Show resolved Hide resolved
process/labs-process.md Outdated Show resolved Hide resolved
process/labs-process.md Outdated Show resolved Hide resolved
process/labs-process.md Outdated Show resolved Hide resolved
process/templates/LAB_NAME_archived_stage.md Outdated Show resolved Hide resolved
process/labs-process.md Outdated Show resolved Hide resolved
@camaleon2016 camaleon2016 self-requested a review January 7, 2025 15:35
Copy link
Member

@camaleon2016 camaleon2016 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this, and I agree with Arnaud on the changes. My only worry is the debt in created and then archived or abandoned labs. We may consider a policy or procedure for how long we maintain an archived lab before it's deleted.

Copy link
Member

@steiza steiza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few minor questions and I think we need to decide what repo the labs proposals will live in - otherwise LGTM!

process/labs-process.md Outdated Show resolved Hide resolved
process/labs-process.md Outdated Show resolved Hide resolved

## New Lab Proposal Process

1. Fork the `<TBD>` repo.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is exactly the question - where should this content live? Since the TAC is the one reviewing the requests, maybe it makes sense to have this content in the TAC repo? And then the labs themselves will be part of an ossf-labs GitHub organization? Or will they be in the same ossf GitHub organization with something in their README that says they are a lab (e.g. pre-sandbox)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a bit torn between this content living in the TAC repo and in a dedicated ossf-labs/onboarding repo, which the TAC would have access to. I see a few tradeoffs.

The biggest advantage of keeping this content in the TAC repo, I think, is that the overhead in getting this set up would be quite low, we already have a process for managing new incoming PRs, everyone has the necessary permissions etc.

The advantage of having this content live in the dedicated ossf-labs repo is that it would be more clearly associated with the labs, we could set the content up as a website, and if the need for a separate labs review committee ever arose, we wouldn't have to worry about separation of duties since it would become a matter of updating the repo maintainers. But it does (currently) increase the burden on the TAC and staff to maintain another repo.

FWIW, Hyperledger Labs, for example, does use a separate repo for labs onboarding.

@lehors what are your thoughts on this, since you have more experience with creating a lab space?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would advise having a separate repo for labs. First because it more clearly separates the labs from the other TIs. Indeed, it will be an ongoing battle to keep the 2 concepts lab vs projects separated. Then, the TAC might eventually delegate this task to some other group - in Hyperleger we have a group of "Lab stewards" dealing with this. If it's a separate repo it will be easy to make the change of who's in charge. That's harder to do if it's part of the TAC repo.

but are not required to participate in ongoing work like contributing or
reviewing code in the lab.

### Transferring an existing repository
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would transferring existing repositories over to the labs org require a full license and IP review as for "full" projects coming into the OpenSSF? That could create a significant overhead and we may want to trade-off the intention of making labs a very accessible path into the OpenSSF space and putting the necessary guardrails in place.

Copy link
Contributor Author

@marcelamelara marcelamelara Jan 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think transferring an existing repo to the labs org should require a full license and IP review, as long as they have one of the expected licenses and DCO. The full license and IP review becomes part of the transition requirement to sandbox stage. I can clarify this in the text.

CC'ing @Naomi-Wash @riaankleinhans to confirm this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated the text with a note about this, please let me know what you think.

process/labs-process.md Outdated Show resolved Hide resolved
marcelamelara and others added 3 commits January 9, 2025 11:34
Signed-off-by: Marcela Melara <[email protected]>
Signed-off-by: Marcela Melara <[email protected]>
Co-authored-by: Arnaud J Le Hors <[email protected]>
Co-authored-by: Zach Steindler <[email protected]>
Signed-off-by: Marcela Melara <[email protected]>
Signed-off-by: Marcela Melara <[email protected]>
@marcelamelara
Copy link
Contributor Author

My only worry is the debt in created and then archived or abandoned labs. We may consider a policy or procedure for how long we maintain an archived lab before it's deleted.

@camaleon2016 Is your concern more about whether we'll run out of space for new labs, or more about the optics of having a lot of archived labs?

@camaleon2016
Copy link
Member

camaleon2016 commented Jan 9, 2025 via email

@marcelamelara
Copy link
Contributor Author

I think more about optics and who will bear the responsibility of maintaining account and record of issued labs and their disposition.

@camaleon2016 Gotcha. The current proposal has the TAC as the body responsible for reviewing new lab applications (much like we do with other TI lifecycle applications). Ideally, labs maintainers will either apply for sandbox status when they're ready, or submit an archival request to the TAC when deemed necessary. But the proposed process won't let labs go inactive for longer than 6 months, so the TAC would archive any repo that's been abandoned longer than that timeframe. Either way, the TAC would have the documentation for the approved and archived labs. Does this address your concerns?

Copy link
Contributor

@lehors lehors left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks.

Copy link
Contributor

@gkunz gkunz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thank you for putting this together.

Copy link
Contributor

@SecurityCRob SecurityCRob left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WOW! Excellent addition to our process docs!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Major Changes to Charter/Technical Strategy/TI Lifecycle process, new TI. Needs 7 approvals, 15d review.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Create an OpenSSF GitHub organization for pre-sandbox/prototype projects
8 participants