Hey there, hello Sorry we changed the host code recently and I'm Trying to find where it is. So just a moment because I want to record this Does anybody know where to find the host code in the Zoom admin interface? Is the host code is on the front screen? It's your isn't on your profile screen right on the front. It's not It's not no, you know, we had to set passwords so we changed everything. Oh wait wait there. We go fine Host code. Yeah, it's buried down in the settings. Oh, is it not? Did they move it? Okay, so now I can actually record Yay, there we go Okay Welcome everybody to CNCF I Contributor I well governance working group of the contributor strategy SIG Is there a regularly scheduled meeting and we are subject to the CNCF code of conduct minutes there have a Huge agenda today A couple of things was Pardon me, we had a governance discussion at the TOC meeting this morning, but I wanted to recap that particularly the sort of Three deliverables that came out of that because we'll be involved with that as a working group And then Just you know go over what we've got in progress In terms of people's work on PRs and the stuff that we already knew about If somebody does anybody have any other business for the day so Well actually the first question was I know Matt was at the TOC meeting this morning Dawn, Jaime Yeah, by the way, welcome Jaime. I don't think I've seen you at this meeting before Uh, no, uh, I'm actually from san idea. Uh, and I just rejoined like A few weeks ago actually so Okay, you need to everything. Okay. Well, welcome. Yeah Um, the uh, it's small and you can see it's currently me and Dawn and Matt uh this morning We have more people working on deliverables, but Okay, not necessarily everybody makes the meeting Yeah, yeah Should be here at 30 past. 
Yeah So to recap really quickly Um, the meeting started out with a discussion of Alexis's original sort of steering committee proposal Um, I that proposal was not adopted Um, but after a bunch of discussion what came out of the meeting instead Was the idea that we would mutate the Um and replace what's currently the multi organizational requirement for graduated projects And instead require potentially three things out of projects that are closer to what the CNCF really cares about Um One being um a sort of longevity sustainability plan for you know, How does this project continue? Um, I you know even in the face of potential commercial challenges Um You know that was sort of discussed by the TOC. Um, we'll obviously have to be involved in it um, I that seems likely to be a governance document, but um Not quite sure exactly what one of those would look like Yeah Um, second thing is requiring feedback on the roadmap from community and end users Um, and there was a discussion Of making a contributor ladder, um or analogous Um plan a requirement as well um Well, I didn't get as far as it's sort of getting general approval. I mean, I'll note that there wasn't actually a vote on any of these things um But people were pretty positive about the first two requirements People were generally positive about the third requirement. It's just that it didn't come up in the last five minutes in the meeting Did I to get is that a good summary, Matt? So the general idea was um Forgot who said Matt, were you the one who suggested this somebody suggested they pointed out that hey if requiring Multi organizational maintainers is kind of a proxy for these other issues that we care about Why not just require that projects do something directly about the other issues? 
um and Yeah, yeah Kind of what I said in the meeting was because there were a number of issues going around and there's really no one Right way to solve them to come up with some criteria that needs to be put in place um think about it as a pattern and then come up with two or more uh Implementations that people have done of each of those things And then maybe point to some examples of governance that are a full thing That look like what we want, you know, maybe one's a steering committee one something else So that way people can see What's really needed different patterns for solving it and learn an understanding of how it solves it Along with seeing an overall governance that does these things that that that was kind of my My shtick for this And I also want to point out here, um, and I know I said it over there the multi org maintainers There is one little nuance to this that I think is problematic towards the real end goal Um because the end goal is what if a vendor pulls out then what happens to projects, right? If it's being driven by a vendor, then how do you have that longevity of a vendor just pivoting away and leaving, right? 
Well, if you've got multi organization, uh Maintainers that doesn't necessarily solve it if you have one vendor and a bunch of their customers Because if that vendor pivots away the customers are going to pivot away the project's still in a lurch So it doesn't completely solve it if they're very closely related in that aspect Like you don't have any competitors in the vendor space there Yeah, the other thing it doesn't solve is the issue of um allowing Code for different implementations packaging etc in the project Right because if the multi organizations is one vendor and their customers Then if another vendor comes in and say hey, I want to add code to make this compatible with my product The existing governance structure doesn't in any way guarantee that that is going to be well received um so um the um yeah, so This is going to be interesting because You know SIG Contributor Strategy in general is probably going to be in charge of writing these the documentation for this um The um, yeah and a couple of these the require feedback and the longevity plan are interesting in that These are not things that we have good examples of In existing mature projects Um, at least I don't know of any Yeah, um, yeah You're absolutely right about that the um and so And the required feedback is a little bit easier To imagine I do know examples of this because we actually have in our internal maturity model for Red Hat We actually have stuff about having you know open forums for customer feedback etc for Red Hat projects that operate within Red Hat um So I think that's pretty easy to imagine like I don't know what canonical independent documentation of that But it's easy to imagine what would be in that document for the longevity plan is You know, hey imagine I'm Imagine I'm Kong and I'm writing this for the Kuma project And currently 90 of the code on Kong comes from Kong him on Kuma comes from Kong employees What do I put in this document? 
um the um yeah Oh, and one other thing just hit me. What about projects that don't have vendors and gRPC is going to be my example of this right, they are an incubating project that presumably someday will want to go for graduation and What do they look like because they're not something like Kubernetes or Prometheus that you're going to run with vendors What does this model look like for them? Yeah, that's a good question. Well, the thing is in a lot of ways. I mean effectively gRPC is more of a spec project And and eventually I'd like to actually see kind of different guidance for spec projects Because the nice thing about spec projects is once the spec reaches 1.0 The required maintenance on that spec drops a tremendous amount Compared to like a code project, right where the maintenance required for a code project After which is 1.0 only goes up Okay, then I'll pull out a slightly different project. Let's take Helm for example a package manager You see tons of people using it whether it's people using it directly to install things And there are people who distribute their stuff over it but Find me of and and there are people who build stuff on top of it, right? Like Weaveworks Flux or I'm now at Rancher and Rancher has Fleet that's that uses it Right, we use this stuff all over the place But find me a vendor that will just provide you Helm support And the same thing find me a vendor that'll find you Homebrew or apt or yum Or any of those supports for package managers in general you don't tend to find it And so there's an example that's kind of hard because it doesn't Fit the spec model and it doesn't fit the It doesn't fit like the Kubernetes Prometheus being offered by a vendor model either And I imagine there's more projects like that in the CNCF I haven't really thought about it, especially with the proliferation of new sandbox projects I guess but what's the problem? I mean like take Helm again. What's the problem with that in terms of sustainability? 
Because I mean like For as long as Red Hat customers even though we don't sell a Helm For as long as Red Hat customers are using Helm. I don't see us pulling our contributors off the project true Yeah And and that gets into what do you use as a definition for vendors around it? right because there's a vendor also direct support contract and maybe there's You know that that really will get into the question of vendorship. I think Yeah, I really don't like to focus on vendors. Um, I mean for me what I What I think is important in the discussion is um the discussion of contributors So so less of what vendor is going to eventually do something with this piece of software, but do we have Do we have contributors from a bunch of different companies contributing to it? because that that to me I think is Kind of the the core of the problem we're trying to solve it's less about the vendors taking it more about who's contributing Yeah, the but I mean the the problem came up and some of the discussion here right is that Even if we take a hypothetical project like for example Take Harbor is a good example of this, right? Um Harbor has a majority of VMware contributors. They have a bunch of contributors from other companies But there's a bunch of VMware people who Do things that no one else in the project knows how to do that are critical to getting a release out right um and the um So If like you're looking at worst-case scenario you're managing a scenario where for example VMware has a fight with the Linux Foundation and pulls all of their people out of Linux Foundation projects and starts running their own fork of Harbor then You know even though there are additional contributors Who don't work for VMware? I don't know that that really solves the sustainability problem Those additional contributors are not capable of carrying the project Yeah, I think that's a really good point. 
I mean, that's something that You know, we've seen in the Kubernetes project as well, you know where You know, it's Google employees that hold the keys to to certain things and we've Backed out of that a bit, but it's easier in Kubernetes. It's harder with a project like Harbor where so much of it is You know as our employees at VMware Yeah, and the thing is it doesn't even have to be a permissions thing, right? It can just be a knowledge thing Right. Like in Kubernetes. Nobody is preventing Other people from getting involved with Kubernetes performance But the simple truth is 90 of Kubernetes performance is wojakten Blanking on our second performance lead But 90 of it is those two people And and if we lose those two people then Kubernetes is going to go through an extremely delayed release while we try to figure out why the performance tests are broken The um So a lot of this comes down to the trouble of what does a sustainability plan look like in the reality of who contributes what to projects Well, if this was easy, we would have solved it already, right? Yeah So that's gonna be challenging and I think we're gonna have to go back and forth to the TOC because I think it was sort of easy to say that we should have this but Trying to figure out what one looks like I think it's going to be a long I'm more sanguine about pushing for requiring a contributor ladder Because that's something I would have liked in the first place Right. I mean honestly think by the time a project gets to graduated. They should have You know some form of contributor ladder And and in a lot of cases. 
I think that's more important than um counting noses on the I on the maintainers group Yeah, absolutely So So this is the second thing is requiring feedback I mean obviously for you know part of the discussion this morning was around steering committees Obviously for a project that decides to adopt A steering committee model There's an obvious way to manage feedback But what about for other projects? So here I'll tell you something as a project here I've been going around trying to get more feedback from people. I've done things like email the cncf and users list I've offered up end users who want to come sit down and have time And it actually turns out for a lot of projects pulling that end user support and or that end user feedback Isn't always an easy thing To capture right On the helm project we found that when we're face to face at a conference We can usually grab somebody at a company who's a user and sit down with them That's a pretty easy thing to do But in this virtual space saying hey, can I get a half an hour of your time or who wants to talk about it? Who wants to give feedback? It turns out it's not such an easy thing to go collect that feedback and just Sit down with somebody and talk with them and so What may be obvious for some or the inroads they have in their project Isn't obvious for others and they don't have the the setup or even people willing to give them that feedback on another project Yeah the um Yeah, and I think end users in general are kind of hard to engage with for a lot of projects because they're not They're not intimately involved in the project. You don't know who to talk to at the end user You may know that a certain company is using it, but That's a great company. Who do I start with? 
I'd actually like to you know hear because The TOC was kind of vague about whether they want to use the term end user community And I'd rather kind of focus, you know and try to steer them towards making the requirement community feedback because You know, for example, there's going to be a whole set of the community who are not end users, but Still should have input in the process You know minor contributors um developers You know people who develop Stuff on top of the platform who aren't necessarily end users Um, I mean actually for a bunch of our cncf technologies They're already trying to redefine end users because of your technology is basically developer tool the developers are your end users Even if they happen to work for vendor companies um so You know and you know for that matter you can get a lot of feedback from from those people like for example um If part of your community consists of independent consultants then Those consultants can often tell you a lot about what the actual end users are doing Because they are intimately involved with it even if you can't reach those end users directly Yeah, I absolutely agree that the focus I would like to see the focus on community as well over over end users And I think this one in particular is is really important getting feedback on the roadmap Because this is where I see a lot of projects sort of fail is that Especially if one vendor is particularly involved. 
It's really easy for their product managers Just to kind of decide on the roadmap and things just happen and nobody else has any transparency into what's going on for feature planning or roadmaps So I think this one's really important when you're talking about getting over the hump of having a project controlled by a single vendor Yeah, I'd also like to point out that end user in cncf terms can mean a very specific community There's uh the cncf end user group Which is now over a hundred different companies that aren't vendors, but they're end users and they've got their own private meetings And they discuss things and they even elect their own toc members So when they're talking about end users, sometimes they're not generally talking about Well, just people who generally take this stuff pick it up and use it But this actual cncf group and a way to get their input into the projects And quite frankly one of the ways that I would like to see that group get their input into the projects Is by getting the developers at their companies to contribute to those projects Um, and I think that would be a really useful thing if we could somehow get You know, not just have somebody like apple hire a bunch of people who work on kubernetes and related projects But have people who are already at the company start contributing to them and changing that conversation I mean, I think that is one of the goals of the end user community Um, I don't know what level of success they've had But I think that is one of the goals. I mean, I also think in terms of preparing guidance for projects on collecting feedback I honestly think more cncf projects could reach out to that particular end user group Um, because I've done it on behalf of kubernetes And they were happy to tell me lots of things the um So Now that's not That wouldn't be the whole of how you can get feedback But it's certainly a mechanism and is nicely one that has a defined structure. Do you have anything else on that? 
I guess next thing to do is going to be to open some issues to develop these things We'll go ahead. Do we want to do that or do we? I feel like the steering committee meeting was kind of all over the place Like these are our takeaways for what we think are maybe the right things to do is the next steps out of that meeting I wonder before we get too far down the path of Putting together docs for this Do we want to circle back with the steering committee and make sure that these are the right things to do? Um, and maybe provide them with a little more information about what we think would be in this doc To help them kind of make that decision But but I do feel like there there wasn't really anything tangible that came out of the steering committee meeting today It was a lot of a lot of different people with lots of different opinions And some of them were louder than others so Get TOC to approve the idea that this is the next thing That somebody's going to work on in this area Yeah, it's probably a good idea that to know that it's something they're interested in before somebody goes off and spend Hours trying to put this together because if they're not really interested in reading it then people will waste a bunch of time Well, and for one of them for the sustainability longevity requirement, we're going to need lots We need to start with lots of feedback from the TOC because you know again that's um It's amorphous Anything more on the meeting this morning? issues Yeah, gee draft revisions to multi organization requirement for graduated projects I can't imagine why that's still open the uh Okay, uh, mostly with the content tracking Open, um, did we knock anything else out this week? I started work on um policy and procedure paperwork Dawn you get any chance to uh Hammer anything out? 
No, I'm still I know I'm still on the hook to do the the charter documentation To be honest these last week or two have been sucked up in conference prep for Um talks Yeah, October Yeah, I know I'm going to be saying the same thing in two weeks because of all the November stuff Yeah Yeah, and I'm trying to do them a little bit early because I just need to get them recorded And if I can just get them recorded and done that I can focus on some other work So I'm trying to just ahead of things a little bit Go Well, one thing that we have now is um Vicky put up her Catalog of governance documentation That was which is a treasure trove of examples um So Um, it's nice. I'm going to go back through I mean, it's one of the things I'm doing with the policy and procedures I'm like, okay, I mean you get three examples of every one of these documents from that The um for um I mean Matt this is uh, this is Looking right here at our content tracking So these are all of the Documentation and content that we know we need to write I actually have not put the templates in here because the templates are their own Directory I see you've just got a little bit to write. Yeah Uh, you know, honestly, this was I don't know other people got into this part of my goal in this team Is that there just really has not been a consolidated location for this kind of guidance Right, there hasn't been an external location that we can just point a CNCF project to say Hey, this is how you run an open source project um and so you know Part of at least my personal reason for um helping start contributor strategy was to actually Make that a thing because right because I see these projects coming in and they're Sponsored by companies who have not done public open source projects before And you know, they don't know what to do. They've never done it before You're absolutely right. I mean in the last month. 
I've had people from more than one company I'm more than one new sandbox project say Uh, can you help us get going with governance? Can you point us in the right direction and I'm sitting there going What do I point you at? I start asking questions and then I start pointing. Okay, you do things like this Here is kind of what somebody else has already done in a graduated project And here's their governance and it's sort of similar to what you've got So let's start by reading this one and maybe a few others like it So you get an idea of what other people have already graduated with But that's that's the extent of what I've got and then answering their questions in trying to explain things Actually having something to point people to that's well rounded and thought out that teaches them Doesn't exist and it is a needed problem and I just say that because I've been bugged a bunch of times on it, right? Yeah Yeah, that's a hard problem too because every project is different and what every project needs for governance There's no there's no cookie cutter. 
You can't just send people to this and it's like you need this and this and this And it's it's really easy It just it doesn't work that way So like the leadership selection doc that I put together has like 10 options for how you might select leaders And some of the best practices for you know for doing that, but it's not it's not this is what you do check Yeah, I mean one thing that actually came out of this is I kind of think I almost want to add to this That I think we actually do have a few projects who could use a steering committee for completely different reasons Like there's been some back and forth around graduating the OPA project And honestly, you know looking at it from the discussion and looking at it from the OPA project is they do actually have a problem with coordination project wide Like that's a project where I actually look at it and I'm like, you know This actually is a project that could use something like a steering committee not for anything to do with graduation but because They have all these people working in these sort of isolated areas on the project who weren't really coordinating with each other the so I almost kind of think like We could eventually add more on the you know So you think your project needs a steering committee type document Just because that's more complicated than some of the other governance models Well, we'll talk I'm writing for the Open Source Summit EU is all about governance. 
So I'll probably think of other things that we need that we haven't even put on the list so we've got that Matt Fatima Jaime, you can see the list of of things if there is not a name after any of the items on that content tracking It's because nobody has volunteered to be responsible for that So Feel free to grab any of those for that matter even if somebody has something assigned and it's not done Feel free to ping that person because All of us have multiple competing things on our time Um, and if there's something that you're like, hey, I already have stuff for this Um, don't don't hesitate to speak up just because somebody else has their name attached to it Um Can I assess it? So there's one called security issue handling guidelines and it's marked SIG Security and next to it is the name Jennifer who's Jennifer Jennifer Davis she was going to coordinate with SIG Security on the The the little bit of glue code that says hey Your project has governance your project needs to have a documented process on how you handle security issues And here's a link to all of SIG Security stuff about that because they have stuff about that right But when a project is looking at the governance section, they need to realize That this is actually part of governance is to have that handled They they have a security handling guidelines. 
Yeah Um, they published it recently too Um, I mean the governance component of it is more you need a process to select the people who are going to be on that security committee The um, and you need to have requirements for what the security committee people do Um the um like they don't take security reports patch their employers products only and not tell anyone about it Now I'll be curious to go read it because uh, one of the things that we're touching in lately is embargo lists Like what Kubernetes has um, and I think Harbor and Kubernetes are the two with embargo lists that I'm aware of And I'm curious to see how others are looking to stand that up or otherwise Yeah, a lot of projects don't have anything formal. Um, which is bad Because because among other things, you know, completely aside from they may actually have a de facto process for handling security stuff But if I discover a security hole, and I'm not A regular contributor to that project. I need to know what to do Oh, yeah, yeah, so on Helm we actually have this and we use the GitHub security notification thing that's been added And they go out and it's a little slower to have them go get the CVEs with it then me myself going out to get it we'll actually get CVEs and uh Have them do it because you get private branches automatically from them when you use it And so there's a lot of neat things if you actually use it. So we've had a security process for a while Over on Helm, but I'm all actually looking to say how do we revise that process to improve on it because there's this whole Okay, we've got this far, but is there a way to get better at doing this and what criteria? And then what could we share with others then too? 
yeah the um Yeah, and that's that's what we have to have in there, but it has to be together with SIG Security because They're writing guidance on this and and details of you know How you handle this that and the other thing that is like their job so totally totally that makes sense the um yeah so Yeah, so we need to actually so for Matt what we've done is we'd started with So basically what we need to create falls into three areas One is sort of guidance documents or advisory documents that explain Qualitatively how to run a project Right, um often with like Dawn's leadership document a whole bunch of choices Um, and then the idea was to go from that to then Providing backing material for the CNCF requirements that are governance related Um And the reason we went in that order is because honestly a lot of that backing material is going to be You know in order to fulfill this requirement. You need to do this and here's the document that gives you advice on how to do that thing Okay Um, and then the third portion is templates so we have um a template project That has templates for all of the Paperwork that your project might need You know things like a CONTRIBUTING.md file and yeah, you know a GOVERNANCE.md file or a steering committee charter or any of these various pieces of paperwork your project might need Done in a sort of mock-up template format So that a CNCF project that comes in with some of these things but not all of them Can honestly just fork that project and use the templates there to build the rest of their stuff Let me ask this because I see you're working through the documentation Where's the final output of the documentation going to live? In the form that people can throw in reading, right? 
That was actually a topic of Last week's contributor strategy meeting Because it is undetermined um because We don't actually have a good location for any resources for CNCF project contributors The um Um It's just not something that CNCF has created and so we're kind of punting that back to CNCF Which is to say hey, we need a place for this stuff to for the approved versions of this stuff to live um and um The um And You know figuring out where that is is kind of because we came up with a couple of ideas um CNCF staff Said no because of conflicts With with some of the names that you know some of the spaces that we looked at Um, and so now we're kind of in the hey there needs to be a place Where approved stuff lives ideally It should not just be in a Git repo. There should be some sort of web publication So that people can actually Google it Like maintainer docs dot cncf.io Yeah The um Yeah, initially we suggested maintainer dot cncf.io, but they used that for that grid Yeah, and now moving the grid would be a major website breaking issue Yeah, we spent we spent like 45 minutes bike shedding on this in the other area. Well, I'd like to avoid that and Yes yep, so um The um, but yeah, we do need a place And and and that's been an outstanding issue And I should really just go ahead and open an issue with the TOC. 
I guess and say find us a place um The um Because there's a bunch of other stuff in addition to all this governance documentation We want a place for maintainer circle activities Um, which is another project a contributor strategy maintainer circle activities We want a place for them to post their stuff like, you know, upcoming events that sort of thing um the um, you know and other stuff for You know, this is the group of people running the cncf projects and they need a place for their stuff Yeah, we really just need a place for guides in general and then we have loads of types of different Different guides, but that's a matter of finding a place that isn't That isn't already being used by somebody and that the cncf is willing to to give up I have to drop. This was absolutely wonderful and enlightening Um, I will try to stick my nose in again and see if something jumps out for me to contribute to And if you had a name, I would actually be willing to chase that to the ground with the cncf, but we don't have a name so Um green green dot cncf.io Thanks for coming Matt Thanks, um can somebody pick up on the on any notes for the meeting just because google docs just kicked me out for no apparent reason Um, yeah The um actually do this once a day And I cannot figure it out the um So Okay, um It's really late. Um, I had another meeting but uh, yeah, I'll just just lurk unless something comes up that We can contribute to Okay, we're just finishing up here actually. Um, we don't have any open prs um, so Um, that's actually kind of the complete discussion Unless somebody has something else I'm good Good, okay Um, well, thanks everybody. We know we still have our roadmap of content that we need to prepare um for Collin we're we're actually our next step is to actually confirm The deliverables with the toc out of this morning's meeting, which will probably take some time Okay, the um, yeah, and um And that's it. 
So I'll see everybody in slack try to get some content documentation advisory guides written And and we will continue soldiering on Thanks everyone. Sounds good. Bye everybody