Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: Add first draft of CloudEvents review #509

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

jberkus
Copy link
Contributor

@jberkus jberkus commented Sep 1, 2023

Resolves #478

Please find our first cut at a review of CloudEvents governance. There are a number of issues identified here, many of which are documentation issues, so this PR will remain WIP in order for the project to address them.

Attn: @duglin @cathyhongzhang @TheFoxAtWork @dzolotusky
@aliok @geekygirldawn

Doug, please let WG/Governance know how we can help Cloud Events resolve the identified issues.

@jberkus jberkus added wg/governance needs-liaison-approval Requires approval from TOC liaisons before merging labels Sep 1, 2023

The following aspects of governance are exemplary, and can be referenced as examples for other projects to copy:

* The [List of Implementations](https://github.com/cloudevents/spec/blob/main/docs/open-source.md) is a very useful resource, particularly for Specification projects
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use commit hashes in the links to the files in GitHub? The reviews are done using snapshots in the time.

@@ -0,0 +1,210 @@
# CloudEvents Governance Review

What follows is a governance review and assessment for the _CloudEvents project. This review is carried out by members of the Governance Working Group of TAG Contributor Strategy. The review may have been done because of a change in maturity level for the project, at the request of the TOC, or as a request by the project itself. If requested by the project, the review will be provided to the project maintainers. Otherwise, the review will be submitted to the TOC for their follow-up.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
What follows is a governance review and assessment for the _CloudEvents project. This review is carried out by members of the Governance Working Group of TAG Contributor Strategy. The review may have been done because of a change in maturity level for the project, at the request of the TOC, or as a request by the project itself. If requested by the project, the review will be provided to the project maintainers. Otherwise, the review will be submitted to the TOC for their follow-up.
What follows is a governance review and assessment for the _CloudEvents_ project. This review is carried out by members of the Governance Working Group of TAG Contributor Strategy. The review may have been done because of a change in maturity level for the project, at the request of the TOC, or as a request by the project itself. If requested by the project, the review will be provided to the project maintainers. Otherwise, the review will be submitted to the TOC for their follow-up.


**Admins**: There are four Admins, who are in charge of project administration, including permissions, ensuring regular operation, calling meetings, and similar functions. The Admins are the maintainers of the project by CNCF definition.

**(Voting) Members**: an amorphous, but well-tracked, group consisting of all regular participants in specifications meetings. These members vote on actual changes to the spec and the roadmap according to very detailed voting rules, including per-company vote limits.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
**(Voting) Members**: an amorphous, but well-tracked, group consisting of all regular participants in specifications meetings. These members vote on actual changes to the spec and the roadmap according to very detailed voting rules, including per-company vote limits.
**(Voting) Members**: an amorphous, but well-tracked, group consisting of all regular participants in specifications meetings. If there is ever the need for a formal vote, then these members are the ones who have "voting rights". It is worth nothing though, for regular activity (such as approving changes to the specifications), any person in the community can comment, review and ask for changes to PRs. All open comments on PR need to be addressed prior to the PR merging. In this sense, any member of the community (voting member or not) has the ability to block a PR from being merged. It is only if there are irreconcilable differences of opinion that a formal vote will be taken. The goal is to achieve consensus. As a result, there have only been a handful for formal votes, due to a difference of opinion, during the entire lifetime of the project.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's all good information, but it belongs in your governance docs, rather than in this review.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

| Code of Conduct | Complete | Uses link to CNCF CoC | |
| Contributor Guide | Partial | [CONTRIBUTING](https://github.com/cloudevents/spec/blob/main/docs/CONTRIBUTING.md) | See discussion above |
| Contributor Ladder | Partial | [GOVERNANCE](https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md) | Several roles exist, but qualifications and advancement are not explained |
| Maintainer Lifecycle | Missing | | How to become, or retire, a Voting Member is not explained anywhere |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the #voting section in the GOVERNANCE.md file covers this. Is there something missing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, ok. Can we move that section? It's in a wierd and non-obvious place. Putting it where you define voting members would be better.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure how to tweak it. Under the membership section we point to #voting (specifically on the "voting member" definition), we point to #voting in the Meetings section and the voting section immediate follows the PR section.

| Maintainer List | Partial | [OWNERS](https://github.com/cloudevents/spec/blob/main/OWNERS), [Spreadsheet](https://docs.google.com/spreadsheets/d/1bw5s9sC2ggYyAiGJHEk7xm-q2KG6jyrfBy69ifkdmt0/edit?pli=1#gid=0) | See discussion above |
| Code of Conduct | Complete | Uses link to CNCF CoC | |
| Contributor Guide | Partial | [CONTRIBUTING](https://github.com/cloudevents/spec/blob/main/docs/CONTRIBUTING.md) | See discussion above |
| Contributor Ladder | Partial | [GOVERNANCE](https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md) | Several roles exist, but qualifications and advancement are not explained |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you elaborate on what might be missing from the #membership section of the GOVERNANCE.md doc?

| Project Purpose | Complete | [README](https://github.com/cloudevents/spec) | |
| Maintainer List | Partial | [OWNERS](https://github.com/cloudevents/spec/blob/main/OWNERS), [Spreadsheet](https://docs.google.com/spreadsheets/d/1bw5s9sC2ggYyAiGJHEk7xm-q2KG6jyrfBy69ifkdmt0/edit?pli=1#gid=0) | See discussion above |
| Code of Conduct | Complete | Uses link to CNCF CoC | |
| Contributor Guide | Partial | [CONTRIBUTING](https://github.com/cloudevents/spec/blob/main/docs/CONTRIBUTING.md) | See discussion above |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what's missing here. See comments on the next two lines too.

| Governance Area | Coverage | Documents | Finding Notes |
|:----------------|:--------:|:------:|:--------------|
| Project Purpose | Complete | [README](https://github.com/cloudevents/spec) | |
| Maintainer List | Partial | [OWNERS](https://github.com/cloudevents/spec/blob/main/OWNERS), [Spreadsheet](https://docs.google.com/spreadsheets/d/1bw5s9sC2ggYyAiGJHEk7xm-q2KG6jyrfBy69ifkdmt0/edit?pli=1#gid=0) | See discussion above |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think a link to the #voting section in the GOVERNANCE.md doc should be added, but I'm not sure what's missing.

| Maintainer Lifecycle | Missing | | How to become, or retire, a Voting Member is not explained anywhere |
| Decision-making | Complete | [GOVERNANCE](https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md), [SDK Governance](https://github.com/cloudevents/spec/blob/main/docs/SDK-GOVERNANCE.md) | Nonlinear, but explained in exacting detail |
| Code and Docs Ownership | Complete | [OWNERS](https://github.com/cloudevents/spec/blob/main/OWNERS), plus each repo | |
| Security Reporting and response | Missing | | A security team exists but is not documented |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the main README has a "Security Concerns" section with info on how to report security concerns. Is that not sufficient?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not according to CNCF standards, no. There needs to be a body that can handle confidential reports of undisclosed security holes. This probably isn't required for the specification (but security folks would need to decide that), but is definitely necessary for the SDKs.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We've gone with the assumption that since the spec doesn't introduce any new security mechanisms (beyond whatever transport level security is already defined by other spec or tools), it's pretty much out of our concern. Meaning, any security issue raised wouldn't really be a CE issue - it would be on the transport security mechanism used. Additionally, we've had security reviews (on the spec and SDKs) and no one has expressed any concerns.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@PushkarJ , @achetal01, @sublimino can one of your sign off on this? This is really a TAG-Security requirement.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additional context wrt to specs, if the spec is hosting community SDKs or reference implementations in the org level repo or project repos, discoverability of a security reporting mechanism needs to be discoverable and accessible. For OpenFeature, they were changed to be directed to a single security.md with a reporting policy described.

The intent of this was to ensure that if a researcher or reporter needed to report an issue, they didn't spend forever hunting for it. Commonly, the security.md file integrated with GitHub makes this process simpler (thanks to a lot of community work)

| Decision-making | Complete | [GOVERNANCE](https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md), [SDK Governance](https://github.com/cloudevents/spec/blob/main/docs/SDK-GOVERNANCE.md) | Nonlinear, but explained in exacting detail |
| Code and Docs Ownership | Complete | [OWNERS](https://github.com/cloudevents/spec/blob/main/OWNERS), plus each repo | |
| Security Reporting and response | Missing | | A security team exists but is not documented |
| Communication and Meetings | Partial | [GOVERNANCE](https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md) | meeting process, no calendar. should link to SDK comms info |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The main README points to the CNCF calendar: https://www.cncf.io/calendar/ and we're listed on there.

Added some text to the main README telling people to check the README of each SDK for its comm stuff. I'd prefer not to duplicate it in the main repo to avoid it getting out of sync or requiring multiple PRs when things change.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some of the SDKs have meeting/comms info, but some don't.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just checked them all and they all seem to have a section like this: https://github.com/cloudevents/sdk-javascript#community which one do you think I missed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you've filled in the missing ones, I need to do a re-check and then I can update this.

@duglin
Copy link

duglin commented Sep 11, 2023

CE edits are being made in this PR: cloudevents/spec#1224

| SDK-Csharp | Partial | Complete | Partial | |
| SDK-Javascript | Partial | Complete | Partial | |
| SDK-Rust | Missing | Complete | Partial | No maintainers listed |
| SDK-Powershell | Missing | Missing | Partial | No maintainers, no meetings or channel |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

| SDK-Java | Partial | Complete | Partial | Currently a WIP project |
| SDK-Csharp | Partial | Complete | Partial | |
| SDK-Javascript | Partial | Complete | Partial | |
| SDK-Rust | Missing | Complete | Partial | No maintainers listed |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.


#### Admins

The list of Admins is current, and appears well-balanced, with four admins representing four different organizations. However, admins are listed only by GH handle, with no affiliation, contact information, or history; listing full information on each admin would enhance transparency. The Admins were set up as roles-for-life, with only one change of admin since the project was founded in 2018. There are no defined processes for removing an admin for inactivity, nor any expectation that new Admins will be recruited.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We describe the process for add/removing admins in the #admins section of the GOVERNANCE.md doc.
Correct we don't remove admins due to inactivity since most of them are inactive per the definition of the role - and we like it that way. There really isn't much for them to do, aside from run the weekly calls, and that's normally done by just one of them - with another person being their usual backup (e.g. for vacations).

It's not so much "role for life" as it's just a very minimal role and people can ask to be added, or removed, whenever they want.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but you already have the problem that an admin has effectively left the project without resigning as an admin. So there needs to be some documented way to handle that.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there is, someone can open a PR to remove them: https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md#admins


The list of Admins is current, and appears well-balanced, with four admins representing four different organizations. However, admins are listed only by GH handle, with no affiliation, contact information, or history; listing full information on each admin would enhance transparency. The Admins were set up as roles-for-life, with only one change of admin since the project was founded in 2018. There are no defined processes for removing an admin for inactivity, nor any expectation that new Admins will be recruited.

Since, at this time one of the four admins (Ken Owens) is no longer active in the project per Devstats and meeting tracking, it would benefit Cloud Events to document a full Admin lifecycle including recruitment, promotion, qualifications, and emeritus status. Documenting this and following it would help ensure that the project retains a continuously active leadership.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we need some more text around this, but it's a bit misleading to call it "leadership" since they really only act after approval from the group. They're more like secretaries.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That isn't clear from the documentation; on a reading from the docs the admins are treated as Maintainers. Who are the Maintainers, but the CNCF definition? Can we make that clear?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md#admins
says:

Since the role of an 'Admin' is mainly administrative...

And there's also this text under the definition of admin:

Admins are Members of the group but have the ability to perform administrative actions on behalf of the group. For example, manage the website, github repos and moderate the meetings. Their actions should be done with the knowledge and consent of the group. They also have the ability to merge/close PRs, but only per the group's approval.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So it's nice to think of the admins as servants of the voting members, but the admins actually have quite a bit of power over the project. As such, they need to have a clearly defined lifecycle, just like we require regular code projects to have a clearly defined lifecycle for their maintainers.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still confused. We define how admins can be added and removed - that's the lifecycle: https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md#admins It's not clear to me what's missing.


#### Voting Members

In contrast to the admins, voting members are defined by their activity through participation in spec meetings, ensuring that the list of voting members is always relatively current. This makes it quite an easy route to get involved in the project, and prevents staleness. The list of voting members is tracked through a [spreadsheet](https://docs.google.com/spreadsheets/d/1bw5s9sC2ggYyAiGJHEk7xm-q2KG6jyrfBy69ifkdmt0/edit?pli=1#gid=0), which raises some issues around transparency and auditability (for example, who owns that spreadsheet?). Balance is ensured by voting rules which do not permit employees of the same company from voting more than once.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our governance doc now says: An Admin will be responsible for updating the spreadsheet.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where's the spreadsheet stored? In whose account? The Projects staff can help you with putting it in a CNCF-owned account. We really don't want it to get deleted if someone changes jobs.


#### SDK Maintainers

SDK maintainers are not current. See Subprojects above.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Areas of potential future development include:

* Complete reorganization of governance documentation for clarity and completeness.
* Adoption of a full Admin lifecycle that encourages turnover.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure we want to encourage turnover just for the sake of turnover.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You already have turnover, but you haven't acknowledged it.

Copy link

@duglin duglin Sep 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But you seem to be asking for us to encourage it - I don't see value in that. It happens, yes. But why should we try to force it? We document how it CAN happen here: https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md#admins

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a good idea to encourage it, yes. Not only to people leave, they burn out as well. If you're not doing anything to recruit new admins, then you won't get any, and pretty soon you'll be exercising the line in the governance that says what to do when the last admin leaves.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one feels like a very subjective thing. We have a process that's working, no one is complaining, we have at least 3 admins to cover stuff.... I don't see an issue. Swapping in new folks "just because" could only make things worse because it means we'll get people who might not actually want to do it beyond the initial "fake" prestige they think it'll give them and they'll half-ass it. Then the entire process runs the risk of falling apart because the folks who really do want to do it have been pushed out.


Language-specific Software Development Kits (SDKs) exist as subprojects of CloudEvents. These are largely autonomous of the main spec project in a governance sense. There is a [template for SDK governance](https://github.com/cloudevents/spec/blob/main/docs/SDK-GOVERNANCE.md) and other guidance docs, but SDK projects are largely left on their own after creation. This leads to some problems:

* Some SDKs have gone completely unmaintained
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the definition of "maintained"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"has a maintainer".

Copy link

@duglin duglin Sep 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah ok - I opened a PR for each SDK to align on common governance docs - see this PR for how the SDKs will now do it: cloudevents/spec#1226

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now completed for all SDKs

* Some SDKs have gone completely unmaintained
* There are no processes for SDK archiving or SDK Maintainer offboarding
* No SDK roles are defined other than "maintainer"
* Certification of SDKs is not up to date
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which certification are you referring to ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Compliance with versions of the spec. Several SDKs are not current.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to https://github.com/cloudevents/spec/blob/main/cloudevents/SDK.md#feature-support they all support v1.0 - which is sufficient since we're still in the v1.0.x track.

* Certification of SDKs is not up to date
* SDK repos do not appear to have OWNERS files or other administrative automation
* It's impossible to tell if SDKs are well governed since they have no minutes or video of their monthly meetings
* There's no defined governance relationship between other bodies and the SDKs or between maintainers of different SDKs
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which "other bodies" are you thinking of?
Do we have to have a relationship across SDKs?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Admins and voting members.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you elaborate on what you're looking for beyond what in this section: https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md#membership

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't have to have a relationship, but if you don't you want to spell it out: "SDKs are completely autonomous from other groups." There's some practical considerations to declaring that though, and it might not be acceptable to the TOC. For example:

  • how do SDKs get removed/archived because of abandonment?
  • who verifies that SDKs comply with the spec?
  • who handles security reports against SDKs?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've opened cloudevents/spec#1229 to address this.

@duglin
Copy link

duglin commented Sep 15, 2023

CE edits are being made in this PR: cloudevents/spec#1224

These "spec" level changes to CE's governance docs are now merged.

@duglin
Copy link

duglin commented Mar 26, 2024

Can we close this now that CE is graduated?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs-liaison-approval Requires approval from TOC liaisons before merging wg/governance
Projects
Status: 🏗 Work In progress
Development

Successfully merging this pull request may close these issues.

[Governance Review] CloudEvents
4 participants