Repository Reorganization: Directory Structure, License Consolidation, and File Cleanup

[anvega]

This pull request includes the initial reorganization of the repository according the Information Architecture proposed, discussed, and approved by all leads to improve accessibility and maintainability. Key changes include:

• Created new directories: community/working-groups, community/events, and community/resources.
• Moved audio-versions to community/publications
• Moved supply-chain-security, compliance, and controls content to community/working-groups subdirectories and merged readmes
• Moved policy to community/working-groups/archive
• Moved design, security-lexicon, security-whitepaper, landscape, security-fuzzing-handbook to community/resources
• Moved cloud_native_security.md, and past-events.md to community/events
• Deleted unused files: policy-wg-merging.md, roadmap.md, safe_kubecon.md.
• Updated relative paths for links
• Updated a few deadlinks a different markdown files

[netlify]

✅ Deploy Preview for tag-security ready!

Name	Link
🔨 Latest commit	b8f142c
🔍 Latest deploy log	https://app.netlify.com/sites/tag-security/deploys/66bf9ac823dfee0008aff151
😎 Deploy Preview	https://deploy-preview-1283--tag-security.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[eddie-knight]

I have thought about this in recent weeks, but wasn't sure where this gets into CNCF legal territory.

[anvega]

What's the question? To simplify the repository structure and provide clarity on licensing terms, the three existing license files (LICENSE-code, LICENSE-document, LICENSE.md) were merged into a single LICENSE.md file. To be clear there are no licensing changes made here. The updated license file covesr both code and documentation, as follows:

LICENSE.md

# License

## Source Code

The source code in this repository is licensed under the MIT License. See below for the full license text.

## Documentation

The documentation in this repository is licensed under the Creative Commons Attribution 4.0 International License. See below for the full license text.

### MIT License

[Full text of the MIT]

### Creative Commons Attribution 4.0 International License

[Full text of the CC BY 4.0 License]

[anvega]

cc/ @mkdolan

[eddie-knight]

Yep, just looking for input from anyone else who can confirm what I agree with you on— merging these files looks like a good way to consolidate the presence of both licenses.

[anvega]

You mentioned CNCF legal, so I tagged them. Also, @joannalee333 can help with a thumbs up here.

There are several online resources on multi-licensing and declaring those multiple licenses. One of GitHub’s support recommendations is to use one LICENSE file in the root of your repository and add subsections for any 3rd party material, code, etc. which is the approach being pursued here.

An improvement complementary to this approach is to clearly mention the terms in the README.md:

The source code in this repository is licensed under the MIT License. The documentation is licensed under the Creative Commons Attribution 4.0 International License.

[anvega]

Heard back from CNCF legal. They said on 6/24:

Hi Andres, I reviewed. From a purely legal perspective, I have no concerns. I want to check with someone on the team here thought to make sure the change will still work with license header scanning tools used by CNCF projects.

I don't know that TAG folders are scanned, but there seems to be no issue here.

[eddie-knight]

What's happening with this word change? It seems like an impactful tweak, considering that it shifts from discussing the policy for the linked repo to implying that many policies may exist. Better to leave this for a suggested change that the WG can respond to.

[anvega]

The page doesn't exist anymore and the repository doesn't have a privacy policy. I adjusted enough to say there was a policy but that policy isn't the policy.

[anvega]

This effort is part of addressing your feedback highlighted during the approval discussion of the IA document, specifically regarding 'broken links throughout the repo that we'll need to find and clean up,' but fine by me either way.

The wording probably should be a 'privacy policy that existed for a period of time' or 'at the time.' I tried Wayback Machine to replace it with that but it wasn't able to pull it

[eddie-knight]

Ah, frick. I see how you got there.

Can we get a thumbs up from the WG lead or last committer? If we don't hear back, I'd suggest its better to leave with a broken link than update it with a commit that may not improve the doc.

[eddie-knight]

This doesn't match the link in the README above, which would place this (perhaps rightfully) as catalog/compromise-definitions.md

[anvega]

It's unclear what's meant by ./compromise-definitions.md not matching its link in compromises/README.md, as both of these files reside in the same directory. The link is working, and the dot is correctly used as the symbol for the current directory.

By README above you mean community/catalog/compromises/README.md or compromises/README.md?

[anvega]

Line 11 did have a broken link I failed to catch as was truncated by a break. It pointed to /supply-chain-security/compromises/compromise-definitions.md when it should be community/catalog/compromises/compromise-definitions.m

[eddie-knight]

see comment on catalog/compromises/compromise-definitions.md

[PushkarJ]

Looks like this needs a rebase + resolving of merge conflicts

[eddie-knight]

Do we have enough of a consensus on this proposal to nest publications within community/? An alternate proposal was to have publications as a top level directory.

I had been fond of the idea of publications living at the top, but I can also see the justification for nesting it here.

@mnm678 @PushkarJ @mlieberman85 @JustinCappos @ragashreeshekar @ashutosh-narkar @jkjell

[anvega]

There is a list of select publications in the top-level README.md, along with a link to the publications directory. The publications directory itself doesn't hold any publications; it only contains an index and the directory of audio recordings. That's the structure that we settled on in the doc.

[anvega]

I have no recollection of the alternate proposal being discussed. The only other discussion involved this PR that was merged, which reinforced the list of selected publications in the README.md and provided an index of source files with their respective locations inside publications/README.md (#1273).

[eddie-knight]

Cloud Native Security Whitepaper is currently listed on the publications page. Moving it to community resources appears to be an arbitrary downgrade.

[anvega]

Everything is listed in the publications page. As stated in the IA document, overarching/seminal/tag-wide publications that aren't owned by a workgroup are to be found there as valuable community resources.

[anvega]

Here is the structure that the group consensus settled on:

community/publications/
Index of published papers, reports, whitepapers, and audio versions of publications. The source files are located in:

community/resources/ if they are overarching documents.
community/working-groups/ if they are owned by a working group.
communityassessments/ if they are assessment documents.

[eddie-knight]

@mnm678 @mlieberman85 @jkjell Please review

[anvega]

For reviewers this was a merge the contents with the prior README.md,

[eddie-knight]

@PushkarJ @mnm678 — Since we're already breaking and fixing links, do we want to take this opportunity to migrate publications like this into the publications directory?

[anvega]

The consensus achieved through the IA document discussions settled on the structure captured there:

community/publications/
Index of published papers, reports, whitepapers, and audio versions of publications. The source files are located in:

• community/resources/ if they are overarching documents.
• community/working-groups/ if they are owned by a working group.
• communityassessments/ if they are assessment documents.

If you're proposing something different, we should discuss and plan for it after this current reorganization is complete.

[eddie-knight]

Should this be moved into the wg/archive/policy directory?

[anvega]

None of the key deliverables stated in that file were turned in. Also the Policy workgroup never really merged with TAG security and stayed they stayed their course as a Kubernetes WG.

[anvega]

This was a file captured in the doc as marked for deletion not move.

[eddie-knight]

@mnm678 @PushkarJ Pleaes review.

I agree that this file is less than ideal, but please verify we haven't lost anything by deleting it.

[anvega]

I think this predates all of you. We adopted project boards as captured in this markdown file and migrated everything worth tracking to the board and the leadership notes doc. I don't believe there is anything relevant in the old roadmap other than nostalgic value.

This was captured in the doc as an item marked for deletion.

[mnm678]

This lgtm after a rebase and fixing the failing checks

[anvega]

Yay! I don't know what changed, but suddenly deploy previews and site build logs are viewable once again. The preview error was due to a malformed URL in the Spanish translation of the whitepaper (cloud-native-security-whitepaper-spanish.md). Site is functional. Rebased and a good to go.

[anvega]

@eddie-knight Are you comfortable with the current state before merging? There was extensive commentary, but it wasn’t clear if the feedback required changes. Please let me know if there's anything else you'd like to see addressed.

[anvega]

Merging as discussed in the chair and TLs' communications channel, as no concerns were raised following the final review request earlier.