[SANDBOX PROJECT ONBOARDING] TrestleGRC

[Cmierly]

Welcome to CNCF Project Onboarding!

This is an issue created to help onboard your project into the CNCF after the TOC has voted to accept your project into the Sandbox.

We would like your project to complete onboarding within one month of acceptance.

Please track your progress by using "Quote reply" to create your own copy of this checklist in an issue, so that you can update the status as you finish items.

Review and understand

• [x] The Technical Leadership Principles that outlines the expected behavior for any maintainer in a leadership role.
• [x] The project proposal process and requirements.
• [x] The services available for your project at the CNCF.
• [x] The CNCF IP Policy.
• [x] The trademark guidelines.
• [x] The license allowlist.
• [x] The online program guidelines.
• [x] Optional: Book time with CNCF staff for any onboarding questions.

Contribute and transfer

• [x] Move your project to its own separate neutral GitHub organization. This will make it transferable to the CNCF's GitHub Enterprise account. If it's already in a GHE account, you will need to remove it from that first.
• [x] Accept the invite to join the CNCF GitHub Enterprise account. We'll then add thelinuxfoundation as an organization owner to ensure neutral hosting of your project.
• [x] Migrate your Slack channels (if any) to the Kubernetes or CNCF Slack workspace. CNCF staff can help.
• [x] Submit a pull request to add your project as a Sandbox project to the Cloud Native Landscape by updating landscape.yml following these instructions.
• [x] Transfer your domain to the CNCF. The "LF Stakeholder email" is projects@cncf.io.
• [x] Transfer any trademark and logo assets to the Linux Foundation.
• [x] Submit a pull request with your artwork.
• [x] Transfer website analytics to projects@cncf.io. CNCF staff can help.

Update and document

• [x] Ensure that DCO (preferred) or CLA are enabled for all GitHub repositories of the project.
• [x] Ensure that that the CNCF Code of Conduct (or your adopted version of it) are explicitly referenced at the project's README on GitHub.
• [x] Ensure LF footer is on your website and guidelines are followed (if your project doesn't have a dedicated website, please adopt those guidelines for the README file).
• [x] Create a maintainer list and add it to the aggregated CNCF maintainer list via pull request.
• [x] Provide emails for the maintainers to get access to the maintainers mailing list and Service Desk. Email them to project-onboarding@cncf.io.
• [x] Start working on written, open governance.
• [x] Start on an OpenSSF Best Practices Badge.

CNCF staff tasks

• [x] Add the project to DevStats.
• [x] Add the project to LFX Insights. This is done by adding a read-only app to your GitHub organization once it's in CNCF GHE.
• [x] Add a license scanning tool, like FOSSA or Snyk.
• [x] Send a welcome email to confirm maintainer list access.

[vikas-agarwal76]

Hi @Cmierly, Kindly update task list with 2 completed tasks as mentioned below. Also, please send an invite to join CNCF GHE account.

Welcome to CNCF Project Onboarding!

This is an issue created to help onboard your project into the CNCF after the TOC has voted to accept your project into the Sandbox.

We would like your project to complete onboarding within one month of acceptance.

Please track your progress by using "Quote reply" to create your own copy of this checklist in an issue, so that you can update the status as you finish items.

Contribute and transfer

• [X] Move your project to its own separate neutral GitHub organization. This will make it transferable to the CNCF's GitHub Enterprise account. If it's already in a GHE account, you will need to remove it from that first.
• [ ] Accept the invite to join the CNCF GitHub Enterprise account. We'll then add thelinuxfoundation as an organization owner to ensure neutral hosting of your project.
• [X] Migrate your Slack channels (if any) to the Kubernetes or CNCF Slack workspace. CNCF staff can help.

[Cmierly]

@vikas-agarwal76 The list is updated and current as of today

[krook]

Also, please send an invite to join CNCF GHE account.

Done, invite sent to https://github.com/oscal-compass

[vikas-agarwal76]

Hi @Cmierly, Can we update the name of this project from "TrestleGRC" to "oscal-compass" to match with the organization name.

[lukaszgryglicki]

DevStats instance added, project also added to All CNCF projects health.

[jflowers]

@Cmierly how do we provide you with a signed doc for?:

Transfer any trademark and logo assets to the Linux Foundation.

[Cmierly]

@jflowers You can send the document to project-onboarding@cncf.io If it's signed on your end then that's all you need to do and I'll send you back the fully executed document. If it is unsigned I will need the email for your signing authority so I can send it out via Docusign.

Thank you!

[vikas-agarwal76]

Hi @Cmierly, Kindly update task list with the following completed tasks as mentioned below.

Review and understand

• [X] The project proposal process and requirements.
• [X] The services available for your project at the CNCF.
• [X] The CNCF IP Policy.
• [X] The trademark guidelines.
• [X] The license allowlist.
• [X] The online program guidelines.
• [ ] Optional: Book time with CNCF staff for any onboarding questions.

[ancatri]

@Cmierly @jflowers I have submitted the "Transfer any trademark and logo assets to the Linux Foundation." to the IBM IP Law Resource Center Attorney. Once I get it signed I will email to provided address. Thanks

[ancatri]

@Cmierly The email address of the person responsible for signing is btopol@us.ibm.com if you want to send him a Docusign. Thank you

[ancatri]

@Cmierly Attached is the filled out document for all 3 projects: Compliance Trestle , Agile Authoring and Compliance-to-Policy, in case you need it for the Docusign.

CNCF Trademark and Account Assignment Agreement - TRESTLE AGILE AUTH C2P.docx

[degenaro]

@krook Once the invite to CNCF is accepted will there be any URL changes or will they remain unchanged from what they are at present?

[Cmierly]

Thank you @ancatri ! I have sent out the document for signing

[krook]

@krook Once the invite to CNCF is accepted will there be any URL changes or will they remain unchanged from what they are at present?

They'll remain unchanged

[degenaro]

Thx!

On Tue, Jul 23, 2024 at 3:23 PM Daniel Krook @.***> wrote:

@krook https://github.com/krook Once the invite to CNCF is accepted will there be any URL changes or will they remain unchanged from what they are at present?

They'll remain unchanged

— Reply to this email directly, view it on GitHub https://github.com/cncf/sandbox/issues/136, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAD66XI5DT3MFKVGGXJXEW3ZN2USBAVCNFSM6AAAAABKRKMOQOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENBWGEYTGOBWHE . You are receiving this because you commented.Message ID: @.***>

[vikas-agarwal76]

Hi @Cmierly, Kindly update task list with the following completed tasks as mentioned below.

Contribute and transfer

• [x] Accept the invite to join the CNCF GitHub Enterprise account. We'll then add thelinuxfoundation as an organization owner to ensure neutral hosting of your project.

Update and document

• [x] Ensure that that the CNCF Code of Conduct (or your adopted version of it) are explicitly referenced at the project's README on GitHub.

[vikas-agarwal76]

Hi @Cmierly, We don't have any specific domain for this project except for the github org http://github.com/oscal-compass. Is there anything to be done from our side on this?

• [ ] Transfer your domain to the CNCF. The "LF Stakeholder email" is projects@cncf.io.

[jflowers]

Hi @Cmierly, I wanted to share that many people are on holiday, and this will slow our progress. Please don't think the delays are due to a lack of commitment.

[Cmierly]

Hi @Cmierly, We don't have any specific domain for this project except for the github org http://github.com/oscal-compass. Is there anything to be done from our side on this?

• [ ] Transfer your domain to the CNCF. The "LF Stakeholder email" is projects@cncf.io.

If you don't have a private domain for this project then you should be good to go on this task!

[Cmierly]

Hi @Cmierly, I wanted to share that many people are on holiday, and this will slow our progress. Please don't think the delays are due to a lack of commitment.

No worries! I hope everyone is greatly enjoying their summer

[ancatri]

Hey @Cmierly , I finally got to meet with IBM Legal and confirmed that we have no trademark and no domain name for the oscal-compass projects. It seems there is nothing to sign and we can proceed with the transfer/registration to CNCF.

[ancatri]

@Cmierly I have a quick question : What is the name the suit of projects will be listed in CNCF Sandbox? The process to transfer them from IBM to open source org OSCAL-COMPASS happened in parallel with the submission to CNCF Sandbox and in the CNCF issue we called it trestle-grc, while the final naming was decided to be OSCAL-COMPASS. Do we need anything to list it in the CNCF as OSCAL-COMPASS (and not trestle-grc) ? THANKS!

[vikas-agarwal76]

@Cmierly Kindly update the list with the completed items in previous message -

[degenaro]

Welcome to CNCF Project Onboarding!

This is an issue created to help onboard your project into the CNCF after the TOC has voted to accept your project into the Sandbox.

We would like your project to complete onboarding within one month of acceptance.

Please track your progress by using "Quote reply" to create your own copy of this checklist in an issue, so that you can update the status as you finish items.

Review and understand

• [x] The project proposal process and requirements.
• [x] The services available for your project at the CNCF.
• [x] The CNCF IP Policy.
• [x] The trademark guidelines.
• [x] The license allowlist.
• [x] The online program guidelines.
• [ ] Optional: Book time with CNCF staff for any onboarding questions.

Contribute and transfer

• [x] Move your project to its own separate neutral GitHub organization. This will make it transferable to the CNCF's GitHub Enterprise account. If it's already in a GHE account, you will need to remove it from that first.
• [x] Accept the invite to join the CNCF GitHub Enterprise account. We'll then add thelinuxfoundation as an organization owner to ensure neutral hosting of your project.
• [x] Migrate your Slack channels (if any) to the Kubernetes or CNCF Slack workspace. CNCF staff can help.
• [x] Submit a pull request to add your project as a Sandbox project to the Cloud Native Landscape by updating landscape.yml following these instructions.
• [x] Transfer your domain to the CNCF. The "LF Stakeholder email" is projects@cncf.io.
• [x] Transfer any trademark and logo assets to the Linux Foundation.
• [x] Submit a pull request with your artwork.
• [x] Transfer website analytics to projects@cncf.io. CNCF staff can help.

Update and document

• [x] Ensure that DCO (preferred) or CLA are enabled for all GitHub repositories of the project.
• [x] Ensure that that the CNCF Code of Conduct (or your adopted version of it) are explicitly referenced at the project's README on GitHub.
• [x] Ensure LF footer is on your website and guidelines are followed (if your project doesn't have a dedicated website, please adopt those guidelines for the README file).
• [x] Create a maintainer list and add it to the aggregated CNCF maintainer list via pull request.
• [x] Provide emails for the maintainers to get access to the maintainers mailing list and Service Desk. Email them to project-onboarding@cncf.io.
• [x] Start working on written, open governance.
• [x] Start on an OpenSSF Best Practices Badge.

CNCF staff tasks

• [x] Add the project to DevStats.
• [x] Add the project to LFX Insights. This is done by adding a read-only app to your GitHub organization once it's in CNCF GHE.
• [ ] Add a license scanning tool, like FOSSA or Snyk.
• [ ] Send a welcome email to confirm maintainer list access.

[degenaro]

re: https://github.com/cncf/foundation/blob/main/agreements/CNCF%20Trademark%20and%20Account%20Assignment%20Agreement%20(2020%20-%20no%20reg%20trademarks).pdf

@Cmierly Once the trademarks agreement is completed, where does it get sent? Printed via snail mail to the address in the document itself?

[Cmierly]

@degenaro You can email the form to project-onboarding@cncf.io and I'll get it sent out for signatures! If it still needs to be signed on your end then feel free to include the information for your signing authority and I'll send it via docusign

[degenaro]

@degenaro You can email the form to project-onboarding@cncf.io and I'll get it sent out for signatures! If it still needs to be signed on your end then feel free to include the information for your signing authority and I'll send it via docusign

@Cmierly Thanks, and we need to fill out the cited form for the case where there are no trademarks to be transferred, correct?

[Cmierly]

@degenaro correct!

[degenaro]

---

Need to understand from Chris Butler trestle website analytics before checking Transfer website analytics box.

---

Hi Nate, We have no special analytics (Google, Netify or other), just the public Insights tab that comes with github. So the check box for Transfer website analytics for issue 1371 can be checked off without any actual transfer or invite, correct? Just trying to do the right thing! Thanks. Lou.

---

If all you use is the insights tab then that'll get transferred with the GitHub org, so yes, check the Transfer website analytics box (I'd include a comment on the issue explaining it so it's not just captured in this email thread). Cheers, Nate

[degenaro]

• DONE: Chris Butler added Nate with rights to transfer Google Analytics from his personal account

[ancatri]

Hi @Cmierly , please see the CNCF Trademark and Account Assignment Agreement (2020 - no reg trademarks) for no registered trademarks. Thank you for pointing out the document for this case.

OSCAL-COMPASS CNCF Trademark and Account Assignment Agreement (2020 - no reg trademarks).docx

[degenaro]

@Cmierly I'm a little bit lost with respect to the item Submit a [pull request](https://github.com/cncf/artwork) with your artwork. It seems that I can only upload individual files, but not create folders to place the artwork?

[krook]

@Cmierly I'm a little bit lost with respect to the item Submit a [pull request](https://github.com/cncf/artwork) with your artwork. It seems that I can only upload individual files, but not create folders to place the artwork?

Hi @degenaro,

The most straightforward way to do this is to fork the artwork repo, then clone it to your local machine. Then create the file structure locally as you like, following the existing convention for other projects. Then add/commit/push it all up to your fork, then open the pull request.

Otherwise, to do this in the web UI (which it sounds like you're trying to do) you can fork the repo, then choose Add file > Create new file. In the "Name your file..." start a folder name then end it with the slash character (/) to create that folder, then place a temporary new text file in there. Once you've committed that, you then will have a new folder that you can upload files to. You can delete the temporary text file.

[Cmierly]

Hi @Cmierly , please see the CNCF Trademark and Account Assignment Agreement (2020 - no reg trademarks) for no registered trademarks. Thank you for pointing out the document for this case.

OSCAL-COMPASS CNCF Trademark and Account Assignment Agreement (2020 - no reg trademarks).docx

Hi! We do need an email for the signing authority so that I can send out the document via docusign. You can send this information to project-onboarding@cncf.io

[degenaro]

Hi @Cmierly , please see the CNCF Trademark and Account Assignment Agreement (2020 - no reg trademarks) for no registered trademarks. Thank you for pointing out the document for this case. OSCAL-COMPASS CNCF Trademark and Account Assignment Agreement (2020 - no reg trademarks).docx

Hi! We do need an email for the signing authority so that I can send out the document via docusign. You can send this information to project-onboarding@cncf.io

email ancas@us.ibm.com

(I will copy this comment and send to project-onboarding@cncf.io as well)

[degenaro]

artwork PR https://github.com/cncf/artwork/pull/494

[degenaro]

landscape PR https://github.com/cncf/landscape/pull/4003

[degenaro]

Started an OpenSSF Best Practices Badge for compliance-trestle. Currently at 21%. https://www.bestpractices.dev/en/projects/9408/edit#analysis

[degenaro]

Hi @Cmierly, All the required boxes are now checked (see above), save for 2 CNCF staff tasks. How to proceed? Thx!

[krook]

@RobertKielty when you're back, can you please look into the FOSSA/Snyk task?

[nate-double-u]

The analytics have been moved to CNCF Projects. "Transfer website analytics to projects@cncf.io. CNCF staff can help" can be checked off now.

[RobertKielty]

Hi @degenaro do you and the team have a preference for FOSSA or Snyk to use as a static code checker to comply with the license policy? Let me know.

[degenaro]

I will ask...

On Mon, Sep 9, 2024 at 10:59 AM Robert Kielty @.***> wrote:

Hi @degenaro https://github.com/degenaro do you and the team have a preference for FOSSA or Snyk to use as a static code checker to comply with the license policy? Let me know.

— Reply to this email directly, view it on GitHub https://github.com/cncf/sandbox/issues/136, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAD66XJMFMNRPZIXF5TMU7TZVWZTVAVCNFSM6AAAAABKRKMOQOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMZYGM2TSMZRGU . You are receiving this because you were mentioned.Message ID: @.***>

[degenaro]

The consensus seems to bu Snyk. Thx.

On Mon, Sep 9, 2024 at 11:43 AM Lou DeGenaro @.***> wrote:

I will ask...

On Mon, Sep 9, 2024 at 10:59 AM Robert Kielty @.***> wrote:

Hi @degenaro https://github.com/degenaro do you and the team have a preference for FOSSA or Snyk to use as a static code checker to comply with the license policy? Let me know.

— Reply to this email directly, view it on GitHub https://github.com/cncf/sandbox/issues/136, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAD66XJMFMNRPZIXF5TMU7TZVWZTVAVCNFSM6AAAAABKRKMOQOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMZYGM2TSMZRGU . You are receiving this because you were mentioned.Message ID: @.***>

[degenaro]

@Cmierly Is there anything else expected from our side on this issue? Otherwise, I think we have complied with all the requirements.

[Cmierly]

@degenaro as long as you're set up with Snyk and ready to go then we can close this out as complete!

Congrats on finishing up Onboarding!

[jpower432]

Hi @Cmierly @RobertKielty I wanted to circle back and verify our setup with Synk.

Should we expect an invite to a Synk organization? What information do you need from the OSCAL Compass team? Thanks!

[RobertKielty]

@jpower432 I created a Snyk Organization for TrestleGRC and have sent invites just now to all of the project maintainers.

https://app.snyk.io/org/trestlegrc-KA4QpZ8FuRjHL9obtvAkk7

We just need one of the maintainers to accept their invitation and import the project's code repos into the TrestleGRC Snyk Org.

For the import to work, the email address to which the invite was sent will need be associated with a GitHub profile that has read/write access to the project repos.

[jpower432]

Thanks @RobertKielty! I have accepted and starting importing the projects under the organization.

[RobertKielty]

Hi @jpower432 I can see you imported 4 repos into TrestleGRC on Snyk. Thank you for importing those repos.

However, I need all 18 repos scanned. Can you please import the remaining 14 repos into Snyk? Many thanks.