Closed rchamarthy closed 2 months ago
What is the main reason for this project to be in CNCF, instead of in OCI?
@jberkus Indeed, there is an overlap and arguments as follows:
Belongs in OCI because it primarily deals with OCI specs. However, beyond the under-the-hood implementation detail, it is constrained by ecosystem and use cases.
Belongs in CNCF because the use cases in terms of build, deploy, and policy enforcement of container images are arguably under the purview of CNCF due to various projects and broader use cases - Kubernetes, registries, Kyverno etc. Hence, the following is a good fit. https://landscape.cncf.io/card-mode?category=application-definition-image-build&grouping=category
Full disclosure - stacker is from the same team that submitted zot (https://www.cncf.io/projects/zot/) and pairs/interacts well with the latter. Furthermore, along with Kyverno (https://kyverno.io/docs/security/#fetching-the-sbom-for-kyverno), it enables an OCI-based (hence vendor-neutral) end-to-end software provenance pipeline.
https://github.com/kubernetes/kubernetes/issues/121742 ^ another data point for why a tool such as stacker is needed.
Also, with recent PRs merged, the stacker project is in a much better shape to tackle software supply chain security, aligning with the OCI artifacts work, meaning it can produce both container images and SBOMs - enforcing that "everything must be accounted for" during the build stage itself.
"Landscape: no" updated to "yes"
TAG-CS note:
> Project stacker currently has:
> no written governance (yet)
@jberkus ^ is this a blocker?
@rchincha Incoming Sandbox projects are not required to have written governance. It is a credit to the project if they do have one, and if the project is a single-company project, having a good written governance may reassure the TOC around product/project separation.
Follow-up from today's sandbox review, Stacker will be moved to a vote. But please coordinate a project review with TAG-Runtime.
/vote
@mrbobbytables has called for a vote on [Sandbox] stacker (#73).
The members of the following teams have binding votes:
| Team |
|---|
| @cncf/cncf-toc |
Non-binding votes are also appreciated as a sign of support!
You can cast your vote by reacting to this comment. The following reactions are supported:
| In favor | Against | Abstain |
|---|---|---|
| 👍 | 👎 | 👀 |
Please note that voting for multiple options is not allowed and those votes won't be counted.
The vote will be open for 2months 30days 2h 52m 48s. It will pass if at least 66% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.
/check-vote
So far 9.09% of the users with binding vote are in favor (passing threshold: 66%).
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 1 | 0 | 0 | 10 |

| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2024-06-12 18:22:12.0 +00:00:00 |
| @dims | Pending | |
| @rochaporto | Pending | |
| @angellk | Pending | |
| @mauilion | Pending | |
| @linsun | Pending | |
| @dzolotusky | Pending | |
| @kevin-wangzefeng | Pending | |
| @cathyhongzhang | Pending | |
| @nikhita | Pending | |
| @kgamanji | Pending | |
/check-vote
Votes can only be checked once a day.
/check-vote
So far 81.82% of the users with binding vote are in favor (passing threshold: 66%).
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 9 | 0 | 0 | 2 |

| User | Vote | Timestamp |
|---|---|---|
| kevin-wangzefeng | In favor | 2024-06-18 3:54:07.0 +00:00:00 |
| dzolotusky | In favor | 2024-06-18 5:13:08.0 +00:00:00 |
| angellk | In favor | 2024-06-18 13:11:48.0 +00:00:00 |
| linsun | In favor | 2024-06-18 14:26:33.0 +00:00:00 |
| TheFoxAtWork | In favor | 2024-06-12 18:22:12.0 +00:00:00 |
| nikhita | In favor | 2024-06-18 4:32:44.0 +00:00:00 |
| rochaporto | In favor | 2024-06-18 7:59:05.0 +00:00:00 |
| dims | In favor | 2024-06-18 13:47:59.0 +00:00:00 |
| kgamanji | In favor | 2024-06-18 6:38:17.0 +00:00:00 |
| @mauilion | Pending | |
| @cathyhongzhang | Pending | |
The vote passed! 🎉
81.82% of the users with binding vote were in favor (passing threshold: 66%).
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 9 | 0 | 0 | 2 |

| User | Vote | Timestamp |
|---|---|---|
| @dzolotusky | In favor | 2024-06-18 5:13:08.0 +00:00:00 |
| @nikhita | In favor | 2024-06-18 4:32:44.0 +00:00:00 |
| @angellk | In favor | 2024-06-18 13:11:48.0 +00:00:00 |
| @kevin-wangzefeng | In favor | 2024-06-18 3:54:07.0 +00:00:00 |
| @rochaporto | In favor | 2024-06-18 7:59:05.0 +00:00:00 |
| @dims | In favor | 2024-06-18 13:47:59.0 +00:00:00 |
| @kgamanji | In favor | 2024-06-18 6:38:17.0 +00:00:00 |
| @linsun | In favor | 2024-06-18 14:26:33.0 +00:00:00 |
| @TheFoxAtWork | In favor | 2024-06-12 18:22:12.0 +00:00:00 |
Hello and congrats on being accepted as a CNCF Sandbox project!
Here is the link to your onboarding task list: https://github.com/cncf/sandbox/issues/140
Feel free to reach out with any questions you might have!
Application contact emails
ravi@chamarthy.dev rchincha@cisco.com
Project Summary
a vendor-neutral OCI-native container image builder
Project Description
Software supply chain security is front and center in the minds of all security practitioners, especially given vital US government compliance requirements. stacker and OCI registries such as zot (a CNCF sandbox project) make a vendor-neutral end-to-end (build, publish, deploy) secure software supply chain viable.
Differentiation:
Org repo URL (provide if all repos under the org are in scope of the application)
https://github.com/project-stacker
Project repo URL in scope of application
https://github.com/project-stacker/stacker
Additional repos in scope of the application
https://github.com/project-stacker/stacker-bom
https://github.com/project-stacker/stacker-build-push-action
Website URL
https://stackerbuild.io
Roadmap
https://github.com/orgs/project-stacker/projects/1
Roadmap context
Contributing Guide
https://github.com/project-stacker/stacker/blob/main/CONTRIBUTING.md
Code of Conduct (CoC)
https://github.com/project-stacker/stacker/blob/main/CODE_OF_CONDUCT.md
Adopters
https://github.com/project-stacker/stacker/blob/main/ADOPTERS.md
Contributing or Sponsoring Org
https://www.cisco.com
Maintainers file
https://github.com/project-stacker/stacker/blob/main/MAINTAINERS.md
IP Policy
Trademark and accounts
Why CNCF?
The goals of this project are compatible with CNCF.
Benefit to the Landscape
Cloud Native 'Fit'
"Application Definition & Image Build"
Container images are the de facto application lifecycle mechanism in the cloud native world, making CNCF a great fit for this project, since it can also be readily used to meet secure software supply chain requirements in a vendor-neutral fashion.
Cloud Native 'Integration'
Although stacker is a standalone tool, the container images and artifacts it produces can be stored on OCI registries such as zot and deployed in Kubernetes. Furthermore, the artifacts such as SBOMs that it produces can be used for policy enforcement using tools such as Kyverno.
Cloud Native Overlap
Similarities:
Similar projects
Similar projects:
https://github.com/containers/buildah
https://github.com/docker/buildx
Landscape
yes
Business Product or Service to Project separation
N/A
Project presentations
https://github.com/project-stacker/stacker#conference-talks
Project champions
Stephen Augustus - https://github.com/justaugustus
Additional information
No response