cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://tag-security.cncf.io

[Proposal] CNCF Mentorship proposals #1058

Open jkjell opened 1 year ago

jkjell commented 1 year ago

Description: what's your idea?

Impact: Describe the customer impact of the problem. Who will this help? How will it help them?

Help grow community interest and participation in all aspects of TAG Security and related work. This will also support the broader CNCF efforts around mentorship: https://github.com/cncf/mentoring

Scope: How much effort will this take? It's ok to provide a range of options or "not yet determined" for initial proposals. Feel free to include proposed tasks below or link a Google doc.

I see two aspects to this:

  1. Proposing project ideas to different mentorship programs. This would be an ongoing effort to submit proposals to the different programs.
  2. Collecting a list of possible mentors in the security space. It generally looks like the programs listed in CNCF Mentoring last around 3 months. The time commitment for mentoring will need to be matched with the mentee's experience and the project's requirements.

For program proposals, we could collaborate with other CNCF projects interested in performing security-related work (i.e. securing their supply chain, performing security self-assessments, establishing security policies), or we could propose items for work more directly related to TAG Security and its working groups.

TO DO

ragashreeshekar commented 1 year ago

Thanks for bringing this idea @jkjell. This sounds interesting, and it's an initiative I have wanted to support for some time now. I can support as one of the TAG reps.

stale[bot] commented 1 year ago

This issue has been automatically marked as inactive because it has not had recent activity.

PushkarJ commented 10 months ago

@eddie-knight to share more about the maintainer needs he heard during security slam

eddie-knight commented 10 months ago

During the Security Slam we use CLOMonitor to measure projects against the CNCF security hygiene standards. Projects we've spoken with who aren't able to meet the standard generally fall into three categories:

  1. Projects who have plenty of maintainer presence but the security hygiene standards presented by CNCF are a lower priority than their existing backlog of work.
  2. Projects who don't have a strong maintainer presence, and are barely keeping up with their backlog of work.
  3. Projects who don't understand or agree with the hygiene standards.

In the case of the first two types of project, a strong case could be made for guiding mentees to make the recommended security hygiene contributions. There is a body of material that can already streamline some of this work, but some elements will likely need a bit more guidance.

I don't want to name any projects here in case the situations change over time, but I'm happy to collab with anyone who wants to help pair mentees with projects who would benefit most from the support.

PushkarJ commented 10 months ago

Thank you @eddie-knight. These are great insights.

Would you mind making introductions with one or two project maintainers (a Slack group chat is ok) that you have in mind and sharing https://lfx.linuxfoundation.org/tools/mentorship with them as a way to get some security items off their plate, with some expectation of mentoring? Let's be transparent and say that this will be a pilot, but one or more of us from TAG Security can help craft the project / program proposal with them.

eddie-knight commented 10 months ago

I reached out to the ContainerSSH maintainers, and they're excited to hear more about this. Making an intro on Slack now.

Will do the same when I hear back from a second interested project.