[Incubation] wasmCloud Incubation Application

[thomastaylor312]

wasmCloud Incubation Application

Project Repo(s): https://github.com/wasmCloud/wasmCloud Project Site: https://wasmcloud.com Sub-Projects:

• https://github.com/wasmCloud/wadm
• https://github.com/wasmCloud/wasmcloud-operator

Communication: slack.wasmcloud.com

Project points of contacts:

• Taylor Thomas, taylor@oftaylor.com
• Brooks Townsend, brooksmtownsend@gmail.com
• Bailey Hayes

Incubation Criteria Summary for wasmCloud

Adoption Assertion

The project has been adopted by the following organizations in a testing and integration or production capacity:

• Adobe
• TM Forum (includes Orange, Vodafone, Etisalat)
• Machine Metrics
• SigScale
• Cosmonic

Application Process Principles

Suggested

N/A

Required

• [X] Give a presentation and engage with the domain specific TAG(s) to increase awareness

  • This was completed and occurred on 15-06-2023, and can be discovered at https://youtu.be/j_cUEQttTuw?si=jJTGdnMRUif1w-qb.

• [X] TAG provides insight/recommendation of the project in the context of the landscape

This was done in the TAG meeting above as well as in the Wasm WG of TAG Runtime: https://youtu.be/cyKC3Rse37Y?si=vBIJ3Sr6piyJdnXU/.

• [X] All project metadata and resources are vendor-neutral.

• [X] Review and acknowledgement of expectations for Sandbox projects and requirements for moving forward through the CNCF Maturity levels.

Met during Project's application on 23-05-2024.

• [X] Due Diligence Review.

Completion of this due diligence document, resolution of concerns raised, and presented for public comment satisifies the Due Diligence Review criteria.

• [X] Additional documentation as appropriate for project type, e.g.: installation documentation, end user documentation, reference implementation and/or code samples.

For full documentation, including walkthroughs, architecture, and code samples, see the wasmCloud docs site: https://wasmcloud.com/docs

Governance and Maintainers

Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.

Suggested

• [X] Clear and discoverable project governance documentation.

Governance documentation is available at the top level repo: https://github.com/wasmCloud/wasmCloud/blob/main/GOVERNANCE.md

• [X] Governance has continuously been iterated upon by the project as a result of their experience applying it, with the governance history demonstrating evolution of maturity alongside the project's maturity evolution.

Our governance docs were based on other incubating and graduated CNCF projects with feedback from multiple community members who are long time CNCF contributors. We have updated the docs as needed to clarify and evolve them

• [X] Governance is up to date with actual project activities, including any meetings, elections, leadership, or approval processes.

The Governance doc is up to date and additional information on meetings and contribution are available in the README and CONTRIBUTING docs

• [X] Governance clearly documents vendor-neutrality of project direction.

Our commitment to standards-based development is well documented throughout our project, but in particular can be found here: https://wasmcloud.com/docs/concepts/components. Everything that runs against WebAssembly standards will run with wasmCloud and vice versa.

• [X] Document how the project makes decisions on leadership, contribution acceptance, requests to the CNCF, and changes to governance or project goals.

Documented in GOVERNANCE

• [X] Document how role, function-based members, or sub-teams are assigned, onboarded, and removed for specific teams (example: Security Response Committee).

Roles are assigned and removed by org or project maintainers as decisions are made. Because the project is still small enough, all onboarding is done generally in the form of "ride alongs" with existing maintainers. As the project grows, we plan to put more formal procedures around onboarding in place

• [X] Document a complete maintainer lifecycle process (including roles, onboarding, offboarding, and emeritus status).

Defined in our contribution ladder

• [X] Demonstrate usage of the maintainer lifecycle with outcomes, either through the addition or replacement of maintainers as project events have required.

We have added and removed various project and org maintainers over the years with clear announcements in the project Slack and in our weekly community meetings

• [X] If the project has subprojects: subproject leadership, contribution, maturity status documented, including add/remove process.

There are currently only two active subprojects, both of which are directly related to the main wasmCloud project (which is a monorepo containing several projects). These projects are at the same level of maturity as wasmCloud and are governed by our governance documentation

Required

• [X] Document complete list of current maintainers, including names, contact information, domain of responsibility, and affiliation.

A full list of all teams and contributors is available on GitHub: https://github.com/orgs/wasmCloud/teams

• [X] A number of active maintainers which is appropriate to the size and scope of the project.

• We have 11 committers (maintainers) who manage wasmCloud and its various projects.

• In addition to our maintainers, we have a total of 86 contributors to the project since conception, and over the last year we have averaged over 16 contributors on a month-by-month basis.

• [X] Code and Doc ownership in Github and elsewhere matches documented governance roles.

Our teams list and permissions are aligned with our defined roles and are further documented in our CODEOWNERS file

• [X] Document agreement that project will adopt CNCF Code of Conduct.

We will adopt the CNCF code of conduct

• [x] CNCF Code of Conduct is cross-linked from other governance documents.

We don't have this linked yet. Should this be added after we adopt the full code of conduct?

• [X] All subprojects, if any, are listed.

Yes. See the top of this document

Contributors and Community

Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.

Suggested

• [X] Contributor ladder with multiple roles for contributors.

Defined in our contribution ladder document

Required

• [X] Clearly defined and discoverable process to submit issues or changes.

Available in our README and CONTRIBUTING docs

• [X] Project must have, and document, at least one public communications channel for users and/or contributors.

Both our README and wasmcloud.com have links to the community Slack

• [X] List and document all project communication channels, including subprojects (mail list/slack/etc.). List any non-public communications channels and what their special purpose is.

Project communication is done through Slack, GitHub, and our weekly community meeting

• [X] Up-to-date public meeting schedulers and/or integration with CNCF calendar.

Our weekly meeting appears on the CNCF calendar

• [X] Documentation of how to contribute, with increasing detail as the project matures.

Available in CONTRIBUTING.md

• [X] Demonstrate contributor activity and recruitment.

• We have a total of 86 contributors to the project since conception, and over the last year we have averaged over 16 contributors on a month-by-month basis.

• Over the last year, we have averaged 486 commits and 110 PRs on a monthly basis

Engineering Principles

Suggested

• [X] Roadmap change process is documented.

Our roadmaps are documented both on the website and on GitHub with regular updates and discussions in the community call.

• [X] History of regular, quality releases.

We have a long history of releases, maintaining backwards compatibility and well-documented breaking changes

Required

• [X] Document project goals and objectives that illustrate the project’s differentiation in the Cloud Native landscape as well as outlines how this project fulfills an outstanding need and/or solves a problem differently.

The main goals and objectives are documented here. For those who want to run Wasm in production for its unique benefits, wasmCloud is only one of a few options available that focuses on general purpose production use cases. Within the CNCF itself, there is only one other Wasm native project, and that is WasmEdge. WasmEdge is a runtime and not a platform (and has different goals). wasmCloud is highly focused on delivering a standards compliant application platform built on the Component Model and most projects in this space are new. A partial list of projects also in the space include Spin, WasmEdge, Nginx, and Wasm Workers Server. Most of these projects focus on FaaS style workloads and HTTP triggered applications. wasmCloud also follows various cloud native patterns such as reconcilation loop based workloads and native integration with existing tools such as Kubernetes and OCI.

• [X] Document what the project does, and why it does it - including viable cloud native use cases.

Main documentation about what the project does can be found on wasmcloud.com. Below we've added a few additional bullet points that summarize the main points in context of Cloud Native:

• wasmCloud is an open, secure and production-ready platform for orchestrating distributed WebAssembly (Wasm) components at scale and in any location.

• wasmCloud can run as a single binary, as a container, or in Kubernetes using our Operator, or as a part of a standalone deployment. In addition, wasmCloud uses various CNCF projects and standards such as NATS for the messaging layer of its application; running its WebAssembly binaries by downloading from OCI compliant registries; exporting traces, logs, and metrics to OTEL compatible collectors; and defines its declarative application manifests using the Open Application Model. Essentially, the wasmCloud project can integrate into any existing Cloud Native architecture at various extension points depending on needs.

• Our commitment to architecting in a Cloud Native style can be seen in our wasmCloud Application Deployment Manager (wadm) project that enables declarative wasmCloud applications. Wadm manages a set of application deployment specifications, monitoring the current state of compute, and issuing the appropriate control commands required to close the gap between observed and desired state (i.e a reconciliation loop). As useful a tool as Kubernetes is, it is inextricably tied to containers. A wasmCloud application includes distributed WebAssembly Components and capability providers. We are able to take advantage of the unique constraints and opportunities of scheduling for a WebAssembly runtime that can run from edge to cloud. Combined with the wasmcloud-operator, wadm offers WebAssembly Components native orchestration with tight integration and extensibility in Kubernetes.

• [X] Document and maintain a public roadmap or other forward looking planning document or tracking mechanism.

Our roadmaps are documented both on the website and on GitHub

• [X] Document overview of project architecture and software design that demonstrates viable cloud native use cases, as part of the project's documentation.

See the previous bullet point on viable cloud native use cases for a full overview of design principles and ideas. The Concepts section of our docs (as well as other parts of our docs) contains even more information about how the project works and integrates with other cloud native technologies

• [X] Document the project's release process.

Release times/dates are decided by project maintainers and the release process is mostly automated with documentation available

Security

Note: this section may be augmented by a joint-assessment performed by TAG Security.

Suggested

N/A

Required

• [X] Clearly defined and discoverable process to report security issues.

This is documented in our SECURITY.md document.

• [X] Enforcing Access Control Rules to secure the code base against attacks (Example: two factor authentication enforcement, and/or use of ACL tools.)

As previously documented above, our repo uses GitHub teams and CODEOWNERS files to enforce merge and commit privileges. Because the project is on GitHub, 2FA is mandatory and enabled

• [X] Document assignment of security response roles and how reports are handled.

This is documented in our SECURITY.md document.

• [X] Document Security Self-Assessment.

In October 2023, Trail of Bits completed a full security audit of the wasmCloud project in which we passed with the discovery of only a few minor security issues.

• [X] Achieve the Open Source Security Foundation (OpenSSF) Best Practices passing badge.

We have achieved this badge, with results available here: https://www.bestpractices.dev/en/projects/6363

Ecosystem

Suggested

N/A

Required

• [X] Publicly documented list of adopters, which may indicate their adoption level (dev/trialing, prod, etc.)

Our public list of adopters can be found here. Some who have spoken about it in public (listed at the top of the document) are currently working on adding themselves to this list

• [X] Used in appropriate capacity by at least 3 independent + indirect/direct adopters, (these are not required to be in the publicly documented list of adopters)

In addition to the adopters listed at the top of the document, we also have at least 2 other non-public adopters using it at large companies. As appropriate, we will update our list as we get permissions from those companies.

• [ ] TOC verification of adopters.

Leaving this item unchecked until TOC can verify adopters

Refer to the Adoption portion of this document.

• [X] Clearly documented integrations and/or compatibility with other CNCF projects as well as non-CNCF projects.

These integrations are documented on wasmcloud.com.

For reference, we either integrate with or build on top of the following projects:

• NATS (CNCF)
• OpenTelemetry (CNCF)
• Open Application Model (CNCF)
• Kubernetes (CNCF)
• Wasmtime (ByteCode Alliance)
• Component Model (W3C)
• OPA (CNCF)
• OCI and related ecosystem (e.g. SigStore, Chainguard, etc) (LF)

Additional Information

[thomastaylor312]

This supersedes #1198 as we needed to update to use the new templates and process!

[mauilion]

Hey Folks what is the status of the adoption of the Code of Conduct?

[thomastaylor312]

@mauilion We're totally good to add it in. My comment under that section was

We don't have this linked yet. Should this be added after we adopt the full code of conduct?

I just wasn't sure if we did this before final approval or if you want us to do it now. As confirmed in the issue, we will adopt the code of conduct, it was just unclear when it was needed. I can go ahead and open a PR now if that will be easier!

[thomastaylor312]

@mauilion We got all the approvals from org maintainers and have made sure we have officially adopted and linked out to the CNCF code of conduct: https://github.com/wasmCloud/wasmCloud/blob/main/GOVERNANCE.md#code-of-conduct.

I've marked off the checkbox for that item in the list

[mauilion]

I have begun the adopter interview process and am working on the due diligence.

[TheFoxAtWork]

Due to unexpected circumstances, this project is being reassigned. The current DD document will be picked up by the next TOC assignee, we anticipate this project’s public comment period to be soon. Our sincerest apologies to the project for the lengthy delay in conducting this due diligence. We’ll be correcting the TOC governance to ensure it does not occur again.

[angellk]

2 of 3 Adopter interviews have been approved for public inclusion in DD - waiting for 3rd approval.

PR for public comment will be submitted today.

cc: @dims @TheFoxAtWork

[angellk]

All 3 Adopter interviews have been added and the wasmCloud Incubation DD is open for TOC review and public comment until November 8 when it will move to TOC vote.

xref: https://github.com/cncf/toc/pull/1468

[angellk]

@mrbobbytables could you please confirm okay to close?