Closed jessfraz closed 6 years ago
Jumping in here because I have strong opinions and GitHub is a great place to share them...
I think the incubation phase is just plain wrong.
If an inception process is all we have... then yes... That model seems flawed to me.
However, if we didn't have a way to formally work together on a piece of open source code then the project would be total anarchy. Which is why I think getting the CNCF involved as a mediator/peace keeper is a win.
Ideally we would live in a world where an open source project could CHOOSE to live alone and solve its own problems (Just like what we did with kubicorn) or it could CHOOSE to migrate to a more formal governance plan (like an incubator project).
This still gives the engineers behind the code the choice on which way to steer their project, and ideally projects would shift between the two modalities with ease.
tldr; If inception works for you, then feel free to use it and make the process awesome. If it doesn't work for you, then get out of the incubator. I was able to create a successful project from thin air using nothing but twitter, reddit, and hacker news, etc for promotion... So can you....
@jessfraz at the next TOC meeting we have an agenda item to discuss updating the graduation levels: https://lists.cncf.io/g/cncf-toc/topic/agenda_for_upcoming_cncf/9463078?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,9463078
The inception level serves a similar purpose as the Apache Incubator: not all projects are expected to succeed. It gives the @cncf/toc freedom to support projects it thinks have good practices; they are given space at our conferences to grow and build a community.
We've also started to update all projects pages to delineate and explain the different project levels. We are also redoing the landscape to reflect the different project levels, which should be out in a month or so.
Please see my proposed agenda for Feb 6 TOC meeting. You are most welcome to join that discussion.
The CNCF is the only foundation I am aware of that strives to align with how open source actually works. It does not try to "make fetch happen". The opposite is the case. Nobody wants Inception to be a mark of "We made it". It was created due to demand for an open space with some very modest rules so that very early projects could get a certain type of collaboration. Basically a sandbox - see "agenda for Feb 6" above.
Some of the structures in CNCF were forced on us by being in Start Up mode, also known as running before you can walk. Inception projects are supposed to have a failure rate & get cleaned up and/or removed. This is not widely known and has caused confusion. Last TOC we agreed to request that Inception's lower status be made clearer in our marketing. We may need to do more hence - see "agenda for Feb 6" above.
I don't want to go on and on. But, I think you have this wrong.
@kris-nova I think jess meant "inception" in her text
@monadic: Yeah @jbeda just pointed that out too 😄
I got them mixed up because it's all the same letters kinda and I'm a dingus but yeah inception haha
I think also making it very clear to outsiders what is in inception and what is in incubation is needed so that's good to hear. I have some problems where I think projects were even added to incubation solely for political reasons but that's just my opinion.
Honestly you all do you. And I hope the reputation of the CNCF becomes a place of real open source but it's pretty much already tainted in my mind. But I'm sure you can fix it before the rest become privy to what is actually happening.
In the meantime I will continue to use my platforms (uh twitter lol) to help boost the projects I believe in like Cilium.
I got them mixed up because it's all the same letters kinda and I'm a dingus but yeah inception haha
we are all dingi ;-)
I think also making it very clear to outsiders what is in inception and what is in incubation is needed so that's good to hear.
happening
I have some problems where I think projects were even added to incubation solely for political reasons but that's just my opinion.
say more?
Honestly you all do you.
?
And I hope the reputation of the CNCF becomes a place of real open source but it's pretty much already tainted in my mind.
say more? even if painful, say it
But I'm sure you can fix it before the rest become privy to what is actually happening.
!
I'm going to have a lot of people mad at me for this, but really ok, I'll be the bad guy, I'll call out all BS:
notary: no one actually uses it, it is integrated into docker but could never be turned on by default because LOL this issue https://github.com/moby/moby/issues/25852 (fwiw I actually use a notary server and signer with my private registry but I still think this was a political move because i personally see all the errors in its ways)
rkt and containerd: c'mon this screams politics... why both... really tho why... do you really want me to touch this very political mess here because I will. Also begs the question "wtf is OCI then?"
TLDR on the issue I linked but you literally cannot run an image you built locally when content trust is turned on.... like c'mon.... seriously... and that's the only project notary is built into....
Let me just reiterate in case ya missed it: you cannot build an image and then run it when notary is turned on in docker
So instead you must build the image, push the image, pull the image, and then.... you can run the image!!!
Honestly I don't think the people choosing what should be in the foundation have actually tried using the things or they would have seen what I saw. And the container runtime one is a different story obviously but not one I really want to get into tbqh.
Also I know no one uses notary in docker, the one project where it is integrated, because I was the sole person filing issues when official images went unsigned and you could not pull an image if it was turned on https://github.com/docker-library/official-images/issues/2537 (this happened multiple times and I just reused the same issue, you can see that there)
Someone sold you a lemon there and I'm unsure if you all were aware of it or not.
use std::disclaimer;
[Notary] ... the one project where it is integrated
You don't have 100% knowledge of Notary usage: in addition to the Docker Registry, VMware's Harbor and CoreOS's Quay also support DCT. Quay even extended Notary by working with the TUF maintainers to add multiple roots of trust, all in order to improve the poor UX. If the ecosystem cared, Quay would extend support to Application repositories, and then Helm charts and Kubernetes resources, for example, could also be secured by TUF.
I think it's a noble cause to give support to Notary/TUF, sadly you're correct that where it really needs help is not in the governance, but rather in the client-side UX and adoption.
Incubation is hard because it will always be contentious. Kubernetes operates on a smaller scale and has similar struggles with its own incubation process. I think this space is moving quickly and nobody fully understands the social implications of including a project in the CNCF.
So the foundation’s job is now to get the bad projects fixed? Instead of just adding good projects to start with.
Can someone please inform me of what the overall goal of this foundation is? Because I thought it was to give projects that are used and innovative help. Not help lost causes.
Also super confused about social implications I thought this was all technical merit and actual usage.
I would be willing to bet money that more people use my dotfiles than have notary turned on in docker.
Can I add my dotfiles to CNCF?
@jessfraz IMO the goal of the foundation is to foster rapid adoption of cloud native via good projects and education, in a manner that helps projects and gives end users confidence. See also https://github.com/cncf/toc/blob/master/PRINCIPLES.md
The first couple of years of CNCF have been 'start up mode'. Choose your metaphor: flying the plane while still attaching the wings, etc. We have focussed on getting velocity by working with projects that we think are part of the 'picture'. As we go along we learn more about what we need to do, how we can help projects, and more.
For example the Inception tier was something that we found we needed. But creating Inception has had negative unintended consequences - see slide 7 of https://docs.google.com/presentation/d/1fJ2luQv9JkwFfpg6i775gP6JH1zB21yiZSjJBiIG8ZI/edit?ts=5a5d3fac#slide=id.g2ee78fecd0_0_0
So we are taking action to clarify Inception. That starts with the marketing side - fixing the cncf.io website story on it. Some of that was delayed last year while CNCF/LF interviewed and made an offer to a full time marketing person.
I think we may need to do more! See https://lists.cncf.io/g/cncf-toc/message/1521 and please do feel welcome to join TOC calls where this will be discussed.
A few more points if I may:
One decision we reached late last year was that DD needs to be Moar Diligent. We want to raise the bar, IOW. We now have a clearer idea of what we are doing and more concrete projects to benchmark against. If we had tried to write all that down before having a bunch of projects, we would have spent years talking and disconnected from reality. Now we have some projects and we have TOC Contributors who volunteer to do real heavy-lifting in the DD stage. You are very welcome to help out here in DD if you wish.
We are about to Graduate some projects. This will force us to further clarify the tiering Inception>Incubation>Graduation.
The TOC also has the right to remove projects from CNCF, and in general adapt to needs as they emerge. Our view is that we (the TOC people with votes) are as ignorant as the next person when it comes to "what the future holds". We fully expect to be surprised by how some projects turn out. We cannot and will not try to predict the future of OCI-compliant implementations. Yes there are several right now. Yes we wanted some in the tent - because containers are right now pretty fundamental to the whole cloud native thing. A future TOC might take a strong view on some aspect of this, if it helps projects and users overall.
There is an End User group. This only just got formed - we needed critical mass. That group will be influential in the future, in some of the matters you raise.
Apart from Notary, containerd and rkt, is there any project that you feel is Bad or otherwise "in question"?
A transparent DD, or a yardstick against which similar solutions are evaluated, is currently missing.
The DD need not be comprehensive from day 1 but at least a live doc that keeps getting updated. It is quite possible that some that have moved into Graduation > Archived, because those projects no longer make sense (problems no longer exist) or a better solution has emerged.
One decision we reached late last year was that DD needs to be Moar Diligent. We want to raise the bar, IOW. We now have a clearer idea of what we are doing and more concrete projects to benchmark against. If we had tried to write all that down before having a bunch of projects, we would have spent years talking and disconnected from reality. Now we have some projects and we have TOC Contributors who volunteer to do real heavy-lifting in the DD stage. You are very welcome to help out here in DD if you wish.
@kmova do you mean something like this? https://github.com/cncf/toc/blob/9d4f27c5bd029d2a9a9284719c0b768feab9cb88/process/due-diligence-guidelines.md
Think the guidelines need to be broken up by graduation, or at least a bit of exposition on how the questions in the due diligence guidelines relate to the graduation criteria at each tier?
Some of the proposals have been very early stage - not having a lot of the technical questions even covered yet, but as the inception criteria are "add value to cloud native computing (i.e., containerization, orchestration, microservices, or some combination) and be aligned with the CNCF charter," it's hard to say no to a project on the grounds of not being able to answer most of those due diligence questions satisfactorily.
@randomvariable we have said no to quite a few projects.
You are very welcome to help out here in DD if you wish.
I thought this was the TOC's job? I figured the TOC would at least try to use the thing they are going to add. If they did try to use it they would have seen it did not work and I wouldn't be sitting here having the same argument I had two years ago about how it doesn't work.
Those three projects are the ones I'd label as being added by politics but honestly I haven't done due diligence in all the projects in the foundation because that's not my job. I thought that was the TOC's.
As the DD load has increased and the bar has gotten higher we have been asking more and more people for help. The role of TOC Contributor was created ....
If you look at recent DD docs and Github threads I think you will see this is taken rather seriously.
Here's info along with explanation of why TOC contributors exist: https://github.com/cncf/toc/blob/master/CONTRIBUTORS.md#toc-contributor-information
This is not only about individual contribution. It is also about rallying help from your employer. Given the breadth of projects represented by cloud native, it is impossible for anyone to be an expert in all technologies that we’re evaluating. We’re particularly interested in TOC Contributors that can act as a focal point for tapping relevant expertise from their organizations and colleagues in order to engage with CNCF discussions in a timely manner. The TOC already has the pattern of encouraging non-members to make non-binding votes, so no change in the TOC charter is necessary to allow Contributors.
If you are interested in engaging in this way, we would encourage you to issue a pull request here that you desire to become a TOC Contributor. Although there is not an actual limit of having one TOC Contributor per company, we would encourage CNCF member companies to designate an official TOC Contributor who is tasked with consulting internal experts and expressing a semi-official view on a given project.
We can't expect the @cncf/toc to be experts in every aspect of software and rely on our community to pitch in during the due diligence phase which every project goes through.
Nah sorry if I’m going to devote time to something I’d like a real vote.
If needed I can be a volunteer to try every project and see if it works - that would be fun :)
@jessfraz why?
@lukaszgryglicki thank you please let @caniszczyk know
Because I'd rather spend my time actually writing software than playing politics on mailing lists. This is exhausting, I actually don't know how people do this. And this is not my first rodeo, it's not even my first rodeo on the "notary is flawed by design" argument. I have other places I would like to devote my time, so if I had a vote I would take it seriously but no, otherwise I'm not going to waste time trying to use politics to convince you all I am right.
Some notary stats can be found there: https://notary.cncftest.io https://notary.cncftest.io/dashboard/db/project-statistics?orgId=1 https://notary.cncftest.io/dashboard/db/companies-stats?orgId=1
I don't need stats to know that no one actually uses it in docker ;)
Sure, I've just posted this - it may be useful for somebody...
@jessfraz just in case it was not clear from my previous comments, the CNCF is not a retirement home for dead projects. The TOC are fully empowered to remove projects that do not play a role.
Re "if I’m going to devote time to something I’d like a real vote" you said "I'd rather spend my time actually writing software than playing politics on mailing lists".
Here is a DD example: Vitess. Would you be willing to comment on whether this DD is enough, or not, and how the process could be improved? Please note that Vitess is not uncontroversial.
Overall Guidelines: https://github.com/cncf/toc/blob/master/process/due-diligence-guidelines.md
Doc: https://docs.google.com/document/d/1p7gqlpQNJpZtsolHeX6vXR4NXXwGrCMsCz8rSi5jsBA/edit#
Github: https://github.com/cncf/toc/pull/67
Mailing list thread: https://lists.cncf.io/g/cncf-toc/message/1537
I understand the due diligence stuff and I think it has a good purpose.
My point is, if I am going to "vet" a project as being ok, then I am going to have to read about vitess, install vitess, run vitess for a few days, look at original design docs, and actually grow an informed opinion on vitess. Maybe I am just a perfectionist, but I would spend quite a bit of time looking into it, and my time is not free. I love y'all and I think what you are trying to do is noble, but I would rather be writing software with my free time or take a walk in nyc.
Quite a few people, other than myself, died on the "notary is flawed by design" hill two years ago. So I was not really keen on jumping right into that fire again, especially when I was assuming projects got added purely based on politics.
@jessfraz re "... read about vitess, install vitess, run vitess for a few days, look at original design docs, and actually grow an informed opinion on vitess".
We have been turning over a lot of rocks with vitess for a long time, and consulting with production end users.
I like your (implied) suggestion that DD should include a DD volunteer trying to install and run the software from scratch. I'm sorry you are too busy to be that person from time to time (note: most of us are busy). Could you perhaps add a PR to https://github.com/cncf/toc/blob/master/process/due-diligence-guidelines.md ? That would be helpful IMO.
I do hear you re Notary and I want to address your general points first.
I will chime in the future when I have informed opinions but I like to remain silent when I’m not informed :)
Sure I can also add that to the process
Quite a few people, other than myself, died on the "notary is flawed by design" hill two years ago.
This may not be the correct venue, but I'd like to hear more about this. From what you've discussed, it sounds more like a problem of integrating Notary client with Docker and nothing inherent to TUF.
I have no problems with TUF; my problem is that notary is flawed by design. If you can't use it client side and everyone just keeps it turned off because it's unusable when it's turned on and breaks the very workflow that made docker popular, then ya it doesn't work. Security that is unusable will not be used.
@jzelinskie as far as the internal politics that unfolded around that issue, you can ping me on the k8s slack :)
@jessfraz thanks, yes please do chime in on DD process guidelines.md
Re: Notary. The TOC evaluated TUF and Notary together and it was a long and slow process involving many points of view. That process may have been flawed, and if you could take a look at the discussions it could help too. If you do not want to do that, then time will tell if Notary moves forward, backward, up or down. The CNCF is constituted so as to react appropriately.
I saw the discussion, and points of view are motivated. I think people who have binding votes should form opinions not based on motivated opinions.
I'll cross my fingers that some nice soul at CoreOS or otherwise can fix the flawed design and actually get it to work. Or ya know they can always build and design something that works from the very start :)
If the design is flawed as you say, then fixing it would be better than removing the project or the whole tier
if the design is flawed as you say
Ya I would consider something that breaks the very workflow that made docker popular flawed. But open to hearing from others as to how that is not true :)
Almost like “double jeopardy” I don’t think you can die on the same hill twice so I’m willing to have this argument now
I think everyone else may have left the room now :-(
In all seriousness, if projects have flaws, then either they are fixable ("let's fix them!") or they are fundamental and may even be non-obvious. If so then time will flush them out.
may the odds be ever in their favor :)
I think there is fair amount of due diligence being done by folks, often behind the scenes. I know I've spent quite a bit of time the past few months digging into SPIFFE, etc. to provide an outside / independent security analysis.
If you have the time, in my experience the community here is quite appreciative.
For me, there is only so much time I can walk along the Brooklyn Heights promenade or Prospect Park before I want to dig back into some tech. :)
On Tue, Jan 30, 2018 at 2:23 PM, Jess Frazelle notifications@github.com wrote:
I understand the due diligence stuff and I think it has a good purpose.
My point is, if I am going to "vet" a project as being ok, then I am going to have to read about vitess, install vitess, run vitess for a few days, look at original design docs, and actually grow an informed opinion on vitess. Maybe I am just a perfectionist, but I would spend quite a bit of time looking into it, and my time is not free. I love y'all and I think what you are trying to do is noble, but I would rather be writing software with my free time or take a walk in nyc.
Quite a few people, other than myself, died on the "notary is flawed by design" hill two years ago. So I was not really keen on jumping right into that fire again, especially when I was assuming projects got added purely based on politics.
@justincappos to each their own. I can have a lot more impact spending my time building, designing, and writing innovative software.
I commend your ability to enter a burning building or maybe you didn’t spend your time reading the whole thread.
@jessfraz I appreciate your perspective on this issue, your detailed understanding of notary, and I think we all agree that we can, if not exactly do better, be more specific about what we can do in vetting projects. But I would like to remind everyone on this thread that we are trying to build a collaborative community and this thread to me feels like it has become unproductive to that end. I would appreciate it if we remembered that collaboration is hard in the face of blame, and remind ourselves of that community goal in further discussions.
I will leave this to you all as my last request before stepping aside from caring about this.
Please consider removing inception. It was described to me as being there mainly for things like "linkerd" so service meshes before service meshes were cool. Now service meshes are cool. Actually I can't stop hearing about service meshes. Everyone is drinking the service mesh koolaid.
Can you directly tie the service mesh awareness now to accepting linkerd? because I honestly think it was more Envoys release that caused service meshes to become A Thing ™️
I think the inception phase is just plain wrong. Open source is awesome because projects that are good and fill a real need get traction. Without a doubt they get traction by being open source and actually filling a need people have. Look at docker, or literally anything in the explore section of github https://github.com/explore. Projects get organic growth when they are good! I am not buying this whole "we need to put it in inception so people notice it" thing. That's quite frankly BS. If it doesn't have traction maybe that's because no one needs it.
Inception feels like an attempt to play god. Or become a startup incubator. This should not be the role of the foundation to bootstrap growth of random open source projects. Let the projects grow organically and when they have so much growth they cannot handle it, then let them join.
Not that I have a project with enough users, but if I did I'd honestly consider adding it to a real foundation like Software Conservancy and not a Linux Foundation derivative, which are all 501(c)(6), which is a trade association (see https://www.irs.gov/charities-non-profits/other-non-profits/business-leagues)
In the words of Regina George "stop trying to make fetch happen". It will happen if it happens. Thanks.