Dealing with Legal Affairs in Kubernetes

[dims]

Over time, when we had questions about some legal issues, we would open issues where some folks with legal background at CNCF would help us navigate them, examples are

• https://github.com/cncf/foundation/issues/143
• https://github.com/kubernetes/community/issues/5734

more recently,

• https://github.com/cncf/foundation/issues/290

Committees like Steering, CoCC and Security Response Committee (SRC) are typically entities in Kubernetes that ask/require this sort of help due to the nature of the business they have to conduct in the community. SRC takes care of securing Kubernetes with CVE reporting/embargo processes. Steering makes decisions on top level communications/trademarks/licenses and difficult people situations and the CoCC helps with enforcing and maintaining the Code of Conduct and deals with situations as they arise. Due to this very nature, members of these Committees may very well be under extra scrutiny for their actions from a legal perspective. As an open source project under a foundation it would be best to get more "official" help from the foundation (CNCF or LF) publicly and privately to leaders from the community who are taking on roles in the community.

There are a variety of things we have seen in the open source community such help. Some of the foundations have a private legal related list where folks can privately raise concerns and research options. Others have legal counsel on retainer for when issues arise. Some counsel do pro-bono work in the open source community. In some cases an individual is covered by their companies legal counsel, in the case of many part-timers, more often than not, they are not.

When folks are acting on behalf of the project in a named role, their company counsel may or may not have experience/expertise in how open source works and frankly may not even want to take a risk on behalf of the company. Often, folks don't know what their exposure is either. Mostly we have done fine so far with what we have, But that may not be the case going forward, so we need to come up with fresh ideas and shield our community members and support them in their work for our community.

Here are some of the possibilities:

• [ ] Private Mailing List (say "legal@kubernetes.io") with participants and their legal counsel including CNCF staff and counsel
• [ ] Highlight risk to potential future members of the committees in our governance documentation for an informed decision
• [ ] Directors and Officers Insurance (see funding request here)
• [ ] Well-defined process for retaining of legal counsel for answers/advice/risk when situations arise
• [ ] Thorough vetting of our current processes in CoCC, SRC and Steering to find holes in existing processes (and when we define new ones)

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[mrbobbytables]

/remove-lifecycle stale /lifecycle frozen