lfai / foundation

Documentation related to the operation of LF AI & Data (https://lfaidata.foundation/)

Onboarding Tracker for Artigraph #35

Closed ibrahimhaddad closed 1 year ago

ibrahimhaddad commented 2 years ago

The following tasks are required to complete onboarding for a Sandbox level project joining the LF AI & Data Foundation. LF Staff will engage with the technical project lead via this issue and work through the checklist to completion.

LF AI & Data Staff: Review each item, confirm completion, and add any relevant notes.

Note: (ED) Executive Director, (Tech) Technical Lead, (PM) Program Management & Operations Lead, (Mktg) Marketing Lead

TECHNICAL PROJECT DETAILS

--Maturity Level Proposed: Sandbox
--Company Sponsor (Full Legal Name): N/A
--Technical Contact: Jacob Hayes
--Legal Contact: N/A
--TAC Sponsor: Ibrahim Haddad
--TAC Approval Date: 01/27/2022
--Project in SFDC:
--Project License: Apache 2.0
--Project Presentation: Slides
--Project Proposal per LF AI & Data: Link to GH
--Project Artwork: https://github.com/artigraph/artwork

LICENSING

CONTRIBUTION

PROJECT ASSETS

TAC & GOVERNING BOARD REVIEW

INFRASTRUCTURE

OPERATIONS

MARKETING

LEGAL FOLLOW UP

ErinThacker commented 2 years ago

@JacobHayes - do you have a Linux Foundation ID (LF ID)? If not, can you sign up for one here? [https://identity.linuxfoundation.org/user/login?destination=user]

We're in the middle of a migration to another platform, so if you have issues creating a new ID, let me know.

JacobHayes commented 2 years ago

@ErinThacker Just made one - it should be JacobHayes!

ErinThacker commented 2 years ago

@JacobHayes - a few more steps. LFX Security is now onboarded in the PCC at (https://projectadmin.lfx.linuxfoundation.org/project/a092M00001KWvNqQAL/tools/security/overview)

It requires the security bot to be installed on the repo by someone with admin access. Once you're there, navigate to the + sign on the right of the "Connect" field, enter artigraph as the GitHub repo, and follow the instructions for installing the security bot.

This is a new process for us, so please don't hesitate to reach out if you have any issues with installing the security bot. Once you've finished this task, let me know and I'll let our team know the project is ready to be secured. Thx!

ibrahimhaddad commented 2 years ago

@JacobHayes @ErinThacker - I activated LFX Security.

JacobHayes commented 2 years ago

@ErinThacker @ibrahimhaddad FYI - I don't have access to https://projectadmin.lfx.linuxfoundation.org/project/a092M00001KWvNqQAL/tools/security/overview, but I requested access for the future.

JacobHayes commented 2 years ago

The https://lists.lfaidata.foundation/g/artigraph-security description says "Use this mailing list to report security vulnerabilities in the OpenBytes project" rather than "the Artigraph project". Can this be updated? I don't appear to be able to.

ErinThacker commented 2 years ago

@JacobHayes - this has been fixed, thank you!

JacobHayes commented 2 years ago

Question on this CII Silver badge question:

The project MUST be able to continue with minimal interruption if any one person dies, is incapacitated, or is otherwise unable or unwilling to continue support of the project. In particular, the project MUST be able to create and close issues, accept proposed changes, and release versions of software, within a week of confirmation of the loss of support from any one individual. This MAY be done by ensuring someone else has any necessary keys, passwords, and legal rights to continue the project. Individuals who run a FLOSS project MAY do this by providing keys in a lockbox and a will providing any needed legal rights (e.g., for DNS names). (URL required) [access_continuity]

I'm currently the only project member, but @ibrahimhaddad has been added to the @artigraph organization - will that suffice? I guess pypi keys aren't shared / releases automated in GH yet.

Similar on this question:

The project SHOULD have a "bus factor" of 2 or more.

JacobHayes commented 2 years ago

Also, FYI - I won't be able to access LFX Security for Artigraph as I'm not part of a backing organization (support ticket). That's probably fine, I just can't see what security issues were detected (only that there were 230 😅).

ErinThacker commented 2 years ago

@JacobHayes - re: the CII Silver badge question: all projects should have thelinuxfoundation & ibrahimhaddad added which should suffice for that requirement. @ibrahimhaddad - can you please confirm?

On LFX Security - sorry about the current limitations, you can consider this item "done" until more access is available.

jzcardoso commented 2 years ago

@ibrahimhaddad and @ErinThacker -- We are pretty close to finishing the onboarding for Artigraph. Can you take a look at the open items you are working on and update the tracker?

@ErinThacker If you have any questions, please reach out.

ErinThacker commented 2 years ago

@ibrahimhaddad - can you give me an update on these items: Licensing (FOSSology scan) and Project Assets (artwork)

ErinThacker commented 1 year ago

No artwork at this time as this is a Sandbox project. Upon graduation to Incubation stage, logo will become available.