Onboarding Tracker for Artigraph

[ibrahimhaddad]

The following tasks are required to complete onboarding for a Sandbox level project joining the LF AI & Data Foundation. LF Staff will engage with the technical project lead via this issue and work through the checklist to completion.

LF AI & Data Staff: Review each item, confirm completion, and add any relevant notes.

Note: (ED) Executive Director, (Tech) Technical Lead, (PM) Program Management & Operations Lead, (Mktg) Marketing Lead

TECHNICAL PROJECT DETAILS

--Maturity Level Proposed: Sandbox --Company Sponsor (Full Legal Name): N/A --Technical Contact: Jacob Hayes
--Legal Contact: N/A --TAC Sponsor: Ibrahim Haddad --TAC Approval Date: 01/27/2022 --Project in SFDC: --Project License: Apache 2.0 --Project Presentation: Slides --Project Proposal per LF AI & Data: Link to GH --Project Artwork: https://github.com/artigraph/artwork

LICENSING

• [x] (Tech/ED) Project license exists and is OSI-approved
• [x] (Tech/ED) Proposed license inline with umbrella's IP Policy
• [x] (Tech/ED) Pre-intake FOSSology scan complete, shared with project, and no major incompatible licenses detected
• [x] (Tech/ED) Determine known components/dependencies not under compatible license

CONTRIBUTION

• [x] (Tech/ED) Deactivation of CLA/DCO in place and adopt GitHub's DCO at https://github.com/apps/dco
• [x] (Tech/ED) Share/Discuss Project Charter Template and Finalize with Project (update New Projects Onboarding with Legal Status Tracking) Note: The technical charter is tailored for LF AI & Data - Copy is to be created for each project - The technical charter will always need the following information dropped in place: the short name of the project (where [Community Name] appears); a short mission statement following the "The mission of the project is to..." convention; and confirmation of the specific licenses in Section 7 for code and/or data (many projects will not need data and this subjection regarding data licensing in those cases can be removed)
• [x] (Tech/ED) Share/Discuss Account & Trademark Assignment Template and Finalize with Project (update New Projects Onboarding with Legal Status Tracking) Note: The trademark assignment agreement is also tailored for LF AI & Data - Copy is to be created for each project - As for the trademark agreement, we will entertain changes from companies contributing projects but we ask that the following be made clear to project sponsors: the contribution agreement was prepared to be a balanced agreement -- A large number of our members sign this as drafted; and extensive comments and revisions to the agreement will involve time which will slow down a project's start with LF AI & Data
• [x] (Tech/ED) Verify CII Badge (Silver) link and passing status --https://bestpractices.coreinfrastructure.org/en/projects/5561#quality

PROJECT ASSETS

• [x] (Tech/ED) Logos confirmation // If logos exist post to GitHub Artwork repo and save in Project Logos in LF internal Google Drive folder
• [x] (Tech/ED) Domain name confirmation // We bought artigraph.io and transfered artigraph.dev
• [x] (Tech/ED) Project website tracking // Add link and name/email of authorized user for website to LF internal tracking // we will design a website for the project when it graduated into Incubation stage

TAC & GOVERNING BOARD REVIEW

• [x] (Tech/ED) Provide project proposal process/template to project sponsor (https://github.com/LFDLFoundation/proposing-projects/tree/master/proposal-process)
• [x] (Tech/ED) Confirm/Schedule presentation date during TAC meeting - Add to TAC Mtg Agenda Tracking
• [x] (Tech/ED) Review and confirm final proposal and presentation deck
• [x] (Tech/ED) Add project presentation to TAC agenda/deck and send to tac-general mail list with agenda info
• [x] (Tech/ED)Send project presentation and proposal to tac-private mail list with reminder on attendance and quorum requirements for voting members
• [x] (PM) Verify TAC minutes with project TAC vote results

INFRASTRUCTURE

• [x] (Tech/ED) Update proposal to show project accepted in GitHub Project List
• [x] (Tech/ED) Setup org in Github, add 'thelinuxfoundation' as an owner - Allows us to maintain continuity of GH ownership
• [x] (Tech/ED) Migrate code repository to new GH org
• [x] (Tech/ED) Add project to LF AI & Data Landscape and mark it as an LF AI & Data project

OPERATIONS

• [x] (PM) Post final technical charter to GH Project Charters repo and ensure it is saved in LF internal Projects Google Drive folder
• [x] (PM) Add project to Current Projects section on LF AI & Data wiki --replace logo as soon as artwork is finished
• [x] (PM) Set up other misc collaboration tools agreed upon during proposal/acceptance, if any
• [x] (PM) Set up project mail lists (announce, tsc, technical-discuss, security) under LF AI & Data Groups.io
• [x] (PM) Add initial project lead(s) to applicable mail lists (main, announce, events, tac-general, project mail lists, technical-projects)
• [x] (PM) Set project lead as moderator for mail lists as applicable for ongoing management
• [x] (PM) Add LF AI & Data marketing manager to project announce mail list as moderator for sending announcements
• [x] (PM) Send onboarding email with next steps info and resources - Includes Technical Getting Started Checklist
• [x] (PM) Set up project wiki space under LF AI wiki - Upon request only per onboarding email info provided to project --pending request from project.
• [x] (PM) Request project to be added to LFX Insights via Jira Service Desk for request --revisit when onboarding resumes in April --marked as resolved on 09/27/2022, tracked in LF AI & Data Trello Board for Insights v.2 release on 09/30/2022.
• [x] (PM) Request project to be added to [LFX Security] (https://security.lfx.linuxfoundation.org/#/a0941000012Y73ZAAS/foundation-details) via Jira Service Desk for request (will need to first confirm LF ID for project lead for access to be granted for bot installation on GitHub repo) --pending LF ID from lead --pending security bot install by lead
• [x] (PM)Share new project update w/Outreach Committee (Chair) to include in upcoming committee meeting
• [x] (PM) Include update on new project in upcoming GB meeting agenda
• [x] (PM) Update "LF AI & Data Getting Involved Guide" deck --project slide created, update when artwork is available.
• [x] (PM) Update "[LF AI & Data Overview] (https://docs.google.com/presentation/d/1SPUXnS89U8M7gIr_FM3_dzBMaabppHonLi2Kt-vIXf8/edit)" deck
• [x] (PM) Upload "LF AI Getting Involved Guide" and "LF AI Overview Deck" on LF AI & Data GH presentations repo --update when artwork is available.

MARKETING

• [x] (PM) Update LF AI & Data Timeline with new project - Creative Services Jira ticket required (Ref LP- 6341) - Save updated file in internal LF AI & Data G Drive and on LF AI & Data GH --(https://app.asana.com/0/search/1201867910991089/1201787617960500/f)
• [x] (PM) Build landing page on LF AI & Data website and add to All Projects section - Creative Services Jira ticket required (Ref LP-6711) --https://app.asana.com/0/1201187889631310/1201874804880945/f
• [x] (Mktg) Coordinate announcement (press release or blog post) and social promotion with project company - Add to internal LF AI & Data PR/Comms tracker - Sandbox projects are announced via social followed by blog announcement on a quarterly basis --aim for publication in early March
• [x] (Mktg) Follow project and member company on Twitter/LinkedIn from LF AI & Data accounts, if applicable
• [x] (Mktg) Publish announcement (Blog/PR+Social+Mail Lists) --April 14, 2022
• [x] (Mktg) Transfer social account domain ownership to LF AI & Data shared account use set up, if applicable - Projects retain ongoing management of accounts - Reference internal process documentation --no social media listed in proposal

LEGAL FOLLOW UP

• [x] (PM) Confirm ongoing license scanning is set up through Steve W. - Add to internal LF AI & Data tracker --added to spreadsheet
• [x] (PM) Confirm export control filings are done through Steve W. for all projects via ticket at https://www.linuxfoundation.org/export/ (trademark/contribution agreement + website needed for filing request via Legal Jira ticket ) + Add to internal LF AI & Data tracker for future scans planned through Software Freedom Law Center for Graduate level projects --https://legaljira.linuxfoundation.org/servicedesk/customer/portal/1/LR-988 --marked as resolved on 09/27/2022, tracked in LF AI & Data Trello Board for legal follow up w/ Jeff Shapiro
• [x] (PM) Include all projects in Trademark Registrations review cycles - Graduate level projects addressed at start of each calendar year - Add to internal LF AI & Data tracker

[ErinThacker]

@JacobHayes - do you have a Linux Foundation ID (LF ID)? If not, can you sign up for one here? [https://identity.linuxfoundation.org/user/login?destination=user]

We're in the middle of a migration to another platform, so if you have issues creating a new ID, let me know.

[JacobHayes]

@ErinThacker Just made one - it should be JacobHayes!

[ErinThacker]

@JacobHayes - a few more steps. LFX Security is now onboarded in the PCC at (https://projectadmin.lfx.linuxfoundation.org/project/a092M00001KWvNqQAL/tools/security/overview)

It requires the security bot to be installed on the repo by someone with admin access. Once you're there, navigate to the + sign on the right of the "Connect" field, enter artigraph as the GitHub repo, and follow the instructions for installing the security bot.

This is a new process for us, so please don't hesitate to reach out if you have any issues with installing the security bot. Once you've finished this task, let me know and I'll let our team know the project is ready to be secured. Thx!

[ibrahimhaddad]

@JacobHayes @ErinThacker - I activated LFX Security.

@JacobHayes - a few more steps. LFX Security is now onboarded in the PCC at (https://projectadmin.lfx.linuxfoundation.org/project/a092M00001KWvNqQAL/tools/security/overview)

It requires the security bot to be installed on the repo by someone with admin access. Once you're there, navigate to the + sign on the right of the "Connect" field, enter artigraph as the GitHub repo, and follow the instructions for installing the security bot.

This is a new process for us, so please don't hesitate to reach out if you have any issues with installing the security bot. Once you've finished this task, let me know and I'll let our team know the project is ready to be secured. Thx!

[JacobHayes]

@ErinThacker @ibrahimhaddad FYI - I don't have access to https://projectadmin.lfx.linuxfoundation.org/project/a092M00001KWvNqQAL/tools/security/overview, but I requested access for the future.

[JacobHayes]

The https://lists.lfaidata.foundation/g/artigraph-security description says "Use this mailing list to report security vulnerabilities in the OpenBytes project" rather than "the Artigraph project". Can this be updated? I don't appear to be able to.

[ErinThacker]

@JacobHayes - this has been fixed, thank you!

[JacobHayes]

Question on this CII Silver badge question:

The project MUST be able to continue with minimal interruption if any one person dies, is incapacitated, or is otherwise unable or unwilling to continue support of the project. In particular, the project MUST be able to create and close issues, accept proposed changes, and release versions of software, within a week of confirmation of the loss of support from any one individual. This MAY be done by ensuring someone else has any necessary keys, passwords, and legal rights to continue the project. Individuals who run a FLOSS project MAY do this by providing keys in a lockbox and a will providing any needed legal rights (e.g., for DNS names). (URL required) [access_continuity]

I'm currently the only project member, but @ibrahimhaddad has been added to the @artigraph organization - will that suffice? I guess pypi keys aren't shared / releases automated in GH yet.

Similar on this question:

The project SHOULD have a "bus factor" of 2 or more.

[JacobHayes]

Also, FYI - I won't be able to access LFX Security for Artigraph as I'm not part of a backing organization (support ticket). That's probably fine, I just can't see what security issues were detected (only that there were 230 😅).

[ErinThacker]

@JacobHayes - re: the CII Silver badge question: all projects should have thelinuxfoundation & ibrahimhaddad added which should suffice for that requirement. @ibrahimhaddad - can you please confirm?

On LFX Security - sorry about the current limitations, you can consider this item "done" until more access is available.

[jzcardoso]

@ibrahimhaddad and @ErinThacker -- We are pretty close to finishing the onboarding for Artigraph. Can you take a look an the open items you are working on and update the tracker?

@ErinThacker If you have any questions, please reach out.

[ErinThacker]

@ibrahimhaddad - can you give me an update on these items: Licensing (FOSSology scan) and Project Assets (artwork)

[ErinThacker]

No artwork at this time as this is a Sandbox project. Upon graduation to Incubation stage, logo will become available.