Prepare for the donation

[FeynmanZhou]

We discussed and aligned in the community meeting that we are going to donate Ratify to a open-source foundation. CNCF would be a potential home for our donation.

This issue provides a checklist and recommended actionable items before donating Ratify to CNCF based on the CNCF Sandbox submission form.

The next CNCF Sandbox project review meeting is April 9, 2024. We need to make sure all required information and process are completed by that date.

• [x] Application contact emails

• [x] Project Summary

• [ ] Org repo URL (provide if all repos under the org are in scope of the application): we will need to create a new organization for Ratify and migrate two repos to the new org

• [x] Project repo URL in scope of application: https://github.com/deislabs/ratify

• [x] Website URL: https://ratify.dev/

• [x] Roadmap: it would be better to create a document to clarify the short-term and long-term plans for the roadmap. Make others quickly understand the vision and goalds of the project

• [x] Contributing Guide: https://github.com/deislabs/ratify/blob/main/CONTRIBUTING.md

• [x] Code of Conduct (CoC): Changed from Microsoft Open Source Code of Conduct to CNCF CoC**

• [x] Adopters: added Adopters.md in #1360

• [x] Contributing or Sponsoring Org: Microsoft. Maybe we can ask whether AWS has any interest in joining the project as the contributing org

• [ ] Maintainers file: Ratify has a MAINTAINERS file but need to update the maintainer seats based on contributor metrics

• [x] IP Policy

• [x] Trademark and accounts

• [x] Why CNCF: Ratify is an extensible verification framework for container images and other artifacts that can examine and use custom policies that you create to approve deployments in Kubernetes. This aligns seamlessly with CNCF's mission to foster and sustain an ecosystem of open source and vendor-neutral projects. We believe CNCF is a neutral home for Ratify because it has a flourish and active community can help the future success of Ratify through the development of third party integrations.

• [x] Benefit to the Landscape: Ratify's mission is to safeguard the container supply chain by ratifying trustworthy and compliant container images and other software artifacts. As a open framework in CNCF security & compliance area, Ratify is designed with different interface models to allow for its integration at different stages of the containers secure supply chain. Ratify has already collaborated and integrated with some CNCF projects and provide joint solutions to CNCF ecosystem users.

• [x] Cloud Native 'Integration': Notary Project, OPA Gatekeeper, Trivy (non-CNCF), ORAS, Sigstore Cosign (OpenSSF)

• [x] Cloud Native 'Fit': Ratify enables Kubernetes clusters to verify artifact security metadata (signatures and attestations including vulnerability reports, SBOM, provenance data, and VEX documents) prior to deployment and admit for deployment only those that comply with an admission policy that you create. With Ratify, cloud-native workloads can be verifiable on deployment, eventually increase the security posture of cloud-native ecosystem users.

• [x] Cloud Native Overlap: To our knowledge, there isn't any direct overlap with other CNCF projects today.

• [x] Similar projects: Kyverno

• [x] Product or Service to Project separation: Azure Kubernetes Service has developed a managed addon based on the Ratify project for customer clusters. The development and roadmap of the open source project and the managed addon have always remained entirely separate, and that will continue to be true going forward. In addition, Venafi CodeSigning and AWS Signer have related managed services that support Ratify.

• [ ] Project presentations: Suggest presenting the project in CNCF Security TAG and collect their feedback from TAG chairs. Need to create an issue on Security-TAG to request a presentation in their community meeting.

• [x] Project champions: @lachie83

[evankanderson]

Was #1626 part of this effort? (The project ownership is a little confusing at the moment.)

[evankanderson]

Also related: https://github.com/cncf/sandbox/issues/96

[FeynmanZhou]

Hi @evankanderson ,

Yes.

The Ratify project was initially started by Microsoft in 2021 so we used Microsoft CLA for contributors. As more and more contributors from other vendors and organizations engaged with Ratify, the Ratify project becomes community-driven. Thus we chose to donate Ratify to CNCF and transfer the Ratify repos from Microsoft-owned GitHub organization to a neutral org and removed Microsoft CLA. We plan to move to use CNCF DCO once the sandbox application is approved. Is this movement consistent with the CNCF donation criteria?

[evankanderson]

I think so, I just came across this today and thought "who currently owns this?"

[FeynmanZhou]

I think so, I just came across this today and thought "who currently owns this?"

@evankanderson The major owner is Microsoft before CNCF accepts Ratify as a sandbox project. Microsoft is sponsoring this project.

[FeynmanZhou]

From https://github.com/cncf/toc/blob/main/.github/ISSUE_TEMPLATE/project-onboarding.md

Review and understand

• [x] The project proposal process and requirements.
• [x] The services available for your project at the CNCF.
• [x] The CNCF IP Policy.
• [x] The trademark guidelines.
• [x] The license allowlist.
• [x] The online program guidelines.
• [x] Optional: Book time with CNCF staff for any onboarding questions.

Contribute and transfer

• [x] Move your project to its own separate neutral GitHub organization. This will make it transferable to the CNCF's GitHub Enterprise account. If it's already in a GHE account, you will need to remove it from that first.
• [x] Accept the invite to join the CNCF GitHub Enterprise account. We'll then add thelinuxfoundation as an organization owner to ensure neutral hosting of your project.
• [x] Migrate your Slack channels (if any) to the Kubernetes or CNCF Slack workspace. CNCF staff can help.
• [x] Submit a pull request to add your project as a Sandbox project to the Cloud Native Landscape by updating landscape.yml following these instructions.
• [ ] Transfer your domain to the CNCF. The "LF Stakeholder email" is projects@cncf.io.
• [x] Transfer any trademark and logo assets to the Linux Foundation.
• [ ] Submit a pull request with your artwork.
• [ ] Transfer website analytics to projects@cncf.io. CNCF staff can help.

Update and document

• [x] Ensure that DCO (preferred) or CLA are enabled for all GitHub repositories of the project.
• [x] Ensure that that the CNCF Code of Conduct (or your adopted version of it) are explicitly referenced at the project's README on GitHub.
• [x] Ensure LF footer is on your website and guidelines are followed (if your project doesn't have a dedicated website, please adopt those guidelines for the README file).
• [ ] Create a maintainer list and add it to the aggregated CNCF maintainer list via pull request.
• [ ] Provide emails for the maintainers to get access to the maintainers mailing list and Service Desk. Email them to project-onboarding@cncf.io.
• [ ] Start working on written, open governance.
• [x] Start on an OpenSSF Best Practices Badge.

[susanshi]

HI @FeynmanZhou , is there a timeline that we should complete all these task? let us know if there are tasks devs can help out with.

[susanshi]

Hi @shahramk64 , please help with item "Ensure LF footer is on your website". Please refer to https://notaryproject.dev/

[FeynmanZhou]

HI @FeynmanZhou , is there a timeline that we should complete all these task? let us know if there are tasks devs can help out with.

It would be better that complete the items in checklist by end of Sep. Currently, most of these are non-technical work items. The only one needs front-end code change in the website repo is "Ensure LF footer is on your website". This can be taken by @shahramk64 if you are interested.

[susanshi]

discussed in community meeting: we are on track to complete the list by end of Sep