projects: add umoci proposal

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

README.md

@@ -26,6 +26,7 @@ https://groups.google.com/a/opencontainers.org/forum/#!forum/tob (tob@opencontai
 * [Image Format Spec](proposals/image-format)
 * [SELinux](proposals/selinux.md)
 * [Tools](proposals/tools.md)
+* [umoci](proposals/umoci.md)
 
 ## Voting
 

proposals/umoci.md

@@ -0,0 +1,113 @@
+# OCI umoci Project Proposal #
+
+## Abstract ##
+The need for a "works out of the box" image tool that is supported by OCI has been clear for several years.
+umoci was initially developed to fulfil this requirement, and after several years of development and wide-spread production usage, we feel it is time to include it within the OCI.
+The following proposal outlines how this would be achieved.
+
+## Proposal ##
+Change the ownership of the existing umoci project from openSUSE:
+
+  https://github.com/openSUSE/umoci
+
+And move it inside the `opencontainers` organisation:
+
+  https://github.com/opencontainers/umoci
+
+The import paths will correspondingly be "github.com/opencontainers/umoci" (umoci does have some Go API users, but since the project will be renamed -- and GitHub will add a redirect -- there will be no significant downstream impact of the change).
+In future we may opt to use vanity imports (such as "umo.ci/cmd/umoci").
+
+The project's domain "umo.ci" will also be transferred to the Linux Foundation so that it can be managed by someone other than the maintainers (though maintainers must maintain the necessary administrative access to maintain the website).
+
+### Initial Maintainers ###
+Initial maintainers of the umoci project would be:
+
+* Aleksa Sarai <cyphar@cyphar.com> (@cyphar)
+* Tycho Andersen <tycho@tycho.ws> (@tych0)
+* Vincent Batts <vbatts@hashbangbash.com> (@vbatts)
+
+### Code of Conduct ###
+This project would incorporate (by reference) the OCI [Code of Conduct][code-of-conduct].
+
+[code-of-conduct]: https://github.com/opencontainers/org/blob/master/CODE_OF_CONDUCT.md
+
+### Governance and Releases ###
+This project would incorporate the Governance and Releases processes from the OCI project template: https://github.com/opencontainers/project-template.
+
+It should be noted that since umoci is not a specification, it is not bound by the ordinary quorum and voting rules for specification release.
+As such, new versions will be released as regularly as needed without the need for a quorum vote.
+This is to avoid the serious delays in releases encountered within the runc project.
+
+Until there are enough additional maintainers, PRs will be merged with only one maintainer LGTM required.
+Maintainers are encouraged to not merge their own PRs immediately (preferably waiting at least 24 to 48 hours to allow another maintainer to review it), but this is not a strict rule.
+
+### Project Communications ###
+The proposed project would continue to use existing channels in use by the OCI developer community for communication including:
+
+ * GitHub for issues and pull requests.
+ * The [`dev@opencontainers.org`][oci-ml] email list.
+ * The weekly OCI developer community conference call.
+ * The `#opencontainers` IRC channel on Freenode.
+ * The [OCI Slack workspace][oci-slack].
+ * The [OCI Matrix Room][oci-matrix].
+
+[oci-ml]: mailto:dev@opencontainers.org
+[oci-slack]: https://opencontainers.slack.com/
+[oci-matrix]: https://matrix.to/#/#opencontainers:matrix.org
+
+### Roadmap ###
+umoci still has a fairly large scope of work, and this work would continue under OCI.
+Examples of such work include:
+
+ * Hookable execution to allow for custom storage drivers to be defined by users (to avoid the maintenance overhead of supporting such drivers within umoci).
+ * Security hardening by porting umoci to [libpathrs][libpathrs].
+ * Re-thinking the method by which images are referenced in the command-line.
+ * Expanded support for configuring descriptor annotations in arbitrarily-structured OCI metadata trees.
+ * Committing to a stable Go API and releasing a 1.0 of the project.
+ * Experimental design work for a new OCI image-spec layer format (code-named "OCIv2").
+
+[libpathrs]: https://github.com/openSUSE/libpathrs
+
+## Frequently Asked Questions (FAQ)
+> *Does this proposal change the OCI Charter?*
+
+This proposal does not intend to amend the [OCI Charter][oci-charter].
+
+[oci-charter]: https://github.com/opencontainers/tob/blob/master/CHARTER.md
+
+> *Where does umoci fit into the OCI suite of projects?*
+
+umoci is intended to be a reference implementation of the OCI image-spec, and to fill a role akin to runc's relationship with the OCI runtime-spec.
+While umoci is usable on its own, it is expected that the vast majority of umoci's users will be consuming it as part of a larger build system which uses umoci internally to abstract away the specifics of the OCI image-spec.
+
+> *What about image-tools?*
+
+The original intention of umoci was to be a wrapper around the OCI image-tools and slowly upstream the work.
+Unfortunately, in the past 4 years, the image-tools project has not developed at a consistent pace -- and umoci works today and is fairly widely used.
+It is far more important that the OCI provide a solid "works out of the box" image manipulation tool, and umoci is (in our view) the best candidate for this role.
+
+In a future proposal, we may decide to sub-tree merge the OCI image-tools project into umoci (and archive the original project) in order to maintain the legacy of the work done by previous contributors and maintainers.
+Alternatively we may decide to split out the validation code from the OCI image-tools project and place it inside an OCI conformance project.
+However, we believe that these decisions should be considered a separate topic to the question of umoci's inclusion in the OCI.
+
+> *Why bless umoci over other alternative tools?*
+
+umoci is the only OCI image tool which was designed to be usable as a component to build other image-building tools.
+This has proven to be a practical benefit, with several tools ([KIWI][kiwi], [stacker][stacker], and several others) being built on top of umoci.
+In addition, umoci has been used by the [LXC project][lxc-oci] to support OCI-based images from *outside* the OCI ecosystem, something that was only reasonable because of umoci's unopinionated stance on images.
+umoci has seen production usage for several years as part of the [Open Build Project][obs]'s build system, building container images using [kiwi][kiwi].
+
+[kiwi]: https://osinside.github.io/kiwi/building/build_docker_container.html
+[stacker]: https://github.com/anuvu/stacker
+[lxc-oci]: https://github.com/lxc/lxc/blob/lxc-4.0.2/templates/lxc-oci.in
+[obs]: https://openbuildservice.org/
+
+> *How do we avoid the runc issue with implementation-specific quirks becoming a de-facto standard?*
+
+When developing new features in umoci (which are within the scope of the image-spec), a strong effort will be made to include those features in the upstream specification.
+The scope of the image-spec is thankfully smaller than the runtime-spec, so this should not be as much of a concern as with runc.
+However, the maintainers will be mindful of the issue and will make use of their experiences working on runc and the runtime-spec to avoid this situation occurring with umoci and the image-spec.
+
+> *Who are the other target users of umoci?*
+
+End-users who want a simple tool to deal with OCI images, and developers of image-building tools that want a tried and tested implementation of the OCI image format.