
add zarf as an openssf sandbox project #341

Merged (7 commits, Jun 20, 2024)

Conversation

salaxander
Contributor

No description provided.

@salaxander salaxander requested a review from a team as a code owner June 5, 2024 16:35
@salaxander salaxander changed the title docs: add zarf as an openssf sandbox project add zarf as an openssf sandbox project Jun 5, 2024
Signed-off-by: Xander Grzywinski <xandergrzyw@gmail.com>
@lehors
Contributor

lehors commented Jun 5, 2024

As documented in the Project creation or change of lifecycle stage, this PR should also modify the table listing the projects in the README of this repo. In this case it should add the project with the status as Sandbox, with a link to the change request md file that you are adding as part of this PR.
Thank you.

@hythloda
Member

hythloda commented Jun 5, 2024

We have requested the IP / License for this project intake

Signed-off-by: Xander Grzywinski <xandergrzyw@gmail.com>
@salaxander
Contributor Author

As documented in the Project creation or change of lifecycle stage, this PR should also modify the table listing the projects in the README of this repo. In this case it should add the project with the status as Sandbox, with a link to the change request md file that you are adding as part of this PR. Thank you.

Note: I've added Zarf to the table in the README. We will be moving the project to a company independent GitHub org in the near future. At that time I'll be sure to update this link.

@SecurityCRob
Contributor

@hepwori has this been discussed and approved by the SCI WG?

@SecurityCRob SecurityCRob added TI Lifecycle Issue/PR related to TIs' lifecycle status. Needs 5 approvals, 10d review. labels Jun 5, 2024
@lehors
Contributor

lehors commented Jun 5, 2024

We will be moving the project to a company independent GitHub org in the near future. At that time I'll be sure to update this link.

Since you have to move it you might want to consider simply moving it under ossf.

Co-authored-by: Arnaud J Le Hors <lehors@us.ibm.com>
Signed-off-by: Xander Grzywinski <xandergrzyw@gmail.com>
@hepwori
Contributor

hepwori commented Jun 5, 2024

@hepwori has this been discussed and approved by the SCI WG?

Preliminarily, yes! We've had two live briefings over the last few months, and in the WG meeting earlier today we had a show of hands as to adding Zarf with no objections. The final approval step will be to inform the mailing list; I hope to send that out today, referencing the link to this issue.


Bennett will work with the maintainers of Zarf following TAC action on the application to move it to the right org.

Signed-off-by: Xander Grzywinski <xandergrzyw@gmail.com>
@steiza
Member

steiza commented Jun 7, 2024

Does this require a TAC vote? Or once @hepwori says it's accepted are we good to go (modulo any missing information on the pull request?)

From https://github.com/ossf/tac/blob/main/process/project-lifecycle.md:

Projects must seek one TAC sponsor or one WG sponsor (if reporting to a WG)

  • TAC or WG sponsor agrees to attend Project meetings regularly
  • TAC or WG sponsor does not need to have a formal role in Project, e.g., maintainer
  • TAC or WG sponsor requests TAC approval

If the project is reporting to SCI WG, and @hepwori is the WG sponsor and says it's good, I think we're good to go? It is possible I misunderstand the process!

@hythloda
Member

hythloda commented Jun 7, 2024

Before merging we need to review the IP and license review.

Before any announcement, the charter needs approval by zarf and the contribution agreement needs to be signed.

@sevansdell
Contributor

I approve pending the IP and license review, the charter approval by zarf, the contribution agreement being signed, the SCI WG approval, and the TAC sponsor being identified. (I will be out for the June 11 TAC meeting, and am trying to be proactive.)

Contributor

@marcelamelara marcelamelara left a comment

I approve, pending the IP and license review.

@SecurityCRob
Contributor

Does this require a TAC vote? Or once @hepwori says it's accepted are we good to go (modulo any missing information on the pull request?)

From https://github.com/ossf/tac/blob/main/process/project-lifecycle.md:

Projects must seek one TAC sponsor or one WG sponsor (if reporting to a WG)

  • TAC or WG sponsor agrees to attend Project meetings regularly
  • TAC or WG sponsor does not need to have a formal role in Project, e.g., maintainer
  • TAC or WG sponsor requests TAC approval

If the project is reporting to SCI WG, and @hepwori is the WG sponsor and says it's good, I think we're good to go? It is possible I misunderstand the process!

Yes, if SCI agrees, then we just need LF Legal to work their magic, and consider the TAC "informed". It sounds like we are in agreement on this proposal though. Looking forward to seeing cool things out of the team!

Contributor

@SecurityCRob SecurityCRob left a comment

Isaac and SCI have agreed on including zarf into their WG.

@hythloda
Member

The IP and License Review is expected by June 21st. Sorry for the delay.

Contributor

@lehors lehors left a comment

I support the proposal but request the answer about the IP and licensing due diligence be modified once the due diligence is completed. (The request for change will also prevent premature merge of this PR.)

@salaxander
Contributor Author

@hythloda everything going ok with the license review? Definitely let us know if there's anything we can do to help move things along :)

Thanks!

@hythloda
Member

@hythloda everything going ok with the license review? Definitely let us know if there's anything we can do to help move things along :)

Thanks!

Thanks @salaxander! The review just takes some internal time. Hoping it gets done sooner this week rather than later :)

@jeffcshapiro

LF License Intake Scan Report:

LICENSE INTAKE SCAN & ANALYSIS: OpenSSF: Zarf
DISTRIBUTION: Amanda Martin, #341

  • This intake scan is a static analysis of the source code in your repository. A dependency scan was not performed. Once a project is added to LFX [https://security.lfx.linuxfoundation.org], you can use SNYK to view a dependency scan for both licenses and vulnerabilities.

CODE SCANNED: [pulled 19-JUNE-2024]
https://github.com/defenseunicorns/zarf

PROJECT LICENSE: Apache-2.0

  • Top level project license file found in repo

SPDX LICENSE IDENTIFIERS: SPDX license identifiers were found in source file headers.

PERMISSIVE LICENSES: Apache-2.0

COPYLEFT LICENSES: None found

SOURCE AVAILABLE LICENSES: None found

PROPRIETARY LICENSES: None found

LICENSE CONFLICTS: None found

BINARY / PACKAGE FILES: None found

THIRD PARTY CODE / DEPENDENCIES: None found

THIRD PARTY NOTICE FILE: None found

SUMMARY FINDINGS: All of the scanned code is under the project license, Apache-2.0. SPDX license identifiers were found in source file headers. No license conflicts found. No dependencies or third party code detected in repo.

Signed-off-by: Xander Grzywinski <xandergrzyw@gmail.com>
@salaxander
Contributor Author

@lehors updated now that the license scan is complete

Contributor

@lehors lehors left a comment

All clear. Welcome to OpenSSF!

@lehors lehors merged commit 629838b into ossf:main Jun 20, 2024
4 checks passed

10 participants