-
Notifications
You must be signed in to change notification settings - Fork 634
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Maturity Levels: consider new Graduated+ stage #1496
Comments
Is there a plan to add a Graduated++ level after this to address
Graduated+ project reviews being stale as well?
More seriously, given it often takes quite a bit of time for the TOC / TAB
to get around to reviewing projects moving levels (more than a year in some
cases), I worry that adding more review steps will make this problem
worse, especially given the sheer number of projects in the CNCF. I think
this may just end up pushing the backlog further back and making it so that
projects with political support from TOC / TAB members maintain a high
status level while others are not as highly prioritized and lapse through
no fault of their own.
…On Thu, Nov 28, 2024 at 10:06 AM Ricardo Rocha ***@***.***> wrote:
During the TOC offsite during Kubecon NA in Salt Lake City, there was a
discussion on the best way to track project health post graduation.
A suggestion is to introduce a new maturity level: graduated+. Details to
be discussed and agreed but the main goals would be:
- Establish the criteria that will define the health of the project
(both from TOC and End User TAB)
- Setup a process for regular reviews of graduated projects
(suggestion to do it every 2 years)
Projects need a valid review in the last 2 years to keep the Graduated+
level.
Process should be driven by both TOC and TAB.
—
Reply to this email directly, view it on GitHub
<#1496>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGRODZSXFIOW6WK4DJOZE32C4WPHAVCNFSM6AAAAABSVK5BICVHI2DSMVQWIX3LMV43ASLTON2WKOZSG4YDENBWG44DENQ>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
Thanks @JustinCappos . The discussion was also around automating the validation as much as possible, so Graduated+ doesn't require a full DD process and the load remains low. |
Okay, thanks for clarifying. This makes sense.
Could it perhaps be changed so that projects do not automatically "fail
down" to the next level if not renewed, but that the TOC is supposed to
review every 2 years and affirmatively take the action to move them down if
warranted? This should address my concerns about an overwhelmed TOC not
prioritizing projects that aren't from its members and a project thus
falling levels due to TOC inaction.
…On Thu, Nov 28, 2024 at 10:27 AM Ricardo Rocha ***@***.***> wrote:
Is there a plan to add a Graduated++ level after this to address
Graduated+ project reviews being stale as well? More seriously, given it
often takes quite a bit of time for the TOC / TAB to get around to
reviewing projects moving levels (more than a year in some cases), I worry
that adding more review steps will make this problem worse, especially
given the sheer number of projects in the CNCF. I think this may just end
up pushing the backlog further back and making it so that projects with
political support from TOC / TAB members maintain a high status level while
others are not as highly prioritized and lapse through no fault of their
own.
Thanks @JustinCappos <https://github.com/JustinCappos> . The discussion
was also around automating the validation as much as possible, so
Graduated+ doesn't require a full DD process and the load remains low.
—
Reply to this email directly, view it on GitHub
<#1496 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGROD4REFJ5UHWGUSXGHZT2C4Y5BAVCNFSM6AAAAABSVK5BICVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMBWGM3DIOJWG4>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
I need to think about this is a bit more, but instead of creating a new level, maybe we have an annual or biannual review for graduated projects to keep things simpler? We are essentially just wanting to do a health check |
Adding some context here... The request to have graduated projects verify that they are maintaining stability & security guarantees and other production readiness requirements for operating in production environments came up in our TAB-TOC meeting at KubeCon NA in SLC. This verification/review could be streamlined but would be immensely useful to end users. Another factor as to why a new level (Graduation+) was explored by the TOC is because some CNCF graduated projects have also seen declining number of contributors and maintainers post graduation which is a project health concern. |
Imo, rather than a new level, there could occasionally be a project health check (hopefully automated), with the outcome made public. Adding another level(s) could be confusing to the community. If the project is not healthy, steps could be recommended to make it 'healthy' again. If, after N health checks, the project doesn't improve its health, then a decision would have to be made (archive, lower level, etc.). |
Some useful prior art ... https://www.apache.org/foundation/board/reporting
|
@caniszczyk This was intended to be a biannual review for graduated projects that was conducted by the TAB instead of the TOC. Perhaps not another level - but a 'certification' or 'badge' that the project did complete and pass the biannual review. |
I thought of it like a "badge". The original idea was to have it be opt-in for projects with incentives to encourage projects to participate. Think a badge, some swag (go go swag driven development!), maybe some additional recognition in the project pavilion etc. The process SHOULD be relatively light and seen as a general health checkup with minimal work required from the projects. If problems ARE surfaced (or frankly if a project continually opts not to participate) it's likely a sign that they do need help in some way. |
If this is like a badge similar to https://www.bestpractices.dev than I'm all for it (or something automated via clomonitor.io) I just want to avoid additional process where we may not need it (like a full new maturity level review) |
I think the original idea was to ensure end users the maturity as evaluated during graduation is still valid. It should be a lot easier to do than what a full DD requires. @mrbobbytables what do you mean by opt-in? If it's like a badge, you either have it or don't? |
optional - the graduated projects don't have to go through the graduated+ process if they don't want to, but it should heavily be incentivized to do so. |
Here are a few thoughts and data points that may help guide this discussion:
I believe almost all graduated projects have a vendor that sells some commercial or hosted version of them (except etcd, which has moved, or was moving, to be a sub-project of Kubernetes). All projects are likely to want to meet the new review bar. What happens in the case where they are told they do not? Last year, when the topic of revising the matriculation/moving levels process came up, I floated the idea of eliminating levels entirely and replacing them with badges. However, changes to the levels concept were postponed to Phase 2, which, unfortunately, we have not yet progressed to. I understand that the intention is not for this to be a TOC process, but more a reflection of production readiness by the TAB. However, if there were to be a desire to introduce a new level, might I suggest considering putting it between Incubating and Graduated, such as to speed up the movement between the existing levels? Consider lowering the bar for being an incubating project — putting the onus back onto the CNCF being an incubator, where projects are helped to meet these requirements. Alternatively, consider replacing Graduation with a series of badges that reflect the various different axes that an end user might consider an application (multiple vendors, regular releases, time to fix security vulnerabilities, etc). |
Given the workload on the TOC I'm pretty sure the last thing we need is another project maturity level that needs manual assessment! But an indicator of whether a (graduated) project remains as healthy as it was when it went through DD would be really useful. I understand that the End User TAB are working with LFX Insights to automate some health metrics. Would it make sense to have those automated metrics in place first, and then think about how we use them e.g. for regular re-reviews? |
This so much. If this is to help give indicator to community that project is still alive and healthy, then metrics and automation should be able to help indicate that.
I would use the metrics as indicators and based on those, projects can be asked/required to get a review when there is a risk. Let's not do this on a cadence for cadence sake, let's use indicators as a trigger instead. |
No one wants to add unnecessary work burden to the TAB or TOC, so automation is key here. Once we have the metrics and automation in place, I would expect the additional burden here to be very low, as little should be needed as long as all the metrics for a project look good. I think a badge that is kept up to date with a potential review if metrics fall below thresholds would meet the intent of monitoring health, provide some incentive to projects while still minimizing workload. Once the metrics and automation are in place, this shouldt be opt-in, but rather just part of the best practices expected from graduated projects. |
If this idea goes forth, one other thing to consider is that metrics will
vary a lot for healthy projects. For example, a specification project
like TUF has very few updates because, well, it makes sense for a
specification to rarely change. Whereas a code first project is getting
features, bug fixes, etc. added all the time.
…On Mon, Dec 9, 2024 at 11:49 AM Henrik Blixt ***@***.***> wrote:
No one wants to add unnecessary work burden to the TAB or TOC, so
automation is key here. Once we have the metrics and automation in place, I
would expect the additional burden here to be very low, as little should be
needed as long as all the metrics for a project look good.
I think a badge that is kept up to date with a potential review if metrics
fall below thresholds would meet the intent of monitoring health, provide
some incentive to projects while still minimizing workload. Once the
metrics and automation are in place, this shouldt be opt-in, but rather
just part of the best practices expected from graduated projects.
—
Reply to this email directly, view it on GitHub
<#1496 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGROD5QOVMUP4BEBK273X32EXCYLAVCNFSM6AAAAABSVK5BICVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMRYGY4DEMJTHA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Agreed, I didnt mean that we should apply the same thresholds across projects, I would hope we can make the automation smart enough to take individual project trends and uniqueness etc into account rather than trying to see all metrics as equal across projects. |
Can the End User TAB confirm that all their concerns would be allayed with only the use of metrics? |
Trying to summarize the discussion, there seem to be two main points.
|
What if we implemented a ‘verified’ checkmark to indicate that a health review was completed within the past 1–2 years? This checkmark could display the date of the review and include a link to the health check report as a point-in-time reference. This approach avoids adding unnecessary complexity by introducing a new level or term like graduated+. Over time, the process could potentially be automated to ensure efficiency and consistency. |
To follow up on the badging discussion, perhaps we could replicate the OpenSSF Best Practices Badge Program , which has a great level of automation built in as well |
During the TOC offsite during Kubecon NA in Salt Lake City, there was a discussion on the best way to track project health post graduation.
A suggestion is to introduce a new maturity level: graduated+. Details to be discussed and agreed but the main goals would be:
Projects need a valid review in the last 2 years to keep the Graduated+ level.
Process should be driven by both TOC and TAB.
The text was updated successfully, but these errors were encountered: