Post-Graduation Suggestion Tracker #35

@SgtCoDFish

Description

In the due diligence PR for cert-manager's graduation, there's a list of suggestions made by TAG Security and TAG Contributor Strategy during their respective reviews of the cert-manager project.

This is a catch-all issue for us to track progress towards achieving those suggested tasks.

WIP: We'll create sub-tasks for the individual suggestions that will take more work. For now, this is a tracking issue.

  • Complete a joint assessment with TAG Security reviewers.
  • TAG Security encourages expanding the current use of go vet and implementing govulncheck as planned. It would be beneficial to update your OpenSSF Best Practices information once these have been addressed.
  • TAG Security recommends completing the silver and gold level criteria, as the project likely already meets most of them.
  • TAG Security suggests considering security audits for sub-projects like trust-manager and csi-driver. Perhaps the CNCF can batch these in a follow-up audit.
  • TAG Contributor Strategy recommends adding in/out-of-scope information to the README, roadmap, or contributor documentation.
  • TAG Contributor Strategy recommends adding role qualifications for each step on the contributor ladder. This is particularly important for maintainers, since other docs refer to Maintainer qualifications that don't exist.
  • TAG Contributor Strategy recommends adding a process for removing Maintainers (and SC members) for reasons other than inactivity, such as violating the CoC or disruptive behavior. (Update governance docs around code of conduct violations #36)
  • TAG Contributor Strategy recommends linking to the list of official channels and meetings in the contributor docs from the Governance document.
  • TAG Contributor Strategy recommends gradually building up the sub-projects into their own entities, allowing new contributors to take ownership of them. This will require adding these roles to the main Governance document.
  • TAG Contributor Strategy recommends holding another Steering meeting, in order to keep Steering members engaged.
  • TAG Contributor Strategy recommends making sure that the Community repo is linked from appropriate other places, such as the main development repos and the contributor docs.
  • TAG Contributor Strategy recommends finding a low-effort way to record maintainer decisions for posterity, such as a simple text log.
