[Incubation] WasmEdge Incubation Application #1316
Comments
|
Hi @alabulei1 @hydai @q82419 @ibmibmibm Here are some suggestions to improve the governance, security, and code of conduct aspects of the WasmEdge project based on our current assessment of the details you have provided and are available to everyone as part of the project: Governance:
Security:
Code of Conduct:
Roadmap:
Separation of vendor and community hats:
Specific items to complete before reapplying for incubation:
By addressing these points, the WasmEdge project can improve its governance, security practices, code of conduct, and overall transparency, fostering a strong and inclusive community/ When you resubmit in say 4-6 months, the TOC can give your project high priority given it is a resubmit for the project. Thanks a ton for your work in the community! |
|
Marked this as |
|
Going to close - please reopen/reapply when the project meets the requirements outlined earlier in this issue. Do reach out if you have any questions! |
|
Hi @dims Thanks for your valuable feedback. We will work hard to add the missing documentation and the self-assessments for security and governance. |
|
Hi @dims , Thanks for your valuable feedback, which makes WasmEdge a stronger community. Governance:
Security:
Code of Conduct:
Roadmap:
Separation of vendor and community hats:
Specific items to complete before reapplying for incubation:
|
WasmEdge Runtime Incubation Application
Project Repo(s): https://github.com/WasmEdge/WasmEdge
Project Site: https://wasmedge.org/
Sub-Projects: None
Communication: #WasmEdge in the CNCF slack channel and the seperate WasmEdge Discord server.
Project points of contacts:
Michael Yuan, [email protected]
Incubation Criteria Summary for WasmEdge
Adoption Assertion
The project has been adopted by the following organizations in a testing and integration or production capacity:
A list of WasmEdge adopters can be found at here. Additionally, many of them are not disclosed.
Application Process Principles
Suggested
N/A
Required
Give a presentation and engage with the domain specific TAG(s) to increase awareness
The WasmEdge runtime was presented to the wg-wasm group under the TAG-runtime in July 2023. You can view the recorded video here.
TAG provides insight/recommendation of the project in the context of the landscape
To be completed by TAG runtime.
All project metadata and resources are vendor-neutral.
When WasmEdge joined the CNCF Sandbox in 2021, the project was renamed to ensure vendor neutrality.
Review and acknowledgement of expectations for Sandbox projects and requirements for moving forward through the CNCF Maturity levels.
Met during sandbox onboarding.
Completion of this due diligence document, resolution of concerns raised, and presented for public comment satisifies the Due Diligence Review criteria.
To be completed by TOC sponsor.
Additional documentation as appropriate for project type, e.g.: installation documentation, end user documentation, reference implementation and/or code samples.
Governance and Maintainers
Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.
Suggested
Clear and discoverable project governance documentation.
The Governance documentation can be found under the WasmEdge GitHub repo: https://github.com/WasmEdge/WasmEdge/blob/master/docs/GOVERNANCE.md
Governance has continuously been iterated upon by the project as a result of their experience applying it, with the governance history demonstrating evolution of maturity alongside the project's maturity evolution.
Example: The WasmEdge community has evolved its code of conduct to require clear acknowledgement of derivative work. Those lessons were learnt from disputes between two LFX interns in our community.
Document a complete maintainer lifecycle process (including roles, onboarding, offboarding, and emeritus status).
The contributor lifecycle can be found here: https://github.com/WasmEdge/WasmEdge/blob/master/docs/GOVERNANCE.md
Demonstrate usage of the maintainer lifecycle with outcomes, either through the addition or replacement of maintainers as project events have required.
The documentaton about adding and removing maintainers can be found here: https://github.com/WasmEdge/WasmEdge/blob/master/docs/GOVERNANCE.md
If the project has subprojects: subproject leadership, contribution, maturity status documented, including add/remove process.
N/A
Required
Document complete list of current maintainers, including names, contact information, domain of responsibility, and affiliation.
You can find the list of reviewers, committers, and maintainers here.
A number of active maintainers which is appropriate to the size and scope of the project.
The WasmEdge runtime project has 4 maintainers, all of whom are active.
Code and Doc ownership in Github and elsewhere matches documented governance roles.
DCO is enforced on all code contributions.
https://github.com/WasmEdge/WasmEdge/blob/master/docs/OWNER.md reflects the maintainer lists.
Document agreement that project will adopt CNCF Code of Conduct.
Adopted during sandbox onboarding.
CNCF Code of Conduct is cross-linked from other governance documents.
See the CODE_OF_CONDUCT here.
All subprojects, if any, are listed.
N/A
Contributors and Community
Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.
Suggested
Contributor ladder with multiple roles for contributors.
Currently, WasmEdge has three roles of contributor: reviewer, commiter, and maintainer. See the GOVERNANCE documentation.
Required
Clearly defined and discoverable process to submit issues or changes.
Guides for creating a GitHub issue.
Project must have, and document, at least one public communications channel for users and/or contributors.
The public communicaion channel is published on WasmEdge docs and project README.md.
List and document all project communication channels, including subprojects (mail list/slack/etc.). List any non-public communications channels and what their special purpose is.
The primary communication channel for WasmEdge is GitHub, where we welcome all kinds of issues, discussions, and pull requests.
For real-time communication, you can join #WasmEdge on the CNCF Slack workspace or the WasmEdge Discord server.
Additionally, we maintain a dedicated Twitter account for updates and announcements related to WasmEdge.
While we have a mailing list through lists.cncf.io, it is only for very infrequent announcements to avoid spam.
You can find more information about these communication channels in the WasmEdge project README.md and WasmEdge docs.
Up-to-date public meeting schedulers and/or integration with CNCF calendar.
We have a community meeting page under the CNCF community: https://community.cncf.io/wasmedgeruntime-community/
Documentation of how to contribute, with increasing detail as the project matures.
The contribution guide can be found here.
Demonstrate contributor activity and recruitment.
76 commiters have created PRs in the last 12 months and 278 contributors have interacted with the project on GitHub.
Engineering Principles
Suggested
Roadmap change process is documented.
Roadmap can be found here. The items are proposed by community members, approved by maintainers, and tracked in GitHub.
History of regular, quality releases.
The WasmEdge community has released sixteen new versions of the software since joining CNCF sandbox.
Required
Document project goals and objectives that illustrate the project’s differentiation in the Cloud Native landscape as well as outlines how this project fulfills an outstanding need and/or solves a problem differently.
WasmEdge is a lightweight, high-performance, OCI-compatible, and extensible WebAssembly runtime for cloud-native, edge, and decentralized applications. It powers serverless apps, embedded functions, microservices, smart contracts, and IoT devices. Compared with other WebAssembly runtimes, WasmEdge is a fully featured and yet lightweight runtime with support for advanced networking, asynchronous functions, AI inference, and container tooling. WasmEdge could be seamlessly integrated with existing cloud-native ecosystems like Kubernetes and Docker. You can learn more about WasmEdge runtime here.
Document what the project does, and why it does it - including viable cloud native use cases.
WasmEdge use cases includes serverless apps, AI inference, embedded functions, microservices, smart contracts, and IoT devices. They are documented here. Specially, cloud-native use cases include serverless functions and microservices.
Document and maintain a public roadmap or other forward looking planning document or tracking mechanism.
The WasmEdge project roadmap can be found here.
Document overview of project architecture and software design that demonstrates viable cloud native use cases, as part of the project's documentation.
Document the project's release process.
The WasmEdge release process can be found here: https://wasmedge.org/docs/contribute/release
Security
Note: this section may be augemented by a joint-assessment performed by TAG Security.
Suggested
N/A
Required
Clearly defined and discoverable process to report security issues.
The securirty policy can be found here: https://github.com/WasmEdge/WasmEdge/blob/master/SECURITY.md
Enforcing Access Control Rules to secure the code base against attacks (Example: two factor authentication enforcement, and/or use of ACL tools.)
The WasmEdge code base is hosted on GitHub under the CNCF organization. It adheres to access control best practices of both GitHub and CNCF, including two-factor auth for repo admins, protected main branches, and required DCA signatures for every commit.
WasmEdge is adpoted by Google OSS Fuzz. It strictly adheres to Google program requirements to fix identified bugs in a timely manner.
The WasmEdge security reporting and response policies are described in the SECURITY.md document.
WasmEdge has a large number of CI tests that must pass for each release. Many of these tests are security related. It also makes extensive use of code coverage tools that generate reports for every PR.
WasmEdge is also an active participant in Google's OSS fuzz program. All issues identified by fuzzing are fixed before every release.
Achieve the Open Source Security Foundation (OpenSSF) Best Practices passing badge.
OpenSSF Best Practices passed.
Ecosystem
Suggested
N/A
Required
Publicly documented list of adopters, which may indicate their adoption level (dev/trialing, prod, etc.)
Adopters
Used in appropriate capacity by at least 3 independent + indirect/direct adopters, (these are not required to be in the publicly documented list of adopters)
These will be provided to our TOC sponsor.
The project provided the TOC with a list of adopters for verification of use of the project at the level expected, i.e. production use for graduation, dev/test for incubation.
TOC verification of adopters.
To be completed by the TOC
Refer to the Adoption portion of this document.
Clearly documented integrations and/or compatibility with other CNCF projects as well as non-CNCF projects.
With WasmEdge, users can use their already-familiar cloud-native and container tools to manage lightweight, portable, and secure Wasm apps. WasmEdge has integrated with crun, youki, containerd’s runwasi (A CNCF project), and Docker Desktop. WasmEdge has demonstrated integrations with Kubernetes (A CNCF project), SuperEdge (A CNCF project), OpenYurt (A CNCF project), Kuasar (A CNCF project)and KubeEdge (A CNCF project). WasmEdge aligns with the mission of CNCF in empowering organizations to bring the cloud-native and serverless application paradigms to “edge” scenarios.
Additional Information
N/A
The text was updated successfully, but these errors were encountered: