The Jenkins project uses Individual and Company CLAs (see this repo). This CLA is required ONLY for contributors who want to get special permissions (i.e. Jenkins core repo permissions, Security team membership, access to social media and YouTube accounts, etc.). We do not require the CLA to be signed by plugin maintainers or by common contributors.
In any case the Jenkins CLA process is subject to rework once the project assets are officially transferred to CDF. Our CLA process is also pretty tedious and time-consuming for signees and board members who process CLAs and verify that the submitted documents are correct and, in the case of Company CLAs, legit. The CLA doc is also quite obsolete, and it does not fully represent the current community processes (e.g. no reference to Jenkins code of conduct which was introduced after CLA). Switching to EasyCLA is one of the options we discussed last time, and I believe there was a consensus that we'd like to explore that in the future. According to the blogs and video recordings I watched, it is a pretty convenient tool if a project wants to enforce CLA.
On Fri, Jul 10, 2020 at 8:28 AM Dan Lorenc via lists.cd.foundation <dlorenc=google.com@...> wrote:
Jumping back up thread:
We don't have a blanket CLA policy for the CDF - we allow projects to choose what they want. The LF has tooling in place (EasyCLA) to make it easy for projects to use a CLA if they choose (Tekton uses this for example). Jenkins X and Spinnaker on the other hand, do not use CLAs. As far as recommendations/reasons to use one or not use one - we'd need to ask LF/corporate legal teams for their recommendations.
On Tue, Jul 7, 2020 at 2:57 PM Tara Hernandez <tarahernandez@...> wrote:
Damn, had forgotten all about those (so, yay for me adding it to the notes against that eventuality)
:)
I don't have a list of repos per se, this was more around a general policy question that arose out of another discussion -- do we have any kind of consistent policy or recommended best practice for our projects with regards to CLAs and should the CDF be handling that on behalf of the projects. Put another way, is there a reason NOT to just do it everywhere?
The second item also came up during that discussion because we realized the CDF repos were pretty locked down and nobody seemed to have admin access other than Dan (and now Brian), so getting some teams and roles in there would be lovely.
On Tue, Jul 7, 2020 at 6:07 AM Dan Lorenc <dlorenc@...> wrote:
Tara had a couple TOC agenda items for today:
[tara] Need a CLA or similar for ambassadors/contributors to clarify contributions from individuals vs. corps
Tara, could you clarify which repos you'd like to get the CLA setup on? We should be able to use EasyCLA for this.
[tara] TOC should define teams/policies around github org access
The CDF is sponsoring a track and a virtual booth at DevOps World 2020. We are offering this benefit to all of our members and ambassadors. This offers the opportunity for you to have a presence at DevOps World through the CDF booth.
We are asking for you to volunteer an hour of your time to come and represent your company. We also have the opportunity to share your marketing collateral in our booth for our attendees to download. If you are interested, please sign up to volunteer and represent your company, an incubating project, or the CDF.
We are seeking speakers to help curate the CDF sponsored track! We have 30 min & 1 hr speaking slots available on a first come, first served basis. Please sign up here! Deadline: August 10, 2020!
We are seeking volunteers to help virtually staff the CDF booth. The minimum requirement is 1 hour of your time. If you are interested in helping please sign up here! (DEADLINE: July 10, 2020).
Any CDF members (all tiers) that volunteer - we are also asking them to provide the following marketing collateral from their companies. This is an opportunity to speak about your company's technology and represent the CDF & its projects all in one place. The collateral will be available for attendees who stop by the booth to download. Please provide in PDF format by DEADLINE: July 10, 2020 & send to jsalinas@...
Case studies
White papers
Data sheets
Infographics
Swag
We are seeking technical folks who can speak about the following projects:
Spinnaker
Tekton
Screwdriver
Jenkins
Jenkins X
CI/CD & DevOps general topics
We are also seeking volunteers from the Governing Board, TOC, and Ambassador program to help represent the CDF and speak to its initiatives. If you have any questions, feel free to reach out to me. Thanks!
We are seeking volunteers to help virtually staff the CDF booth. The minimum requirement is 1 hour of your time. If you are interested in helping please sign up here! (DEADLINE: July 6, 2020).
Any CDF members (all tiers) that volunteer - we are also asking them to provide the following marketing collateral from their companies. This is an opportunity to speak about your company's technology and represent the CDF & its projects all in one place. The collateral will be available for attendees who stop by the booth to download. Please provide in PDF format by DEADLINE: July 10, 2020 & send to jsalinas@....
Case studies
White papers
Data sheets
Infographics
Swag
We are seeking technical folks who can speak about the following projects:
Spinnaker
Tekton
Screwdriver
Jenkins
Jenkins X
CI/CD & DevOps general topics
We are also seeking volunteers from the Governing Board, TOC, and Ambassador program to help represent the CDF and speak to its initiatives. If you have any questions, feel free to reach out to me. Thanks!
The CDF is sponsoring a track at DevOps World 2020! We are looking for volunteers to submit their talk ideas to us and we will curate the content for the track on behalf of the CDF.
The track includes twenty-nine 30-minute sessions over the course of 3 days. We have the flexibility to combine them into whatever length and format we want. We offered our CD Summit EU speakers this opportunity first, since we had to cancel CD Summit EU this year as a result of COVID-19. THIS IS OFFERED TO YOU ON A FIRST COME, FIRST SERVED BASIS.
We invite CDF members & Community Ambassadors to submit their talk ideas to the CDF.
On Jul 7, 2020, at 1:10 PM, Brian Warner <bwarner@...> wrote:
Dan - Yep, I can do that. You should be an owner now, I just updated it.
Tara - For CLAs, generally the governing board sets the policy for the Foundation in the IP policy (e.g., "We require Foundation projects to use this particular CLA" or "Foundation projects may use this approved CLA if they choose, or not" or "We are using inbound=outbound with the DCO"). From that point, it's just a matter of tooling. We've got that reasonably well covered on the LF side, and I can walk you through that if it would help.
Also, I'm always up for making sure the ACLs are right... if it would be helpful, I can create a list of the teams, who is on them, and which repos they have access to?
Best,
Brian
On Tue, Jul 7, 2020 at 3:57 PM Tara Hernandez <tarahernandez@...> wrote:
Damn, had forgotten all about those (so, yay for me adding it to the notes against that eventuality)
:)
I don't have a list of repos per se, this was more around a general policy question that arose out of another discussion -- do we have any kind of consistent policy or recommended best practice for our projects with regards to CLAs and should the CDF be handling that on behalf of the projects. Put another way, is there a reason NOT to just do it everywhere?
The second item also came up during that discussion because we realized the CDF repos were pretty locked down and nobody seemed to have admin access other than Dan (and now Brian), so getting some teams and roles in there would be lovely.
On Tue, Jul 7, 2020 at 6:07 AM Dan Lorenc <dlorenc@...> wrote:
Tara had a couple TOC agenda items for today:
[tara] Need a CLA or similar for ambassadors/contributors to clarify contributions from individuals vs. corps
Tara, could you clarify which repos you'd like to get the CLA setup on? We should be able to use EasyCLA for this.
[tara] TOC should define teams/policies around github org access
I messed up on the previous meeting and my sincerest apologies. We have rescheduled, time zones have been triple checked & confirmed. I will send weekly reminders to the community as we get closer to the meeting date. All the info is below on how to log in to be part of the End User Council working group.
On Mon, Jun 22, 2020, 19:00 Jacque Salinas <jsalinas@...> wrote:
Hi all,
I messed up on the previous meeting and my sincerest apologies. We have rescheduled, time zones have been triple checked & confirmed. I will send weekly reminders to the community as we get closer to the meeting date. All the info is below on how to log in to be part of the End User Council working group.
Hi all, I've added Beth Fuller, a product manager at Armory who has been doing a lot of work on the Security SIG. I think she can be of further assistance with this F5 inquiry.
On Mon, Jun 15, 2020 at 11:56 AM Rosalind Benoit via lists.cd.foundation <rosalind.benoit=armory.io@...> wrote:
Checking to see if we can assist.
On Mon, Jun 15, 2020 at 8:59 AM Michael Galloway <mgalloway@...> wrote:
Netflix unfortunately does not have anything that we can share.
Perhaps Armory may be able to help, Rosalind?
On Mon, Jun 15, 2020 at 8:29 AM Chris Aniszczyk <caniszczyk@...> wrote:
This is exactly what the security audit will provide once it's open sourced and shared with the community.
I believe it was procured recently and is being scheduled. Brian Warner can chase it down.
There may be older audits that Netflix has done that they can choose to open source and share, but I'm not familiar with those.
On Mon, Jun 15, 2020 at 10:13 AM Michael Galloway via lists.cd.foundation <mgalloway=netflix.com@...> wrote:
Is this something our security review is supposed to provide?
I’ll ask folks on the Spinnaker project as well, to see if there is any material.
On Mon, Jun 15, 2020 at 6:47 AM Jacque Salinas <jsalinas@...> wrote:
Hello,
Who should I route this to?
---------- Forwarded message ---------
From: Suhrud Kumar CHILUVERU <s.chiluveru@...>
Date: Thu, Jun 11, 2020 at 2:00 AM
Subject: Security/Compliance reports regarding Spinnaker
To: info@... <info@...>
Hello CD Foundation Team,
We, at F5 Networks, are looking to implement Spinnaker as a Continuous Delivery Platform for our services. However, to integrate with our internal services, our Information Security team is looking for some security and compliance reports for the Spinnaker product.
Can you please see if you can provide the following (where available):
• SOC2 Type 2 (SSAE16) report
• PCI DSS compliance report
• ISO 27001 and/or 27018 certification(s)
• Security related system diagrams
• One of the following:
  o Clean software analysis report (from Veracode, or equivalent) showing code is malware-free, or
  o Contractual attestation that software is malicious-code free
This would greatly help us in clearing our Third Party Security Assessment and start using Spinnaker as our CD platform.
Sharing...please support Rosalind, Outreach Committee Chair and Director of Community at Armory as she hosts Spinnaker.Live today.
---------- Forwarded message ---------
From: Jesse Casman <jesse@...>
Date: Thu, Jun 18, 2020 at 9:16 AM
Subject: [cdf-outreach] Join Us at Spinnaker Live TODAY!
To: <cdf-outreach@...>
CDF Outreach!
Spinnaker.live is, uh, spinning up in about 45 minutes from now. If you want to participate, it's still easy to register and get involved.