Introduce Sandbox Stage in project lifecycle policy#10
Introduce Sandbox Stage in project lifecycle policy#10CowFreedom wants to merge 3 commits intomainfrom
Conversation
Added 'Sandbox Stage' section with definitions, examples, expectations, acceptance criteria, approval process, and benefits for projects.
|
|
||
| ##### Expectations | ||
|
|
||
| A project can remain a Sandbox project for a maximum of one year. |
There was a problem hiding this comment.
Could we add here, that sandbox projects are experimental and their outputs are not intended for end‑user or production use. Projects that release production‑ready artifacts should transition to a more mature stage.
There was a problem hiding this comment.
I think a project can already have production use without it being accepted into incubation. I dont see this as an issue tbh. I thought project stage can declare maturity, but who are we to judge if someone uses the project in production?
There was a problem hiding this comment.
It's not meant to be rule, it's more about setting expectations. Sandbox projects may already be used in production (however we define that). But the default end-user expectation should be that this is unfinished software.
There was a problem hiding this comment.
Agreed totally on that caution note, makes sense 💯
There was a problem hiding this comment.
Good additions, added to the expectations chapter.
|
+1 |
Clarified the definition and expectations for Sandbox projects, emphasizing their experimental nature and production readiness.
|
|
||
| ##### Expectations | ||
|
|
||
| A project can remain a Sandbox project for a maximum of one year. Sandbox projects are experimental and their output is not intended to be used in production. Projects that release production-ready artifacts should transition to a more mature stage. |
There was a problem hiding this comment.
You might want to give the TAC some wiggle room here that allows the TAC to extend being in Sandbox longer under certian circumstances.
There was a problem hiding this comment.
What do you think about:
A project can remain a Sandbox project for a maximum of one year unless extended by the TAC.
| * Submission of the Project Proposal, as defined above. | ||
| * A TAC sponsor to champion the project and provide mentorship as needed. | ||
| * Have a charter document with an intellectual property policy that leverages open licenses, including, in the case of contributions of code, the use of one or more licenses approved as "open" by the Open Source Initiative. The staff of the NeoNephos Foundation can assist projects in preparing a technical charter following the NeoNephos Foundation’s standard template. | ||
| * In the case of existing projects, an agreement to transfer the project name and electronic account assets (source code repository, social media accounts, domain names, etc.) to Linux Foundation Europe for the benefit of the NeoNephos Foundation. |
There was a problem hiding this comment.
L126-L130 likely should be changed, as this is the same requirement for Sandbox
There was a problem hiding this comment.
Yes, that is correct.
|
|
||
| To be considered for the Sandbox Stage, the project must meet the following requirements: | ||
| * Submission of the Project Proposal, as defined above. | ||
| * Have a charter document with an intellectual property policy that leverages open licenses, including, in the case of contributions of code, the use of one or more licenses approved as "open" by the Open Source Initiative. The staff of the NeoNephos Foundation can assist projects in preparing a technical charter following the NeoNephos Foundation’s standard template. |
There was a problem hiding this comment.
I'd recommend replacing L94-95 with:
- Complete and approve the Technical Charter and agree to transfer any relevant trademarks and/or assets to Linux Foundation Europe, and to assist in filing for any relevant unregistered ones.
There was a problem hiding this comment.
Sounds good, thanks.
- Resolve CVE MUST/SHOULD contradiction: advisory links MUST be in release notes, CVE identifier MUST only when assigned (Section 6.4 stays SHOULD) - Align all timelines to report receipt (Day 0), matching Google Project Zero practice; remove "from triage completion" phrasing - Clarify embargo starts from report receipt, not acknowledgement - Fix conformance matrix: split secret scanning (MUST) from push protection (SHOULD) into separate rows - Make CI/CD section platform-neutral: generic requirements with "On GitHub:"/"On GitLab:" implementation guidance - Quick-start checklist: fix item neonephos#10 (secret scanning only, push protection is SHOULD) and #12 (platform-neutral wording) - Template: convert italic instructions to HTML comments - Template: add PVR enablement reminder before GitHub section - Template: use absolute URLs for cross-repo portability - Template: add "What to Include" section for reporters - Template: make security contacts table platform-neutral - Template: clarify attribution (OpenSSF vs NeoNephos) per item - Template: add footnote explaining 90-day ceiling vs fix targets Signed-off-by: Gerald Morrison <gerald.gm.morrison@gmail.com>
7 participants
Situation
We currently have four stages:
Incubation,Growth,GraduatedandEmeritus.Many other foundations have an additional stage, called
Sandbox.This stage is for projects that are either experimental or too nascent for
Incubation.The
Sandboxstage is a low threshold way for projects to join our foundation. To not have projects build up in this stage, aSandboxproject must become compatible to the other stages quickly.Why do we need a low threshold way to join?
It can be reasonably expected that there are interesting projects that want to apply for NeoNephos inclusion but are in a very early stage. Nevertheless, it could be useful to have them in the "NeoNephos portfolio", in order to nurture them "from the start". Lastly, some of our projects might come from initiatives (e.g. IPCEI-CIS, IPCEI-AI) and are experimental. We might still want to have them as we know they will be worthwhile to our ecosystem.
Why not use
Incubation?The
Incubationstage usually places additional requirements in terms of governance, openssf badging and community contributions. Since NeoNephos' stage requirements are still in flux, it is expected that ourIncubation stagewill also be strengthened.Sandboxwould then remain the only low threshold way for projects to join the foundation (on a trial basis).Precedence
Next to LF Energy , the CNCF is another prominent foundation with this kind of setup (Note: CNCF has no growth stage).