[Governance Review]: in-toto #733

Closed
trishankatdatadog opened this issue Oct 16, 2024 · 2 comments · Fixed by #740

Comments

@trishankatdatadog
Contributor

trishankatdatadog commented Oct 16, 2024

Project Name

in-toto

Project Website

https://in-toto.io/

Contact Details 1

@SantiagoTorres

Contact Details 2

@JustinCappos

Links to communication channels

https://cloud-native.slack.com/archives/C056XS0VD6K

Reason for governance review request

Application for moving levels from Incubation to Graduation

Are there any sub-projects, plugins, and related?

  • Most reference implementations of in-toto are listed here
  • Witness and Archivista are two projects that have been donated by TestifySec to the in-toto org
  • Major integrations or deployments of in-toto are listed here
  • The Attestation framework is a notable subproject used heavily by SLSA (an OpenSSF project)
  • SBOMit, GUAC, and gittuf are other OpenSSF projects that also use in-toto
  • Last but not least, Sigstore is another major OpenSSF project that also heavily uses in-toto

Governance model

We took the governance model from graduated projects like SPIFFE and lightly adapted it to meet our needs. We have a spec-based project (as does SPIFFE), which has a variety of different implementations that are managed by diverse groups. So, we felt this made the most sense.

Governance documents

Governance Execution Examples

Governance Evolution

We switched from a “BDFL” model to the more horizontal model we use today in January of 2023: in-toto/community#3

Any specific aspects of your governance structure you are seeking feedback on?

No response

Do you have any concerns or specific areas where you feel your governance could be improved?

No response

Additional notes and resources

We look forward to your review, so please let us know if you have questions. Thanks!

@jberkus
Contributor

jberkus commented Oct 18, 2024

@trishankatdatadog thanks! Some questions/follow-up:

Are there any sub-projects, plugins, and related?

This section is for sub-projects of In-Toto. Not for integrations, users, etc. We're looking for subprojects/WGs/SIGs/teams/whatever that form semi-autonomous groups within the project -- if you have any. A lot of projects do not. Please update, thanks.

We switched from a “BDFL” model to the more horizontal model we use today in January of 2023: in-toto/community#3

Any commentary on how that transition went? Anything you particularly would like us to look at?

Like a security audit, the governance review is your chance to have an independent 3rd party examine your "project paperwork" and make suggestions. So please add anything you'd like us to review for your benefit.

@trishankatdatadog
Contributor Author

@trishankatdatadog thanks! Some questions/follow-up:

Are there any sub-projects, plugins, and related?

This section is for sub-projects of In-Toto. Not for integrations, users, etc. We're looking for subprojects/WGs/SIGs/teams/whatever that form semi-autonomous groups within the project -- if you have any. A lot of projects do not. Please update, thanks.

We switched from a “BDFL” model to the more horizontal model we use today in January of 2023: in-toto/community#3

Any commentary on how that transition went? Anything you particularly would like us to look at?

Like a security audit, the governance review is your chance to have an independent 3rd party examine your "project paperwork" and make suggestions. So please add anything you'd like us to review for your benefit.

Thanks, Josh. I'm busy traveling in an opposite time zone at the moment, but I'll confer with the rest of the in-toto Steering Committee, and will keep you posted.


4 participants