-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Governance improvements to improve #24
base: main
Are you sure you want to change the base?
Conversation
Updated terms and roles to more accurately reflect the current working group norms and future efforts. Signed-off-by: Michael Winser <[email protected]>
Refined and clarified Steering Committee Member terms and elections and responsibilities. Signed-off-by: Michael Winser <[email protected]>
Changed the Steering Committee size to exactly 5 so that supermajority can be explicit for 2.4 Fixed a typo (repeated "be") Signed-off-by: Michael Winser <[email protected]>
Moved the paragraph for Steering Committee actions for adding or removing Maintainers to the Steering Committee responsibilities section. Signed-off-by: Michael Winser <[email protected]>
@@ -6,57 +6,55 @@ As a community effort organized within the [Supply Chain Integrity WG](https://g | |||
|
|||
The SLSA Project described in this document is the "Working Group" for purposes of the [Community Specification License 1.0](./1._Community_Specification_License-v1.md). | |||
|
|||
The SLSA Project is comprised of multiple "Work Streams." These Work Streams represent different tracks of specification work or tools implementation. Work Streams are not strictly tied to unique repositories in the slsa-framework GitHub organization. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit/optional: can we use "workstream" instead of "work stream"
https://learn.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/w/workstream
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hah, Michael and I discussed this. It seems like "workstream" is more from the tech industry while "work stream" is grammatically correct. I don't have a strong opinion though :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hah, Michael and I discussed this. It seems like "workstream" is more from the tech industry while "work stream" is grammatically correct.
Aren't we part of the tech industry? :-) I prefer workstream, noting that this is how it appears in various places in our repo already: https://github.com/slsa-framework/slsa/tree/main?tab=readme-ov-file#active-workstreams
|
||
**1.3. Maintainers.** "Maintainers" are responsible for reviewing and merging all proposed changes, and they guide the overall technical direction of the Project within the guidelines established by the Steering Committee. The "Specification Maintainers" are the default set of Maintainers for all Project repositories, recorded in slsa.git's [MAINTAINERS.md](https://github.com/slsa-framework/slsa/blob/main/MAINTAINERS.md). Other Project repositories may have a distinct set of Maintainers, defined in their respective MAINTAINERS.md files. | ||
**1.3. Maintainers.** "Maintainers" are responsible for reviewing and merging all proposed changes, and they guide the overall technical direction of a Work Stream within the guidelines established by the Steering Committee. Each Work Stream will record its Maintainers in a Maintainers.md file in the appropriate repositories + path locations. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the file is usually/always capitalized?
**1.3. Maintainers.** "Maintainers" are responsible for reviewing and merging all proposed changes, and they guide the overall technical direction of a Work Stream within the guidelines established by the Steering Committee. Each Work Stream will record its Maintainers in a Maintainers.md file in the appropriate repositories + path locations. | |
**1.3. Maintainers.** "Maintainers" are responsible for reviewing and merging all proposed changes, and they guide the overall technical direction of a Work Stream within the guidelines established by the Steering Committee. Each Work Stream will record its Maintainers in a MAINTAINERS.md file in the appropriate repositories + path locations. |
|
||
The Steering Committee may add additional Steering Committee Members as it deems necessary. | ||
**1.5. Steering Committee Member Terms.** Steering Committee Members have a one year term. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this set us up for all the seats expiring at one time and then there's no steering committee members?
Perhaps the old language had that problem too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We propose to not stagger elections like in the current governance since that adds more overhead. To your point, we should note that nominations & elections should occur before the term is up, maybe a month in advance to give enough time.
## 1. Roles. | ||
|
||
The Project includes the following roles. Additional roles may be adopted and documented by the Steering Committee. | ||
|
||
**1.1. Participants.** "Participants" are those that have (a) made Contributions to the Project subject to the Community Specification License; (b) contributed code or documentation to Project assets other than specifications; and/or (c) otherwise contributed to or participated in the SLSA community, such as by attending meetings. | ||
**1.1. Participants.** "Participants" are those that have contributed to or participated in the SLSA community, such as by attending meetings, engaging in conversations on Slack, or commenting on documents. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the motivation for removing the 'Community Specification License'?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We thought the current governance, where the Participant requirement could be met with any of these three, was overly precise. (a) or (b) meet the requirements for Contributor, and of course a Contributor is a Participant as well. (c) is all that is necessary to be a Participant.
Note for follow up: @michaelwinser and I have reviewed https://github.com/slsa-framework/slsa-proposals/tree/main/0007 and found no major differences, but are planning to do another pass. One difference I noted was the explicit SC requirement that an SC member be well-versed with SLSA. In our proposed changes, any Participant is able to nominate themselves. @michaelwinser, should we include more specifics on the nomination process to align with 0007, namely a requirement that you include "Evidence of performing some of the role's duties over the recent past" (from 0007)? |
|
||
The Steering Committee may add additional Steering Committee Members as it deems necessary. | ||
**1.5. Steering Committee Member Terms.** Steering Committee Members have a one year term. | ||
At the expiration of a Steering Committee Member term, any Participant may submit a nomination to fill the seat. An individual may be nominated for and serve any number of successive terms. However, Steering Committee Members are encouraged to allow other longstanding Participants to contribute as Steering Committee Members. Steering Committee Members are elected by current Participants. Steering Committee Members must resign if they become inactive. Steering Committee Members may be removed through an extraordinary vote by current Participants. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Steering Committee Members may be removed through an extraordinary vote by current Participants."
I think that's a totally reasonable provision to have but note that this very much sounds like a setup for a "coup", something people took offense with when I suggested we might need to resort to in order to refresh the current defunct SC. :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was meant for forced removal if a member is inactive. To remove this concern of a "coup", we could define inactive as a fixed period of time (6 months maybe? Also need to account for members who may go on personal leaves. We could state that an SC member should appoint a temporary member if on leave for more than 6 months). If an SC member is inactive for more than that period, then they are presumed resigned and a vote is held.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we leave this in I think it needs a clear definition. Is it just a simple majority? How are the total number of participants measured?
I think defining the rules under which this happens can address this concern, but it also seems hard to address all the details well. Might be easier to leave this out and let the TAC handle issues like this if necessary.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think defining clear criteria would go a long way but indeed leaving it to the TAC might be simpler.
We cannot have an elected member designate a proxy that hasn't been elected. This would violate the basic principles that the SC is composed of elected members. We could allow for a member to designate another delegate as their proxy if deemed necessary but I'm not sure it is.
I suggest to try to keep this as simple as possible. If we try to address every possible edge case we might encounter one day it's going to become very heavy.
I've annotated 0007 below to note differences or similarities. We are mostly aligned. Proposed changes to incorporate from 0007 are noted immediately below.
@michaelwinser, do you agree to the above? I can either propose these changes as comments or you can incorporate them.
SC is down to 5. We've proposed no guidelines for maintainer seats. I wouldn't recommend this, as this amount of churn for maintainers would make it hard to maintain velocity.
We have specified self-nomination. We have not noted evidence as a requirement.
We have made it a vote by Participants, not by SC members. I think this is a good process, as it gives the community a vote for its leadership.
This process has been noted for SC members.
We have not explicitly stated this, we should.
I don't think this is necessary to state explicitly, the OSSF TAC always has oversight over its projects.
Noted as a responsibility of the SC.
We've made a change to note a Participant is just someone who adds to discussions. The current language is confusing because it includes language from being a Contributor as well.
We've added an example to Contributor to note it's someone who is authoring code or specifications. A Contributor does not directly have permissions over repositories, so there is no need to delegate from a Maintainer to Contributor.
We've proposed a similar definition but without core vs subproject. We've added "workstreams" to denote between different specs and tooling efforts, and each has its own maintainer. I don't think we need a special Core Maintainer role, as that only sounds administrative and that is a responsibility of the SC.
Agreed on all points, this is noted in the proposal.
We don't have a Core Maintainer role, but I've noted SC members should be GitHub admins.
We've noted this as a requirement for an SC member.
This whole section was not explicitly added to the proposal. I've noted our need to add it.
Added as a follow up.
Our proposal differs, SC members are added by vote, maintainers approve new maintainers.
Added already.
We can remove this.
We can add.
This is already in governance.
This was not added, and I think we should be OK based on the new rules that SC members are voted in immediately and there is an odd number always. |
Do you need any feedback on this from anyone in particular right now? |
No, just wanted to note my thoughts publicly. You can wait until we’ve integrated my suggested changes. |
Please tag me (and others) specifically when ready to review. Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, pending the open discussions, particularly around referring to the TAC for extraordinary removals.
|
||
* enabling the smooth running of the Project | ||
* coordinating activities between workstreams and Maintainers | ||
* collectively reviewing and revising the roadmap on a biannual basis | ||
* collectively reviewing and revising the Project mission, vision, strategy, and roadmap on a biannual basis |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: "biannual" can be interpreted as twice a year or every two years. Can we replace with less ambiguous language?
Updated terms and roles to more accurately reflect the current working group norms and future efforts.
Updated Steering Committee Member terms and elections and responsibilities.
Changed the Steering Committee size to exactly 5 and updated rules for governance update to depend on that size
Still missing some text to encourage Maintainers of Work Streams to make decisions more quickly in a smaller setting. This probably belongs in the Work Stream lifecycle rather than governance.