[Incubation] WasmEdge Incubation Application #1316

Closed
41 of 44 tasks
alabulei1 opened this issue May 8, 2024 · 5 comments

alabulei1 commented May 8, 2024

WasmEdge Runtime Incubation Application

Project Repo(s): https://github.com/WasmEdge/WasmEdge
Project Site: https://wasmedge.org/
Sub-Projects: None
Communication: #WasmEdge in the CNCF slack channel and the separate WasmEdge Discord server.

Project points of contacts:
Michael Yuan, [email protected]

Incubation Criteria Summary for WasmEdge

Adoption Assertion

The project has been adopted by the following organizations in a testing and integration or production capacity:

A list of WasmEdge adopters can be found here. Additionally, many of them are not disclosed.

Application Process Principles

Suggested

N/A

Required

  • Give a presentation and engage with the domain specific TAG(s) to increase awareness

    The WasmEdge runtime was presented to the wg-wasm group under the TAG-runtime in July 2023. You can view the recorded video here.

  • TAG provides insight/recommendation of the project in the context of the landscape

To be completed by TAG runtime.

  • All project metadata and resources are vendor-neutral.

    When WasmEdge joined the CNCF Sandbox in 2021, the project was renamed to ensure vendor neutrality.

    • Communication: WasmEdge maintains its own communication channels such as its website, social media accounts, Slack, and Discord server.
    • Hosting: WasmEdge hosts community meetings, events, resources, and infrastructure on vendor-neutral, third-party platforms.
    • Architectural Decisions: WasmEdge is a cross-platform runtime built on open-source and vendor-neutral tools, such as LLVM and Rust. It supports many different application frameworks, OSes, CPUs and GPUs.
    • Governance: WasmEdge is self-governing, adhering to the CNCF code of conduct. The GOVERNANCE document clearly defines the contribution-based process and leadership structure.
  • Review and acknowledgement of expectations for Sandbox projects and requirements for moving forward through the CNCF Maturity levels.

    Met during sandbox onboarding.

  • Due Diligence Review.

Completion of this due diligence document, resolution of concerns raised, and presented for public comment satisfies the Due Diligence Review criteria.

To be completed by TOC sponsor.

Governance and Maintainers

Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.

Suggested

  • Clear and discoverable project governance documentation.

    The Governance documentation can be found under the WasmEdge GitHub repo: https://github.com/WasmEdge/WasmEdge/blob/master/docs/GOVERNANCE.md

  • Governance has continuously been iterated upon by the project as a result of their experience applying it, with the governance history demonstrating evolution of maturity alongside the project's maturity evolution.

Example: The WasmEdge community has evolved its code of conduct to require clear acknowledgement of derivative work. Those lessons were learnt from disputes between two LFX interns in our community.

  • Governance is up to date with actual project activities, including any meetings, elections, leadership, or approval processes.
  • Document how the project makes decisions on leadership, contribution acceptance, requests to the CNCF, and changes to governance or project goals.
  • Document how role, function-based members, or sub-teams are assigned, onboarded, and removed for specific teams (example: Security Response Committee).

N/A

Required

  • Document complete list of current maintainers, including names, contact information, domain of responsibility, and affiliation.

    You can find the list of reviewers, committers, and maintainers here.

  • A number of active maintainers which is appropriate to the size and scope of the project.

    The WasmEdge runtime project has 4 maintainers, all of whom are active.

  • Code and Doc ownership in Github and elsewhere matches documented governance roles.

    DCO is enforced on all code contributions.
    https://github.com/WasmEdge/WasmEdge/blob/master/docs/OWNER.md reflects the maintainer lists.

  • Document agreement that project will adopt CNCF Code of Conduct.

    Adopted during sandbox onboarding.

  • CNCF Code of Conduct is cross-linked from other governance documents.

    See the CODE_OF_CONDUCT here.

  • All subprojects, if any, are listed.

N/A

Contributors and Community

Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.

Suggested

  • Contributor ladder with multiple roles for contributors.

    Currently, WasmEdge has three roles of contributor: reviewer, committer, and maintainer. See the GOVERNANCE documentation.

Required

  • Clearly defined and discoverable process to submit issues or changes.

    Guides for creating a GitHub issue.

  • Project must have, and document, at least one public communications channel for users and/or contributors.

    The public communication channel is published on WasmEdge docs and project README.md.

  • List and document all project communication channels, including subprojects (mail list/slack/etc.). List any non-public communications channels and what their special purpose is.

    The primary communication channel for WasmEdge is GitHub, where we welcome all kinds of issues, discussions, and pull requests.

    For real-time communication, you can join #WasmEdge on the CNCF Slack workspace or the WasmEdge Discord server.

    Additionally, we maintain a dedicated Twitter account for updates and announcements related to WasmEdge.

    While we have a mailing list through lists.cncf.io, it is only for very infrequent announcements to avoid spam.

    You can find more information about these communication channels in the WasmEdge project README.md and WasmEdge docs.

  • Up-to-date public meeting schedulers and/or integration with CNCF calendar.

    We have a community meeting page under the CNCF community: https://community.cncf.io/wasmedgeruntime-community/

  • Documentation of how to contribute, with increasing detail as the project matures.

    The contribution guide can be found here.

  • Demonstrate contributor activity and recruitment.

    76 committers have created PRs in the last 12 months and 278 contributors have interacted with the project on GitHub.

Engineering Principles

Suggested

  • Roadmap change process is documented.

    Roadmap can be found here. The items are proposed by community members, approved by maintainers, and tracked in GitHub.

  • History of regular, quality releases.

The WasmEdge community has released sixteen new versions of the software since joining CNCF sandbox.

Required

  • Document project goals and objectives that illustrate the project’s differentiation in the Cloud Native landscape as well as outlines how this project fulfills an outstanding need and/or solves a problem differently.

    WasmEdge is a lightweight, high-performance, OCI-compatible, and extensible WebAssembly runtime for cloud-native, edge, and decentralized applications. It powers serverless apps, embedded functions, microservices, smart contracts, and IoT devices. Compared with other WebAssembly runtimes, WasmEdge is a fully featured and yet lightweight runtime with support for advanced networking, asynchronous functions, AI inference, and container tooling. WasmEdge could be seamlessly integrated with existing cloud-native ecosystems like Kubernetes and Docker. You can learn more about WasmEdge runtime here.

  • Document what the project does, and why it does it - including viable cloud native use cases.

    WasmEdge use cases include serverless apps, AI inference, embedded functions, microservices, smart contracts, and IoT devices. They are documented here. Specifically, cloud-native use cases include serverless functions and microservices.

  • Document and maintain a public roadmap or other forward looking planning document or tracking mechanism.

    The WasmEdge project roadmap can be found here.

  • Document overview of project architecture and software design that demonstrates viable cloud native use cases, as part of the project's documentation.

  • Document the project's release process.

    The WasmEdge release process can be found here: https://wasmedge.org/docs/contribute/release

Security

Note: this section may be augmented by a joint-assessment performed by TAG Security.

Suggested

N/A

Required

  • Clearly defined and discoverable process to report security issues.

    The security policy can be found here: https://github.com/WasmEdge/WasmEdge/blob/master/SECURITY.md

  • Enforcing Access Control Rules to secure the code base against attacks (Example: two factor authentication enforcement, and/or use of ACL tools.)

The WasmEdge code base is hosted on GitHub under the CNCF organization. It adheres to access control best practices of both GitHub and CNCF, including two-factor auth for repo admins, protected main branches, and required DCA signatures for every commit.

WasmEdge is adopted by Google OSS Fuzz. It strictly adheres to Google program requirements to fix identified bugs in a timely manner.

  • Document assignment of security response roles and how reports are handled.

The WasmEdge security reporting and response policies are described in the SECURITY.md document.

  • Document Security Self-Assessment.

WasmEdge has a large number of CI tests that must pass for each release. Many of these tests are security related. It also makes extensive use of code coverage tools that generate reports for every PR.

WasmEdge is also an active participant in Google's OSS fuzz program. All issues identified by fuzzing are fixed before every release.

Ecosystem

Suggested

N/A

Required

  • Publicly documented list of adopters, which may indicate their adoption level (dev/trialing, prod, etc.)

    Adopters

  • Used in appropriate capacity by at least 3 independent + indirect/direct adopters, (these are not required to be in the publicly documented list of adopters)

    These will be provided to our TOC sponsor.

The project provided the TOC with a list of adopters for verification of use of the project at the level expected, i.e. production use for graduation, dev/test for incubation.

  • TOC verification of adopters.

    To be completed by the TOC

Refer to the Adoption portion of this document.

  • Clearly documented integrations and/or compatibility with other CNCF projects as well as non-CNCF projects.

    With WasmEdge, users can use their already-familiar cloud-native and container tools to manage lightweight, portable, and secure Wasm apps. WasmEdge has integrated with crun, youki, containerd’s runwasi (A CNCF project), and Docker Desktop. WasmEdge has demonstrated integrations with Kubernetes (A CNCF project), SuperEdge (A CNCF project), OpenYurt (A CNCF project), Kuasar (A CNCF project) and KubeEdge (A CNCF project). WasmEdge aligns with the mission of CNCF in empowering organizations to bring the cloud-native and serverless application paradigms to “edge” scenarios.

Additional Information

N/A


dims commented Jun 4, 2024

Hi @alabulei1 @hydai @q82419 @ibmibmibm

Here are some suggestions to improve the governance, security, and code of conduct aspects of the WasmEdge project based on our current assessment of the details you have provided and are available to everyone as part of the project:

Governance:

Security:

Code of Conduct:

Roadmap:

  • Update the ROADMAP.md file if it's outdated.
  • Document how decisions were made to add new features like "AI Inference" support.

Separation of vendor and community hats:

  • Clearly distinguish the WasmEdge CNCF project from the company (Second State) on websites and resources.
  • Separate community channels (like Discord) from vendor-specific channels.

Specific items to complete before reapplying for incubation:

  • Complete the CNCF TAG-Security Security Assessment (TSSA) Process.
  • Complete the CNCF TAG-Contributor-Strategy Governance Review.
  • Work with the CNCF TAG Runtime to get insights and recommendations for the project in the context of the landscape.

By addressing these points, the WasmEdge project can improve its governance, security practices, code of conduct, and overall transparency, fostering a strong and inclusive community.

When you resubmit in say 4-6 months, the TOC can give your project high priority given it is a resubmit for the project. Thanks a ton for your work in the community!

dims added the not-ready label Jun 4, 2024

dims commented Jun 4, 2024

Marked this as not-ready for now. I'll leave this open for a few days for any follow up questions and close it end of the week. thanks!


dims commented Jun 5, 2024

Going to close - please reopen/reapply when the project meets the requirements outlined earlier in this issue. Do reach out if you have any questions!

dims closed this as completed Jun 5, 2024
github-project-automation bot moved this from Assigned to Done in CNCF TOC Board Jun 5, 2024
dims moved this from Done to Not Ready-Will Return in CNCF TOC Board Jun 5, 2024
alabulei1 commented

Hi @dims

Thanks for your valuable feedback. We will work hard to add the missing documentation and the self-assessments for security and governance.

alabulei1 commented

Hi @dims ,

Thanks for your valuable feedback, which makes WasmEdge a stronger community.
Just want to give an update on the progress we have made in the past two months. Let me know if there are any improvements we can make.

Governance:

  • Consider adding a section for sub-projects if there are any

WasmEdge doesn't have a sub-project. WasmEdge is the main repo, including the plugins.

  • Add information about emeritus maintainers if applicable.

WasmEdge doesn't have any emeritus maintainers.

  • Document the Developer Certificate of Origin (DCO) process somewhere.

We have added the DCO process in the contributor guide documentation. See here.

WasmEdge follows the CNCF governance maintainer, i.e. council. For the roadmap discussion, the maintainers will have a public discussion via GitHub issues before it's implemented. See an example here.

  • Document how technical decisions are made, including whether the design process is public, whether non-maintainers can participate, and provide examples of decisions made in a neutral/community-based fashion.

For each quarter's technical roadmap decision, there will be a public discussion via GitHub issue. Everyone is welcome to join the conversation.

  • See an example here.
  • See the process here

Security:

  • The security process should be owned and run by community participants, not just a vendor (see email in SECURITY.md)

We have changed the email to an email group created by CNCF. See the documents here.

Yes, the current WasmEdge security policies follow CNCF security guidelines. We added a disclosure policy documentation and embargo policy documentation.

Yes. The WasmEdge's security.md, SECURITY_CONTACTS.md, and embargo-policy.md were created by using the CNCF tag-security templates.

Code of Conduct:

  • Separate the dependency/license/copyright information from the CODE_OF_CONDUCT.md file.

Yes, the WasmEdge license is a single file from day 1. See here.

  • Have a dedicated email address or contact point for reporting conduct issues, separate from the general mailing list ( [email protected] )

Besides the general mailing list, community members also can report conduct issues by sending an email to a private email list [email protected].

Updated. See here.

Roadmap:

  • Update the ROADMAP.md file if it's outdated.

See the ongoing Q3 Roadmap file here.

  • Document how decisions were made to add new features like "AI Inference" support.

As mentioned before, for each quarter's technical roadmap decision, there will be a public discussion via GitHub issue. Everyone is welcome to join the conversation. See the policy here.

Separation of vendor and community hats:

  • Clearly distinguish the WasmEdge CNCF project from the company (Second State) on websites and resources.

Second State and WasmEdge have separate websites and social media accounts. We have been consistently clear in our communications that Second State is one of WasmEdge contributors and it provides commercial services around the WasmEdge open-source software.

  • Separate community channels (like Discord) from vendor-specific channels.

WasmEdge now has two community channels, Discord, and Slack, which are designed for community and without vendor branding.

Specific items to complete before reapplying for incubation:

  • Complete the CNCF TAG-Security Security Assessment (TSSA) Process.

It's an ongoing work. We don't have an expected time right now. See the PR here.

  • Complete the CNCF TAG-Contributor-Strategy Governance Review.

It's an ongoing work, which is expected to be completed in early September. See the request issue here.

  • Work with the CNCF TAG Runtime to get insights and recommendations for the project in the context of the landscape.

We demoed WasmEdge in the wg-wasm under the CNCF TAG Runtime when we raised the incubation issue. See the video here. Should we reach out to the CNCF TAG Runtime again?
