feat: Update governance process #135
Conversation
|
@vikas-agarwal76 @jflowers I've opened issue #136 to discuss the process for future alterations to our governance documents. To ensure transparency and minimize the impact of sweeping changes, I propose we adopt a practice of documenting individual decisions and significant changes within dedicated issues or PR descriptions. This will allow for a clearer understanding of their rationale and potential ramifications. What do you think? |
Yes, I agree. Thanks for the suggestion. |
|
@vikas-agarwal76 Is this ready for review or feedback? |
|
Hello! Thank you for your work on evolving the I've reviewed the proposed changes, and I'd like to offer some feedback based on best practices from the CNCF and its graduated projects. My main concern is that some of the proposed changes could inadvertently create a more closed-off governance system than is typical for successful open-source communities. I'd like to suggest a few amendments to ensure we build a model that is as open, transparent, and meritocratic as possible, in line with CNCF principles. My primary concern is with the new line introduced at line 23: "In case of any conflict between the decision of the oversight committee and that of individual projects, the decision of the oversight committee will be binding." While the Oversight Committee should indeed be a point of escalation for unresolved disputes, this "binding" clause could unintentionally undermine the autonomy of our individual projects. A core CNCF principle is that technical decisions should reside with the project maintainers who are closest to the code. A top-down, binding override from the committee should be a measure of last resort for resolving deadlocks, not the default expectation for any conflict. To better align with CNCF principles, I suggest we rephrase this to emphasize collaboration and the committee's role as a facilitator, rather than a top-down authority. For example: "While technical decisions for a project reside with its maintainers, the Oversight Committee may be asked to help mediate cross-project disputes or resolve decisions that a project's maintainers are unable to reach a consensus on." This preserves the committee's authority to resolve blocking issues without undermining the day-to-day autonomy of the projects. This concern about top-down control is also reflected in a few other changes in this PR. To ensure we are building a truly community-driven project, I would also recommend we discuss the following:
I believe that incorporating this feedback will help us create a governance model that is more transparent, resilient, and aligned with the best practices of successful open-source projects. I am happy to discuss these points further. Thank you again for your work on this important document. |
MEMBERSHIP.md
Outdated
| * You have been sponsored by **two Maintainers**. **Note the following requirements for sponsors**: | ||
| * Sponsors must have close interactions with the prospective Reviewer - e.g. code/design/proposal review, coordinating on issues, etc. | ||
| * Sponsors must be from multiple member companies to demonstrate integration across community. | ||
| * One of the sponsor has to be from the same sub-project. |
MEMBERSHIP.md
Outdated
| * You have been sponsored by **two Maintainers**. **Note the following requirements for sponsors**: | ||
| * Sponsors must have close interactions with the prospective Maintainer - e.g. code/design/proposal review, coordinating on issues, etc. | ||
| * Sponsors must be from multiple member companies to demonstrate integration across community. | ||
| * One of the sponsor has to be from the same sub-project |
@jflowers For a called vote to pass, either 51% (majority vote) or 67% (super majority vote) in favor is needed. |
GOVERNANCE.md
Outdated
| Significant adopters are those projects and/or organizations that have significant usage of OSCAL Compass **core** projects and are using it for at least six months or more. They need to acitvely contribute/engage with the projects through GitHub events like creating issues, creating PRs, reviewing PRs, commenting on issues, etc. and/or other activities such as publishing joint blogs/papers, giving joint talks, demos, etc. and should also be a member of the OSCAL Compass organization. | ||
|
|
||
| The Oversight Committee functions as the organization maintainers. | ||
| An adoptor can be designated as a significant adopter with a simple majority of the oversight committee. Their name would be added to the [significant adopters list](./ADOPTERS.md). |
There was a problem hiding this comment.
@vikas-agarwal76 As discussed in the community meeting, I think it would be make sense to keep the ADOPTERS.md as a low friction option for collecting information about projects or organizations using OSCAL Compass for project visibility and growth.
There was a problem hiding this comment.
I think i'm confused with adopters vs advocates. I could be using oscal compass across every project in a fortune 100 yet not be proactive in the community.
This is almost like an 'ecosystem' rather than adopters based on the definition of significant adopters.
There was a problem hiding this comment.
I think places to capture ecosystem information makes sense. OPA has something like this where it captures things like tool integrations. The original intent of the ADOPTERS.md was just to gather information about organizations who are willing to publicly share their use and experience with OSCAL Compass.
butler54
left a comment
butler54
left a comment
There was a problem hiding this comment.
I've left a large number of comments here. The overall goal is to remove wiggle room for debate and or objections that a person is being excluded.
GOVERNANCE.md
Outdated
| Changing the status of a project from non-core to core, or core to non-core will require a 2/3 majority of the oversight committee. | ||
|
|
||
| #### Stepping Down and the Emeritus Process | ||
| ### OSCAL Compass 'lab/workgroup' projects and 'significant adopters' |
There was a problem hiding this comment.
I think this section can be separated.
There was a problem hiding this comment.
e.g. OSCAL Compass 'lab' and 'core' projects; second section 'significant adopters'
| ### OSCAL Compass 'lab/workgroup' projects and 'significant adopters' | ||
|
|
||
| It is inevitable that people's focuses will change over time. Contributors can retire and move to emeritus Maintainers. If a contributor needs to step down from their current role, they should inform the appropriate project Maintainers. No vote is required for a contributor to remove themselves, and any project Maintainer can approve the PR. Maintainers who step down become emeritus Maintainers. | ||
| New projects that are not core to the functionality of OSCAL Compass but are closely related may be incubated as a lab/workgroup project in a separate [oscal-compass-lab](https://github.com/oscal-compass-lab) Github org managed by OSCAL Compass maintainers. Existing projects closely related to OSCAL Compass, but in a separate github org can also be moved to oscal-compass-lab Github org. All the lab projects will follow a similar project maintenance structure as projects in OSCAL Compass. |
There was a problem hiding this comment.
All projects that are demostrations or templates should be in the lab?
|
|
||
| The election process is as follows: | ||
|
|
||
| 1. **Call for Nominations**: One month before the election, a call for nominations will be sent out to the OSCAL Compass community. |
There was a problem hiding this comment.
I think how should be added to point one.
| The election process is as follows: | ||
|
|
||
| 1. **Call for Nominations**: One month before the election, a call for nominations will be sent out to the OSCAL Compass community. | ||
| 2. **Nomination Period**: Community members will have one month to nominate candidates for the Oversight Committee. Self-nominations are permitted. |
| 1. **Call for Nominations**: One month before the election, a call for nominations will be sent out to the OSCAL Compass community. | ||
| 2. **Nomination Period**: Community members will have one month to nominate candidates for the Oversight Committee. Self-nominations are permitted. | ||
| 3. **Candidate Statements**: Each candidate will be asked to provide a statement of interest and qualifications. | ||
| 4. **Vetting**: There is usually a process for the existing committee or another body to review the nominations and confirm that the candidates meet the eligibility criteria. |
There was a problem hiding this comment.
This leaves room for manoeuvre. I would argue 4 needs a sub point such as:
- Negative determination of eligibility needs to be affirmed by a majority vote of the current oversight committee.
e.g. exclusion needs to be explicitly documented so that no one is excluded for invalid reasons.
GOVERNANCE.md
Outdated
|
|
||
| Oversight committee members are elected to serve a two year term. Members can serve two consecutive terms (4 years). Bootstrap and terms that result in equal to or less than one year served are exempt. | ||
|
|
||
| Election cycles are scheduled such that roughly half of the seats come up for re-election each year for purposes of continuity. The exact number of seats alternates between 3 and 4. |
There was a problem hiding this comment.
Further to the point above, I think you should specify that the election cycle should be annual. it's not explicitly spelled out.
|
|
||
| Some examples include: | ||
|
|
||
| * Carrying out [Code of Conduct](https://oscal-compass.github.io/compliance-trestle/mkdocs_code_of_conduct/) decisions requiring severe censure (supermajority of the Oversight Committee) |
There was a problem hiding this comment.
Supermajority is not defined. I believe you are saying 2/3rds but it should be explicit
MEMBERSHIP.md
Outdated
| To become a project Reviewer, you must meet the following requirements: | ||
|
|
||
| * Member for at least **3 months**. | ||
| * Primary reviewer or author for at least **5 substantial PRs** to the codebase. |
There was a problem hiding this comment.
I'm not sure we want to put numbers in here yet. It might make sense to decrease each of the numbers to one and add a note at the bottom of this section that as OSCAL compass matures we expect the PR review / author count to increase.
| * Sponsors must have close interactions with the prospective Reviewer - e.g. code/design/proposal review, coordinating on issues, etc. | ||
| * Sponsors must be from multiple member companies to demonstrate integration across community. | ||
| * One of the sponsors has to be from the same sub-project. | ||
| * With no objections from other maintainers of the same sub-project |
There was a problem hiding this comment.
No objections is potentially exclusionary. might make sense if there are objections those objections must be voted on.
MEMBERSHIP.md
Outdated
|
|
||
| ## OSCAL Compass Ecosystem | ||
|
|
||
| OSCAL Compass also has a 'lab' GitHub organization for incubating new projects and hosting closely related projects from the community. If you are an OSCAL Compass org member, you are implicitly eligible for membership in the related 'lab' Github org, and can request membership when it becomes relevant, by creating a PR directly or opening an issue against the 'lab' Github org community repo. |
There was a problem hiding this comment.
Insert lab org links here including for PR to community repo
|
@vikas-agarwal76 looking at this document along with the PR's from @jpower432 and @jflowers it looks like this is consolidating a number of request and issues into once cohesive document. Before voting occurs I believe we should add the closes: #issueorprnumber explicitly to the PR body to ensure the reviewer understand all the documents / issues this is intended to complete / supersede |
Clarified terms for oversight committee service and election cycles.
|
@butler54 As discussed, I have incorporated your suggestions. Please see. |
|
/vote-super |
Vote created@vikas-agarwal76 has called for a vote on The members of the following teams have binding votes:
Non-binding votes are also appreciated as a sign of support! How to voteYou can cast your vote by reacting to
Please note that voting for multiple options is not allowed and those votes won't be counted. The vote will be open for |
Vote closedThe vote passed! 🎉
Summary
Binding votes (4)
|
butler54
left a comment
butler54
left a comment
There was a problem hiding this comment.
LGTM - approved based on gitvote
Closes Issues: #127, #136, #137
Closes PRs: #133 , #134