Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CloudEvents Graduation Proposal + DD #996

Merged
merged 1 commit into from
Jan 25, 2024
Merged

CloudEvents Graduation Proposal + DD #996

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
238 changes: 238 additions & 0 deletions proposals/graduation/cloudevents-dd.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,238 @@
# CloudEvents Due Diligence

## Statement of CNCF Alignment to TOC Principles
1. Project is self-governing

Yes

2. Is there a documented Code of Conduct that adheres to the CNCF guidelines?
Yes. The governance docs point to: https://github.com/cncf/foundation/blob/master/code-of-conduct.md

3. Does the project have production deployments that are high quality and high-velocity? (for incubation and graduated projects).

Yes. While CloudEvents itself, at its core, is a specification without an official implementation we have a list of known adopters of the specification on our https://cloudevents.io website and have gathered a list of companies who would be willing to discuss their usage of CloudEvents with the TOC members as part of the application for graduated status.

While not an exhaustive list, vendors such as [Google](https://cloud.google.com/functions/docs/writing/write-event-driven-functions) and [Microsoft](https://learn.microsoft.com/en-us/azure/event-grid/cloudevents-schema) have public documentation on using CloudEvents. And numerous open source projects have support for CloudEvents beyond what is listed in the [open source](https://github.com/cloudevents/spec/blob/main/docs/open-source.md) list. As examples, [dapr](https://docs.dapr.io/developing-applications/building-blocks/pubsub/pubsub-overview/),
[knative](https://knative.dev/docs/eventing/), [opentelemetry](https://opentelemetry.io/docs/reference/specification/trace/semantic_conventions/cloudevents/),
[spring](https://spring.io/blog/2020/12/10/cloud-events-and-spring-part-1).

Additionally, the CloudEvents github repo hosts community driven SDKs that support a wide range of languages (CSharp, Go, Java, Javascript, PHP, PowerShell, Python, Ruby and Rust) as well as many of the CloudEvent protocol bindings.

4. Is the project committed to achieving the CNCF principles and do they have a committed roadmap to address any areas of concern raised by the community?

Yes. Concerns raised by the community will be managed through github
issues: https://github.com/cloudevents/spec/issues. See the
[Contributing doc](https://github.com/cloudevents/spec/blob/main/docs/CONTRIBUTING.md)
for more information.

5. Document that the project has a fundamentally sound design without obvious critical compromises that will inhibit potential widespread adoption

List of adopters can be found on the "adopters" section of the
[website](https://cloudevents.io) as well as the list of OSS projects
that are using it
[here](https://github.com/cloudevents/spec/blob/main/docs/open-source.md).

6. Document that the project is useful for cloud native deployments & degree that it's architected in a cloud native style

See previous bullet.

7. Document that the project has an affinity for how CNCF operates and understand the expectation of being a CNCF project.

CloudEvents has been a CNCF project since 2018 and as such has a history of
being a good, and successful, member of the CNCF community.

### Incubating Stage Graduation (Exit Requirements)
1. Document that it is being used successfully in production by at least three independent direct adopters which with focus on adequate quality and scope defined.

Some adopters include: Adobe, Alibaba, European Commission, Google, IBM, Microsoft, Tencent, TriggerMesh and VMware. See the full list of adopters on the "adopters" section of the
[website](https://cloudevents.io) as well as the list of OSS projects

2. Have a healthy number of committers. A committer is defined as someone with the commit bit; i.e., someone who can accept contributions to some or all of the project.

CloudEvents, being a specification project, doesn't have formal committers.
Rather each change to the specifications requires approval from the entire
community. All comments on a PR must be resolved to the community's
satisfaction before it is merged. This, in essence, gives everyone veto power.

In the rare cases the community can not agree then a vote is taken by
the members of the community who have been to 3 out of the last 4 weekly
calls. This has only happened less than 5 times during the entire life of the
project. However, to gauge interest from the community, please see the
historical list of weekly call attendees
[here](https://docs.google.com/spreadsheets/d/1bw5s9sC2ggYyAiGJHEk7xm-q2KG6jyrfBy69ifkdmt0/edit?pli=1#gid=0)
and the "voting rights" column shows about 10 different companies regularly
attend the calls and have voting rights.

3. Demonstrate a substantial ongoing flow of commits and merged contributions.

See activity over the last 2 years
[here](https://cloudevents.devstats.cncf.io/d/2/commits-repository-groups?orgId=1&var-period=w&var-repogroups=%22cloudevents%2Fspec%22&from=1606798800000&to=1672549199000)

4. Have committers from at least two organizations.

See item 2.

5. Have achieved and maintained a Core Infrastructure Initiative Best Practices Badge.

Yes, see: https://bestpractices.coreinfrastructure.org/projects/6770

6. Adopted the CNCF Code of Conduct.

Yes, see: https://github.com/cloudevents/spec#community-and-docs

7. Explicitly define a project governance and committer process. The committer process should cover the full committer lifecycle including onboarding and offboarding or emeritus criteria. This preferably is laid out in a GOVERNANCE.md file and references an OWNERS.md file showing the current and emeritus committers.

See section 2 above, and
[here](https://github.com/cloudevents/spec/blob/main/docs/CONTRIBUTING.md).

8. Explicitly define the criteria, process and offboarding or emeritus conditions for project maintainers; or those who may interact with the CNCF on behalf of the project. The list of maintainers should be preferably be stored in a MAINTAINERS.md file and audited at a minimum of an annual cadence.

See section 2 above, and
[here](https://github.com/cloudevents/spec/blob/main/docs/CONTRIBUTING.md).

9. Have a public list of project adopters for at least the primary repo (e.g., ADOPTERS.md or logos on the project website), guidelines for identifying adopters can be found in the [FAQs](https://github.com/cncf/toc/blob/main/FAQ.md#what-is-the-definition-of-an-adopter).

See list of adopters on the "adopters" section of the
[website](https://cloudevents.io) as well as the list of OSS projects

### Documentation of CNCF Alignment (if not addressed above):
* name of project (must be unique within CNCF)

CloudEvents

* project description (what it does, why it is valuable, origin and history)

CloudEvents is a specification for describing common event data in popular
formats and transports to provide interoperability across services, platforms
and systems.

* statement on alignment with CNCF charter mission

See intro here: https://github.com/cloudevents/spec#readme

* sponsor from TOC (sponsor helps mentor projects)

Originally it was:
- Ken Owens <ken.owens @ mastercard.com>
- Brian Grant <briangrant @ google.com>

* license (charter dictates Apache 2 by default)

Yes, see https://github.com/cloudevents/spec/blob/main/LICENSE

* source control (GitHub by default)

Yes, see https://github.com/cloudevents/spec

* external dependencies (including licenses)

None

* release methodology and mechanics

See https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md#release-process-and-versioning

* community size and any existing sponsorship

See weekly call attendee list: https://docs.google.com/spreadsheets/d/1bw5s9sC2ggYyAiGJHEk7xm-q2KG6jyrfBy69ifkdmt0/edit?pli=1#gid=0
They regularly have about 10 different companies represented on each weekly
call.

## Technical
* An architectural, design and feature overview should be available. (add link)

See the
[Primer](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/primer.md).

* What are the primary target cloud-native use cases? Which of those:
* Can be accomplished now.
* Can be accomplished with reasonable additional effort (and are ideally already on the project roadmap).
* Are in-scope but beyond the current roadmap.
* Are out of scope.

See https://github.com/cloudevents/spec/blob/main/docs/ROADMAP.md for the
historical roadmap. Right now CloudEvents is at version 1.0 and they are
addressing any questions from the community as they arise. The project is
now focusing on other eventing lifecycle pain-points which are being
addressed by the creation of a Discovery specification, a Subscription
Manager specification and a Schema Registry specification. These new specs
are still under active development.

* What are the current performance, scalability and resource consumption bounds of the software? Have these been explicitly tested? Are they appropriate given the intended usage (e.g. agent-per-node or agent-per-container need to be lightweight, etc)?

Not applicable.

* What exactly are the failure modes? Are they well understood? Have they been tested? Do they form part of continuous integration testing? Are they appropriate given the intended usage (e.g. cluster-wide shared services need to fail gracefully etc)?

Not applicable.

* What trade-offs have been made regarding performance, scalability, complexity, reliability, security etc? Are these trade-offs explicit or implicit? Why? Are they appropriate given the intended usage? Are they user-tunable?

Not applicable.

* What are the most important holes? No HA? No flow control? Inadequate integration points?

Not applicable.

* Code quality. Does it look good, bad or mediocre to you (based on a spot review). How thorough are the code reviews? Substance over form. Are there explicit coding guidelines for the project?

Not applicable for the spec itself, but we do host some community driven
SDKs that are at varying degrees of maturity. The most popular ones
(e.g. golang) are being used in other OSS projects (such as Knative).

* Dependencies. What external dependencies exist, do they seem justified?

None

* What is the release model? Versioning scheme? Evidence of stability or otherwise of past stable released versions?

See https://github.com/cloudevents/spec/blob/main/docs/GOVERNANCE.md#release-process-and-versioning
and https://github.com/cloudevents/spec/blob/main/docs/RELEASES.md

* What is the CI/CD status? Do explicit code coverage metrics exist? If not, what is the subjective adequacy of automated testing? Do different levels of tests exist (e.g. unit, integration, interface, end-to-end), or is there only partial coverage in this regard? Why?

Not applicable.

* What licensing restrictions apply? Again, CNCF staff will handle the full legal due diligence.

Not applicable.

* What are the recommended operational models? Specifically, how is it operated in a cloud-native environment, such as on Kubernetes?

Not applicable.

## Project
* Do we believe this is a growing, thriving project with committed contributors?
* Is it aligned with CNCF's values and mission?
* Do we believe it could eventually meet the graduation criteria?
* Should it start at the sandbox level or incubation level?
* Does the project have a sound, documented process for source control, issue tracking, release management etc.
* Does it have a documented process for adding committers?
* Does it have a documented governance model of any kind?
* Does it have committers from multiple organizations?
* Does it have a code of conduct?
* Does it have a license? Which one? Does it have a CLA or DCO? Are the licenses of its dependencies compatible with their usage and CNCF policies? CNCF staff will handle the full legal due diligence.
* What is the general quality of informal communication around the project (slack, github issues, PR reviews, technical blog posts, etc)?
* How much time does the core team commit to the project?
* How big is the team? Who funds them? Why? How much? For how long?
* Who are the clear leaders? Are there any areas lacking clear leadership? Testing? Release? Documentation? These roles sometimes go unfilled.
* Besides the core team, how active is the surrounding community? Bug reports? Assistance to newcomers? Blog posts etc.
* Do they make it easy to contribute to the project? If not, what are the main obstacles?
* Are there any especially difficult personalities to deal with? How is this done? Is it a problem?
* What is the rate of ongoing contributions to the project (typically in the form of merged commits).

## Users
* Who uses the project? Get a few in-depth references from 2-4 of them who actually know and understand it.
* What do real users consider to be its strengths and weaknesses? Any concrete examples of these?
* Perception vs Reality: Is there lots of buzz, but the software is flaky/untested/unused? Does it have a bad reputation for some flaw that has already been addressed?

## Context
* What is the origin and history of the project?

See https://github.com/cncf/toc/blob/main/proposals/sandbox/cloudevents.md

* Where does it fit in the market and technical ecosystem?
* Is it growing or shrinking in that space? Is that space growing or shrinking?
* How necessary is it? What do people who don't use this project do? Why exactly is that not adequate, and in what situations?
* Clearly compare and contrast with peers in this space. A summary matrix often helps. Beware of comparisons that are too superficial to be useful, or might have been manipulated so as to favor some projects over others. Most balanced comparisons will include both strengths and weaknesses, require significant detailed research, and usually there is no hands-down winner. Be suspicious if there appears to be one.

Loading