CNCF Sandbox requirements #7440

Merged
carlesarnal merged 6 commits into Apicurio:main from carlesarnal:cncf-sandbox-application
Mar 24, 2026
Conversation

@carlesarnal
Member

@carlesarnal carlesarnal commented Feb 26, 2026

Summary

Adds the files required for the CNCF Sandbox application (cncf/sandbox#461), addressing feedback from the CNCF review.

Files Added

  • SECURITY.md — Vulnerability reporting process, supported versions table, response timeline, and security best practices for deployers
  • ADOPTERS.md — Adopter listing (KubeVirt-style format) with PR-based contribution instructions, seeded with IBM and Red Hat as known vendors
  • GENERAL_TECHNICAL_REVIEW.md — Completed Day 0 (Planning Phase) portion of the CNCF General Technical Review questionnaire, covering Scope, Usability, Design, Installation, and Security

CNCF Sandbox Application Checklist

Required files (this PR)

  • SECURITY.md — Vulnerability reporting process and supported versions
  • ADOPTERS.md — Adopter listing with PR contribution instructions
  • GENERAL_TECHNICAL_REVIEW.md — Day 0 questions answered (living document)

Application fields to address

  • Security policy file link updated in sandbox issue
  • Adopters link updated in sandbox issue
  • Domain Technical Review updated to reference General Technical Review (replaces old TAG presentation approach — TAGs have been restructured)
  • Maintainers file — Currently pointing to pom.xml#L27-L69. Consider creating a standalone MAINTAINERS.md
  • Contribution Agreement signatory — Signatory name and title still TODO in the application

Community & governance actions

  • Populate ADOPTERS.md — Outreach email drafted (ADOPTERS_OUTREACH_EMAIL.md). Potential adopters identified from last year's contributors: Bloomberg, Axual, Libon, Castor EDC, Mollie, INNOQ, Generali Italia, Heetch, Ledger, Solace, Farfetch, Tietoevry, and others
  • GOVERNANCE.md — Recommended (not strictly required for Sandbox) but strengthens the application
  • CNCF contacts — Identify TOC or TAG members familiar with the project (besides @angellk)
  • Neutral GitHub organization — CNCF onboarding requires moving to a separate neutral org (post-acceptance)

Future work (not blocking Sandbox)

  • CNCF Security Self-Assessment — Plan to complete during Sandbox onboarding
  • General Technical Review Day 1 & Day 2 — Extend for future Incubation application
  • OpenSSF Best Practices Badge — Recommended to start working on

Context

These files address specific feedback received on the CNCF Sandbox application:

  1. Security policy was missing — now provided with vulnerability reporting process
  2. Domain Technical Review referenced TAG presentations that no longer exist (TAGs restructured) — replaced with the General Technical Review questionnaire as recommended
  3. Adopters file was empty — now created with structure and contribution instructions, following KubeVirt/Harbor patterns

Test plan

  • Verify SECURITY.md renders correctly on GitHub
  • Verify ADOPTERS.md renders correctly on GitHub
  • Verify GENERAL_TECHNICAL_REVIEW.md renders correctly on GitHub
  • Verify links from sandbox application issue #461 resolve to these files

…andbox application

These files are required for the CNCF Sandbox application (cncf/sandbox#461):

- SECURITY.md: Vulnerability reporting process, supported versions, and
  response timeline
- ADOPTERS.md: Adopter listing with contribution instructions, seeded with
  IBM and Red Hat as known vendors
- GENERAL_TECHNICAL_REVIEW.md: Day 0 (Planning Phase) answers covering
  scope, usability, design, installation, and security as required by the
  CNCF General Technical Review questionnaire
@carlesarnal carlesarnal marked this pull request as draft February 26, 2026 14:54
- Fix roadmap URL (projects/6 → projects/22/views/1)
- Fix maintainers link (MAINTAINERS.md doesn't exist, link to pom.xml)
- Remove Gradle plugin claim (only Maven plugin exists)
- Soften CloudEvents claim to match actual implementation
- Remove Dependabot claim (only Renovate is used)
@carlesarnal carlesarnal changed the title Add SECURITY.md, ADOPTERS.md, and General Technical Review for CNCF Sandbox CNCF Sandbox requirements Feb 26, 2026
carlesarnal and others added 4 commits February 26, 2026 17:05
- SECURITY.md: use actual email apicurio.registry@redhat.com
- GENERAL_TECHNICAL_REVIEW.md: fix second Maven/Gradle reference (line 95)
The content-sync-operator was abandoned. Replace references to
"CRD-based content synchronization" with the actual KubernetesOps
storage variant (Apicurio#7400), which uses a read-only polling model to
manage artifacts as Kubernetes ConfigMaps.
Remove hardcoded version table, specific timelines, and extra sections.
Keep it concise with just vulnerability reporting, supported versions
policy, and security advisories link.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@carlesarnal carlesarnal marked this pull request as ready for review March 24, 2026 11:13
@carlesarnal carlesarnal merged commit f1b37ac into Apicurio:main Mar 24, 2026
29 checks passed