Due dilligence for application process, contribuitors and security

Katie Gamanji · Katie Gamanji · commit c6bafb440cc5 · 2025-08-11T17:07:50.000+03:00
Signed-off-by: Katie Gamanji &lt;kgamanji@192.168.1.86&gt;
diff --git a/projects/fluid/fluid-incubation-proposal.md b/projects/fluid/fluid-incubation-proposal.md
@@ -1,22 +1,40 @@
 # Fluid Incubation Due Diligence
 
-- Link to [Incubation application issue]()
+- [Fluid Incubation application issue](https://github.com/cncf/toc/issues/1317)
 
 <!-- This template provides the TOC with the outline for completing due diligence of a project to move levels. This universal template is designed to capture all criteria so the TOC may ensure prior level criteria do not regress. As part of completing the due diligence, the TOC member should update the template to convey the level the project applied for the criteria by bolding the level indicated where the criteria is relevant. -->
 
 ## Incubation Evaluation Summary for Fluid
 
 ### Criteria Evaluation
 
-_$TOCMEMBER conducted the due diligence of Fluid who applied for $LEVEL. The project [has/has not] completed the criteria that show its maturity at $LEVEL. The following criteria implementations are noteworthy to call out... $NOTABLES. The following actions were provided to the project that were considered blocking but since resolved... $BLOCKERS. The following recommendations were provided to the project that are non-blocking in the TOC's assessment but should be completed by the project to ensure continued viability of the project... $RECOMMENDATIONS._
+Katie Gamanji (@kgamanji) and Alex Chircop (@chira001) conducted the due diligence of Fluid who applied for Incubation. The project has completed the criteria that show its maturity at Incubation. The following criteria implementations are noteworthy to call out:
+- TODO ... $NOTABLES. 
+
+The following actions were provided to the project that were considered blocking but since resolved:
+- the project presented to TAG Storage over 1y ago. Considering the ongoing TAG Reboot initiative, maintainers were advised to complete the General Technical Review for the project
+- the security contact page was returning a 404 error in [Reporting a Vulnerability](https://github.com/fluid-cloudnative/fluid/blob/master/SECURITY.md#private-disclosure-processes) and should be fixed
+- provide a  community meeting calendar to simplify the path for contributors and adopters to join future calls. It is specified that the calls are on a bi-weekly cadence, but the date of the next meeting date is unknown
+- fix the inconsistency in community meeting times. The agenda to propose topics specifies a Zoom link as opposed to DingTalk Group where the calls are actually taking place. Consolidation and removal of references to unused resources is required. 
+- the link to CoC in Join Our [Community as a Member](https://github.com/fluid-cloudnative/fluid/blob/a6c6343a0ee448f1498aafcdfecada55d5fa283b/CONTRIBUTING.md#join-our-community-as-a-member) returns a 404 error and should be fixed. 
+
+The following recommendations were provided to the project that are non-blocking in the TOC's assessment but should be completed by the project to ensure continued viability of the project:
+
+- Consider renaming the development branch from master -> main e.g. [Kubernetes Default Branch Migration](https://www.kubernetes.dev/resources/rename/). Also, note that renaming the branch would require an update for the contributor and release process guidelines
+- Community meetings are taking place regularly and are held in Mandarin. No blockers here, however, would suggest working with CNCF staff to use an automated transcript tool if possible.
+- take action on the outstanding items that lower the [OpenSSF scorecard score](https://scorecard.dev/viewer/?uri=github.com/fluid-cloudnative/fluid)
+- for the listed [Fluid Adopters](https://github.com/fluid-cloudnative/fluid/blob/master/ADOPTERS.md) all GitHub handles for "contact" are 404ing and pointing to email addresses of adopters. Email addresses could represent a privacy risk, and we would recommend pointing to GitHub handlers instead.
 
 ### Adoption Evaluation
 
-_The adopter interviews reflect a project [in use/too early] for the level which the project applied. They show ... $INTERVIEWSUMMARY._
+The adopter interviews reflect the project use for the Incubation level to which the project has applied.
+
+TODO
 
 ### Final Assessment
 
-_[The TOC has found the project to have satisfied the criteria for $LEVEL/ The TOC's evaluation of the project shows a needed focus to complete the outstanding blockers and reapply when the following conditions are met ... $CONDITIONS]._
+The TOC has found the project to have satisfied the criteria for Incubation.
+
 
 ## Application Process Principles
 
@@ -26,32 +44,47 @@ N/A
 
 ### Required
 
-- [ ] **Give a presentation and engage with the domain specific TAG(s) to increase awareness**
-  - This was completed and occurred on DD-MMM-YYYY, and can be discovered at $LINK.
+- [x] **Give a presentation and engage with the domain specific TAG(s) to increase awareness**
+  - The project presented to TAG Storage on 10-07-2024, and can be discovered at [here](https://www.youtube.com/watch?v=kBZNRbP4nOU).
 
 <!-- (TOC Evaluation goes here) --> 
 
-- [ ] **TAG provides insight/recommendation of the project in the context of the landscape**
+- [x] **TAG provides insight/recommendation of the project in the context of the landscape**
 
 <!-- (TOC Evaluation goes here) --> 
 
-- [ ] **All project metadata and resources are [vendor-neutral](https://contribute.cncf.io/maintainers/community/vendor-neutrality/).**
+The feedback from the TAG was positive, however it was conducted more than 1 year ago at the time of the project assessment for Incubation.  The project maintainers were asked to complete the General Technical Review for Fluid, which can be found [here](https://github.com/fluid-cloudnative/community/blob/1215ac22dc7b757cc9b63eee8660c3e15210ba8f/docs/general-technical-review-cncf-incubating.md).
+
+- [x] **All project metadata and resources are [vendor-neutral](https://contribute.cncf.io/maintainers/community/vendor-neutrality/).**
 
 <!-- (TOC Evaluation goes here) --> 
 
-- [ ] **Review and acknowledgement of expectations for [Sandbox](sandbox.cncf.io) projects and requirements for moving forward through the CNCF Maturity levels.**		
-- Met during Project's application on DD-MMM-YYYY.
+The project fulfills the vendor-neutral criteria. The main communication channel is on DingTalk and WeChat groups. Also the project uses [Slack](https://cloud-native.slack.com/archives/C02ADG209SP), on the CNCF workspace via `#fluid` channel. 
+[Community meetings](https://github.com/fluid-cloudnative/community/wiki/Meeting-Schedule) are held on DingTalk with a bi-weekly cadence. Users are also capable of finding the meeting notes on [Fluid GitHub Community Repository](https://github.com/fluid-cloudnative/community/wiki/Meeting-Schedule) and to follow up on the latest topics of discussion.
+
+
+- [x] **Review and acknowledgement of expectations for [Sandbox](sandbox.cncf.io) projects and requirements for moving forward through the CNCF Maturity levels.**		
+- Met during Project's application on 27-Apr-2021.
 
 <!-- (TOC Evaluation goes here) --> 
 
-- [ ] **Due Diligence Review.**
+Fluid Sandbox application can be found [here](https://github.com/cncf/sandbox/issues/245).
+
+The project maintainers have understood the expectations for Sandbox projects and requirements for moving forward through the CNCF incubation level.
+
+- [x] **Due Diligence Review.**
 
 Completion of this due diligence document, resolution of concerns raised, and presented for public comment satisfies the Due Diligence Review criteria.
 
-- [ ] **Additional documentation as appropriate for project type, e.g.: installation documentation, end user documentation, reference implementation and/or code samples.**
+- [x] **Additional documentation as appropriate for project type, e.g.: installation documentation, end user documentation, reference implementation and/or code samples.**
 
 <!-- (TOC Evaluation goes here) --> 
 
+The project maintainers have added the following additional documentation as follows.
+- [Installation documentation](https://fluid-cloudnative.github.io/docs/next/get-started/installation)
+- [User documentation](https://fluid-cloudnative.github.io/docs/next)
+- [Architecture documentation](https://fluid-cloudnative.github.io/docs/next/core-concepts/architecture-and-concepts)
+
 ## Governance and Maintainers
 
 Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.
@@ -122,39 +155,73 @@ Note: this section may be augmented by the completion of a Governance Review fro
 
 ## Contributors and Community
 
-Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.
 
 ### Suggested
 
-- [ ] **Contributor ladder with multiple roles for contributors.**
+- [x] **Contributor ladder with multiple roles for contributors.**
 
 <!-- (TOC Evaluation goes here) --> 
+The project provides [3 levels of engagement routes](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/GOVERNANCE.md) for community members, each one building on the previous responsibilities:
+- Contributors - base level interaction on the project through comments on issues or pull request 
+- Committers - community members who have shown that they are committed to the continued development of the project through ongoing engagement 
+- Maintainers - lead the development of the project, through contributions to increasingly complicated PRs/designs and review PRs/designs, under the guidance of the existing maintainers
 
 ### Required
 
-- [ ] **Clearly defined and discoverable process to submit issues or changes.**
+- [x] **Clearly defined and discoverable process to submit issues or changes.**
 
 <!-- (TOC Evaluation goes here) --> 
+Fluid makes use of GitHub issues and PRs. The following guidelines are available:
+- [Filling an issue](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/CONTRIBUTING.md#filing-issues), including templates for:
+  - [Report a bug](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/.github/ISSUE_TEMPLATE/bug-report.md)
+  - [Document improvements](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/.github/ISSUE_TEMPLATE/docs-defect.md)
+  - [Feature Request](https://github.com/fluid-cloudnative/fluid/blob/master/.github/ISSUE_TEMPLATE/feature-request.md)
+- with a list of examples for [code contributions](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/CONTRIBUTING.md#code-contributions)
+
+The project also provides a guide on how to set up a [development workspace
+](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/CONTRIBUTING.md#setting-up-development-workspace) and submit a PR through available [template](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/.github/PULL_REQUEST_TEMPLATE.md).
+
 
-- [ ] **Project must have, and document, at least one public communications channel for users and/or contributors.**
+- [x] **Project must have, and document, at least one public communications channel for users and/or contributors.**
 
 <!-- (TOC Evaluation goes here) --> 
 
-- [ ] **List and document all project communication channels, including subprojects (mail list/slack/etc.).  List any non-public communications channels and what their special purpose is.**
+Public communication channels for Fluid are listed [here](https://github.com/fluid-cloudnative/fluid?tab=readme-ov-file#community), including a DingTalk and WeChat groups, and Slack. 
+
+- [x] **List and document all project communication channels, including subprojects (mail list/slack/etc.).  List any non-public communications channels and what their special purpose is.**
 
 <!-- (TOC Evaluation goes here) --> 
+The main channel of communication are listed below: 
+- CNCF Slack channel: [#fluid](https://cloud-native.slack.com/archives/C02ADG209SP)
+- WeChat Group: Fluid Open Source Group
+- DingTalk Group: Fluid Open Source Group
+
+[Community meetings](https://github.com/fluid-cloudnative/community/wiki/Meeting-Schedule) are held on [DingTalk Group](https://qr.dingtalk.com/action/joingroup) with a bi-weekly cadence. 
 
-- [ ] **Up-to-date public meeting schedulers and/or integration with CNCF calendar.**
+- [x] **Up-to-date public meeting schedulers and/or integration with CNCF calendar.**
 
 <!-- (TOC Evaluation goes here) --> 
+Community members are able to join community meetings on a bi-weekly basis. The meeting notes can be found on [Fluid GitHub Community Repository](https://github.com/fluid-cloudnative/community/wiki/Meeting-Schedule) and to follow up on the latest topics of discussion.
+
+Community meetings are held in Mandarin, and are a great way to engage with the maintainers and get involved in project development. 
 
-- [ ] **Documentation of how to contribute, with increasing detail as the project matures.**
+TODO: calendar for meetings
+
+
+- [x] **Documentation of how to contribute, with increasing detail as the project matures.**
 
 <!-- (TOC Evaluation goes here) --> 
 
-- [ ] **Demonstrate contributor activity and recruitment.**
+Details on how to contribute and engage with the project are listed on the [Contributing Guidelines](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/CONTRIBUTING.md), including a path to [join the community as a member](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/CONTRIBUTING.md#join-our-community-as-a-member). The contributing members are also encouraged to follow the [Code of Conduct](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/CODE_OF_CONDUCT.md) as part of getting involved. 
+
+
+- [x] **Demonstrate contributor activity and recruitment.**
 
 <!-- (TOC Evaluation goes here) --> 
+The project has a good history of adding new contributors e.g. [listing 10 new contributors](https://github.com/fluid-cloudnative/fluid/commit/37ddcf63e88303578fee99e3970465fbddc404e3) in addition to existing maintainers. Also, there is a good distribution of involved organizations, ensuring the continuity of the vendor-neutral development of Fluid.  
+
+Also, over the last 2 years the project has a consistent ratio of contribution vs involved contributors, that can observed in the [DevStats contribution distribution](https://fluid.devstats.cncf.io/d/74/contributions-chart?orgId=1&var-period=m&var-metric=contributions&var-repogroup_name=All&var-country_name=All&var-company_name=All&var-company=all&from=now-2y&to=now). 
+
 
 ## Engineering Principles
 
@@ -200,25 +267,53 @@ N/A
 
 ### Required
 
-- [ ] **Clearly defined and discoverable process to report security issues.**
+- [x] **Clearly defined and discoverable process to report security issues.**
 
 <!-- (TOC Evaluation goes here) --> 
+The [SECURITY.md](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/SECURITY.md#reporting-a-vulnerability) file outlines the vulnerability reporting process, including a mailing list (fluid.opensource.project@gmail.com) monitored by the maintainers that can be used for private disclosures.
+
+Community members have the option to reach out to [security contacts](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/SECURITY_CONTACTS) to kickstart any private or public disclosure processes. 
+
+Successful examples of fixed reported security issues, can be found below:
+- [On a compromised node, the fluid-csi service account can be used to modify node specs](https://github.com/fluid-cloudnative/fluid/security/advisories/GHSA-93xx-cvmc-9w3v)
+- [OS Command Injection for Fluid Users with JuicefsRuntime](https://github.com/fluid-cloudnative/fluid/security/advisories/GHSA-wx8q-4gm9-rj2g)
 
-- [ ] **Enforcing Access Control Rules to secure the code base against attacks (Example: two factor authentication enforcement, and/or use of ACL tools.)**
+
+- [x] **Enforcing Access Control Rules to secure the code base against attacks (Example: two factor authentication enforcement, and/or use of ACL tools.)**
 
 <!-- (TOC Evaluation goes here) --> 
 
-- [ ] **Document assignment of security response roles and how reports are handled.**
+2FA required for org members; branch protections enabled.
+
+To be added as a GitHub member within the Fluid organization, each member should enable two-factor authentication (2FA). Also, the repository has branch protection rules enabled, which enforce certain workflows or requirements before a collaborator can push changes to a branch in the repository.
+
+- [x] **Document assignment of security response roles and how reports are handled.**
 
 <!-- (TOC Evaluation goes here) --> 
+One of the core responsibility for maintainers is to respond to time-sensitive security release processes. Although this should be a rare occurrence, if a serious vulnerability is found the maintainers are expected to dedicate time to the fix, which is a process that might take up to several full days of work to implement.
 
-- [ ] **Document Security Self-Assessment.**
+[GitHub Security Advisor](https://github.com/fluid-cloudnative/fluid/security/advisories) is used as the communication channel during the process of identifying, fixing & shipping the mitigation of the reported vulnerability.
+
+The advisory will only be made public when the patched version is released to inform the community of the breach and its potential security impact.
+
+Additionally, security scanning is enabled for the  Fluid project and the[security contacts](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/SECURITY_CONTACTS) are responsible for assessing and providing a fix for the reported vulnerability.
+
+
+- [x] **Document Security Self-Assessment.**
 
 <!-- (TOC Evaluation goes here) --> 
 
-- [ ] **Achieve the Open Source Security Foundation (OpenSSF) Best Practices passing badge.**
+The completed security self-assessment can be found [here](https://github.com/fluid-cloudnative/fluid/blob/3c08916896125990963b34d0b7fb6caae2c78bda/security/self-assessment.md).
+
+
+- [x] **Achieve the Open Source Security Foundation (OpenSSF) Best Practices passing badge.**
 
 <!-- (TOC Evaluation goes here) --> 
+The project has a passing [OpenSSF Best Practices](https://www.bestpractices.dev/en/projects/4886) badge, with a 100% completion level, which is linked in [Fluid](https://github.com/fluid-cloudnative/fluid/tree/master) repository.
+
+In addition, Fluid has [OpenSSF Scorecard report](https://scorecard.dev/viewer/?uri=github.com/fluid-cloudnative/fluid) via a score of 9.1 at the time of due diligence assessment. 
+
+
 
 ## Ecosystem
 
@@ -250,15 +345,6 @@ Refer to the Adoption portion of this document.
 
 #### Adoption
 
-##### Adopter 1 - $COMPANY/$INDUSTRY
-
-_If the Adopting organization needs to remain anonymous, stating the industry vertical is sufficient._
-MONTH YEAR
-
-##### Adopter 2 - $COMPANY/$INDUSTRY
-
-_If the Adopting organization needs to remain anonymous, stating the industry vertical is sufficient._
-MONTH YEAR
 
 ##### Adopter 3 - $COMPANY/$INDUSTRY
 
