Merge pull request #3505 from embik/governance-improvements

kcp-ci-bot · web-flow · commit 79715d6e8ff2 · 2025-08-04T09:27:10.000+02:00
Add list of maintainers and add new roles to governance document
diff --git a/GOVERNANCE.md b/GOVERNANCE.md
@@ -70,7 +70,7 @@ is the governing body for the project.
 a Maintainer or Owner, then this section should instead be a reference to that
 documentation -->
 
-To become a Maintainer you need to demonstrate the following:
+To become a [Maintainer](./MAINTAINERS.md) you need to demonstrate the following:
 
   * commitment to the project:
     * participate in discussions, contributions, code and documentation reviews
@@ -119,10 +119,8 @@ and can be rapidly returned to Maintainer status if their availability changes.
 
 Time zones permitting, Maintainers are expected to participate in the public
 community call meeting. Maintainers will also have closed meetings in order to
-discuss security reports or Code of Conduct violations. Such meetings should be
-scheduled by any Maintainer on receipt of a security issue or CoC report.
-All current Maintainers must be invited to such closed meetings, except for any
-Maintainer who is accused of a CoC violation.
+discuss security reports. Such meetings should be scheduled by any Maintainer on
+receipt of a security issue. All current Maintainers must be invited to such closed meetings.
 
 ## Code of Conduct
 
@@ -146,19 +144,52 @@ at least once a year.
 The Security Response Team is responsible for handling all reports of security
 holes and breaches according to the [security policy](./SECURITY.md).
 
+The members of the Security Response Team are documented in [MAINTAINERS.md](./MAINTAINERS.md).
+
 ## Voting
 
 While most business in kcp is conducted by "lazy consensus", periodically
 the Maintainers may need to vote on specific actions or changes.
 A vote can be taken on [the developer mailing list](https://groups.google.com/g/kcp-dev) or
 [the private Maintainer mailing list](https://groups.google.com/g/kcp-dev-private)
-for security or conduct matters.  Votes may also be taken at the community call
+for security issues.  Votes may also be taken at the community call
 meeting. Any Maintainer may demand a vote be taken.
 
 Most votes require a simple majority of all Maintainers to succeed. Maintainers
 can be removed by a 2/3 majority vote of all Maintainers, and changes to this
 Governance require a 2/3 vote of all Maintainers.
 
+Pull requests that make changes requiring Maintainer consensus may also be
+understood as a vote. They require the stated majority to be granted via
+LGTMs on the pull request. Such a pull request shall be announced to the developer
+mailing list and put on hold until the necessary majority has been reached.
+
+## Subprojects
+
+Any Maintainer may submit a [vote](#voting) to create a new subproject under the
+kcp-dev GitHub organization. Subprojects are governed by all Maintainers, but may
+take on additional Subproject Maintainers that are only responsible for the 
+specific subproject.
+
+It is the combined responsibility of Maintainers and Subproject Maintainers
+to review contributions to subprojects and make project goal decisions.
+Subproject Maintainers are not part of the private Maintainer mailing list and
+are involved in security responses on a need-to-know basis if the reported security
+issue concerns their respective subproject.
+
+Subproject Maintainers are elected by the Maintainers. Subproject Maintainers are
+allowed to participate in votes concerning their respective subprojects.
+
+## Approvers
+
+The Maintainers and Subproject Maintainers may elect trusted contributors to
+assist them in the review process for specific parts of the code. Those Approvers
+are allowed to approve and merge code contributions for certain subsets of the code
+(not a whole project), e.g. areas of the code that they have proven themselves
+to be very familiar with.
+
+Approvers do not have voting rights.
+
 ## Modifying this Charter
 
 Changes to this Governance and its supporting documents may be approved by a
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
@@ -0,0 +1,25 @@
+# Maintainers
+
+The table below lists all current maintainers for the kcp project as defined by our [project governance](./GOVERNANCE.md).
+
+| Name                  | GitHub Handle                                    | Domains of reponsibility                                       | Affiliation                 |
+| --------------------- | ------------------------------------------------ | -------------------------------------------------------------- | --------------------------- |
+| Andy Anderson         | [@clubanderson](https://github.com/clubanderson) | Governance                                                     | IBM                         |
+| Sebastian Scheele     | [@scheeles](https://github.com/scheeles)         | Governance                                                     | Kubermatic                  |
+| Dr. Stefan Schimanski | [@sttts](https://github.com/sttts)               | Governance, kcp core                                           | NVIDIA                      |
+| Christoph Mewes       | [@xrstf](https://github.com/xrstf)               | kcp core, API Syncagent kcp-operator, infrastructure           | Kubermatic                  |
+| Mangirdas Judeikis    | [@mjudeikis](https://github.com/mjudeikis)       | kcp core                                                       | Upbound                     |
+| Marvin Beckers        | [@embik](https://github.com/embik)               | kcp core, kcp-operator, multicluster-provider, infrastructure  | Kubermatic                  |
+
+## Emeritus Maintainers
+
+No emeritus maintainers currently exist. We would like to highlight that this project does have prior maintainers and core contributors
+that, if they so wished, could (and should) be granted the status of emeritus maintainers.
+
+## Security Response Team
+
+The following maintainers are members of the security response team and enact the [security process](./SECURITY.md):
+
+- Dr. Stefan Schimanski
+- Mangirdas Judeikis
+- Marvin Beckers
diff --git a/SECURITY.md b/SECURITY.md
@@ -4,12 +4,22 @@ The kcp maintainers take security for kcp very seriously, especially given kcp's
 
 ## Reporting a Vulnerability
 
-kcp uses GitHub to allow submission of private security reports. Please report any security finding via [this link](https://github.com/kcp-dev/kcp/security/advisories/new) or send a direct email to [kcp-dev-private@googlegroups.com](mailto:kcp-dev-private@googlegroups.com). Maintainers will triage your report as soon as possible and get in touch with you via your report or via email in case they have more questions.
+kcp uses GitHub to allow submission of private security reports. Please report any security finding via
+[this link](https://github.com/kcp-dev/kcp/security/advisories/new) or send a direct email to [kcp-dev-private@googlegroups.com](mailto:kcp-dev-private@googlegroups.com).
+Maintainers will triage your report as soon as possible and get in touch with you via your report or via email in case they have more questions.
 
-As a security researcher, please report vulnerabilities to kcp in a [coordinated vulnerability disclosure](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html) fashion. In return, maintainers pledge to engage in good faith and collaborate with security researchers to address and publish vulnerabilities found in kcp as soon as possible.
+As a security researcher, please report vulnerabilities to kcp in a [coordinated vulnerability disclosure](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html)
+fashion. In return, maintainers pledge to engage in good faith and collaborate with security researchers to address and publish vulnerabilities found in kcp as soon as possible.
 
 Please understand that the maintainers also do not accept results of dependency scanners without proof that the detected CVE / vulnerability can be used against kcp.
 
 ## Security Advisories
 
-Advisories are managed through GitHub. Public disclosure of vulnerabilities happens through GitHub and the kcp-users mailing list. Please visit [Security Advisories](https://github.com/kcp-dev/kcp/security/advisories) to review security bulletins published by the maintainers.
+Advisories are managed through GitHub. Public disclosure of vulnerabilities happens through GitHub and the kcp-users mailing list.
+Please visit [Security Advisories](https://github.com/kcp-dev/kcp/security/advisories) to review security bulletins published by the maintainers.
+
+## Security Response Committee
+
+kcp maintainers have formed a security response committee to ensure that security reports get addressed in a timely manner.
+You can find the list of members in [MAINTAINERS.md](./MAINTAINERS.md). Please do not contact them directly but follow the
+vulnerability reporting process as described abvove.
diff --git a/docs/content/contributing/.pages b/docs/content/contributing/.pages
@@ -0,0 +1,6 @@
+nav:
+    - index.md
+    - getting-started.md
+    - coding.md
+    - continuous-integration
+    - guides
diff --git a/docs/content/contributing/getting-started.md b/docs/content/contributing/getting-started.md
@@ -2,29 +2,16 @@
 
 ## Prerequisites
 
-1. Clone this repository.
+1. Clone the [kcp-dev/kcp](https://github.com/kcp-dev/kcp) repository.
 2. [Install Go](https://golang.org/doc/install) (currently 1.23.10).
 3. Install [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl).
 
-Please note that the go language version numbers in these files must exactly agree: go/go.mod file, kcp/Dockerfile, and in all the kcp/.github/workflows yaml files that specify go-version. In kcp/Dockerfile it is indicated by the "golang" attribute. In go.mod it is indicated by the "go" directive." In the .github/workflows yaml files it is indicated by "go-version"
+Please note that the go language version numbers in these files must exactly agree: go/go.mod file, kcp/Dockerfile, and in all the kcp/.github/workflows yaml files that specify go-version. In kcp/Dockerfile it is indicated by the "golang" attribute. In go.mod it is indicated by the "go" directive." In the .github/workflows yaml files it is indicated by "go-version".
 
-## Build & Verify
-
-1. In one terminal, build and start `kcp`:
-```
-go run ./cmd/kcp start
-```
-
-2. In another terminal, tell `kubectl` where to find the kubeconfig:
-
-```
-export KUBECONFIG=.kcp/admin.kubeconfig
-```
+If you wish to use a newer Go version (with the risk that your changes might not successfully pass CI when submitted as pull request), you can set an environment variable to ignore the Go version requirement.
 
-3. Confirm you can connect to `kcp`:
-
-```
-kubectl api-resources
+```sh
+export IGNORE_GO_VERSION=1
 ```
 
 ## Developer Certificate of Origin (DCO)
@@ -45,6 +32,28 @@ Signed-off-by: Your Name <mail@example.com>
 
 Please be aware that we cannot accept pull requests in which commits are missing the sign-off.
 
+
+## Build & Verify
+
+1. In one terminal, build and start `kcp`:
+
+```sh
+go run ./cmd/kcp start
+```
+
+2. In another terminal, tell `kubectl` where to find the kubeconfig:
+
+```sh
+export KUBECONFIG=.kcp/admin.kubeconfig
+```
+
+3. Confirm you can connect to `kcp`:
+
+```sh
+kubectl api-resources
+```
+
+
 ## Finding Areas to Contribute
 
 Starting to participate in a new project can sometimes be overwhelming, and you may not know where to begin. Fortunately, we are here to help! We track all of our tasks here in GitHub, and we label our issues to categorize them. Here are a couple of handy links to check out:
diff --git a/docs/content/contributing/index.md b/docs/content/contributing/index.md
@@ -18,41 +18,58 @@ Origin (DCO). This document was created by the Linux Kernel community and is a
 simple statement that you, as a contributor, have the legal right to make the
 contribution. See the [DCO](https://github.com/kcp-dev/kcp/tree/main/DCO) file for details.
 
+For how to correctly set this on your commits, check out the [Getting Started](./getting-started.md#developer-certificate-of-origin-dco) guide.
+
 ## Community Roles
 
 ### Maintainers
 
 The project maintainers are the central [gonvernance entity](https://github.com/kcp-dev/kcp/blob/main/GOVERNANCE.md) of
 kcp. They review and approve PRs into all projects in the kcp-dev GitHub organization and decide on project direction
-and other decisions.
+and other governance matters.
+
+### Subproject Maintainers
+
+The kcp-dev GitHub organization hosts several subprojects that utilize or extend kcp in some form. These subprojects
+might take on additional subproject maintainers that participate in code review and project goal decisions to steer
+their respective subprojects.
+
+### Approvers
+
+Consistent contributors with a specific area of expertise in the code base might be chosen to be approvers by the
+(subproject) maintainers. Approvers are allowed to approve (and subsequently, merge) code for parts of a specific project.
+Approvers are generally not allowed to have full approval rights for a (sub)project but only specific folders within it.
 
 ### Contributors
 
 People that are consistently contributing to the project (through code, documentation or other means) are considered
 project contributors. They are invited by maintainers to join the kcp-dev GitHub organization, which allows them
 to submit PRs that do not need approval to run CI jobs in Prow.
 
+Contributors are able to LGTM pull requests in the kcp-dev GitHub organization, but they cannot merge them.
+
 ## Project Management
 
 ### Priorities & Milestones
 
 We prioritize issues and features both synchronously (during community meetings) and asynchronously (Slack/GitHub conversations).
 
-We group issues together into milestones. Each milestone represents a set of new features and bug fixes that we want users to try out. We aim for each milestone to take about a month from start to finish.
+We group issues together into milestones. Each milestone represents a planned kcp release and subsequently can be open for a period of 3-5 months.
 
 You can see the [current list of milestones](https://github.com/kcp-dev/kcp/milestones?direction=asc&sort=due_date&state=open) in GitHub.
 
 For a given issue or pull request, its milestone may be:
 
 - **unset/unassigned**: we haven't looked at this yet, or if we have, we aren't sure if we want to do it and it needs more community discussion
-- **assigned to a named milestone**
+- **assigned to a version milestone**
 - **assigned to `TBD`** - we have looked at this, decided that it is important and we eventually would like to do it, but we aren't sure exactly when
 
 If you are confident about the target milestone for your issue or PR, please set it. If you don’t have permissions, please ask & we’ll set it for you.
 
 ### Epics
 
-We use the [epic label](https://github.com/kcp-dev/kcp/issues?q=is%3Aopen+is%3Aissue+label%3Aepic+) to track large features that typically involve multiple stories. When creating a new epic, please use the [epic issue template](https://github.com/kcp-dev/kcp/issues/new?assignees=&labels=epic&template=epic.md&title=).
+We sometimes use the [epic label](https://github.com/kcp-dev/kcp/issues?q=is%3Aopen+is%3Aissue+label%3Aepic+) to track large features that typically involve multiple stories.
+When creating a new epic, please use the [epic issue template](https://github.com/kcp-dev/kcp/issues/new?assignees=&labels=epic&template=epic.md&title=).
 
 Please make sure that you fill in all the sections of the template (it's ok if some of this is done later, after creating the issue). If you need help with anything, please let us know.
 
diff --git a/docs/content/index.md b/docs/content/index.md
@@ -7,7 +7,7 @@
 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkcp-dev%2Fkcp.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkcp-dev%2Fkcp?ref=badge_shield)
 
 !!! tip ""
-    Looking for other project documentation? Check out: [api-syncagent](https://docs.kcp.io/api-syncagent) | [kcp-operator](https://docs.kcp.io/kcp-operator)
+    Looking for subproject documentation? Check out: [api-syncagent](https://docs.kcp.io/api-syncagent) | [kcp-operator](https://docs.kcp.io/kcp-operator)
 
 ## Overview
 
