Does CyberAgent have any plans to sandbox then donate PipeCD to CNCF?

[lloydchang]

@nghialv Does CyberAgent have any plans to sandbox then donate PipeCD to CNCF?

For example:
• https://podcasts.apple.com/ro/podcast/donating-your-open-source-project-to-cncf-with-ihor/id1514646781
• https://github.com/cncf/toc/blob/main/reviews/incubation-flux.md
• https://github.com/cncf/toc/blob/main/proposals/incubation/argo.adoc

Thank you.

---

The Why: The idea is that the process from sandboxing to donation to CNCF might mitigate security risks and liabilities, if given enough funding and support.

---

For a simple example in a different open source project that was not sandboxed with CNCF...

• I reported an error at box/ClusterRunner#457 with a simple fix — Prepend an URL with www. to match an SSL certificate, but no one responded yet

• Furthermore, another person reported the same (?) issue 3 years ago at box/ClusterRunner#447

In my humble opinion, when a company or its open source program office cannot perform good stewardship of an open source project... to even reply to simple inquiries, then what seems like a simple fix — Prepend an URL with www. to match an SSL certificate — may never happen. At that point, I believe there seems to be something wrong with a company's open source program office for unknown reasons.

Hypothetically, there could be various reasons, such as:
• Perhaps the open source project has been abandoned without a formal public notice?
• Perhaps the people who had worked on the open source project already left the company?

There are security risks and liabilities in using open source that aren't supported nor maintained.

---

The idea is that the process from sandboxing to donation to CNCF might mitigate those security risks and liabilities, if given enough funding and support.

For example, in a different open source project that was sandboxed with CNCF...

As Flux is an Incubation project within the Cloud Native Computing Foundation, we were graciously granted a sponsored audit. The primary aim was to assess Flux’s fundamental security posture and to identify next steps in its security story. The audit was commissioned by the CNCF, and facilitated by OSTIF (the Open Source Technology Improvement Fund). ADA Logics was quickly brought into the picture, and spent a month on the audit.
https://www.cncf.io/blog/2021/11/11/flux-security-audit-has-concluded/

---

For what it is worth as a reference, I asked the similar question "sandbox then donate" in a different open source project at lyft/clutch#2556

---

Thank you.

[khanhtc1202]

Hi @lloydchang, thanks for the question.

In fact, the PipeCD team had already submitted our application for joining the CNCF sandbox program (cncf/sandbox#12). We're still waiting for the TOC review meeting, but we can say that being a CNCF sandbox is part of our plan. We are doing our best to make it.

By submitting the CNCF sandbox application, the PipeCD team (thus CyberAgent, Inc) understands that we're donating the project to the community, and we're sure to keep supporting/maintaining the project with good stewardship. Not because of the community interest but because PipeCD is being our company de facto that is used widely by our company.

[lloydchang]

Thanks @khanhtc1202, as I didn't realize cncf/sandbox#12 already exists. Thank you!

[khanhtc1202]

Thanks for questioning 😄