You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Relax Sandbox entry requirements and clarify WG sponsorship
This change is a draft proposal for discussion, addressing feedback
from the TAC meeting on 2026-04-14 around PR #421 (OpenSSF Labs).
Rather than introducing a new pre-Sandbox maturity level, the TAC
discussed whether the Sandbox stage itself could be updated to better
support early-stage and single-maintainer projects.
Key changes:
- Lower the Sandbox maintainer minimum from three (from two orgs) to
one, with two strongly encouraged. Projects entering with fewer than
two maintainers must reach that threshold by their first bi-annual
TAC update (~6 months), or face archival review.
- Move multi-organizational maintainer diversity (3+ maintainers, 2+
orgs) from a Sandbox entry gate to an Incubating entry requirement,
where demonstrated community health is more meaningful.
- Add an explicit Sandbox responsibility to actively grow the
maintainer base and organizational diversity toward Incubating.
- Clarify that all projects must report to a WG sponsor. Projects that
cannot identify a suitable WG should submit their proposal and
request that the TAC help identify an appropriate WG home. TAC
sponsorship is not a path forward for new projects.
- Clarify that project repositories must be hosted under the OpenSSF
GitHub Enterprise Cloud instance; they are not required to use the
ossf GitHub organization specifically.
- Shorten the Sandbox archival dormancy trigger from 9 months to 6
months; Incubating and Graduated projects retain the 9-month trigger.
- Add a note that Best Practices badge requirements will be revisited
once OSPS Baseline conformance integration in the badge program is
finalized.
- Fix a pre-existing inconsistency in building-an-open-source-
community.md, which stated "two maintainers" while project-
lifecycle.md required three; update to reflect the new framing
(multi-org diversity as an Incubating gate, not Sandbox entry gate).
- Add a "Community growth plan" field to the Sandbox application
template for projects entering below the full maintainer threshold.
Co-Authored-By: Marcela Melara <marcela.melara@intel.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
Copy file name to clipboardExpand all lines: process/building-an-open-source-community.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ In open source software the sustainability and growth of projects significantly
5
5
6
6
## Importance of Maintainers from Multiple Organizations
7
7
8
-
The OpenSSF sandbox requirement, **Projects must have a minimum of two maintainers with different organization affiliations**, was adopted for the following reasons:
8
+
Multi-organizational maintainership is a requirement for projects to advance to the Incubating stage. Projects may enter the Sandbox with as few as one maintainer, but are expected to actively work toward building a diverse maintainer base. This expectation exists for the following reasons:
Copy file name to clipboardExpand all lines: process/project-lifecycle.md
+17-14Lines changed: 17 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -8,7 +8,7 @@ New [Projects](../organizational-structure-overview.md#definitions) to the OpenS
8
8
9
9
## Project Oversight
10
10
11
-
Projects report either directly to the Technical Advisory Council (TAC) or to a specific Working Group (WG). When a Project reports into a specific WG, that WG can support the Project's progression and provide recommendations to the TAC. The overseeing group provides Projects advice on technical direction, and is a point of escalation or dispute resolution in technical disagreements. The overseeing group does not set the charter or operations for Projects, but ensures Projects operate in line with the [Mission, Vision, Values, Strategy, and Roadmap (MVVSR)](https://openssf.org/about/).
11
+
Projects report to a specific Working Group (WG), which supports the Project's progression and provides recommendations to the TAC. Projects that cannot identify a suitable WG should submit their proposal and request that the TAC help identify an appropriate WG home. The overseeing WG provides Projects advice on technical direction, and is a point of escalation or dispute resolution in technical disagreements. The overseeing WG does not set the charter or operations for Projects, but ensures Projects operate in line with the [Mission, Vision, Values, Strategy, and Roadmap (MVVSR)](https://openssf.org/about/).
12
12
13
13
<!-- TOC -->
14
14
@@ -39,13 +39,14 @@ The OpenSSF Sandbox is the entry point for early stage Projects and has four goa
39
39
40
40
#### Project Responsibilities
41
41
* Provides bi-annual updates to the TAC on technical vision and progress on vision.
42
+
* Actively works to grow the maintainer base and organizational diversity. Projects entering Sandbox with fewer than three maintainers from two or more organizations are expected to demonstrate progress toward this goal at each bi-annual TAC update, as multi-organizational representation is required for Incubating entry.
42
43
* Maintains a diversified contributor base (i.e. not a single-vendor project).
43
-
* For code development, follows security best practices (as recommended by the OpenSSF and others), including passing the [OpenSSF Best Practices criteria](https://bestpractices.coreinfrastructure.org/en/criteria/0).
44
+
* For code development, follows security best practices (as recommended by the OpenSSF and others), including passing the [OpenSSF Best Practices criteria](https://bestpractices.coreinfrastructure.org/en/criteria/0). Note: badge requirements will be revisited once OSPS Baseline conformance integration in the badge program is finalized.
44
45
* Provides project updates to OpenSSF Marketing Committee as requested.
45
46
* Meet the "[Security Baseline - Once Sandbox](https://github.com/ossf/tac/blob/308c777124a05f1903301400653f1a7a944bd7be/process/security_baseline.md#baseline---once-sandbox)" requirements.
46
47
47
48
#### Project Support
48
-
* Receives a TAC or WG sponsor for guidance on technical direction. The sponsor also ensures the Project operates within the scope of the OpenSSF, adheres to the OpenSSF code of conduct, legal and IP policies, and reserves the right to consult with the TAC to raise any related concerns. Projects can reach out to the TAC if concerns about sponsor involvement arise.
49
+
* Receives a WG sponsor for guidance on technical direction. The sponsor also ensures the Project operates within the scope of the OpenSSF, adheres to the OpenSSF code of conduct, legal and IP policies, and reserves the right to consult with the TAC to raise any related concerns. Projects can reach out to the TAC if concerns about sponsor involvement arise.
49
50
* Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event.
50
51
* Receives OpenSSF Code of Conduct Committee support.
51
52
* Reserved space for project updates in OpenSSF newsletters.
@@ -54,12 +55,14 @@ The OpenSSF Sandbox is the entry point for early stage Projects and has four goa
54
55
55
56
#### Sandbox Entry Requirements and Considerations
56
57
57
-
* Projects must have a minimum of three maintainers with a minimum of two different organization affiliations.
58
+
* Projects must have a minimum of one maintainer; two or more maintainers is strongly encouraged. Projects with fewer than two maintainers at entry must reach a minimum of two maintainers by their first bi-annual TAC update (approximately six months); failure to demonstrate progress toward this goal is grounds for archival review. See [Building an Open Source Community](building-an-open-source-community.md) for guidance on growing a maintainer base.
58
59
* Projects must be aligned with the OpenSSF mission _and_ either be a novel approach for existing areas or address an unfulfilled need. It is expected that the initial code or specification developed by an OpenSSF WG be kept within their repository and will not function as a Project in its own right. Should the initial WG code or specification grow and mature that it warrants its own Project status, then it is subject to Sandbox entry requirements. It is preferred that extensions of an existing OpenSSF project collaborate with the existing project rather than seek a new project.
59
-
* Projects must seek one TAC sponsor or one WG sponsor (if reporting to a WG)
60
-
* TAC or WG sponsor agrees to attend Project meetings regularly
61
-
* TAC or WG sponsor does not need to have a formal role in Project, e.g., maintainer
62
-
* TAC or WG sponsor requests TAC approval
60
+
* Projects must seek a WG sponsor. Projects that cannot identify a suitable WG should reach out to the TAC for assistance in identifying one before submitting a proposal.
61
+
* The sponsor must be a member or lead of the sponsoring WG
62
+
* The sponsor governs the project as a Technical Initiative within the WG and ensures regular readouts of project progress to the overseeing group
63
+
* The sponsor does not need to have a formal role in the Project, e.g., maintainer
64
+
* The sponsor requests TAC approval on behalf of the project
65
+
* Projects must host their repository under the [OpenSSF GitHub Enterprise Cloud instance](https://github.com/enterprises/openssf/organizations). Projects are not required to use the `ossf` GitHub organization specifically; existing organizations may be moved under the OpenSSF Enterprise account.
63
66
* If contributing an existing project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF).
64
67
65
68
See [Submission Process](#submission-process) below and [Sandbox application](templates/PROJECT_NAME_sandbox_stage.md).
@@ -79,7 +82,7 @@ Incubating projects represent maturing but not fully realized projects. Incubati
79
82
* Meets the "[Security Baseline - Once Incubating](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---once-incubating)" requirements.
80
83
81
84
#### Project Support
82
-
* Receives guidance on technical direction from TAC and/or WG. The sponsor continues to ensure the Project operates within the scope of the OpenSSF, adheres to the OpenSSF code of conduct, legal and IP policies, and reserves the right to consult with the TAC to raise any related concerns. Projects can reach out to the TAC if concerns about sponsor involvement arise.
85
+
* Receives guidance on technical direction from the sponsoring WG. The sponsor continues to ensure the Project operates within the scope of the OpenSSF, adheres to the OpenSSF code of conduct, legal and IP policies, and reserves the right to consult with the TAC to raise any related concerns. Projects can reach out to the TAC if concerns about sponsor involvement arise.
83
86
* Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event.
84
87
* Receives OpenSSF Code of Conduct Committee support.
85
88
* Receives infrastructure support (details determined by project leads and OpenSSF Budget Committee).
@@ -92,12 +95,12 @@ Incubating projects represent maturing but not fully realized projects. Incubati
92
95
#### Incubation Entry Requirements and Considerations
93
96
94
97
All requirements of Sandbox must be fulfilled, plus:
95
-
* Projects must have a minimum of three maintainers with a minimum of two different organization affiliations, and document the current list of maintainers.
98
+
* Projects must have a minimum of three maintainers with a minimum of two different organization affiliations, and document the current list of maintainers. This is where multi-organizational community health is validated; projects that entered Sandbox with fewer maintainers are expected to have grown their base to meet this requirement.
96
99
* Projects must have met at least 5 times within the last calendar quarter since becoming `Sandbox`.
97
100
* Projects must have defined a contributor guide, which makes it clear how and when contributors should be given increasing responsibilities towards maintainership of the project. (Example guides: [Sigstore](https://github.com/sigstore/community/blob/main/MEMBERSHIP.md), [AllStar](https://github.com/ossf/allstar/blob/main/contributor-ladder.md))
98
101
* Projects should be able to show adoption by multiple parties and adoption's value to the open source community and/or end users (may include adoption of beta/early versions) with the intent to showcase wide adoption by the project's consumers.
99
102
* Projects must have documented, initial project governance.
100
-
* If reporting directly to the TAC, the TAC sponsor and Project should decide on continued TAC sponsor engagement going forward. Continued engagement may include, but is not limited to:
103
+
* If the project was granted an exception to report directly to the TAC, the TAC sponsor and Project should decide on continued TAC sponsor engagement going forward, or identify a WG that can take over sponsorship. Continued engagement may include, but is not limited to:
101
104
* Project may consult about Project direction with TAC sponsor as needed throughout Incubating stage.
102
105
* TAC sponsor should continue to monitor Project activities, though regular meeting attendance is optional.
103
106
* Meet the "[Security Baseline - To Become Incubating](https://github.com/ossf/tac/blob/308c777124a05f1903301400653f1a7a944bd7be/process/security_baseline.md#baseline---to-become-incubating)" requirements.
@@ -123,7 +126,7 @@ Graduated projects signal the highest level of maturity for an OpenSSF project.
123
126
* Meets the "[Security Baseline - Once Graduated](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---once-graduated)" requirements.
124
127
125
128
#### Project Support
126
-
* Receives guidance on technical direction from TAC and/or WG.
129
+
* Receives guidance on technical direction from the sponsoring WG.
127
130
* Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event.
128
131
* Receives OpenSSF Code of Conduct Committee support.
129
132
* Receives infrastructure support (details determined by project leads and OpenSSF Budget Committee).
@@ -144,7 +147,7 @@ All requirements of Incubating must be fulfilled, plus:
144
147
* Projects must have documented project governance and be able to demonstrate that governance in action.
145
148
* When applicable, projects must have completed a security audit through a third party and addressed audit findings and recommendations.
146
149
* Projects meet the "[Security Baseline - To Become Graduated](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---to-become-graduated)" requirements.
147
-
* If reporting directly to the TAC, TAC sponsor monitoring and consultation become optional.
150
+
* If the project was granted an exception to report directly to the TAC, TAC sponsor monitoring and consultation become optional at Graduation; the project is encouraged to identify a WG home if one has since become appropriate.
148
151
149
152
#### Project Graduation Process: Incubating to Graduation
150
153
@@ -154,7 +157,7 @@ See [Submission Process](#submission-process) below and [Graduation application]
154
157
155
158
### Archived
156
159
157
-
Open source projects have a lifecycle and there are times when projects become inactive due to a variety of reasons. There are also cases where a project may no longer want to be supported by the OpenSSF, the given effort no longer has broad community interest and participation, or the OpenSSF TAC may no longer wish to recommend the use of a project. Archiving happens through a vote of the TAC, and can be requested by the corresponding project's lead(s) or a TAC member. TI's that are dormant, with no activity for 9 months (meetings, mailing lists, or other publicly viewable channels) in a row should be considered good candidates for Archiving.
160
+
Open source projects have a lifecycle and there are times when projects become inactive due to a variety of reasons. There are also cases where a project may no longer want to be supported by the OpenSSF, the given effort no longer has broad community interest and participation, or the OpenSSF TAC may no longer wish to recommend the use of a project. Archiving happens through a vote of the TAC, and can be requested by the corresponding project's lead(s) or a TAC member. Sandbox projects that are dormant with no activity for 6 months (meetings, mailing lists, or other publicly viewable channels) in a row should be considered good candidates for Archiving. Projects at Incubating or Graduated stages that are dormant for 9 months should be considered good candidates for Archiving.
Copy file name to clipboardExpand all lines: process/templates/PROJECT_NAME_sandbox_stage.md
+13-3Lines changed: 13 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,12 +1,22 @@
1
1
## Application for creating a new project at Sandbox stage
2
2
3
3
### List of project maintainers
4
-
The project must have a minimum of three maintainers with a minimum of two different organizational affiliations.
4
+
The project must have a minimum of one maintainer; two or more is strongly encouraged. Projects entering with fewer than two maintainers must reach a minimum of two by their first bi-annual TAC update. Projects must have a minimum of three maintainers from two or more organizations to be eligible for Incubating.
5
5
* "name, affiliation, GitHub ID"
6
6
7
+
### Community growth plan
8
+
If the project is entering Sandbox with fewer than three maintainers from two or more organizations, describe how the project intends to grow its maintainer base and organizational diversity during the Sandbox phase. See [Building an Open Source Community](../building-an-open-source-community.md) for guidance.
9
+
* "description of planned outreach, collaboration, or other steps to grow the maintainer base"
10
+
7
11
### Sponsor
8
-
Most projects will report to an existing OpenSSF Working Group, although in some cases a project may report directly to the TAC. The project commits to providing quarterly updates on progress to the group they report to.
9
-
* "name of the group the project reports to: either a Working Group or the TAC"
12
+
Projects must report to an existing OpenSSF Working Group. Projects that cannot identify a suitable WG should submit their proposal and request that the TAC help identify an appropriate WG home. The sponsor governs the project as a Technical Initiative within the WG and ensures regular readouts of project progress. The project commits to providing bi-annual updates on progress to the sponsoring WG.
13
+
* "name of the sponsoring Working Group"
14
+
* "name and GitHub ID of the sponsor (must be a member or lead of the sponsoring WG)"
15
+
16
+
### GitHub organization
17
+
The project's repository must be hosted under the [OpenSSF GitHub Enterprise Cloud instance](https://github.com/enterprises/openssf/organizations). Projects are not required to use the `ossf` GitHub organization; existing organizations may be moved under the OpenSSF Enterprise account.
18
+
* "link to project repository"
19
+
* "confirm the repository is, or will be, hosted under the OpenSSF GitHub Enterprise Cloud instance"
10
20
11
21
### Mission of the project
12
22
The project must be aligned with the OpenSSF mission and either be a novel approach for existing areas, address an unfulfilled need, or be initial code needed for OpenSSF WG work. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project.
0 commit comments