Skip to content

Commit 5f8ed1c

Browse files
justaugustusmarcelamelaraclaude
committed
Relax Sandbox entry requirements and clarify WG sponsorship
This change is a draft proposal for discussion, addressing feedback from the TAC meeting on 2026-04-14 around PR #421 (OpenSSF Labs). Rather than introducing a new pre-Sandbox maturity level, the TAC discussed whether the Sandbox stage itself could be updated to better support early-stage and single-maintainer projects. Key changes: - Lower the Sandbox maintainer minimum from three (from two orgs) to one, with two strongly encouraged. Projects entering with fewer than two maintainers must reach that threshold by their first bi-annual TAC update (~6 months), or face archival review. - Move multi-organizational maintainer diversity (3+ maintainers, 2+ orgs) from a Sandbox entry gate to an Incubating entry requirement, where demonstrated community health is more meaningful. - Add an explicit Sandbox responsibility to actively grow the maintainer base and organizational diversity toward Incubating. - Clarify that all projects must report to a WG sponsor. Projects that cannot identify a suitable WG should submit their proposal and request that the TAC help identify an appropriate WG home. TAC sponsorship is not a path forward for new projects. - Clarify that project repositories must be hosted under the OpenSSF GitHub Enterprise Cloud instance; they are not required to use the ossf GitHub organization specifically. - Shorten the Sandbox archival dormancy trigger from 9 months to 6 months; Incubating and Graduated projects retain the 9-month trigger. - Add a note that Best Practices badge requirements will be revisited once OSPS Baseline conformance integration in the badge program is finalized. - Fix a pre-existing inconsistency in building-an-open-source- community.md, which stated "two maintainers" while project- lifecycle.md required three; update to reflect the new framing (multi-org diversity as an Incubating gate, not Sandbox entry gate). - Add a "Community growth plan" field to the Sandbox application template for projects entering below the full maintainer threshold. Co-Authored-By: Marcela Melara <marcela.melara@intel.com> Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Stephen Augustus <foo@auggie.dev>
1 parent 599a748 commit 5f8ed1c

3 files changed

Lines changed: 31 additions & 18 deletions

File tree

process/building-an-open-source-community.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ In open source software the sustainability and growth of projects significantly
55

66
## Importance of Maintainers from Multiple Organizations
77

8-
The OpenSSF sandbox requirement, **Projects must have a minimum of two maintainers with different organization affiliations**, was adopted for the following reasons:
8+
Multi-organizational maintainership is a requirement for projects to advance to the Incubating stage. Projects may enter the Sandbox with as few as one maintainer, but are expected to actively work toward building a diverse maintainer base. This expectation exists for the following reasons:
99

1010

1111
### Project resilience

process/project-lifecycle.md

Lines changed: 17 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ New [Projects](../organizational-structure-overview.md#definitions) to the OpenS
88

99
## Project Oversight
1010

11-
Projects report either directly to the Technical Advisory Council (TAC) or to a specific Working Group (WG). When a Project reports into a specific WG, that WG can support the Project's progression and provide recommendations to the TAC. The overseeing group provides Projects advice on technical direction, and is a point of escalation or dispute resolution in technical disagreements. The overseeing group does not set the charter or operations for Projects, but ensures Projects operate in line with the [Mission, Vision, Values, Strategy, and Roadmap (MVVSR)](https://openssf.org/about/).
11+
Projects report to a specific Working Group (WG), which supports the Project's progression and provides recommendations to the TAC. Projects that cannot identify a suitable WG should submit their proposal and request that the TAC help identify an appropriate WG home. The overseeing WG provides Projects advice on technical direction, and is a point of escalation or dispute resolution in technical disagreements. The overseeing WG does not set the charter or operations for Projects, but ensures Projects operate in line with the [Mission, Vision, Values, Strategy, and Roadmap (MVVSR)](https://openssf.org/about/).
1212

1313
<!-- TOC -->
1414

@@ -39,13 +39,14 @@ The OpenSSF Sandbox is the entry point for early stage Projects and has four goa
3939

4040
#### Project Responsibilities
4141
* Provides bi-annual updates to the TAC on technical vision and progress on vision.
42+
* Actively works to grow the maintainer base and organizational diversity. Projects entering Sandbox with fewer than three maintainers from two or more organizations are expected to demonstrate progress toward this goal at each bi-annual TAC update, as multi-organizational representation is required for Incubating entry.
4243
* Maintains a diversified contributor base (i.e. not a single-vendor project).
43-
* For code development, follows security best practices (as recommended by the OpenSSF and others), including passing the [OpenSSF Best Practices criteria](https://bestpractices.coreinfrastructure.org/en/criteria/0).
44+
* For code development, follows security best practices (as recommended by the OpenSSF and others), including passing the [OpenSSF Best Practices criteria](https://bestpractices.coreinfrastructure.org/en/criteria/0). Note: badge requirements will be revisited once OSPS Baseline conformance integration in the badge program is finalized.
4445
* Provides project updates to OpenSSF Marketing Committee as requested.
4546
* Meet the "[Security Baseline - Once Sandbox](https://github.com/ossf/tac/blob/308c777124a05f1903301400653f1a7a944bd7be/process/security_baseline.md#baseline---once-sandbox)" requirements.
4647

4748
#### Project Support
48-
* Receives a TAC or WG sponsor for guidance on technical direction. The sponsor also ensures the Project operates within the scope of the OpenSSF, adheres to the OpenSSF code of conduct, legal and IP policies, and reserves the right to consult with the TAC to raise any related concerns. Projects can reach out to the TAC if concerns about sponsor involvement arise.
49+
* Receives a WG sponsor for guidance on technical direction. The sponsor also ensures the Project operates within the scope of the OpenSSF, adheres to the OpenSSF code of conduct, legal and IP policies, and reserves the right to consult with the TAC to raise any related concerns. Projects can reach out to the TAC if concerns about sponsor involvement arise.
4950
* Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event.
5051
* Receives OpenSSF Code of Conduct Committee support.
5152
* Reserved space for project updates in OpenSSF newsletters.
@@ -54,12 +55,14 @@ The OpenSSF Sandbox is the entry point for early stage Projects and has four goa
5455

5556
#### Sandbox Entry Requirements and Considerations
5657

57-
* Projects must have a minimum of three maintainers with a minimum of two different organization affiliations.
58+
* Projects must have a minimum of one maintainer; two or more maintainers is strongly encouraged. Projects with fewer than two maintainers at entry must reach a minimum of two maintainers by their first bi-annual TAC update (approximately six months); failure to demonstrate progress toward this goal is grounds for archival review. See [Building an Open Source Community](building-an-open-source-community.md) for guidance on growing a maintainer base.
5859
* Projects must be aligned with the OpenSSF mission _and_ either be a novel approach for existing areas or address an unfulfilled need. It is expected that the initial code or specification developed by an OpenSSF WG be kept within their repository and will not function as a Project in its own right. Should the initial WG code or specification grow and mature that it warrants its own Project status, then it is subject to Sandbox entry requirements. It is preferred that extensions of an existing OpenSSF project collaborate with the existing project rather than seek a new project.
59-
* Projects must seek one TAC sponsor or one WG sponsor (if reporting to a WG)
60-
* TAC or WG sponsor agrees to attend Project meetings regularly
61-
* TAC or WG sponsor does not need to have a formal role in Project, e.g., maintainer
62-
* TAC or WG sponsor requests TAC approval
60+
* Projects must seek a WG sponsor. Projects that cannot identify a suitable WG should reach out to the TAC for assistance in identifying one before submitting a proposal.
61+
* The sponsor must be a member or lead of the sponsoring WG
62+
* The sponsor governs the project as a Technical Initiative within the WG and ensures regular readouts of project progress to the overseeing group
63+
* The sponsor does not need to have a formal role in the Project, e.g., maintainer
64+
* The sponsor requests TAC approval on behalf of the project
65+
* Projects must host their repository under the [OpenSSF GitHub Enterprise Cloud instance](https://github.com/enterprises/openssf/organizations). Projects are not required to use the `ossf` GitHub organization specifically; existing organizations may be moved under the OpenSSF Enterprise account.
6366
* If contributing an existing project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF).
6467

6568
See [Submission Process](#submission-process) below and [Sandbox application](templates/PROJECT_NAME_sandbox_stage.md).
@@ -79,7 +82,7 @@ Incubating projects represent maturing but not fully realized projects. Incubati
7982
* Meets the "[Security Baseline - Once Incubating](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---once-incubating)" requirements.
8083

8184
#### Project Support
82-
* Receives guidance on technical direction from TAC and/or WG. The sponsor continues to ensure the Project operates within the scope of the OpenSSF, adheres to the OpenSSF code of conduct, legal and IP policies, and reserves the right to consult with the TAC to raise any related concerns. Projects can reach out to the TAC if concerns about sponsor involvement arise.
85+
* Receives guidance on technical direction from the sponsoring WG. The sponsor continues to ensure the Project operates within the scope of the OpenSSF, adheres to the OpenSSF code of conduct, legal and IP policies, and reserves the right to consult with the TAC to raise any related concerns. Projects can reach out to the TAC if concerns about sponsor involvement arise.
8386
* Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event.
8487
* Receives OpenSSF Code of Conduct Committee support.
8588
* Receives infrastructure support (details determined by project leads and OpenSSF Budget Committee).
@@ -92,12 +95,12 @@ Incubating projects represent maturing but not fully realized projects. Incubati
9295
#### Incubation Entry Requirements and Considerations
9396

9497
All requirements of Sandbox must be fulfilled, plus:
95-
* Projects must have a minimum of three maintainers with a minimum of two different organization affiliations, and document the current list of maintainers.
98+
* Projects must have a minimum of three maintainers with a minimum of two different organization affiliations, and document the current list of maintainers. This is where multi-organizational community health is validated; projects that entered Sandbox with fewer maintainers are expected to have grown their base to meet this requirement.
9699
* Projects must have met at least 5 times within the last calendar quarter since becoming `Sandbox`.
97100
* Projects must have defined a contributor guide, which makes it clear how and when contributors should be given increasing responsibilities towards maintainership of the project. (Example guides: [Sigstore](https://github.com/sigstore/community/blob/main/MEMBERSHIP.md), [AllStar](https://github.com/ossf/allstar/blob/main/contributor-ladder.md))
98101
* Projects should be able to show adoption by multiple parties and adoption's value to the open source community and/or end users (may include adoption of beta/early versions) with the intent to showcase wide adoption by the project's consumers.
99102
* Projects must have documented, initial project governance.
100-
* If reporting directly to the TAC, the TAC sponsor and Project should decide on continued TAC sponsor engagement going forward. Continued engagement may include, but is not limited to:
103+
* If the project was granted an exception to report directly to the TAC, the TAC sponsor and Project should decide on continued TAC sponsor engagement going forward, or identify a WG that can take over sponsorship. Continued engagement may include, but is not limited to:
101104
* Project may consult about Project direction with TAC sponsor as needed throughout Incubating stage.
102105
* TAC sponsor should continue to monitor Project activities, though regular meeting attendance is optional.
103106
* Meet the "[Security Baseline - To Become Incubating](https://github.com/ossf/tac/blob/308c777124a05f1903301400653f1a7a944bd7be/process/security_baseline.md#baseline---to-become-incubating)" requirements.
@@ -123,7 +126,7 @@ Graduated projects signal the highest level of maturity for an OpenSSF project.
123126
* Meets the "[Security Baseline - Once Graduated](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---once-graduated)" requirements.
124127

125128
#### Project Support
126-
* Receives guidance on technical direction from TAC and/or WG.
129+
* Receives guidance on technical direction from the sponsoring WG.
127130
* Receives consideration as in-scope for any submission to an OpenSSF-managed conference or event.
128131
* Receives OpenSSF Code of Conduct Committee support.
129132
* Receives infrastructure support (details determined by project leads and OpenSSF Budget Committee).
@@ -144,7 +147,7 @@ All requirements of Incubating must be fulfilled, plus:
144147
* Projects must have documented project governance and be able to demonstrate that governance in action.
145148
* When applicable, projects must have completed a security audit through a third party and addressed audit findings and recommendations.
146149
* Projects meet the "[Security Baseline - To Become Graduated](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---to-become-graduated)" requirements.
147-
* If reporting directly to the TAC, TAC sponsor monitoring and consultation become optional.
150+
* If the project was granted an exception to report directly to the TAC, TAC sponsor monitoring and consultation become optional at Graduation; the project is encouraged to identify a WG home if one has since become appropriate.
148151

149152
#### Project Graduation Process: Incubating to Graduation
150153

@@ -154,7 +157,7 @@ See [Submission Process](#submission-process) below and [Graduation application]
154157

155158
### Archived
156159

157-
Open source projects have a lifecycle and there are times when projects become inactive due to a variety of reasons. There are also cases where a project may no longer want to be supported by the OpenSSF, the given effort no longer has broad community interest and participation, or the OpenSSF TAC may no longer wish to recommend the use of a project. Archiving happens through a vote of the TAC, and can be requested by the corresponding project's lead(s) or a TAC member. TI's that are dormant, with no activity for 9 months (meetings, mailing lists, or other publicly viewable channels) in a row should be considered good candidates for Archiving.
160+
Open source projects have a lifecycle and there are times when projects become inactive due to a variety of reasons. There are also cases where a project may no longer want to be supported by the OpenSSF, the given effort no longer has broad community interest and participation, or the OpenSSF TAC may no longer wish to recommend the use of a project. Archiving happens through a vote of the TAC, and can be requested by the corresponding project's lead(s) or a TAC member. Sandbox projects that are dormant with no activity for 6 months (meetings, mailing lists, or other publicly viewable channels) in a row should be considered good candidates for Archiving. Projects at Incubating or Graduated stages that are dormant for 9 months should be considered good candidates for Archiving.
158161

159162
#### Archiving Considerations
160163

process/templates/PROJECT_NAME_sandbox_stage.md

Lines changed: 13 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,22 @@
11
## Application for creating a new project at Sandbox stage
22

33
### List of project maintainers
4-
The project must have a minimum of three maintainers with a minimum of two different organizational affiliations.
4+
The project must have a minimum of one maintainer; two or more is strongly encouraged. Projects entering with fewer than two maintainers must reach a minimum of two by their first bi-annual TAC update. Projects must have a minimum of three maintainers from two or more organizations to be eligible for Incubating.
55
* "name, affiliation, GitHub ID"
66

7+
### Community growth plan
8+
If the project is entering Sandbox with fewer than three maintainers from two or more organizations, describe how the project intends to grow its maintainer base and organizational diversity during the Sandbox phase. See [Building an Open Source Community](../building-an-open-source-community.md) for guidance.
9+
* "description of planned outreach, collaboration, or other steps to grow the maintainer base"
10+
711
### Sponsor
8-
Most projects will report to an existing OpenSSF Working Group, although in some cases a project may report directly to the TAC. The project commits to providing quarterly updates on progress to the group they report to.
9-
* "name of the group the project reports to: either a Working Group or the TAC"
12+
Projects must report to an existing OpenSSF Working Group. Projects that cannot identify a suitable WG should submit their proposal and request that the TAC help identify an appropriate WG home. The sponsor governs the project as a Technical Initiative within the WG and ensures regular readouts of project progress. The project commits to providing bi-annual updates on progress to the sponsoring WG.
13+
* "name of the sponsoring Working Group"
14+
* "name and GitHub ID of the sponsor (must be a member or lead of the sponsoring WG)"
15+
16+
### GitHub organization
17+
The project's repository must be hosted under the [OpenSSF GitHub Enterprise Cloud instance](https://github.com/enterprises/openssf/organizations). Projects are not required to use the `ossf` GitHub organization; existing organizations may be moved under the OpenSSF Enterprise account.
18+
* "link to project repository"
19+
* "confirm the repository is, or will be, hosted under the OpenSSF GitHub Enterprise Cloud instance"
1020

1121
### Mission of the project
1222
The project must be aligned with the OpenSSF mission and either be a novel approach for existing areas, address an unfulfilled need, or be initial code needed for OpenSSF WG work. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project.

0 commit comments

Comments
 (0)