
Does Lyft have any plans to sandbox then donate Clutch to CNCF? #2556

Open
lloydchang opened this issue Jan 26, 2023 · 2 comments
Labels
type: enhancement New feature or request

Comments

danielhochman (Collaborator) commented:
Hi @lloydchang it's something we have talked about and considered. If it would make a difference to any community stakeholders we would be happy to restart that conversation. Ensuring that Clutch is supported and maintained long-term is definitely a goal of ours.

lloydchang (Contributor, Author) commented Jan 26, 2023

@danielhochman wrote:

Ensuring that Clutch is supported and maintained long-term is definitely a goal of ours.


Thanks @danielhochman

Ultimately, it depends on community interest, as I believe that is important (conceptually-speaking).

This is a good start to having a community discussion.


For a simple example in a different open source project that was not sandboxed with CNCF...

• I reported an error at box/ClusterRunner#457 with a simple fix (prepend www. to match an SSL certificate), but no one has responded yet

• Furthermore, another person reported the same (?) issue 3 years ago at box/ClusterRunner#447

In my humble opinion, when a company or its open source program office cannot perform good stewardship of an open source project, or even reply to simple inquiries, then what seems like a simple fix (prepending www. to a URL to match an SSL certificate) may never happen. At that point, I believe there seems to be something wrong with a company's open source program office for unknown reasons.

Hypothetically, there could be various reasons, such as:
• Perhaps the open source project has been abandoned without a formal public notice?
• Perhaps the people who had worked on the open source project already left the company?

There are security risks and liabilities in using open source that isn't supported or maintained.


The idea is that the process from sandboxing to donation to CNCF might mitigate those security risks and liabilities, if given enough funding and support.

For example, in a different open source project that was sandboxed with CNCF...

As Flux is an Incubation project within the Cloud Native Computing Foundation, we were graciously granted a sponsored audit. The primary aim was to assess Flux’s fundamental security posture and to identify next steps in its security story. The audit was commissioned by the CNCF, and facilitated by OSTIF (the Open Source Technology Improvement Fund). ADA Logics was quickly brought into the picture, and spent a month on the audit.
https://www.cncf.io/blog/2021/11/11/flux-security-audit-has-concluded/


Thank you.
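The certificate problem mentioned in passing above (a URL whose host is not among the names the certificate lists, worked around by prepending www.) can be reproduced offline against a certificate's subjectAltName DNS entries. The code below is an added example written for this page; it is not from Clutch, ClusterRunner or either commenter. The SAN lists and hostnames are constructed, and the matching rules follow RFC 6125: case-insensitive exact match, or a wildcard that is the entire left-most label and covers exactly one label.

```python
"""Offline check of whether a certificate's subjectAltName DNS entries cover a
hostname, and whether the "prepend www." workaround would make it match.

Added example for this thread; the SAN lists used here are constructed, not
taken from any real certificate.
"""

from typing import Iterable, Optional


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Example.COM.' equals 'example.com'."""
    return name.strip().rstrip(".").lower()


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Return True if hostname is covered by one of the SAN DNS names.

    Only subjectAltName entries are consulted; the subject CN is ignored,
    which is what modern TLS clients do.
    """
    host_labels = _normalize(hostname).split(".")
    if any(label == "" for label in host_labels):
        return False  # empty labels never match ("" or "a..b")
    for san in san_dns_names:
        pat_labels = _normalize(san).split(".")
        if pat_labels == host_labels:
            return True  # exact match
        # Wildcard rules: '*' must be the whole left-most label, the pattern
        # must have at least two more labels (so '*.com' is rejected), and the
        # wildcard covers exactly one host label ('a.b.example.com' fails
        # against '*.example.com').
        if (
            pat_labels[0] == "*"
            and len(pat_labels) >= 3
            and len(pat_labels) == len(host_labels)
            and pat_labels[1:] == host_labels[1:]
        ):
            return True
    return False


def suggest_host(hostname: str, san_dns_names: Iterable[str]) -> Optional[str]:
    """Return a hostname the certificate covers: the original if it already
    matches, the 'www.'-prefixed form if only that matches, otherwise None.

    This mirrors the workaround discussed in the thread. The durable fix is a
    certificate that lists every name the service is reached by.
    """
    sans = list(san_dns_names)  # may be consumed twice
    if hostname_matches(hostname, sans):
        return _normalize(hostname)
    candidate = "www." + _normalize(hostname)
    if hostname_matches(candidate, sans):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed SAN list that lists only the www. name, the situation in
    # which a bare-domain URL fails verification.
    sans = ["www.example.com"]
    for host in ("example.com", "www.example.com", "api.example.com"):
        print(f"{host:16} covered={hostname_matches(host, sans)!s:5} "
              f"suggest={suggest_host(host, sans)}")
```

This is a diagnostic for SAN names already extracted from a certificate; a real client should keep relying on its TLS library's own hostname verification rather than reimplementing it.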
