gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/GOVERNANCE.md (about) 1 # Governance 2 3 ## Projects 4 5 A *project* is the primary unit of collaboration. Each project may have its own 6 repository and contribution process. 7 8 All projects are covered by the [Code of Conduct](CODE_OF_CONDUCT.md), and 9 should include an up-to-date copy in the project repository or a link here. 10 11 ## Contributors 12 13 Anyone can be a *contributor* to a project, provided they have signed relevant 14 Contributor License Agreements (CLAs) and follow the project's contribution 15 guidelines. Contributions will be reviewed by a maintainer, and must pass all 16 applicable tests. 17 18 Reviews check for code quality and style, including documentation, and enforce 19 other policies. Contributions may be rejected for reasons unrelated to the code 20 in question. For example, a change may be too complex to maintain or duplicate 21 existing functionality. 22 23 Note that contributions are not limited to code alone. Bugs, documentation, 24 experience reports or public advocacy are all valuable ways to contribute to a 25 project and build trust in the community. 26 27 ## Maintainers 28 29 Each project has one or more *maintainers*. Maintainers set technical direction, 30 facilitate contributions and exercise overall stewardship. 31 32 Maintainers have write access to the project repository. Maintainers review and 33 approve changes. They can also assign issues and add additional reviewers. 34 35 Note that some repositories may not allow direct commit access, which is 36 reserved for administrators or automated processes. In this case, maintainers 37 have approval rights, and a separate process exists for merging a change. 38 39 Maintainers are responsible for upholding the code of conduct in interactions 40 via project communication channels. If comments or exchanges are in violation, 41 they may remove them at their discretion. 42 43 ### Repositories requiring synchronization 44 45 For some projects initiated by Google, the infrastructure which synchronizes and 46 merges internal and external changes requires that merges are performed by a 47 Google employee. In such cases, Google will initiate a rotation to merge changes 48 once they pass tests and are approved by a maintainer. This does not preclude 49 non-Google contributors from becoming maintainers, in which case the maintainer 50 holds approval rights and the merge is an automated process. In some cases, 51 Google-internal tests may fail and have to be fixed: the Google employee will 52 work with the submitter to achieve this. 53 54 ### Becoming a maintainer 55 56 The list of maintainers is defined by the list of people with commit access or 57 approval authority on a repository, typically via a Gerrit group or a GitHub 58 team. 59 60 Existing maintainers may elevate a contributor to maintainer status on evidence 61 of previous contributions and established trust. This decision is based on lazy 62 consensus from existing maintainers. While contributors may ask maintainers to 63 make this decision, existing maintainers will also pro-actively identify 64 contributors who have demonstrated a sustained track record of technical 65 leadership and direct contributions. 66 67 ## Special Interest Groups (SIGs) 68 69 From time-to-time, a SIG may be formed in order to solve larger, more complex 70 problems across one or more projects. There are many avenues for collaboration 71 outside a SIG, but a SIG can provide structure for collaboration on a single 72 topic. 73 74 Each group will be established by a charter, and governed by the Code of 75 Conduct. Some resources may be provided to the group, such as mailing lists or 76 meeting space, and archives will be public. 77 78 ## Security disclosure 79 80 Projects may maintain security mailing lists for vulnerability reports and 81 internal project audits may occasionally reveal security issues. Access to these 82 lists and audits will be limited to project *maintainers*; individual 83 maintainers should opt to participate in these lists based on need and 84 expertise. Once maintainers become aware of a potential security issue, they 85 will assess the scope and potential impact. If reported externally, maintainers 86 will determine a reasonable embargo period with the reporter. 87 88 During the embargo period, the maintainers will prioritize a fix for the 89 security issue. They may choose to disclose the issue to additional trusted 90 contributors in order to facilitate a fix, subjecting them to the embargo, or 91 notify affected users in order to give them an advanced opportunity to mitigate 92 the issue. The inclusion of specific users in this disclosure is left to the 93 discretion of the maintainers and contributors involved, and depends on the 94 scale of known project use and exposure. 95 96 Once a fix is widely available or the embargo period ends, the maintainers will 97 make technical details about the vulnerability and associated fixes available. 98 99 ## Mailing lists 100 101 There are four key mailing lists that span projects. 102 103 * [gvisor-users](mailto:gvisor-users@googlegroups.com): general purpose user 104 list. 105 * [gvisor-dev](mailto:gvisor-dev@googlegroups.com): general purpose 106 development list. 107 * [gvisor-security](mailto:gvisor-security@googlegroups.com): private security 108 list. Access to this list is restricted to maintainers of the core gVisor 109 project, subject to the security disclosure policy described above. 110 * [gvisor-syzkaller](mailto:gvisor-syzkaller@googlegroups.com): private 111 syzkaller bug tracking list. Access to this list is not limited to 112 maintainers, but will be granted to those who can credibly contribute to 113 fixes.