REQUEST: Migrate aquasecurity/vuln-list-k8s

[PushkarJ]

New repo, staging repo, or migrate existing

migrate existing: aquasecurity/vuln-list-k8s

Is it a staging repo?

no

Requested name for new repository

cve-feed-osv

Which Organization should it reside

kubernetes-sigs

Who should have admin access?

chen-keinan,itaysk, knqyf263, tabbysable, iancoldwater, pushkarj

Who should have write access?

pushkarj, ericsmalling

Who should be listed as approvers in OWNERS?

chen-keinan, itaysk, knqyf263, tabbysable, iancoldwater, pushkarj

Who should be listed in SECURITY_CONTACTS?

itaysk, knqyf263, tabbysable, iancoldwater, pushkarj

What should the repo description be?

OSV JSON format file generator for official Kubernetes CVE Feed

What SIG and subproject does this fall under?

sig-security

Please provide references to appropriate approval for this new repo

Meeting minutes: https://docs.google.com/document/d/1GgmmNYN88IZ2v2NBiO3gdU8Riomm0upge_XNVxEYXp0/edit#bookmark=id.kywwheybam91

Lazy Consensus announcement: https://groups.google.com/g/kubernetes-sig-security/c/FxXegIeO198

Additional context for request

We will be creating a separate branch where code from here: https://github.com/aquasecurity/vuln-list-update/tree/main/k8s will be migrated to https://github.com/aquasecurity/vuln-list-k8s

[PushkarJ]

/sig security

[mrbobbytables]

if its just a subdir of the repo, I would opt to create a new repo and move the code over - there are only 5 commits that touch that dir.

[itaysk]

the primary contributor is going to be @chen-keinan, so please add him too. I (@itaysk) won't be contributing actively, so feel free to remove me, unless I'm needed for redundency.

[PushkarJ]

Thanks @itaysk I have updated the description now to include @chen-keinan

@mrbobbytables we actually worked together to move all the code that we need to migrate into the new branch on this repo: https://github.com/aquasecurity/vuln-list-k8s/tree/migrate-k8s-org So this branch if made as main branch for the new repo with all the other kubernetes repo skeleton (license, etc), we would be golden! Let us know how I can help you and GitHub admin team to make this happen :)

[mrbobbytables]

@PushkarJ if you can, stage all the things needed to be a k8s project first - https://github.com/kubernetes/community/blob/master/github-management/kubernetes-repositories.md#rules-for-donated-repositories

the license headers etc (the stuff in the repo skeleton part you mentioned)

[PushkarJ]

@mrbobbytables Branch is now updated with template files and headers. Please let me know if we missed nothing :) 🙏

[itaysk]

Hi there, is there anything else required to proceed?

[MadhavJivrajani]

/assign

[MadhavJivrajani]

@PushkarJ / @itaysk a couple of items for the first step of migration:

• I will need to invite an admin of the https://github.com/aquasecurity/vuln-list-k8s repo to one of our temporary orgs through which we can migrate the repository, please lmk whom I can invite for that.
• We have the following folks listed with admin and write privileges, but they are not part of the kubernetes-sigs GitHub org:
  • @chen-keinan
  • @knqyf263
  • @ericsmalling

They will need to apply for membership before they can be given admin access to the migrated repo: https://github.com/kubernetes/community/blob/master/community-membership.md#requirements

@ericsmalling since you're already part of the Kubernetes org, I can PR you in to the kubernetes-sigs org, you do not need to apply for membership anew. 🙂

However, this should be non-blocking for the migration itself, they can always be added in as and when the org membership requirements are met.

Couple more things:

• [Blocking] We need to ensure that all existing committers to the code of vuln-list-k8s have signed the CLA: https://github.com/kubernetes/community/tree/master/contributors/guide#sign-the-cla
  • This is especially true for folks that will be given admin/write access.
  • This means, for the migrate-k8s-org branch, we have 2 non-bot users who have committed to this branch: @chen-keinan and @knqyf263. Could you both confirm if you have signed the CLA? If you have not, please do so and we can proceed with the migration. If you have concerns with signing the CLA and you do not wish to, please lmk in that case as well, we have a process of documenting exceptions, but please note that this will prohibit you from making contributions once the repo is migrated.
• Let's also merge the migrate-k8s-org branch into main pre-migration.

[chen-keinan]

@MadhavJivrajani thank you for the info, I have signed the CLA. please do let me know if anything else is required