Prepare for the donation

[FeynmanZhou]

We discussed and aligned in the community meeting that we are going to donate Ratify to a open-source foundation. CNCF would be a potential home for our donation.

This issue provides a checklist and recommended actionable items before donating Ratify to CNCF based on the CNCF Sandbox submission form.

The next CNCF Sandbox project review meeting is April 9, 2024. We need to make sure all required information and process are completed by that date.

• Application contact emails

• Project Summary

• Org repo URL (provide if all repos under the org are in scope of the application): we will need to create a new organization for Ratify and migrate two repos to the new org

• Project repo URL in scope of application: https://github.com/deislabs/ratify

• Website URL: https://ratify.dev/

• Roadmap: it would be better to create a document to clarify the short-term and long-term plans for the roadmap. Make others quickly understand the vision and goalds of the project

• Contributing Guide: https://github.com/deislabs/ratify/blob/main/CONTRIBUTING.md

• Code of Conduct (CoC): Changed from Microsoft Open Source Code of Conduct to CNCF CoC**

• Adopters: added Adopters.md in docs: update COC and add adopters.md #1360

• Contributing or Sponsoring Org: Microsoft. Maybe we can ask whether AWS has any interest in joining the project as the contributing org

• Maintainers file: Ratify has a MAINTAINERS file but need to update the maintainer seats based on contributor metrics

• IP Policy

• Trademark and accounts

• Why CNCF: Ratify is an extensible verification framework for container images and other artifacts that can examine and use custom policies that you create to approve deployments in Kubernetes. This aligns seamlessly with CNCF's mission to foster and sustain an ecosystem of open source and vendor-neutral projects. We believe CNCF is a neutral home for Ratify because it has a flourish and active community can help the future success of Ratify through the development of third party integrations.

• Benefit to the Landscape: Ratify's mission is to safeguard the container supply chain by ratifying trustworthy and compliant container images and other software artifacts. As a open framework in CNCF security & compliance area, Ratify is designed with different interface models to allow for its integration at different stages of the containers secure supply chain. Ratify has already collaborated and integrated with some CNCF projects and provide joint solutions to CNCF ecosystem users.

• Cloud Native 'Integration': Notary Project, OPA Gatekeeper, Trivy (non-CNCF), ORAS, Sigstore Cosign (OpenSSF)

• Cloud Native 'Fit': Ratify enables Kubernetes clusters to verify artifact security metadata (signatures and attestations including vulnerability reports, SBOM, provenance data, and VEX documents) prior to deployment and admit for deployment only those that comply with an admission policy that you create. With Ratify, cloud-native workloads can be verifiable on deployment, eventually increase the security posture of cloud-native ecosystem users.

• Cloud Native Overlap: To our knowledge, there isn't any direct overlap with other CNCF projects today.

• Similar projects: Kyverno

• Product or Service to Project separation: Azure Kubernetes Service has developed a managed addon based on the Ratify project for customer clusters. The development and roadmap of the open source project and the managed addon have always remained entirely separate, and that will continue to be true going forward. In addition, Venafi CodeSigning and AWS Signer have related managed services that support Ratify.

• Project presentations: Suggest presenting the project in CNCF Security TAG and collect their feedback from TAG chairs. Need to create an issue on Security-TAG to request a presentation in their community meeting.

• Project champions: @lachie83