Capturing guidelines for OpenSSF project governance

[annabellegoth2boss]

At the June 3 Governance Tiger Team meeting, one of the questions that came up was how prescriptive the OpenSSF should be about a project's governance. In the Project Lifecycle, Incubating projects need to show the start of having governance, and Graduated projects are expected to have an operating governance structure.

There was consensus that we should not dictate one single governance structure for all projects. There was also consensus that we have some basic, shared ideas of what "good governance" looks like. The proposal was not to prescribe specific governance, but to document these qualities and minimal requirements and projects submitting for the different stages can demonstrate how they meet these qualities.

Proposing a draft for discussion:

• Lazy consensus is encouraged as a way of working, but disagreements are inevitable. How decisions are made in these situations must be documented, with clear rules and pathways to becoming a decision maker.
• It is recommended that there are no more than 7 decision makers (e.g. who gets a vote in a decision) at any time
• Projects with more than 7 parties interested in being a decision maker should hold elections to decide these seats
  • These elections should be open and transparent, and the electorate (who gets a vote and the pathway to earning a vote) is documented.
  • Decision making seats should have terms no shorter than one year and no longer than three.
  • Governance should specify what happens when decision makers step down mid-term or change company affiliation mid-term
• The TAC and GB should know who to contact for project updates, with a delegated secondary contact.

[SecurityCRob]

This has been documented here: https://github.com/ossf/tac/blob/main/process/project-lifecycle.md