This policy would hopefully establish standards for virtual machines donated to us. It's part of the (unofficial) TPA policies right now, but could be made a broader "TPA RFC", which are aimed at establishing organization-wide policies.
In this case, it specifically targets a set of virtual machines we're hoping to get from a provider for various projects, and which has been so far discussed privately.
But the goal is indeed to set a policy that would apply to all those projects, to various degrees. The common denominator would be the "must have" category.
This is totally up for discussion, and I'm happy to clarify why those requirements are there, as well as adding, removing, or changing requirements.