Re: [iot-pmc] How we want to do things in the IoT PMC
Hi Jens,
thanks for starting this thread. This is already helpful to me :-)
I do have some questions which I have included inline below ...
Kai (II. ;-))
On Thu, 2017-03-23 at 17:31 +0100, Jens Reimann wrote:
> Hi everyone,
>
> There are some things we in the IoT PMC agreed upon in the past, but we never
> wrote them down. As we have now welcomed Kai (the second) to the PMC, it turns out
> he has nowhere to look that up. No one else has either.
>
> So I would like to start a discussion about writing things down, probably on a
> Wiki page, so that people and we ourselves find that information.
>
> In general the Eclipse Foundation already has a set of rules and policies on
> how to do things (like the voting). So writing this down again doesn't make any
> sense to me, if not stated otherwise, we follow these rules!
>
> ---
>
> The following is just a braindump and please correct me if I am wrong or
> suggest any changes, because now would be the right time. If something is
> unclear, please let me know and I will explain:
>
> * We simply vote for 3rd party works-with/pre-requisite requests
I assume when we refer to "vote" we mean "voting as already defined by the
Eclipse rules", e.g. after 7 days the vote concludes with simple majority etc.
> * Transition to GitHub always gets a +1
> * We don't put any limitations on dependencies or tools projects use
This means we ALWAYS approve of CQs for pre-reqs?
> * The PMC +1 for a release will be concluded by a vote
Again, following the standard rules set by Eclipse, I assume.
> * For CQs, the person giving the first comment finally closes up with a +1/-1,
> of course anyone else can comment
"Closing up" here means setting the +1/-1 flag in IPZilla, right?
> * We don't vote on projects we (PMC) are involved ourselves
But we can still process CQs filed by people from our own organization, can't we?
>
> ---
>
> I would also like to suggest a new addition for releases:
>
> * Projects should provide a dependency report for every release
> When a project wants to do a release, we should require them to provide a
> dependency report, like [1], scanning for vulnerabilities in dependencies. The
> report must be published together with the release review and all known
> security vulnerabilities in dependencies must be disclosed in the section
> "Security Issues".
> * All fixed security issues must be disclosed in the section "Security Issues"
> as well
> * If there are none the section should contain a sentence like "No security
> issues are known in required dependencies" and "No security issues had to be
> fixed".
>
> I do think that security is important, especially for IoT. So we should put a
> focus on that, showing that Eclipse IoT projects take security seriously. I also
> think that using tools for scanning dependencies is fine and recommended, but
> not required. If a project wants to do that manually, that is fine with me as
> well.
>
> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> ---
>
> Let me know what you think
>
> Cheers
>
> Jens