Re: [iot-pmc] How we want to do things in the IoT PMC

Hi Jens,

thanks for starting this thread. This is already helpful to me :-)
I do have some questions which I have included inline below ...

Kai (II. ;-))

On Thu, 2017-03-23 at 17:31 +0100, Jens Reimann wrote:
> Hi everyone,
> 
> There are some things the IoT PMC agreed upon in the past, but we never
> wrote them down. As we now welcomed Kai (the second) to the PMC, it turns out
> he has nowhere to look that up. No one else has either.
> 
> So I would like to start a discussion about writing things down, probably on a
> Wiki page, so that people and we ourselves find that information.
> 
> In general the Eclipse Foundation already has a set of rules and policies on
> how to do things (like the voting). So writing this down again doesn't make any
> sense to me; if not stated otherwise, we follow these rules!
> 
> ---
> 
> The following is just a braindump and please correct me if I am wrong or
> suggest any changes, because now would be the right time. If something is
> unclear, please let me know and I will explain:
> 
> * We simply vote for 3rd party works-with/pre-requisite requests
I assume when we refer to "vote" we mean "voting as already defined by the
Eclipse rules", e.g. after 7 days the vote concludes with simple majority etc.

> * Transition to GitHub always gets a +1
> * We don't put any limitations on dependencies or tools projects use
This means we ALWAYS approve of CQs for pre-reqs?

> * The PMC +1 for a release will be concluded by a vote
Again, following the standard rules set by Eclipse, I assume.

> * For CQs, the person giving the first comment finally closes up with a +1/-1,
> of course anyone else can comment
"Closing up" here means setting the +1/-1 flag in IPZilla, right?
> * We don't vote on projects we (PMC) are involved ourselves
But we can still process CQs filed by people from our own organization, can't we?

> 
> ---
> 
> I would also like to suggest a new addition for releases:
> 
> * Projects should provide a dependency report for every release
> When a project wants to do a release, we should require them to provide a
> dependency report, like [1], scanning for vulnerabilities in dependencies. The
> report must be published together with the release review and all known
> security vulnerabilities in dependencies must be disclosed in the section
> "Security Issues".
> * All fixed security issues must be disclosed in the section "Security Issues"
> as well
> * If there are none the section should contain a sentence like "No security
> issues are known in required dependencies" and "No security issues had to be
> fixed".
> 
> I do think that security is important, especially for IoT. So we should put a
> focus on that, showing that Eclipse IoT projects take security seriously. I also
> think that using tools for scanning dependencies is fine and recommended. But
> not required. If a project wants to do that manually, that is fine with me as
> well.
> 
> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> ---
> 
> Let me know what you think
> 
> Cheers
> 
> Jens
> 
> 
> 
> _______________________________________________
> iot-pmc mailing list
> iot-pmc@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://dev.eclipse.org/mailman/listinfo/iot-pmc
