Re: [iot-pmc] How we want to do things in the IoT PMC

Hi Kai II. (I hope you don't mind),

starting this was overdue!

The answers below explain it a bit; if not, let me know and I will retry.

Cheers

Jens

On Sat, Mar 25, 2017 at 12:07 PM, Hudalla Kai (INST/ECS4) <kai.hudalla@xxxxxxxxxxxx> wrote:
Hi Jens,

thanks for starting this thread. This is already helpful to me :-)
I do have some questions which I have included inline below ...

Kai (II. ;-))

On Thu, 2017-03-23 at 17:31 +0100, Jens Reimann wrote:
> Hi everyone,
>
> There are some things we in the IoT PMC agreed upon in the past, but we never
> wrote them down. As we have now welcomed Kai (the second) to the PMC, it turns out
> he has nowhere to look that up. No one else has either.
>
> So I would like to start a discussion about writing things down, probably on a
> Wiki page, so that people and we ourselves find that information.
>
> In general the Eclipse Foundation already has a set of rules and policies on
> how to do things (like the voting). So writing this down again doesn't make any
> sense to me: if not stated otherwise, we follow these rules!
>
> ---
>
> The following is just a braindump and please correct me if I am wrong or
> suggest any changes, because now would be the right time. If something is
> unclear, please let me know and I will explain:
>
> * We simply vote for 3rd party works-with/pre-requisite requests
I assume when we refer to "vote" we mean "voting as already defined by the
Eclipse rules", e.g. after 7 days the vote concludes with simple majority etc.

Absolutely! Voting as per Eclipse defaults.

> * Transition to GitHub always gets a +1
> * We don't put any limitations on dependencies or tools project use
This means we ALWAYS approve of CQs for pre-reqs?

OK, technical limitations. Some top-level projects enforce which libraries may or may not be used; for example, they could force everybody to adopt SLF4J. However, we thought that IoT projects are so diverse, and that project leaders are smart enough to make their own decisions. So if a project thinks this is the right dependency, then we let them.

Of course we should do a pre-check for license stuff, we do have to have the vote/discussion around works-with/pre-req, and we may encourage projects to use a newer/older, slightly different dependency if we see a benefit. But if they insist, we let them make their choice.

> * The PMC +1 for a release will be concluded by a vote
Again, following the standard rules set by Eclipse, I assume.

Yes!

> * For CQs, the person giving the first comment finally closes up with a +1/-1,
> of course anyone else can comment
"Closing up" here means setting the +1/-1 flag in IPZilla, right?

Yes


> * We don't vote on projects we (PMC) are involved ourselves
But we can still process CQs filed by people from our own organization, can't we?

Yes, as long as you are not actively working on the project. For me, I simply don't vote when I am a committer on the project. But that does not only cover CQs but also other votes like committers, releases, … Of course nothing speaks against stating your opinion! Or sending the other PMCs a nagging e-mail to have a look at your stuff. The idea behind that simply is: if you +1 all your own requests, that would be odd.

>
> ---
>
> I would also like to suggest a new addition for releases:
>
> * Projects should provide a dependency report for every release
> When a project wants to do a release, we should require them to provide a
> dependency report, like [1], scanning for vulnerabilities in dependencies. The
> report must be published together with the release review and all known
> security vulnerabilities in dependencies must be disclosed in the section
> "Security Issues".
> * All fixed security issues must be disclosed in the section "Security Issues"
> as well
> * If there are none the section should contain a sentence like "No security
> issues are known in required dependencies" and "No security issues had to be
> fixed".
>
> I do think that security is important, especially for IoT. So we should put a
> focus on that, showing that Eclipse IoT projects take security seriously. I also
> think that using tools for scanning dependencies is fine and recommended, but
> not required. If a project wants to do that manually, that is fine with me as
> well.
>
> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> ---
>
> Let me know what you think
>
> Cheers
>
> Jens
>
>
>
> _______________________________________________
> iot-pmc mailing list
> iot-pmc@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://dev.eclipse.org/mailman/listinfo/iot-pmc



--
Jens Reimann
Senior Software Engineer / EMEA ENG Middleware
Werner-von-Siemens-Ring 14
85630 Grasbrunn
Germany
phone: +49 89 2050 71286
_____________________________________________________________________________

Red Hat GmbH, www.de.redhat.com,
Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
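As an added illustration of the dependency-report proposal in the quoted mail (not part of the thread, and not the configuration of the IoT PMC or of any Eclipse IoT project): this is one way a Maven-based project could produce the OWASP Dependency-Check report [1] as part of every build, so that the report is ready to attach to the release review and the "Security Issues" section can be filled from it. The plugin coordinates, goals and configuration parameters (`check`, `aggregate`, `format`, `failBuildOnCVSS`, `skipTestScope`, `suppressionFiles`) are the plugin's own; the version property, the CVSS threshold of 7 and the file name `owasp-suppressions.xml` are assumptions chosen for this example.

```xml
<!-- Added example (not the PMC's or any project's own pom.xml):
     OWASP Dependency-Check wired into a Maven build so that a report
     is produced on every build and the build fails on serious findings. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- Assumed property: pin this to a concrete released plugin version. -->
      <version>${dependency-check.version}</version>
      <executions>
        <execution>
          <goals>
            <!-- 'check' scans this module. In a multi-module reactor use
                 'aggregate' instead to get one report covering all modules. -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- HTML report for humans: this is what gets attached to the
             release review. -->
        <format>HTML</format>
        <!-- Assumed threshold: fail the build on any finding with a CVSS
             score of 7.0 or higher. Lower-scored findings still appear in
             the report and still have to be disclosed under
             "Security Issues". -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Only scan what ships: test-scoped dependencies are not part of
             the release artifact. -->
        <skipTestScope>true</skipTestScope>
        <!-- Hypothetical file name. Reviewed false positives go here, each
             with a written reason, so that suppressions are visible in the
             repository and can be re-checked at the next release. -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` writes `target/dependency-check-report.html`. Two caveats a reviewer should keep in mind: Dependency-Check identifies libraries by heuristic matching against the NVD, so the report is a list of candidates that needs triage rather than a final verdict, and every suppression should carry a reason; and the plugin has to download NVD data on first use and to refresh it regularly, so a build server without network access will scan against stale data unless the database is mirrored.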