Hi Jean, hello ops4j participants.

Given recent rush hours with log4j issues I can understand some of the concerns. However, looking at practical aspects, these issues were handled as well as they would be at the ASF. The time it took Grzegorz to release updated pax-logging was pretty short.

If people are concerned about maintenance or governance of ops4j projects they can/should share their concerns. So far we have just one statement from Matt and literally 0 security-related comments prior to this thread. It doesn't make a very solid justification for any moves in this area yet, especially since all known security issues seem to be covered.

Best,
Łukasz

On 24.02.2022 16:48, Jean-Baptiste Onofré wrote:
Hi Achim

Just wanted to share concerns I received. Basically, PAX projects are
"free fields", without strong guarantee in the release (not formal
staging/vote/review).

It doesn't mean we don't do that, it's just not strongly enforced ;)

I don't mean we *have to* do it, I'm just sharing comments that I got.

Regards
JB

On Thu, Feb 24, 2022 at 4:43 PM 'Achim Nierbeck' via OPS4J
<op...@googlegroups.com> wrote:

Hi JB,

Before I come to any conclusion, I would really like to understand what kind of 
issue/problem you would like to solve with this, which is easier to solve under 
an apache umbrella.

thanks, Achim

On Thu, Feb 24, 2022 at 15:04, Jean-Baptiste Onofré
<j...@nanthrax.net> wrote:

Hi guys,

Some of you already pinged me to share concerns about PAX projects
governance. I think it's my duty to share these concerns and discuss
possible actions.

Apache Karaf is one of the biggest consumers of PAX projects.

However, PAX projects use a "self own" designed governance:
- for contribution/IP
- for release
- for CVE/Security
- ...

And it could be seen as a major concern for Apache Karaf users, as PAX
projects are not necessarily "aligned" with Apache Foundation rules.

I would like to start a discussion on both Karaf and OPS4J communities
to "move" PAX projects as a Karaf subproject (like karaf-pax).
Concretely, it would mean that:
1. Karaf PAX projects would use org.apache.karaf.pax namespace
2. Karaf PAX releases will have to follow the Apache release process
(binding votes, 3 days vote period, ...)
3. Any active contributor on PAX projects would be invited as Karaf committer

Thoughts ?

Regards
JB



--

Apache Member
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & 
Project Lead
blog <http://notizblog.nierbeck.de/>
Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
