Tom

Generally the only requirement is that you create a JIRA and report the JIRA id in the commit message. Creating a JIRA also helps the contributor to understand/classify the problem and the proposed solution.
I forgot to add that there should be some statement in the PR comments that tells that the contributor agrees to the ASLv2 terms, at least for the first pull requests.

I really appreciate this work of MuseDev.
Let's try to make it work the best as possible.

Enrico

On Sat, Oct 3, 2020, 07:18 Tom DuBuisson <to...@muse.dev> wrote:

>> Perhaps Muse.dev can work with us to automate the process of creating
>> tickets for the issues that were raised?
>
> We don't have any way to automatically open matching JIRA issues but can certainly guide the new contributors to the right steps. I'll check in with them on their respective PRs.
>
> On Fri, Oct 2, 2020 at 8:34 AM Rich Bowen <rbo...@rcbowen.com> wrote:
>
>> I know you're not asking me, but with my Community Development hat on, I strenuously encourage you to view this as an opportunity to bring on new contributors, and couch your response accordingly. Anything that comes across as scolding them for Doing It Wrong is going to leave a bad taste and possibly lose new contributors, particularly when we invited them to participate in this process. We did invite them, and we did point them to the issues, via Muse.dev. Perhaps Muse.dev can work with us to automate the process of creating tickets for the issues that were raised?
>>
>> On 10/2/20 11:26 AM, Enrico Olivelli wrote:
>>> Hey !
>>> it looks like the Bug bash has brought a few Pull Requests
>>> https://github.com/apache/zookeeper/pulls
>>>
>>> Unfortunately they are not following the contribution guidelines (for instance there is no associated JIRA)
>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/HowToContribute
>>>
>>> Most of the PRs are about trivial fixes, I am not sure if a JIRA is deserved.
>>>
>>> What should we do?
>>>
>>> My proposal is to ping the contributor in order to obey the guide and then finally accept the patches, as Michael Han did in this patch
>>> https://github.com/apache/zookeeper/pull/1470
>>>
>>> I don't want to see those patches remaining on github as low hanging fruit, so it is better that we decide how to work on them,
>>> another option is to close them as invalid (It would be a pity IMHO)
>>>
>>> Enrico
>>>
>>> On Mon, Sep 28, 2020 at 15:03 Tom DuBuisson <to...@muse.dev> wrote:
>>>
>>>> Enrico,
>>>> That sounds great. We'll get the repo activated.
>>>>
>>>> Tom
>>>>
>>>> On Sun, Sep 27, 2020, 11:11 PM Enrico Olivelli <eolive...@gmail.com> wrote:
>>>>
>>>>> Tom
>>>>> Overall I think that we can move forward.
>>>>>
>>>>> This thread has been around for a while, there are no objections, every question has been answered.
>>>>>
>>>>> Thank you very much
>>>>>
>>>>> I hope this activity will help in growing Zookeeper project both in code quality and with more contributions, that is to help the community to grow.
>>>>>
>>>>> Best regards
>>>>>
>>>>> Enrico
>>>>>
>>>>> On Mon, Sep 28, 2020, 01:27 Tom DuBuisson <to...@muse.dev> wrote:
>>>>>
>>>>>> Norbert,
>>>>>>
>>>>>> Yes, you understand that correctly. And those analyzers are FindSecBugs, Error Prone and Infer. All open source and in moderate to wide use already. Only find sec bugs is security specific - Infer and Error Prone might find security bugs but they are more general purpose in nature.
>>>>>>
>>>>>> -Tom
>>>>>>
>>>>>> On Sun, Sep 27, 2020 at 3:43 PM Norbert Kalmar <nkal...@cloudera.com.invalid> wrote:
>>>>>>
>>>>>>> Hello Tom,
>>>>>>>
>>>>>>> +1 on the initiative, thanks for bringing this to our attention.
>>>>>>>
>>>>>>> If I understand correctly, there will be no disclosed security issues which cannot be found with open source static analyzers.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Norbert
>>>>>>>
>>>>>>> On Sun, Sep 27, 2020 at 8:23 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hello Guys,
>>>>>>>>
>>>>>>>> In general I like the idea, but unfortunately I can not really participate (either in the coding or in the review) as I have a few important projects close to deadline at the moment.
>>>>>>>>
>>>>>>>> My only concern is with the security bugs, which I don't like to be openly reported before publishing a release with the fix. But for any other kind of bugfixes / improvements, I am very positive with the initiative.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Mate
>>>>>>>>
>>>>>>>> On Sun, Sep 27, 2020, 07:06 Tom DuBuisson <to...@muse.dev> wrote:
>>>>>>>>
>>>>>>>>> Enrico et al,
>>>>>>>>>
>>>>>>>>> Are there other thoughts on this? It would be great to get setup before the bash actually begins. Enrico, lacking other voices would you like to make a final call?
>>>>>>>>>
>>>>>>>>> -Tom
>>>>>>>>>
>>>>>>>>> On Thu, Sep 24, 2020 at 3:30 AM Enrico Olivelli <eolive...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Tom,
>>>>>>>>>> Personally I am +1 with this proposal. Thanks for your clarifications.
>>>>>>>>>>
>>>>>>>>>> But we should hear opinions from other people in this list
>>>>>>>>>>
>>>>>>>>>> Enrico
>>>>>>>>>>
>>>>>>>>>> On Wed, Sep 23, 2020 at 23:51 Tom DuBuisson <to...@muse.dev> wrote:
>>>>>>>>>>
>>>>>>>>>>> Enrico,
>>>>>>>>>>>
>>>>>>>>>>> On the topic of security issues and reporting: Muse's default configuration is open source tools and here it is run on open source projects. The results are thus already available publicly (in this case from FSB, Infer, and Error Prone). Muse doesn't post anything to GitHub except in the case of pull requests and then only if the bug is deemed to have been "introduced" as part of the PR - meaning it shouldn't be a vulnerability in currently shipped software.
>>>>>>>>>>>
>>>>>>>>>>> If there are desires or proposals about more control over bug reports in a convenient, configurable, manner then we'd really like to dig in and hear how to help. In case there is more discussion on this point I'm CCing Andrew who leads Muse's product design.
>>>>>>>>>>>
>>>>>>>>>>> -Tom
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Sep 23, 2020 at 1:09 PM Enrico Olivelli <eolive...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Sep 23, 2020, 19:02 Tom DuBuisson <to...@muse.dev> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Enrico,
>>>>>>>>>>>>>
>>>>>>>>>>>>> The Muse App requires two main abilities. First is events, such as notification when pull requests are opened or updated. Second is permission to post comments (which is always possible for humans but more tightly controlled when the poster authenticates as a github application). The repository being public has allowed us to run the app and observe ErrorProne, Infer, and FindSecBugs all run out of the box and without custom configuration.
>>>>>>>>>>>>
>>>>>>>>>>>> Makes sense.
>>>>>>>>>>>>
>>>>>>>>>>>> One last question from my side
>>>>>>>>>>>> What about security issues?
>>>>>>>>>>>> Our policy is to have them reported to secur...@zookeeper.apache.org before public disclosure
>>>>>>>>>>>>
>>>>>>>>>>>> Enrico
>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>> Tom
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Sep 23, 2020 at 6:35 AM Enrico Olivelli <eolive...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Sep 23, 2020, 00:44 Tom DuBuisson <to...@muse.dev> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Zookeeper Developers,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> As part of our sponsorship of ApacheCon, our company MuseDev is doing a Bug Bash for select Apache projects. We'll bring members of the ApacheCon community together to find and fix a range of security and performance bugs during the conference, and gameify the experience with teams, a leaderboard, and prizes. The bash is open to everyone whether attending the conference or not, and our whole dev team will also be participating to help fix as many bugs as we can.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We're seeding the bug list with results from Muse, our code analysis platform, which runs as a Github App and comments on possible bugs as part of the pull request workflow. Here's an example of what it looks like:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://github.com/curl/curl/pull/5971#discussion_r490252196
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We explored a number of Apache projects and are reaching out because our analysis through Muse found some interesting bugs that could be fixed during the Bash.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We're writing to see if you'd be interested in having your project included in the Bash. Everything is set up on our end, and if you're interested, we would need you to say yes on this listserv, and we’ll work with the Apache Infrastructure team to grant Muse access to your Github mirror.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> It is a public repo, which kind of access does it need?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Enrico
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We'll then make sure it's all set-up and ready for the Bash. And of course, everyone on the project is most welcome to join the Bash and help us smash some bugs.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -Tom
>>
>> --
>> Rich Bowen
>> rbo...@rcbowen.com