Hi Łukasz-

I am relaying our experience from customers, since most enterprises do not 
communicate directly with communities. If there was community support for a 
transition, then any issues would be adverted-- which is my reason for 
bringing it up. As a comparison, even Debian (one of the most freedom 
focused communities) requires contributor identity verification. (ref: 
https://www.debian.org/devel/join/nm-step2).

Thank you for hearing me out.

Matt Pavlovich

On Thursday, February 24, 2022 at 11:12:12 AM UTC-6 Łukasz Dywicki wrote:

> Hi Jean, hello ops4j participants.
>
> Given recent rush hours with log4j issues I can understand some of the 
> concerns. However, looking at practical aspects, these issues were 
> handled as well as they would be at the ASF. The time it took Grzegorz to 
> release updated pax-logging was pretty short.
>
> If people are concerned about maintenance or governance of ops4j 
> projects they can/should share their concerns. So far we have just one 
> statement from Matt and literally 0 of the security related comments 
> prior to this thread. It doesn't make a very solid justification for any 
> moves in this area yet, especially that all known security issues seem 
> to be covered.
>
> Best,
> Łukasz
>
> On 24.02.2022 16:48, Jean-Baptiste Onofré wrote:
> > Hi Achim
> > 
> > Just wanted to share concerns I received. Basically, PAX projects are
> > "free fields", without strong guarantee in the release (not formal
> > staging/vote/review).
> > 
> > It doesn't mean we don't do that, it's just not strongly enforced ;)
> > 
> > I don't mean we *have to* do it, I'm just sharing comments that I got.
> > 
> > Regards
> > JB
> > 
> > On Thu, Feb 24, 2022 at 4:43 PM 'Achim Nierbeck' via OPS4J
> > <op...@googlegroups.com> wrote:
> >>
> >> Hi JB,
> >>
> >> Before I come to any conclusion, I would really like to understand what
> >> kind of issue/problem you would like to solve with this, which is easier to
> >> solve under an apache umbrella.
> >>
> >> thanks, Achim
> >>
> >> On Thu, Feb 24, 2022 at 15:04, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >>>
> >>> Hi guys,
> >>>
> >>> Some of you already pinged me to share concerns about PAX projects
> >>> governance. I think it's my duty to share these concerns and discuss
> >>> possible actions.
> >>>
> >>> Apache Karaf is one of the biggest consumers of PAX projects.
> >>>
> >>> However, PAX projects use a "self own" designed governance:
> >>> - for contribution/IP
> >>> - for release
> >>> - for CVE/Security
> >>> - ...
> >>>
> >>> And it could be seen as a major concern for Apache Karaf users, as PAX
> >>> projects are not necessarily "aligned" with Apache Foundation rules.
> >>>
> >>> I would like to start a discussion on both Karaf and OPS4J communities
> >>> to "move" PAX projects as Karaf subproject (like karaf-pax).
> >>> Concretely, it would mean that:
> >>> 1. Karaf PAX projects would use org.apache.karaf.pax namespace
> >>> 2. Karaf PAX releases will have to follow the Apache release process
> >>> (binding votes, 3 days vote period, ...)
> >>> 3. Any active contributor on PAX projects would be invited as Karaf
> >>> committer
> >>>
> >>> Thoughts ?
> >>>
> >>> Regards
> >>> JB
> >>
> >>
> >>
> >> --
> >>
> >> Apache Member
> >> Apache Karaf <http://karaf.apache.org/> Committer & PMC
> >> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead
> >> blog <http://notizblog.nierbeck.de/>
> >> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
> >>
> >> --
> >> --
> >> ------------------
> >> OPS4J - http://www.ops4j.org - op...@googlegroups.com
> >>
>
