Well obviously log4j being an ASF project has not protected it from
being affected by one of the worst bugs, neither has "solarwind" who
most probably knows all developers in person so I don't get it either,
this all for me is more a false-security feeling or just a generic "it
might be better" than any actual measure... there are enough commons-xxx
projects having nothing released for a long time.
On 30.03.22 at 08:28, 'Achim Nierbeck' via OPS4J wrote:
Hi Matt,
Again, sorry for being PITA about it, I would really like to understand
what kind of problem should be solved?
I looked at the list of people that are able to work directly on the
ops4j projects, 110.
https://github.com/orgs/ops4j/people
Then I know from the past, that we had a couple of pull requests by
people not in that list.
Where would we be better with moving those projects under the ASF umbrella?
I really would like to understand the real issue.
Thanks, Achim
On Tue, 29 March 2022 at 12:19, Matt Pavlovich
<matt.pavlov...@hyte.io> wrote:
Hello Christoph-
Again, the issue isn't a complaint. OPS4J simply does not have
verification of developer identity. More contributions or donations
won't solve that. Even the most staunch open source projects (ie
Debian) require verification of developer id.
Thank you,
Matt
On Monday, March 28, 2022 at 12:18:32 AM UTC-5 laeubi wrote:
I can only encourage everyone that gets "complains" or "concerns" of
"big business" or even single users telling them to simply start
contribution or funding OS projects they depend on:
participation/review/testing (especially upcoming versions) is the best
way to mitigate "supply-chain-attacks" instead of hoping there is any
"governance" doing this for them for free...
On 25.02.22 at 11:39, Jean-Baptiste Onofré wrote:
> Thanks all for your comment.
>
> Fair discussion. I agree with you, just wanted to have this open
> discussion and share some messages I received.
>
> Let's keep PAX as it is, at OPS4J.
>
> Thanks
> Regards
> JB
>
> On Fri, Feb 25, 2022 at 11:34 AM Łukasz Dywicki <lu...@code-house.org> wrote:
>>
>> I see problem similar to Achim. We still didn't hear anything about
>> solving a community trouble. We definitely do not solve a trouble of
>> ops4j community which probably do not overlap 100% with Karaf. We may be
>> solving some trouble for Karaf community, however we probably ask about
>> shifting even more work on already small set of people working on it.
>> We hear concerns, which might or might not be justified. I don't think
>> they are since there is no record of any malicious activities made by
>> people contributing to ops4j/pax.
>> People which are mainly contributing to these projects are well known
>> (Grzegorz, JB, Achim), external contributions are coming over pull
>> requests, just like they would come to the ASF, so why we should be
>> moving around sources? As far as I remember ASF does not scan IDs of their
>> contributors so it can't guarantee identity of people behind
>> contributions as well. Back at the times I was signing my agreement I
>> was sending it by online fax service, so verification was very mild.
>> While the GPG keys is some kind of resort, a lot of people (including
>> myself) have self signed key which is as good as my ssh key I use to
>> push things to git.
>>
>> The big customers can become part of community if they wish, no matter
>> where project is hosted - at github or at ASF. So far it seems to me
>> that they are asking for favor without giving anything back to
>> communities which will be affected.
>>
>> Best,
>> Łukasz
>>
>> On 25.02.2022 08:43, Achim Nierbeck wrote:
>>> Hi,
>>>
>>> I'm sorry to be a PITA :)
>>> What I've read so far has been feelings, one concern of perception by "big"
>>> customers.
>>> I would really like to know, which problem we are trying to solve by moving
>>> the pax projects under the umbrella of Karaf.
>>> Or what I personally would favor under their own tlp of the ASF.
>>>
>>> Just to clarify, I'm trying the 5 W's here ...
>>> Why do you think it's a good idea to move the Pax Projects under the karaf
>>> umbrella?
>>> Why do you think customers have a wrong perception of the Pax Projects ...
>>> and so on ...
>>>
>>>
>>> What is the core issue we are trying to solve here?
>>> As long as I don't get down to the core thing that needs to be solved I'm
>>> not in favor of moving the pax projects anywhere.
>>>
>>> Again sorry if I'm PITA.
>>>
>>> regards, Achim
>>>
>>>
>>>
>>> On Thu, 24 Feb 2022 at 22:44, Eric Lilja <mindc...@gmail.com> wrote:
>>>
>>>> Personally, I would love to see this change and the other people in my
>>>> organization liked the proposal as well.
>>>>
>>>> - Eric L
>>>>
>>>> On Thu, Feb 24, 2022 at 3:04 PM Jean-Baptiste Onofré <j...@nanthrax.net>
>>>> wrote:
>>>>
>>>>> Hi guys,
>>>>>
>>>>> Some of you already pinged me to share concerns about PAX projects
>>>>> governance. I think it's my duty to share these concerns and discuss
>>>>> possible actions.
>>>>>
>>>>> Apache Karaf is one of the biggest consumers of PAX projects.
>>>>>
>>>>> However, PAX projects use a "self own" designed governance:
>>>>> - for contribution/IP
>>>>> - for release
>>>>> - for CVE/Security
>>>>> - ...
>>>>>
>>>>> And it could be seen as a major concern for Apache Karaf users, as PAX
>>>>> projects are not necessarily "aligned" with Apache Foundation rules.
>>>>>
>>>>> I would like to start a discussion on both Karaf and OPS4J communities
>>>>> to "move" PAX projects as Karaf subproject (like karaf-pax).
>>>>> Concretely, it would mean that:
>>>>> 1. Karaf PAX projects would use org.apache.karaf.pax namespace
>>>>> 2. Karaf PAX releases will have to follow the Apache release process
>>>>> (binding votes, 3 days vote period, ...)
>>>>> 3. Any active contributor on PAX projects would be invited as Karaf
>>>>> committer
>>>>>
>>>>> Thoughts ?
>>>>>
>>>>> Regards
>>>>> JB
>>>>>
>>>>
>>>
>>>
>>
>> --
>> --
>> ------------------
>> OPS4J - http://www.ops4j.org - op...@googlegroups.com
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "OPS4J" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to ops4j+un...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ops4j/5ff43da6-8d5f-43f4-e6e6-86af4fb162b9%40code-house.org.
>
--
Apache Member
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead
blog <http://notizblog.nierbeck.de/>
Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>