Re: [DISCUSSION] Move PAX projects to Apache Karaf ?

[Jean-Baptiste Onofré]

That's a very good point David. For instance, it's what I'm using for
ServiceMix Bundles (short vote period).
As soon as it's well defined in the vote email, it's possible.

Thanks for this reminder !

Regards
JB

On Fri, Feb 25, 2022 at 6:00 PM David Jencks  wrote:
>
> Slight nit…. ASF voting policy says “SHOULD” for 72 hr window, not “MUST”, 
> exactly so that in emergencies such as with log4j a fix can be voted on and 
> released within hours.
>
> David Jencks
>
> > On Feb 25, 2022, at 7:53 AM, Grzegorz Grzybek  wrote:
> >
> > Hello
> >
> > I don't have clear opinion about which "home" is better (ASF or
> > github.com/ops4j). I was thinking about this idea and here are my random
> > thoughts:
> > – [+1] for staying at GH: Not that long ago, I've migrated most of the
> > projects (18) from https://ops4j1.jira.com/ to
> > https://github.com/ops4j/*/issues - it required some effort, but IMO it was
> > worth it - it's really much faster and the "turnaround" is shorter. The
> > only (little) drawback is that we can't set more than one "fixed version"
> > values for an issue. So going back to Jira would be (IMO) stepping back.
> > – [+1] for ASF: at ASF we'd get nice CI infra to build the projects
> > – [+1] for staying at GH: I'm aware that Pax Logging is quite often used
> > outside of Karaf, so making it Karaf subproject could be confusing
> > – [-1] for ASF: Felix already provides OSGi Logging, OSGi Http Service and
> > OSGi Whiteboard implementations.
> > – [-1] for ASF: 3 day vote - while totally great practice, for know we
> > enjoy the flexibility to release Pax Logging the day the Log4j CVEs
> > disasters happened (10th December 2021)
> > – [+1] for ASF: as JBO said, ASF is a brand and it'd benefit OPS4J projects
> > – [+1] for staying at GH: the "spirit" of Open Participation would be
> > preserved. Mind that while I spent considerable amount of time refactoring
> > Pax Logging and Pax Web, I still didn't find a time to work on proper,
> > upgraded manual... Simply not that many people work on the projects.
> >
> > Bonus thought (but probably impossible) TLP Apache project... It'd however
> > conflict (?) too much with Felix and its reference implementations of OSGi
> > specs.
> >
> > kind regards, have a good weekend and prayers for peace
> > Grzegorz Grzybek
> >
> > pt., 25 lut 2022 o 11:39 Jean-Baptiste Onofré  
> > napisał(a):
> >
> >> Thanks all for your comment.
> >>
> >> Fair discussion. I agree with you, just wanted to have this open
> >> discussion and share some messages I received.
> >>
> >> Let's keep PAX as it is, at OPS4J.
> >>
> >> Thanks
> >> Regards
> >> JB
> >>
> >> On Fri, Feb 25, 2022 at 11:34 AM Łukasz Dywicki 
> >> wrote:
> >>>
> >>> I see problem similar to Achim. We still didn't hear anything about
> >>> solving a community trouble. We definitely do not solve a trouble of
> >>> ops4j community which probably do not overlap 100% with Karaf. We may be
> >>> solving some trouble for Karaf community, however we probably ask about
> >>> shifting even more work on already small set of people working on it.
> >>> We hear concerns, which might or might not be justified. I don't think
> >>> they are since there is no record of any malicious activities made by
> >>> people contributing to ops4j/pax.
> >>> People which are mainly contributing to these project are well known
> >>> (Grzegorz, JB, Achim), externals contributions are coming over pull
> >>> requests, just like they would come to the ASF, so why we should be
> >>> moving around sources? As far I remember ASF does not scan IDs of their
> >>> contributors so it can't guarantee identity of people behind
> >>> contributions as well. Back at the times I was signing my agreement I
> >>> was sending it by online fax service, so verification was very mild.
> >>> While the GPG keys is some kind of resort, a lot of people (including
> >>> myself) have self signed key which is as good as my ssh key I use to
> >>> push things to git.
> >>>
> >>> The big customers can become part of community if they wish, no matter
> >>> where project is hosted - at github or at ASF. So far it seems to me
> >>> that they are asking for favor without giving anything back to
> >>> communities which will be affected.
> >>>
> >>> Best,
> >>> Łukasz
> >>>
> >>> On 25.02.2022 08:43, Achim Nierbeck wrote:
>  Hi,
> 
>  I'm sorry to be a PITA :)
>  What I've read so far has been feelings, one concern of perception by
> >> "big"
>  customers.
>  I would really like to know, which problem we are trying to solve by
> >> moving
>  the pax projects under the umbrella of Karaf.
>  Or what I personally would favor under their own tlp of the ASF.
> 
>  Just to clarify, I'm trying the 5 W's here ...
>  Why do you think it's a good idea to move the Pax Projects under the
> >> karaf
>  umbrella?
>  Why do you think customers have a wrong perception of the Pax Projects
> >> ...
>  and so on ...
> 
> 
>  What

Re: [DISCUSSION] Move PAX projects to Apache Karaf ?

[David Jencks]

Slight nit…. ASF voting policy says “SHOULD” for 72 hr window, not “MUST”, 
exactly so that in emergencies such as with log4j a fix can be voted on and 
released within hours.

David Jencks

> On Feb 25, 2022, at 7:53 AM, Grzegorz Grzybek  wrote:
> 
> Hello
> 
> I don't have clear opinion about which "home" is better (ASF or
> github.com/ops4j). I was thinking about this idea and here are my random
> thoughts:
> – [+1] for staying at GH: Not that long ago, I've migrated most of the
> projects (18) from https://ops4j1.jira.com/ to
> https://github.com/ops4j/*/issues - it required some effort, but IMO it was
> worth it - it's really much faster and the "turnaround" is shorter. The
> only (little) drawback is that we can't set more than one "fixed version"
> values for an issue. So going back to Jira would be (IMO) stepping back.
> – [+1] for ASF: at ASF we'd get nice CI infra to build the projects
> – [+1] for staying at GH: I'm aware that Pax Logging is quite often used
> outside of Karaf, so making it Karaf subproject could be confusing
> – [-1] for ASF: Felix already provides OSGi Logging, OSGi Http Service and
> OSGi Whiteboard implementations.
> – [-1] for ASF: 3 day vote - while totally great practice, for know we
> enjoy the flexibility to release Pax Logging the day the Log4j CVEs
> disasters happened (10th December 2021)
> – [+1] for ASF: as JBO said, ASF is a brand and it'd benefit OPS4J projects
> – [+1] for staying at GH: the "spirit" of Open Participation would be
> preserved. Mind that while I spent considerable amount of time refactoring
> Pax Logging and Pax Web, I still didn't find a time to work on proper,
> upgraded manual... Simply not that many people work on the projects.
> 
> Bonus thought (but probably impossible) TLP Apache project... It'd however
> conflict (?) too much with Felix and its reference implementations of OSGi
> specs.
> 
> kind regards, have a good weekend and prayers for peace
> Grzegorz Grzybek
> 
> pt., 25 lut 2022 o 11:39 Jean-Baptiste Onofré  napisał(a):
> 
>> Thanks all for your comment.
>> 
>> Fair discussion. I agree with you, just wanted to have this open
>> discussion and share some messages I received.
>> 
>> Let's keep PAX as it is, at OPS4J.
>> 
>> Thanks
>> Regards
>> JB
>> 
>> On Fri, Feb 25, 2022 at 11:34 AM Łukasz Dywicki 
>> wrote:
>>> 
>>> I see problem similar to Achim. We still didn't hear anything about
>>> solving a community trouble. We definitely do not solve a trouble of
>>> ops4j community which probably do not overlap 100% with Karaf. We may be
>>> solving some trouble for Karaf community, however we probably ask about
>>> shifting even more work on already small set of people working on it.
>>> We hear concerns, which might or might not be justified. I don't think
>>> they are since there is no record of any malicious activities made by
>>> people contributing to ops4j/pax.
>>> People which are mainly contributing to these project are well known
>>> (Grzegorz, JB, Achim), externals contributions are coming over pull
>>> requests, just like they would come to the ASF, so why we should be
>>> moving around sources? As far I remember ASF does not scan IDs of their
>>> contributors so it can't guarantee identity of people behind
>>> contributions as well. Back at the times I was signing my agreement I
>>> was sending it by online fax service, so verification was very mild.
>>> While the GPG keys is some kind of resort, a lot of people (including
>>> myself) have self signed key which is as good as my ssh key I use to
>>> push things to git.
>>> 
>>> The big customers can become part of community if they wish, no matter
>>> where project is hosted - at github or at ASF. So far it seems to me
>>> that they are asking for favor without giving anything back to
>>> communities which will be affected.
>>> 
>>> Best,
>>> Łukasz
>>> 
>>> On 25.02.2022 08:43, Achim Nierbeck wrote:
 Hi,
 
 I'm sorry to be a PITA :)
 What I've read so far has been feelings, one concern of perception by
>> "big"
 customers.
 I would really like to know, which problem we are trying to solve by
>> moving
 the pax projects under the umbrella of Karaf.
 Or what I personally would favor under their own tlp of the ASF.
 
 Just to clarify, I'm trying the 5 W's here ...
 Why do you think it's a good idea to move the Pax Projects under the
>> karaf
 umbrella?
 Why do you think customers have a wrong perception of the Pax Projects
>> ...
 and so on ...
 
 
 What is the core issue we are trying to solve here?
 As long as I don't get down to the core thing that needs to be solved
>> I'm
 not in favor of moving the pax projects anywhere.
 
 Again sorry if I'm PITA.
 
 regards, Achim
 
 
 
 Am Do., 24. Feb. 2022 um 22:44 Uhr schrieb Eric Lilja <
>> mindcoo...@gmail.com
> :
 
> Personally, I would love to see this change and the other people in my
> organization like

Re: [DISCUSSION] Move PAX projects to Apache Karaf ?

[Grzegorz Grzybek]

Hello

I don't have clear opinion about which "home" is better (ASF or
github.com/ops4j). I was thinking about this idea and here are my random
thoughts:
 – [+1] for staying at GH: Not that long ago, I've migrated most of the
projects (18) from https://ops4j1.jira.com/ to
https://github.com/ops4j/*/issues - it required some effort, but IMO it was
worth it - it's really much faster and the "turnaround" is shorter. The
only (little) drawback is that we can't set more than one "fixed version"
values for an issue. So going back to Jira would be (IMO) stepping back.
 – [+1] for ASF: at ASF we'd get nice CI infra to build the projects
 – [+1] for staying at GH: I'm aware that Pax Logging is quite often used
outside of Karaf, so making it Karaf subproject could be confusing
 – [-1] for ASF: Felix already provides OSGi Logging, OSGi Http Service and
OSGi Whiteboard implementations.
 – [-1] for ASF: 3 day vote - while totally great practice, for know we
enjoy the flexibility to release Pax Logging the day the Log4j CVEs
disasters happened (10th December 2021)
 – [+1] for ASF: as JBO said, ASF is a brand and it'd benefit OPS4J projects
 – [+1] for staying at GH: the "spirit" of Open Participation would be
preserved. Mind that while I spent considerable amount of time refactoring
Pax Logging and Pax Web, I still didn't find a time to work on proper,
upgraded manual... Simply not that many people work on the projects.

Bonus thought (but probably impossible) TLP Apache project... It'd however
conflict (?) too much with Felix and its reference implementations of OSGi
specs.

kind regards, have a good weekend and prayers for peace
Grzegorz Grzybek

pt., 25 lut 2022 o 11:39 Jean-Baptiste Onofré  napisał(a):

> Thanks all for your comment.
>
> Fair discussion. I agree with you, just wanted to have this open
> discussion and share some messages I received.
>
> Let's keep PAX as it is, at OPS4J.
>
> Thanks
> Regards
> JB
>
> On Fri, Feb 25, 2022 at 11:34 AM Łukasz Dywicki 
> wrote:
> >
> > I see problem similar to Achim. We still didn't hear anything about
> > solving a community trouble. We definitely do not solve a trouble of
> > ops4j community which probably do not overlap 100% with Karaf. We may be
> > solving some trouble for Karaf community, however we probably ask about
> > shifting even more work on already small set of people working on it.
> > We hear concerns, which might or might not be justified. I don't think
> > they are since there is no record of any malicious activities made by
> > people contributing to ops4j/pax.
> > People which are mainly contributing to these project are well known
> > (Grzegorz, JB, Achim), externals contributions are coming over pull
> > requests, just like they would come to the ASF, so why we should be
> > moving around sources? As far I remember ASF does not scan IDs of their
> > contributors so it can't guarantee identity of people behind
> > contributions as well. Back at the times I was signing my agreement I
> > was sending it by online fax service, so verification was very mild.
> > While the GPG keys is some kind of resort, a lot of people (including
> > myself) have self signed key which is as good as my ssh key I use to
> > push things to git.
> >
> > The big customers can become part of community if they wish, no matter
> > where project is hosted - at github or at ASF. So far it seems to me
> > that they are asking for favor without giving anything back to
> > communities which will be affected.
> >
> > Best,
> > Łukasz
> >
> > On 25.02.2022 08:43, Achim Nierbeck wrote:
> > > Hi,
> > >
> > > I'm sorry to be a PITA :)
> > > What I've read so far has been feelings, one concern of perception by
> "big"
> > > customers.
> > > I would really like to know, which problem we are trying to solve by
> moving
> > > the pax projects under the umbrella of Karaf.
> > > Or what I personally would favor under their own tlp of the ASF.
> > >
> > > Just to clarify, I'm trying the 5 W's here ...
> > > Why do you think it's a good idea to move the Pax Projects under the
> karaf
> > > umbrella?
> > > Why do you think customers have a wrong perception of the Pax Projects
> ...
> > > and so on ...
> > >
> > >
> > > What is the core issue we are trying to solve here?
> > > As long as I don't get down to the core thing that needs to be solved
> I'm
> > > not in favor of moving the pax projects anywhere.
> > >
> > > Again sorry if I'm PITA.
> > >
> > > regards, Achim
> > >
> > >
> > >
> > > Am Do., 24. Feb. 2022 um 22:44 Uhr schrieb Eric Lilja <
> mindcoo...@gmail.com
> > >> :
> > >
> > >> Personally, I would love to see this change and the other people in my
> > >> organization liked the proposal as well.
> > >>
> > >> - Eric L
> > >>
> > >> On Thu, Feb 24, 2022 at 3:04 PM Jean-Baptiste Onofré  >
> > >> wrote:
> > >>
> > >>> Hi guys,
> > >>>
> > >>> Some of you already pinged me to share concerns about PAX projects
> > >>> governance. I think it's my duty to share these concerns and discuss
> 

Re: [DISCUSSION] Move PAX projects to Apache Karaf ?

[Jean-Baptiste Onofré]

Thanks all for your comment.

Fair discussion. I agree with you, just wanted to have this open
discussion and share some messages I received.

Let's keep PAX as it is, at OPS4J.

Thanks
Regards
JB

On Fri, Feb 25, 2022 at 11:34 AM Łukasz Dywicki  wrote:
>
> I see problem similar to Achim. We still didn't hear anything about
> solving a community trouble. We definitely do not solve a trouble of
> ops4j community which probably do not overlap 100% with Karaf. We may be
> solving some trouble for Karaf community, however we probably ask about
> shifting even more work on already small set of people working on it.
> We hear concerns, which might or might not be justified. I don't think
> they are since there is no record of any malicious activities made by
> people contributing to ops4j/pax.
> People which are mainly contributing to these project are well known
> (Grzegorz, JB, Achim), externals contributions are coming over pull
> requests, just like they would come to the ASF, so why we should be
> moving around sources? As far I remember ASF does not scan IDs of their
> contributors so it can't guarantee identity of people behind
> contributions as well. Back at the times I was signing my agreement I
> was sending it by online fax service, so verification was very mild.
> While the GPG keys is some kind of resort, a lot of people (including
> myself) have self signed key which is as good as my ssh key I use to
> push things to git.
>
> The big customers can become part of community if they wish, no matter
> where project is hosted - at github or at ASF. So far it seems to me
> that they are asking for favor without giving anything back to
> communities which will be affected.
>
> Best,
> Łukasz
>
> On 25.02.2022 08:43, Achim Nierbeck wrote:
> > Hi,
> >
> > I'm sorry to be a PITA :)
> > What I've read so far has been feelings, one concern of perception by "big"
> > customers.
> > I would really like to know, which problem we are trying to solve by moving
> > the pax projects under the umbrella of Karaf.
> > Or what I personally would favor under their own tlp of the ASF.
> >
> > Just to clarify, I'm trying the 5 W's here ...
> > Why do you think it's a good idea to move the Pax Projects under the karaf
> > umbrella?
> > Why do you think customers have a wrong perception of the Pax Projects ...
> > and so on ...
> >
> >
> > What is the core issue we are trying to solve here?
> > As long as I don't get down to the core thing that needs to be solved I'm
> > not in favor of moving the pax projects anywhere.
> >
> > Again sorry if I'm PITA.
> >
> > regards, Achim
> >
> >
> >
> > Am Do., 24. Feb. 2022 um 22:44 Uhr schrieb Eric Lilja  >> :
> >
> >> Personally, I would love to see this change and the other people in my
> >> organization liked the proposal as well.
> >>
> >> - Eric L
> >>
> >> On Thu, Feb 24, 2022 at 3:04 PM Jean-Baptiste Onofré 
> >> wrote:
> >>
> >>> Hi guys,
> >>>
> >>> Some of you already pinged me to share concerns about PAX projects
> >>> governance. I think it's my duty to share these concerns and discuss
> >>> possible actions.
> >>>
> >>> Apache Karaf is one of the biggest consumers of PAX projects.
> >>>
> >>> However, PAX projects use a "self own" designed governance:
> >>> - for contribution/IP
> >>> - for release
> >>> - for CVE/Security
> >>> - ...
> >>>
> >>> And it could be seen as a major concern for Apache Karaf users, as PAX
> >>> projects are not necessarily "aligned" with Apache Foundation rules.
> >>>
> >>> I would like to start a discussion on both Karaf and OPS4J communities
> >>> to "move" PAX projects as Karaf subproject (like karaf-pax).
> >>> Concretely, it would mean that:
> >>> 1. Karaf PAX projects would use org.apache.karaf.pax namespace
> >>> 2. Karaf PAX releases will have to follow the Apache release process
> >>> (binding votes, 3 days vote period, ...)
> >>> 3. Any active contributor on PAX projects would be invited as Karaf
> >>> committer
> >>>
> >>> Thoughts ?
> >>>
> >>> Regards
> >>> JB
> >>>
> >>
> >
> >
>
> --
> --
> --
> OPS4J - http://www.ops4j.org - op...@googlegroups.com
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "OPS4J" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ops4j+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ops4j/5ff43da6-8d5f-43f4-e6e6-86af4fb162b9%40code-house.org.

Re: [DISCUSSION] Move PAX projects to Apache Karaf ?

[Łukasz Dywicki]

I see problem similar to Achim. We still didn't hear anything about 
solving a community trouble. We definitely do not solve a trouble of 
ops4j community which probably do not overlap 100% with Karaf. We may be 
solving some trouble for Karaf community, however we probably ask about 
shifting even more work on already small set of people working on it.
We hear concerns, which might or might not be justified. I don't think 
they are since there is no record of any malicious activities made by 
people contributing to ops4j/pax.
People which are mainly contributing to these project are well known 
(Grzegorz, JB, Achim), externals contributions are coming over pull 
requests, just like they would come to the ASF, so why we should be 
moving around sources? As far I remember ASF does not scan IDs of their 
contributors so it can't guarantee identity of people behind 
contributions as well. Back at the times I was signing my agreement I 
was sending it by online fax service, so verification was very mild. 
While the GPG keys is some kind of resort, a lot of people (including 
myself) have self signed key which is as good as my ssh key I use to 
push things to git.


The big customers can become part of community if they wish, no matter 
where project is hosted - at github or at ASF. So far it seems to me 
that they are asking for favor without giving anything back to 
communities which will be affected.


Best,
Łukasz

On 25.02.2022 08:43, Achim Nierbeck wrote:

Hi,

I'm sorry to be a PITA :)
What I've read so far has been feelings, one concern of perception by "big"
customers.
I would really like to know, which problem we are trying to solve by moving
the pax projects under the umbrella of Karaf.
Or what I personally would favor under their own tlp of the ASF.

Just to clarify, I'm trying the 5 W's here ...
Why do you think it's a good idea to move the Pax Projects under the karaf
umbrella?
Why do you think customers have a wrong perception of the Pax Projects ...
and so on ...


What is the core issue we are trying to solve here?
As long as I don't get down to the core thing that needs to be solved I'm
not in favor of moving the pax projects anywhere.

Again sorry if I'm PITA.

regards, Achim



Am Do., 24. Feb. 2022 um 22:44 Uhr schrieb Eric Lilja 
:



Personally, I would love to see this change and the other people in my
organization liked the proposal as well.

- Eric L

On Thu, Feb 24, 2022 at 3:04 PM Jean-Baptiste Onofré 
wrote:


Hi guys,

Some of you already pinged me to share concerns about PAX projects
governance. I think it's my duty to share these concerns and discuss
possible actions.

Apache Karaf is one of the biggest consumers of PAX projects.

However, PAX projects use a "self own" designed governance:
- for contribution/IP
- for release
- for CVE/Security
- ...

And it could be seen as a major concern for Apache Karaf users, as PAX
projects are not necessarily "aligned" with Apache Foundation rules.

I would like to start a discussion on both Karaf and OPS4J communities
to "move" PAX projects as Karaf subproject (like karaf-pax).
Concretely, it would mean that:
1. Karaf PAX projects would use org.apache.karaf.pax namespace
2. Karaf PAX releases will have to follow the Apache release process
(binding votes, 3 days vote period, ...)
3. Any active contributor on PAX projects would be invited as Karaf
committer

Thoughts ?

Regards
JB

Re: [DISCUSSION] Move PAX projects to Apache Karaf ?

[Achim Nierbeck]

Hi,

I'm sorry to be a PITA :)
What I've read so far has been feelings, one concern of perception by "big"
customers.
I would really like to know, which problem we are trying to solve by moving
the pax projects under the umbrella of Karaf.
Or what I personally would favor under their own tlp of the ASF.

Just to clarify, I'm trying the 5 W's here ...
Why do you think it's a good idea to move the Pax Projects under the karaf
umbrella?
Why do you think customers have a wrong perception of the Pax Projects ...
and so on ...


What is the core issue we are trying to solve here?
As long as I don't get down to the core thing that needs to be solved I'm
not in favor of moving the pax projects anywhere.

Again sorry if I'm PITA.

regards, Achim



Am Do., 24. Feb. 2022 um 22:44 Uhr schrieb Eric Lilja :

> Personally, I would love to see this change and the other people in my
> organization liked the proposal as well.
>
> - Eric L
>
> On Thu, Feb 24, 2022 at 3:04 PM Jean-Baptiste Onofré 
> wrote:
>
> > Hi guys,
> >
> > Some of you already pinged me to share concerns about PAX projects
> > governance. I think it's my duty to share these concerns and discuss
> > possible actions.
> >
> > Apache Karaf is one of the biggest consumers of PAX projects.
> >
> > However, PAX projects use a "self own" designed governance:
> > - for contribution/IP
> > - for release
> > - for CVE/Security
> > - ...
> >
> > And it could be seen as a major concern for Apache Karaf users, as PAX
> > projects are not necessarily "aligned" with Apache Foundation rules.
> >
> > I would like to start a discussion on both Karaf and OPS4J communities
> > to "move" PAX projects as Karaf subproject (like karaf-pax).
> > Concretely, it would mean that:
> > 1. Karaf PAX projects would use org.apache.karaf.pax namespace
> > 2. Karaf PAX releases will have to follow the Apache release process
> > (binding votes, 3 days vote period, ...)
> > 3. Any active contributor on PAX projects would be invited as Karaf
> > committer
> >
> > Thoughts ?
> >
> > Regards
> > JB
> >
>


-- 

Apache Member
Apache Karaf  Committer & PMC
OPS4J Pax Web  Committer &
Project Lead
blog 
Co-Author of Apache Karaf Cookbook 

Re: [DISCUSSION] Move PAX projects to Apache Karaf ?

[Eric Lilja]

Personally, I would love to see this change and the other people in my
organization liked the proposal as well.

- Eric L

On Thu, Feb 24, 2022 at 3:04 PM Jean-Baptiste Onofré 
wrote:

> Hi guys,
>
> Some of you already pinged me to share concerns about PAX projects
> governance. I think it's my duty to share these concerns and discuss
> possible actions.
>
> Apache Karaf is one of the biggest consumers of PAX projects.
>
> However, PAX projects use a "self own" designed governance:
> - for contribution/IP
> - for release
> - for CVE/Security
> - ...
>
> And it could be seen as a major concern for Apache Karaf users, as PAX
> projects are not necessarily "aligned" with Apache Foundation rules.
>
> I would like to start a discussion on both Karaf and OPS4J communities
> to "move" PAX projects as Karaf subproject (like karaf-pax).
> Concretely, it would mean that:
> 1. Karaf PAX projects would use org.apache.karaf.pax namespace
> 2. Karaf PAX releases will have to follow the Apache release process
> (binding votes, 3 days vote period, ...)
> 3. Any active contributor on PAX projects would be invited as Karaf
> committer
>
> Thoughts ?
>
> Regards
> JB
>

Re: [DISCUSSION] Move PAX projects to Apache Karaf ?

[Robert Varga]

On 24/02/2022 16:48, Jean-Baptiste Onofré wrote:

Hi Achim

Just wanted to share concerns I received. Basically, PAX projects are
"free fields", without strong guarantee in the release (not formal
staging/vote/review).

It doesn't mean we don't do that, it's just not strongly enforced;)


Hello,

I think this is a matter of perception and communication.

As a downstream of a number of ASF projects as well being a committer of 
a number under-staffed FOSS project myself, I can see only one benefit 
here -- which is migration of issues to ASF JIRA.


None of the technical details will change, nor will responsiveness, nor 
the release cadence/quality, really -- unless Karaf committers actually 
take interest in that codebase. Those aspects are driven by community 
participants and not by the umbrella under which the project operates.


I have two examples for ASF projects:

1. https://issues.apache.org/jira/browse/ARIES-1826 has been sitting 
there for better part of three years without a release


2. SSHD is very responsive, with people rotating, but it is at ~6 months 
release cadence and those releases have caused regressions in the past 
-- i.e. as a downstream we had to hold back and/or apply workarounds 
like 
https://github.com/opendaylight/netconf/commit/f25f45ff27c8a7c7df780df609ec33f6662ea61e#diff-15197c97491b43d179750a5b8ea9ab1f141373544171185da9170a773faee414R21


So, with due respect to whoever has that concerns, my message is clear: 
changing governance and/or the umbrella will not address them. Boots on 
the ground will.


Regards,
Robert


OpenPGP_signature
Description: OpenPGP digital signature

Re: [DISCUSSION] Move PAX projects to Apache Karaf ?

[Łukasz Dywicki]

Hi Jean, hello ops4j participants.

Given recent rush hours with log4j issues I can understand some of the 
concerns. However, looking at practical aspects, these issues were 
handled as good as they would be at the ASF. Time it took Grzegorz to 
release updated pax-logging was pretty short.


If people are concerned about maintenance or governance of ops4j 
projects they can/should share their concerns. So far we have just one 
statement from Matt and literally 0 of the security related comments 
prior this thread. It doesn't make a very solid justification for any 
moves in this area yet, especially that all known security issues seem 
to be covered.


Best,
Łukasz

On 24.02.2022 16:48, Jean-Baptiste Onofré wrote:

Hi Achim

Just wanted to share concerns I received. Basically, PAX projects are
"free fields", without strong guarantee in the release (not formal
staging/vote/review).

It doesn't mean we don't do that, it's just not strongly enforced ;)

I don't mean we *have to* do it, I'm just sharing comments that I got.

Regards
JB

On Thu, Feb 24, 2022 at 4:43 PM 'Achim Nierbeck' via OPS4J
 wrote:


Hi JB,

Before I come to any conclusion, I would really like to understand what kind of 
issue/problem you would like to solve with this, which is easier to solve under 
an apache umbrella.

thanks, Achim

Am Do., 24. Feb. 2022 um 15:04 Uhr schrieb Jean-Baptiste Onofré 
:


Hi guys,

Some of you already pinged me to share concerns about PAX projects
governance. I think it's my duty to share these concerns and discuss
possible actions.

Apache Karaf is one of the biggest consumers of PAX projects.

However, PAX projects use a "self own" designed governance:
- for contribution/IP
- for release
- for CVE/Security
- ...

And it could be seen as a major concern for Apache Karaf users, as PAX
projects are not necessarily "aligned" with Apache Foundation rules.

I would like to start a discussion on both Karaf and OPS4J communities
to "move" PAX projects as Karaf subproject (like karaf-pax).
Concretely, it would mean that:
1. Karaf PAX projects would use org.apache.karaf.pax namespace
2. Karaf PAX releases will have to follow the Apache release process
(binding votes, 3 days vote period, ...)
3. Any active contributor on PAX projects would be invited as Karaf committer

Thoughts ?

Regards
JB




--

Apache Member
Apache Karaf  Committer & PMC
OPS4J Pax Web  Committer & 
Project Lead
blog 
Co-Author of Apache Karaf Cookbook 

--
--
--
OPS4J - http://www.ops4j.org - op...@googlegroups.com

---
You received this message because you are subscribed to the Google Groups 
"OPS4J" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ops4j+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ops4j/CAD0r13d2v73ipZrZOD3r9oL9wtSKZj7x2dc4%2By6sWg1rRyvWow%40mail.gmail.com.

Re: [DISCUSSION] Move PAX projects to Apache Karaf ?

[Jean-Baptiste Onofré]

Hi Achim

Just wanted to share concerns I received. Basically, PAX projects are
"free fields", without strong guarantee in the release (not formal
staging/vote/review).

It doesn't mean we don't do that, it's just not strongly enforced ;)

I don't mean we *have to* do it, I'm just sharing comments that I got.

Regards
JB

On Thu, Feb 24, 2022 at 4:43 PM 'Achim Nierbeck' via OPS4J
 wrote:
>
> Hi JB,
>
> Before I come to any conclusion, I would really like to understand what kind 
> of issue/problem you would like to solve with this, which is easier to solve 
> under an apache umbrella.
>
> thanks, Achim
>
> Am Do., 24. Feb. 2022 um 15:04 Uhr schrieb Jean-Baptiste Onofré 
> :
>>
>> Hi guys,
>>
>> Some of you already pinged me to share concerns about PAX projects
>> governance. I think it's my duty to share these concerns and discuss
>> possible actions.
>>
>> Apache Karaf is one of the biggest consumers of PAX projects.
>>
>> However, PAX projects use a "self own" designed governance:
>> - for contribution/IP
>> - for release
>> - for CVE/Security
>> - ...
>>
>> And it could be seen as a major concern for Apache Karaf users, as PAX
>> projects are not necessarily "aligned" with Apache Foundation rules.
>>
>> I would like to start a discussion on both Karaf and OPS4J communities
>> to "move" PAX projects as Karaf subproject (like karaf-pax).
>> Concretely, it would mean that:
>> 1. Karaf PAX projects would use org.apache.karaf.pax namespace
>> 2. Karaf PAX releases will have to follow the Apache release process
>> (binding votes, 3 days vote period, ...)
>> 3. Any active contributor on PAX projects would be invited as Karaf committer
>>
>> Thoughts ?
>>
>> Regards
>> JB
>
>
>
> --
>
> Apache Member
> Apache Karaf  Committer & PMC
> OPS4J Pax Web  Committer & 
> Project Lead
> blog 
> Co-Author of Apache Karaf Cookbook 
>
> --
> --
> --
> OPS4J - http://www.ops4j.org - op...@googlegroups.com
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "OPS4J" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ops4j+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ops4j/CAD0r13d2v73ipZrZOD3r9oL9wtSKZj7x2dc4%2By6sWg1rRyvWow%40mail.gmail.com.

Re: [DISCUSSION] Move PAX projects to Apache Karaf ?

[Achim Nierbeck]

Hi JB,

Before I come to any conclusion, I would really like to understand what
kind of issue/problem you would like to solve with this, which is easier to
solve under an apache umbrella.

thanks, Achim

Am Do., 24. Feb. 2022 um 15:04 Uhr schrieb Jean-Baptiste Onofré <
j...@nanthrax.net>:

> Hi guys,
>
> Some of you already pinged me to share concerns about PAX projects
> governance. I think it's my duty to share these concerns and discuss
> possible actions.
>
> Apache Karaf is one of the biggest consumers of PAX projects.
>
> However, PAX projects use a "self own" designed governance:
> - for contribution/IP
> - for release
> - for CVE/Security
> - ...
>
> And it could be seen as a major concern for Apache Karaf users, as PAX
> projects are not necessarily "aligned" with Apache Foundation rules.
>
> I would like to start a discussion on both Karaf and OPS4J communities
> to "move" PAX projects as Karaf subproject (like karaf-pax).
> Concretely, it would mean that:
> 1. Karaf PAX projects would use org.apache.karaf.pax namespace
> 2. Karaf PAX releases will have to follow the Apache release process
> (binding votes, 3 days vote period, ...)
> 3. Any active contributor on PAX projects would be invited as Karaf
> committer
>
> Thoughts ?
>
> Regards
> JB
>


-- 

Apache Member
Apache Karaf  Committer & PMC
OPS4J Pax Web  Committer &
Project Lead
blog 
Co-Author of Apache Karaf Cookbook 

Re: [DISCUSSION] Move PAX projects to Apache Karaf ?

[Łukasz Dywicki]

I am not sure if concerns about PAX projects are fully justified, simply 
because they are being released and still worked on. While team of 
people working on it have shrunk over time, I haven't had any troubles 
with them for long time.
The contribution regulation is not an issue. It does work as for every 
other small project hosted at github, license is ASLv2 so each pull 
request (in theory) is inline with it.


I agree that our dependency chain strongly rely on PAX releases and 
there were parts which had to be first released in PAX in order to get 
next major release of Karaf. I think we need to answer ourselves a basic 
question - does moving PAX into ASF will:

a) ease already easy contribution path for it
b) increase pool of people working on it
c) speed up already fast release cycle of it?
I don't think that any of above points will change since contributing to 
non-apache projects was in the past easier. Not sure for nowadays as we 
got git and can have pull requests accepted directly at github, but 
still - what is an advantage for the community here?


From legal perspective I think moving these components a a whole into 
Karaf will not fly without making some IP clearance first. Even if PAX 
projects are libraries/components they have a whole bunch of code which 
can't be copied just because we like to host it at ASF, isn't it?
Another point is that Karaf itself become pretty fat so I'd rather think 
of chunking Karaf into smaller parts than pushing more stuff into it. 
Looking at Karaf source tree it looks as big as servicemix 4 at its 
early days; difference is - we have less people working on Karaf than on 
servicemix before. At least according to own observations.


Best,
Łukasz

On 24.02.2022 15:03, Jean-Baptiste Onofré wrote:

Hi guys,

Some of you already pinged me to share concerns about PAX projects
governance. I think it's my duty to share these concerns and discuss
possible actions.

Apache Karaf is one of the biggest consumers of PAX projects.

However, PAX projects use a "self own" designed governance:
- for contribution/IP
- for release
- for CVE/Security
- ...

And it could be seen as a major concern for Apache Karaf users, as PAX
projects are not necessarily "aligned" with Apache Foundation rules.

I would like to start a discussion on both Karaf and OPS4J communities
to "move" PAX projects as Karaf subproject (like karaf-pax).
Concretely, it would mean that:
1. Karaf PAX projects would use org.apache.karaf.pax namespace
2. Karaf PAX releases will have to follow the Apache release process
(binding votes, 3 days vote period, ...)
3. Any active contributor on PAX projects would be invited as Karaf committer

Thoughts ?

Regards
JB

[DISCUSSION] Move PAX projects to Apache Karaf ?

[Jean-Baptiste Onofré]

Hi guys,

Some of you already pinged me to share concerns about PAX projects
governance. I think it's my duty to share these concerns and discuss
possible actions.

Apache Karaf is one of the biggest consumers of PAX projects.

However, PAX projects use a "self own" designed governance:
- for contribution/IP
- for release
- for CVE/Security
- ...

And it could be seen as a major concern for Apache Karaf users, as PAX
projects are not necessarily "aligned" with Apache Foundation rules.

I would like to start a discussion on both Karaf and OPS4J communities
to "move" PAX projects as Karaf subproject (like karaf-pax).
Concretely, it would mean that:
1. Karaf PAX projects would use org.apache.karaf.pax namespace
2. Karaf PAX releases will have to follow the Apache release process
(binding votes, 3 days vote period, ...)
3. Any active contributor on PAX projects would be invited as Karaf committer

Thoughts ?

Regards
JB