Posted to dev@whimsical.apache.org by Craig Russell <ap...@gmail.com> on 2017/12/12 13:51:33 UTC

Project/icla

I'd like to continue the discussion on the project/icla topic.

I've been thinking about the entire process of committer invitations and the project/icla just handles the last bit. I'd like to include the whole process from discussion to vote to invite.

Discussion:

Whimsy allows a PMC/PPMC member to kick off a discussion of a potential committer/pmc member. The form has a drop down for committee and entry fields for email address and GivenName(s) FamilyName, and text. Clicking (submit) sends email to private@pmc.apache.org subject: [DISCUSS] Committer status for GivenName FamilyName and includes the email address and text that the pmc member entered and a link to whimsy.apache.org/project/discuss?token=458974235879543789. 

Pmc members can add comments from a text box that will be stored and shown to others who click the link.

Voting:

Once discussion has died down, the original pmc member can call for a vote by filling a vote text box and clicking (vote). This will send email to the pmc private list with a link to the discussion (lists.apache.org/xxx) and whimsy.apache.org/project/vote?token=458974235879543789. 

The first pmc member who clicks the link will see the vote text box and a form with:

(0) +1
(0) -1
(0) +0
(0) -0
<text box for comments>

Other pmc members who click the link will see all other votes and comments and can vote as above.

Clicking (submit) will send email to the pmc private list with all of the comments and a link to the same page.

Anyone on the pmc can close the vote by clicking (close vote). This will send email with subject [RESULT][VOTE] and an email to board with [NOTICE] GivenName FamilyName for <pmc> PMC.

After 72 hours, the pmc member can visit the whimsy.apache.org/project/vote?token=458974235879543789 link and click (invite). This will then bring up the project/icla form if the candidate does not already have an icla on file. If the candidate does already have an icla but does not have an apache id, it will bring up the account request form. Finally, if the candidate has an apache id, it will bring up the "add to project" form.

Craig L Russell
Secretary, Apache Software Foundation
clr@apache.org http://db.apache.org/jdo


Re: Project/icla

Posted by Craig Russell <ap...@gmail.com>.
> On Dec 14, 2017, at 4:45 AM, sebb <se...@gmail.com> wrote:
> 
> On 13 December 2017 at 13:42, Sam Ruby <ru...@intertwingly.net> wrote:
>> On Tue, Dec 12, 2017 at 11:39 AM, sebb <se...@gmail.com> wrote:
>>> On 12 December 2017 at 13:51, Craig Russell <ap...@gmail.com> wrote:
>>>> I'd like to continue the discussion on the project/icla topic.
>>>> 
>>>> I've been thinking about the entire process of committer invitations and the project/icla just handles the last bit. I'd like to include the whole process from discussion to vote to invite.
>>>> 
>>>> Discussion:
>>> 
>>> There are some occasions where the formal discussion is not really necessary.
>>> e.g. an informal discussion thread arises out of another thread.
>>> It's sometimes really obvious that all that's needed is the vote.
>>> 
>>> So I think there needs to be a way to bypass that.
>>> 
>>> I suspect there will be pushback if (P)PMCs are forced to have
>>> discussions by Whimsy (unless they become policy).
>> 
>> None of the Whimsy tools started out as the only way to do things;
>> they merely aspired to be the easiest way to correctly do things.
> 
> But if people would like to use the tool, they can only do so if they
> follow the process it entails.

Every time I've seen a PMC with a non-standard way to invite committers, it includes someone with an interest in inviting a candidate sending a message to the PMC.

I specifically did not include programmed rules on what constitutes consensus or +1 x 3 voting. What I envision is at least one "[DISCUSS] Charles Dickens for Netsuke committer" message, followed by at least one "[VOTE] Charles Dickens for Netsuke committer" message followed by an invitation and possibly a message to board (PMC candidate) or IPMC (PPMC candidate).

So this is not intended to be restrictive but helpful. 

And if a PMC really doesn't want to have anything documented about how they implement "formal process to invite new" PMC members and committers, IDC.

And I'm happy that this is the most serious objection to my proposal.

Craig
> 
>> - Sam Ruby
>> 
>>>> Whimsy allows a PMC/PPMC member to kick off a discussion of a potential committer/pmc member. The form has a drop down for committee and entry fields for email address and GivenName(s) FamilyName, and text. Clicking (submit) sends email to private@pmc.apache.org subject: [DISCUSS] Committer status for GivenName FamilyName and includes the email address and text that the pmc member entered and a link to whimsy.apache.org/project/discuss?token=458974235879543789.
>>>> 
>>>> Pmc members can add comments from a text box that will be stored and shown to others who click the link.
>>>> 
>>>> Voting:
>>>> 
>>>> Once discussion has died down, the original pmc member can call for a vote by filling a vote text box and clicking (vote). This will send email to the pmc private list with a link to the discussion (lists.apache.org/xxx) and whimsy.apache.org/project/vote?token=458974235879543789.
>>>> 
>>>> The first pmc member who clicks the link will see the vote text box and a form with:
>>>> 
>>>> (0) +1
>>>> (0) -1
>>>> (0) +0
>>>> (0) -0
>>>> <text box for comments>
>>>> 
>>>> Other pmc members who click the link will see all other votes and comments and can vote as above.
>>>> 
>>>> Clicking (submit) will send email to the pmc private list with all of the comments and a link to the same page.
>>>> 
>>>> Anyone on the pmc can close the vote by clicking (close vote). This will send email with subject [RESULT][VOTE] and an email to board with [NOTICE] GivenName FamilyName for <pmc> PMC.
>>>> 
>>>> After 72 hours, the pmc member can visit the whimsy.apache.org/project/vote?token=458974235879543789 link and click (invite). This will then bring up the project/icla form if the candidate does not already have an icla on file. If the candidate does already have an icla but does not have an apache id, it will bring up the account request form. Finally, if the candidate has an apache id, it will bring up the "add to project" form.
>>> 
>>>> Craig L Russell
>>>> Secretary, Apache Software Foundation
>>>> clr@apache.org http://db.apache.org/jdo
>>>> 

Craig L Russell
Secretary, Apache Software Foundation
clr@apache.org http://db.apache.org/jdo


Re: Project/icla

Posted by sebb <se...@gmail.com>.
On 13 December 2017 at 13:42, Sam Ruby <ru...@intertwingly.net> wrote:
> On Tue, Dec 12, 2017 at 11:39 AM, sebb <se...@gmail.com> wrote:
>> On 12 December 2017 at 13:51, Craig Russell <ap...@gmail.com> wrote:
>>> I'd like to continue the discussion on the project/icla topic.
>>>
>>> I've been thinking about the entire process of committer invitations and the project/icla just handles the last bit. I'd like to include the whole process from discussion to vote to invite.
>>>
>>> Discussion:
>>
>> There are some occasions where the formal discussion is not really necessary.
>> e.g. an informal discussion thread arises out of another thread.
>> It's sometimes really obvious that all that's needed is the vote.
>>
>> So I think there needs to be a way to bypass that.
>>
>> I suspect there will be pushback if (P)PMCs are forced to have
>> discussions by Whimsy (unless they become policy).
>
> None of the Whimsy tools started out as the only way to do things;
> they merely aspired to be the easiest way to correctly do things.

But if people would like to use the tool, they can only do so if they
follow the process it entails.

> - Sam Ruby
>
>>> Whimsy allows a PMC/PPMC member to kick off a discussion of a potential committer/pmc member. The form has a drop down for committee and entry fields for email address and GivenName(s) FamilyName, and text. Clicking (submit) sends email to private@pmc.apache.org subject: [DISCUSS] Committer status for GivenName FamilyName and includes the email address and text that the pmc member entered and a link to whimsy.apache.org/project/discuss?token=458974235879543789.
>>>
>>> Pmc members can add comments from a text box that will be stored and shown to others who click the link.
>>>
>>> Voting:
>>>
>>> Once discussion has died down, the original pmc member can call for a vote by filling a vote text box and clicking (vote). This will send email to the pmc private list with a link to the discussion (lists.apache.org/xxx) and whimsy.apache.org/project/vote?token=458974235879543789.
>>>
>>> The first pmc member who clicks the link will see the vote text box and a form with:
>>>
>>> (0) +1
>>> (0) -1
>>> (0) +0
>>> (0) -0
>>> <text box for comments>
>>>
>>> Other pmc members who click the link will see all other votes and comments and can vote as above.
>>>
>>> Clicking (submit) will send email to the pmc private list with all of the comments and a link to the same page.
>>>
>>> Anyone on the pmc can close the vote by clicking (close vote). This will send email with subject [RESULT][VOTE] and an email to board with [NOTICE] GivenName FamilyName for <pmc> PMC.
>>>
>>> After 72 hours, the pmc member can visit the whimsy.apache.org/project/vote?token=458974235879543789 link and click (invite). This will then bring up the project/icla form if the candidate does not already have an icla on file. If the candidate does already have an icla but does not have an apache id, it will bring up the account request form. Finally, if the candidate has an apache id, it will bring up the "add to project" form.
>>
>>> Craig L Russell
>>> Secretary, Apache Software Foundation
>>> clr@apache.org http://db.apache.org/jdo
>>>

Re: Project/icla

Posted by Sam Ruby <ru...@intertwingly.net>.
On Tue, Dec 12, 2017 at 11:39 AM, sebb <se...@gmail.com> wrote:
> On 12 December 2017 at 13:51, Craig Russell <ap...@gmail.com> wrote:
>> I'd like to continue the discussion on the project/icla topic.
>>
>> I've been thinking about the entire process of committer invitations and the project/icla just handles the last bit. I'd like to include the whole process from discussion to vote to invite.
>>
>> Discussion:
>
> There are some occasions where the formal discussion is not really necessary.
> e.g. an informal discussion thread arises out of another thread.
> It's sometimes really obvious that all that's needed is the vote.
>
> So I think there needs to be a way to bypass that.
>
> I suspect there will be pushback if (P)PMCs are forced to have
> discussions by Whimsy (unless they become policy).

None of the Whimsy tools started out as the only way to do things;
they merely aspired to be the easiest way to correctly do things.

- Sam Ruby

>> Whimsy allows a PMC/PPMC member to kick off a discussion of a potential committer/pmc member. The form has a drop down for committee and entry fields for email address and GivenName(s) FamilyName, and text. Clicking (submit) sends email to private@pmc.apache.org subject: [DISCUSS] Committer status for GivenName FamilyName and includes the email address and text that the pmc member entered and a link to whimsy.apache.org/project/discuss?token=458974235879543789.
>>
>> Pmc members can add comments from a text box that will be stored and shown to others who click the link.
>>
>> Voting:
>>
>> Once discussion has died down, the original pmc member can call for a vote by filling a vote text box and clicking (vote). This will send email to the pmc private list with a link to the discussion (lists.apache.org/xxx) and whimsy.apache.org/project/vote?token=458974235879543789.
>>
>> The first pmc member who clicks the link will see the vote text box and a form with:
>>
>> (0) +1
>> (0) -1
>> (0) +0
>> (0) -0
>> <text box for comments>
>>
>> Other pmc members who click the link will see all other votes and comments and can vote as above.
>>
>> Clicking (submit) will send email to the pmc private list with all of the comments and a link to the same page.
>>
>> Anyone on the pmc can close the vote by clicking (close vote). This will send email with subject [RESULT][VOTE] and an email to board with [NOTICE] GivenName FamilyName for <pmc> PMC.
>>
>> After 72 hours, the pmc member can visit the whimsy.apache.org/project/vote?token=458974235879543789 link and click (invite). This will then bring up the project/icla form if the candidate does not already have an icla on file. If the candidate does already have an icla but does not have an apache id, it will bring up the account request form. Finally, if the candidate has an apache id, it will bring up the "add to project" form.
>
>> Craig L Russell
>> Secretary, Apache Software Foundation
>> clr@apache.org http://db.apache.org/jdo
>>

Re: Project/icla

Posted by sebb <se...@gmail.com>.
On 12 December 2017 at 13:51, Craig Russell <ap...@gmail.com> wrote:
> I'd like to continue the discussion on the project/icla topic.
>
> I've been thinking about the entire process of committer invitations and the project/icla just handles the last bit. I'd like to include the whole process from discussion to vote to invite.
>
> Discussion:

There are some occasions where the formal discussion is not really necessary.
e.g. an informal discussion thread arises out of another thread.
It's sometimes really obvious that all that's needed is the vote.

So I think there needs to be a way to bypass that.

I suspect there will be pushback if (P)PMCs are forced to have
discussions by Whimsy (unless they become policy).

> Whimsy allows a PMC/PPMC member to kick off a discussion of a potential committer/pmc member. The form has a drop down for committee and entry fields for email address and GivenName(s) FamilyName, and text. Clicking (submit) sends email to private@pmc.apache.org subject: [DISCUSS] Committer status for GivenName FamilyName and includes the email address and text that the pmc member entered and a link to whimsy.apache.org/project/discuss?token=458974235879543789.
>
> Pmc members can add comments from a text box that will be stored and shown to others who click the link.
>
> Voting:
>
> Once discussion has died down, the original pmc member can call for a vote by filling a vote text box and clicking (vote). This will send email to the pmc private list with a link to the discussion (lists.apache.org/xxx) and whimsy.apache.org/project/vote?token=458974235879543789.
>
> The first pmc member who clicks the link will see the vote text box and a form with:
>
> (0) +1
> (0) -1
> (0) +0
> (0) -0
> <text box for comments>
>
> Other pmc members who click the link will see all other votes and comments and can vote as above.
>
> Clicking (submit) will send email to the pmc private list with all of the comments and a link to the same page.
>
> Anyone on the pmc can close the vote by clicking (close vote). This will send email with subject [RESULT][VOTE] and an email to board with [NOTICE] GivenName FamilyName for <pmc> PMC.
>
> After 72 hours, the pmc member can visit the whimsy.apache.org/project/vote?token=458974235879543789 link and click (invite). This will then bring up the project/icla form if the candidate does not already have an icla on file. If the candidate does already have an icla but does not have an apache id, it will bring up the account request form. Finally, if the candidate has an apache id, it will bring up the "add to project" form.

> Craig L Russell
> Secretary, Apache Software Foundation
> clr@apache.org http://db.apache.org/jdo
>

Re: Project/icla design discussion

Posted by Sam Ruby <ru...@intertwingly.net>.
On Tue, Dec 12, 2017 at 9:00 AM, Craig Russell <ap...@gmail.com> wrote:
> One design issue is how to store the information associated with token=458974235879543789.
>
> This could be a single file in json format, with key/value pairs that we decide. In order to support multiple simultaneous updates from different pmc members, we would need to read the file for exclusive use, update the information, and write it back. I expect that this can be done.

https://ruby-doc.org/core-2.4.2/File.html#method-i-flock

> The location of the file is the biggest issue. Users of the tool will sign in with their apache credentials. Where should the file be stored? What access controls are needed? What kind of attacks are possible if the file name is known?

A subdirectory of /srv on whimsy-vm4 would be fine.  Those with shell
access to that machine would be able to read those files.  Those with
sudo access on that machine could change those files.  All other
access would be limited to the user id that runs the web server.

> Another issue is permissions to access private information. We need to look up the email address of the candidate and find out whether the candidate already has an icla on file and whether they are already a committer. The user might just be a PPMC member with no credentials other than an apache id and "incubator" project. Can the tool use this user's credentials to access LDAP to obtain the information? Or is the tool running in super-user mode and validates the user id?

There are up to date checkouts of the relevant SVN repositories, and
the LDAP cert is on that machine.  So pretty much any read-only
operation is covered.  Generally, there will already be an API to get
the information you are looking for:
https://whimsy.apache.org/docs/api/

> Craig

- Sam Ruby

>> On Dec 12, 2017, at 5:51 AM, Craig Russell <ap...@gmail.com> wrote:
>>
>> I'd like to continue the discussion on the project/icla topic.
>>
>> I've been thinking about the entire process of committer invitations and the project/icla just handles the last bit. I'd like to include the whole process from discussion to vote to invite.
>>
>> Discussion:
>>
>> Whimsy allows a PMC/PPMC member to kick off a discussion of a potential committer/pmc member. The form has a drop down for committee and entry fields for email address and GivenName(s) FamilyName, and text. Clicking (submit) sends email to private@pmc.apache.org subject: [DISCUSS] Committer status for GivenName FamilyName and includes the email address and text that the pmc member entered and a link to whimsy.apache.org/project/discuss?token=458974235879543789.
>>
>> Pmc members can add comments from a text box that will be stored and shown to others who click the link.
>>
>> Voting:
>>
>> Once discussion has died down, the original pmc member can call for a vote by filling a vote text box and clicking (vote). This will send email to the pmc private list with a link to the discussion (lists.apache.org/xxx) and whimsy.apache.org/project/vote?token=458974235879543789.
>>
>> The first pmc member who clicks the link will see the vote text box and a form with:
>>
>> (0) +1
>> (0) -1
>> (0) +0
>> (0) -0
>> <text box for comments>
>>
>> Other pmc members who click the link will see all other votes and comments and can vote as above.
>>
>> Clicking (submit) will send email to the pmc private list with all of the comments and a link to the same page.
>>
>> Anyone on the pmc can close the vote by clicking (close vote). This will send email with subject [RESULT][VOTE] and an email to board with [NOTICE] GivenName FamilyName for <pmc> PMC.
>>
>> After 72 hours, the pmc member can visit the whimsy.apache.org/project/vote?token=458974235879543789 link and click (invite). This will then bring up the project/icla form if the candidate does not already have an icla on file. If the candidate does already have an icla but does not have an apache id, it will bring up the account request form. Finally, if the candidate has an apache id, it will bring up the "add to project" form.
>>
>> Craig L Russell
>> Secretary, Apache Software Foundation
>> clr@apache.org http://db.apache.org/jdo
>>
>
> Craig L Russell
> Secretary, Apache Software Foundation
> clr@apache.org http://db.apache.org/jdo
>
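
An added example (not part of the thread, and not Whimsy's code) of the storage approach discussed in this message: one JSON file per token, updated read-modify-write under an exclusive File#flock, with the file name derived only from a validated token so a known or guessed name cannot point outside the store. The TokenStore class, the 128-bit hex token format, the directory and the JSON keys are assumptions made for illustration.

```ruby
require 'json'
require 'securerandom'
require 'tmpdir'

# Hypothetical per-token state store (illustration only, not Whimsy code).
class TokenStore
  TOKEN_RE = /\A[0-9a-f]{32}\z/ # exactly what new_token produces

  def initialize(dir)
    @dir = dir
  end

  # 128 bits from the OS CSPRNG, so links cannot be enumerated.
  def new_token
    SecureRandom.hex(16)
  end

  # Refuse anything that is not a well-formed token before it reaches
  # the filesystem: no "../", no absolute paths, no trailing newline.
  def path_for(token)
    unless token.is_a?(String) && TOKEN_RE.match?(token)
      raise ArgumentError, 'malformed token'
    end
    File.join(@dir, "#{token}.json")
  end

  # EXCL fails if the file already exists; mode 0600 keeps it readable
  # and writable by the owning (web server) user only.
  def create(token, data)
    flags = File::WRONLY | File::CREAT | File::EXCL
    File.open(path_for(token), flags, 0o600) do |f|
      f.flock(File::LOCK_EX)
      f.write(JSON.generate(data))
    end
  end

  # Read-modify-write while holding the exclusive lock; the lock is
  # released when the block closes the file.
  def update(token)
    File.open(path_for(token), File::RDWR) do |f|
      f.flock(File::LOCK_EX)
      data = JSON.parse(f.read)
      yield data
      f.rewind
      f.truncate(0)
      f.write(JSON.generate(data))
      data
    end
  end

  def read(token)
    File.open(path_for(token), File::RDONLY) do |f|
      f.flock(File::LOCK_SH)
      JSON.parse(f.read)
    end
  end
end

# Constructed demo: eight members vote at the same time on one token.
# Returns the number of votes recorded; none may be lost.
def demo_concurrent_votes(dir)
  store = TokenStore.new(dir)
  token = store.new_token
  store.create(token, 'candidate' => 'GivenName FamilyName', 'votes' => {})
  8.times.map do |i|
    Thread.new { store.update(token) { |d| d['votes']["member#{i}"] = '+1' } }
  end.each(&:join)
  store.read(token)['votes'].size
end
```

The token only locates the file; whether the signed-in user is a member of the relevant PMC still has to be checked separately on every request.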

Re: Project/icla design discussion

Posted by Craig Russell <ap...@gmail.com>.
One design issue is how to store the information associated with token=458974235879543789.

This could be a single file in json format, with key/value pairs that we decide. In order to support multiple simultaneous updates from different pmc members, we would need to read the file for exclusive use, update the information, and write it back. I expect that this can be done.

The location of the file is the biggest issue. Users of the tool will sign in with their apache credentials. Where should the file be stored? What access controls are needed? What kind of attacks are possible if the file name is known?

Another issue is permissions to access private information. We need to look up the email address of the candidate and find out whether the candidate already has an icla on file and whether they are already a committer. The user might just be a PPMC member with no credentials other than an apache id and "incubator" project. Can the tool use this user's credentials to access LDAP to obtain the information? Or is the tool running in super-user mode and validates the user id?

Craig

> On Dec 12, 2017, at 5:51 AM, Craig Russell <ap...@gmail.com> wrote:
> 
> I'd like to continue the discussion on the project/icla topic.
> 
> I've been thinking about the entire process of committer invitations and the project/icla just handles the last bit. I'd like to include the whole process from discussion to vote to invite.
> 
> Discussion:
> 
> Whimsy allows a PMC/PPMC member to kick off a discussion of a potential committer/pmc member. The form has a drop down for committee and entry fields for email address and GivenName(s) FamilyName, and text. Clicking (submit) sends email to private@pmc.apache.org subject: [DISCUSS] Committer status for GivenName FamilyName and includes the email address and text that the pmc member entered and a link to whimsy.apache.org/project/discuss?token=458974235879543789. 
> 
> Pmc members can add comments from a text box that will be stored and shown to others who click the link.
> 
> Voting:
> 
> Once discussion has died down, the original pmc member can call for a vote by filling a vote text box and clicking (vote). This will send email to the pmc private list with a link to the discussion (lists.apache.org/xxx) and whimsy.apache.org/project/vote?token=458974235879543789. 
> 
> The first pmc member who clicks the link will see the vote text box and a form with:
> 
> (0) +1
> (0) -1
> (0) +0
> (0) -0
> <text box for comments>
> 
> Other pmc members who click the link will see all other votes and comments and can vote as above.
> 
> Clicking (submit) will send email to the pmc private list with all of the comments and a link to the same page.
> 
> Anyone on the pmc can close the vote by clicking (close vote). This will send email with subject [RESULT][VOTE] and an email to board with [NOTICE] GivenName FamilyName for <pmc> PMC.
> 
> After 72 hours, the pmc member can visit the whimsy.apache.org/project/vote?token=458974235879543789 link and click (invite). This will then bring up the project/icla form if the candidate does not already have an icla on file. If the candidate does already have an icla but does not have an apache id, it will bring up the account request form. Finally, if the candidate has an apache id, it will bring up the "add to project" form.
> 
> Craig L Russell
> Secretary, Apache Software Foundation
> clr@apache.org http://db.apache.org/jdo
> 

Craig L Russell
Secretary, Apache Software Foundation
clr@apache.org http://db.apache.org/jdo