Posted to dev@community.apache.org by Benson Margulies <bi...@gmail.com> on 2015/01/14 16:33:03 UTC

Some maturity model comments

CD40: perhaps change 'previous version' to 'released version'

CD50: the committer is not necessarily the author; someone might read
this and not understand what it implies for committers committing
contributions via all of the channels allowed for by the AL. One patch
would be 'immediate provenance', another would be some lengthier
language about the process.

LC20: do we need to explain what we mean by 'dependencies'? This has
been a point of friction. Expand or footnote to the distinctions
between essential and optional?

LC50: the footnote seems wrong; the ASF does not own copyright,
rather, the author retains, and grants the license.

RE40: do you want to add an explicit statement that legal
responsibility falls upon the head of the person who happened to run
the build?

QU20: Maybe we need to expand on 'secure'? Maybe this is too strong?
What's wrong with building a product that is explicitly not intended
for use in attack-prone environments?

QU40: Not all communities might agree. Some communities might see
themselves as building fast-moving products. Some communities may lack
the level of volunteer effort required to satisfy this. Does this make
them immature, or just a group of volunteers with different
priorities?

IN10: I fear that a more detailed definition of independence is going
to be called for here to avoid controversy.

Re: Some maturity model comments

Posted by Rob Vesse <rv...@dotnetrdf.org>.
On 15/01/2015 11:33, "Bertrand Delacretaz" <bd...@apache.org> wrote:

>On Wed, Jan 14, 2015 at 5:46 PM, Rob Vesse <rv...@dotnetrdf.org> wrote:
>...
>> I think the LC50 is actually correct but could perhaps be phrased
>>better...
>
>I've used your suggestion, thanks!

Great 

>
>> QU30:
>> Agreed, some projects may not do anything that is attack prone...
>
>Added a footnote
>
>> ...Should there be a CS60 about the rare need for private discussions...
>
>I have added a mention of that in CS50 with a footnote, does that work
>for you?

Yes I think that is much nicer wording and I agree that it best belongs in
a footnote

Rob

>
>-Bertrand





Re: Some maturity model comments

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Wed, Jan 14, 2015 at 5:46 PM, Rob Vesse <rv...@dotnetrdf.org> wrote:
...
> I think the LC50 is actually correct but could perhaps be phrased better...

I've used your suggestion, thanks!

> QU30:
> Agreed, some projects may not do anything that is attack prone...

Added a footnote

> ...Should there be a CS60 about the rare need for private discussions...

I have added a mention of that in CS50 with a footnote, does that work for you?

-Bertrand

Re: Some maturity model comments

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Thu, Jan 15, 2015 at 12:05 PM, Lefty Leverenz
<le...@gmail.com> wrote:
> Oh, duh, it's the maturity model.  Well, in context I found it confusing....

Indeed - I have changed CO10 to read "...according to this maturity model".

Thanks!
-Bertrand

Re: Some maturity model comments

Posted by Lefty Leverenz <le...@gmail.com>.
Oh, duh, it's the maturity model.  Well, in context I found it confusing.

-- Lefty

On Thu, Jan 15, 2015 at 2:22 AM, Lefty Leverenz <le...@gmail.com>
wrote:

> In CO10, what does "according to this model" mean?
>
> *CO10*
>
>> The project has a well-known homepage that points to all the information
>> required to operate according to this model.
>
>
> If it means the Apache model, do most project home pages currently point
> to information about Apache operations?
>
> -- Lefty Leverenz
>
>
> On Wed, Jan 14, 2015 at 8:51 AM, Benson Margulies <bi...@gmail.com>
> wrote:
>
>> On Wed, Jan 14, 2015 at 11:46 AM, Rob Vesse <rv...@dotnetrdf.org> wrote:
>> > LC50:
>> >
>> > I think the LC50 is actually correct but could perhaps be phrased better
>> >
>> > My understanding was that the ASF owns the copyright for the collective
>> > work of the project i.e. releases.  As Benson notes contributors retain
>> > copyright on their contributions but grant the ASF a perpetual license to
>> > their contributions
>>
>> I think that the wording should be expanded to mention both aspects.
>>
>> >
>> > QU30:
>> >
>> > Agreed, some projects may not do anything that is attack prone or are
>> > likely only to be run such that any "security" is provided by whatever
>> > runtime they use and the security of that runtime is well beyond the
>> > purview of the project.
>> >
>> > Consensus building:
>> >
>> > Should there be a CS60 about the rare need for private discussions
>> >
>> > CS60:
>> >
>> > In rare situations (typically security, brand enforcement, legal and
>> > personnel discussions) the project may need to first reach consensus in
>> > private in which case the project should use their official private
>> > communications channel such that these rare private discussions are
>> > privately archived.  The outcomes of such consensus should where possible
>> > be discussed in public as soon as it is appropriate to do so.
>> >
>> > That isn't great wording but hopefully you get what I am trying to convey
>> > - projects should rarely discuss in private and any discussions should
>> > become public as soon as it is possible to do so
>> >
>> > Rob
>> >
>> > On 14/01/2015 15:33, "Benson Margulies" <bi...@gmail.com> wrote:
>> >
>> >>CD40: perhaps change 'previous version' to 'released version'
>> >>
>> >>CD50: the committer is not necessarily the author; someone might read
>> >>this and not understand what it implies for committers committing
>> >>contributions via all of the channels allowed for by the AL. One patch
>> >>would be 'immediate provenance', another would be some lengthier
>> >>language about the process.
>> >>
>> >>LC20: do we need to explain what we mean by 'dependencies'? This has
>> >>been a point of friction. Expand or footnote to the distinctions
>> >>between essential and optional?
>> >>
>> >>LC50: the footnote seems wrong; the ASF does not own copyright,
>> >>rather, the author retains, and grants the license.
>> >>
>> >>RE40: do you want to add an explicit statement that legal
>> >>responsibility falls upon the head of the person who happened to run
>> >>the build?
>> >>
>> >>QU20: Maybe we need to expand on 'secure'? Maybe this is too strong?
>> >>What's wrong with building a product that is explicitly not intended
>> >>for use in attack-prone environments?
>> >>
>> >>QU40: Not all communities might agree. Some communities might see
>> >>themselves as building fast-moving products. Some communities may lack
>> >>the level of volunteer effort required to satisfy this. Does this make
>> >>them immature, or just a group of volunteers with different
>> >>priorities?
>> >>
>> >>IN10: I fear that a more detailed definition of independence is going
>> >>to be called for here to avoid controversy.
>> >
>> >
>> >
>> >
>>
>
>

Re: Some maturity model comments

Posted by Lefty Leverenz <le...@gmail.com>.
In CO10, what does "according to this model" mean?

*CO10*

> The project has a well-known homepage that points to all the information
> required to operate according to this model.

If it means the Apache model, do most project home pages currently point to
information about Apache operations?

-- Lefty Leverenz


On Wed, Jan 14, 2015 at 8:51 AM, Benson Margulies <bi...@gmail.com>
wrote:

> On Wed, Jan 14, 2015 at 11:46 AM, Rob Vesse <rv...@dotnetrdf.org> wrote:
> > LC50:
> >
> > I think the LC50 is actually correct but could perhaps be phrased better
> >
> > My understanding was that the ASF owns the copyright for the collective
> > work of the project i.e. releases.  As Benson notes contributors retain
> > copyright on their contributions but grant the ASF a perpetual license to
> > their contributions
>
> I think that the wording should be expanded to mention both aspects.
>
> >
> > QU30:
> >
> > Agreed, some projects may not do anything that is attack prone or are
> > likely only to be run such that any "security" is provided by whatever
> > runtime they use and the security of that runtime is well beyond the
> > purview of the project.
> >
> > Consensus building:
> >
> > Should there be a CS60 about the rare need for private discussions
> >
> > CS60:
> >
> > In rare situations (typically security, brand enforcement, legal and
> > personnel discussions) the project may need to first reach consensus in
> > private in which case the project should use their official private
> > communications channel such that these rare private discussions are
> > privately archived.  The outcomes of such consensus should where possible
> > be discussed in public as soon as it is appropriate to do so.
> >
> > That isn't great wording but hopefully you get what I am trying to convey
> > - projects should rarely discuss in private and any discussions should
> > become public as soon as it is possible to do so
> >
> > Rob
> >
> > On 14/01/2015 15:33, "Benson Margulies" <bi...@gmail.com> wrote:
> >
> >>CD40: perhaps change 'previous version' to 'released version'
> >>
> >>CD50: the committer is not necessarily the author; someone might read
> >>this and not understand what it implies for committers committing
> >>contributions via all of the channels allowed for by the AL. One patch
> >>would be 'immediate provenance', another would be some lengthier
> >>language about the process.
> >>
> >>LC20: do we need to explain what we mean by 'dependencies'? This has
> >>been a point of friction. Expand or footnote to the distinctions
> >>between essential and optional?
> >>
> >>LC50: the footnote seems wrong; the ASF does not own copyright,
> >>rather, the author retains, and grants the license.
> >>
> >>RE40: do you want to add an explicit statement that legal
> >>responsibility falls upon the head of the person who happened to run
> >>the build?
> >>
> >>QU20: Maybe we need to expand on 'secure'? Maybe this is too strong?
> >>What's wrong with building a product that is explicitly not intended
> >>for use in attack-prone environments?
> >>
> >>QU40: Not all communities might agree. Some communities might see
> >>themselves as building fast-moving products. Some communities may lack
> >>the level of volunteer effort required to satisfy this. Does this make
> >>them immature, or just a group of volunteers with different
> >>priorities?
> >>
> >>IN10: I fear that a more detailed definition of independence is going
> >>to be called for here to avoid controversy.
> >
> >
> >
> >
>

Re: Some maturity model comments

Posted by Benson Margulies <bi...@gmail.com>.
On Wed, Jan 14, 2015 at 11:46 AM, Rob Vesse <rv...@dotnetrdf.org> wrote:
> LC50:
>
> I think the LC50 is actually correct but could perhaps be phrased better
>
> My understanding was that the ASF owns the copyright for the collective
> work of the project i.e. releases.  As Benson notes contributors retain
> copyright on their contributions but grant the ASF a perpetual license to
> their contributions

I think that the wording should be expanded to mention both aspects.

>
> QU30:
>
> Agreed, some projects may not do anything that is attack prone or are
> likely only to be run such that any "security" is provided by whatever
> runtime they use and the security of that runtime is well beyond the
> purview of the project.
>
> Consensus building:
>
> Should there be a CS60 about the rare need for private discussions
>
> CS60:
>
> In rare situations (typically security, brand enforcement, legal and
> personnel discussions) the project may need to first reach consensus in
> private in which case the project should use their official private
> communications channel such that these rare private discussions are
> privately archived.  The outcomes of such consensus should where possible
> be discussed in public as soon as it is appropriate to do so.
>
> That isn't great wording but hopefully you get what I am trying to convey
> - projects should rarely discuss in private and any discussions should
> become public as soon as it is possible to do so
>
> Rob
>
> On 14/01/2015 15:33, "Benson Margulies" <bi...@gmail.com> wrote:
>
>>CD40: perhaps change 'previous version' to 'released version'
>>
>>CD50: the committer is not necessarily the author; someone might read
>>this and not understand what it implies for committers committing
>>contributions via all of the channels allowed for by the AL. One patch
>>would be 'immediate provenance', another would be some lengthier
>>language about the process.
>>
>>LC20: do we need to explain what we mean by 'dependencies'? This has
>>been a point of friction. Expand or footnote to the distinctions
>>between essential and optional?
>>
>>LC50: the footnote seems wrong; the ASF does not own copyright,
>>rather, the author retains, and grants the license.
>>
>>RE40: do you want to add an explicit statement that legal
>>responsibility falls upon the head of the person who happened to run
>>the build?
>>
>>QU20: Maybe we need to expand on 'secure'? Maybe this is too strong?
>>What's wrong with building a product that is explicitly not intended
>>for use in attack-prone environments?
>>
>>QU40: Not all communities might agree. Some communities might see
>>themselves as building fast-moving products. Some communities may lack
>>the level of volunteer effort required to satisfy this. Does this make
>>them immature, or just a group of volunteers with different
>>priorities?
>>
>>IN10: I fear that a more detailed definition of independence is going
>>to be called for here to avoid controversy.
>
>
>
>

Re: Some maturity model comments

Posted by Rob Vesse <rv...@dotnetrdf.org>.
LC50:

I think the LC50 is actually correct but could perhaps be phrased better

My understanding was that the ASF owns the copyright for the collective
work of the project i.e. releases.  As Benson notes contributors retain
copyright on their contributions but grant the ASF a perpetual license to
their contributions

QU30:

Agreed, some projects may not do anything that is attack prone or are
likely only to be run such that any "security" is provided by whatever
runtime they use and the security of that runtime is well beyond the
purview of the project.

Consensus building:

Should there be a CS60 about the rare need for private discussions

CS60:

In rare situations (typically security, brand enforcement, legal and
personnel discussions) the project may need to first reach consensus in
private in which case the project should use their official private
communications channel such that these rare private discussions are
privately archived.  The outcomes of such consensus should where possible
be discussed in public as soon as it is appropriate to do so.

That isn't great wording but hopefully you get what I am trying to convey
- projects should rarely discuss in private and any discussions should
become public as soon as it is possible to do so

Rob

On 14/01/2015 15:33, "Benson Margulies" <bi...@gmail.com> wrote:

>CD40: perhaps change 'previous version' to 'released version'
>
>CD50: the committer is not necessarily the author; someone might read
>this and not understand what it implies for committers committing
>contributions via all of the channels allowed for by the AL. One patch
>would be 'immediate provenance', another would be some lengthier
>language about the process.
>
>LC20: do we need to explain what we mean by 'dependencies'? This has
>been a point of friction. Expand or footnote to the distinctions
>between essential and optional?
>
>LC50: the footnote seems wrong; the ASF does not own copyright,
>rather, the author retains, and grants the license.
>
>RE40: do you want to add an explicit statement that legal
>responsibility falls upon the head of the person who happened to run
>the build?
>
>QU20: Maybe we need to expand on 'secure'? Maybe this is too strong?
>What's wrong with building a product that is explicitly not intended
>for use in attack-prone environments?
>
>QU40: Not all communities might agree. Some communities might see
>themselves as building fast-moving products. Some communities may lack
>the level of volunteer effort required to satisfy this. Does this make
>them immature, or just a group of volunteers with different
>priorities?
>
>IN10: I fear that a more detailed definition of independence is going
>to be called for here to avoid controversy.





Re: Some maturity model comments

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

Thanks for the comments in this thread, I (think I) have incorporated
them in revision 14 of
https://wiki.apache.org/incubator/ApacheProjectMaturityModel

On Wed, Jan 14, 2015 at 4:33 PM, Benson Margulies <bi...@gmail.com> wrote:
> CD40: perhaps change 'previous version' to 'released version'

done

>
> CD50: the committer is not necessarily the author;...

Added something about third-party contributions

> LC20: do we need to explain what we mean by 'dependencies'?...

Left that as a TODO for now, it might be good but I don't know what to write :-/

>
> LC50: the footnote seems wrong; the ASF does not own copyright,
> rather, the author retains, and grants the license.

Fixed as per Rob's suggestion

> ...RE40: do you want to add an explicit statement that legal
> responsibility falls upon the head of the person who happened to run
> the build?...

Chickened out on that one for now - do we have that info somewhere
else that I could point to?

> QU20: Maybe we need to expand on 'secure'?...

Added a footnote

> QU40: Not all communities might agree....

Let's discuss in a separate thread

> ...IN10: I fear that a more detailed definition of independence is going
> to be called for here to avoid controversy....

Added a footnote.

Thanks for the comments, do those changes work for you guys?

-Bertrand