Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "IoT/PMC"
(→Reviewing CQs) |
(→Reviewing CQs) |
||
| Line 23: | Line 23: | ||
== Reviewing CQs == | == Reviewing CQs == | ||
| − | + | First of all, the IoT PMC does not put any constraints on dependencies that projects can use in addition to the ones outlined in the [https://www.eclipse.org/legal/EclipseLegalProcessPoster.pdf Eclipse Legal Process]. This mainly affects license compatibility and requirements regarding code provenance etc. | |
| − | + | ||
| − | '' | + | The IoT PMC needs to review newly filed CQs on [https://dev.eclipse.org/ipzilla/ IPzilla] based on the Eclipse Foundation's [https://www.eclipse.org/org/documents/Eclipse_Policy_and_Procedure_for_3rd_Party_Dependencies_Final.pdf Guidelines for the Review of Third Party Dependencies]. |
| − | + | ||
| + | When a committer creates a CQ in IPzilla he indicates a preference for the CQ's ''designation'' as a ''pre-req'' or a ''works-with'' dependency. | ||
| + | Any IoT PMC member may immediately approve a CQ with a designation of ''pre-req'' which ''piggy-backs'' another ''pre-req'' CQ that has already been approved. | ||
| + | |||
| + | In all other cases the first (and most important) task of the IoT PMC is therefore to determine whether the author's preference is appropriate or not. In order to do so, the PMC members interact with the project members via IPzilla's ''comment'' functionality (i.e. in the context of the CQ) in order to get all information relevant for determining the CQ's appropriate designation. Based on the outcome, the IoT PMC approves or rejects the CQ based on the following table: | ||
| + | |||
| + | {| class="wikitable" | ||
| + | ! Designation | ||
| + | ! License | ||
| + | ! Distribution | ||
| + | ! Resolution | ||
| + | |- | ||
| + | | ''pre-req'' | ||
| + | | compatible | ||
| + | | any | ||
| + | | approve | ||
| + | |- | ||
| + | | ''pre-req'' | ||
| + | | incompatible | ||
| + | | Eclipse | ||
| + | | reject | ||
| + | |- | ||
| + | | ''pre-req'' | ||
| + | | incompatible | ||
| + | | Other | ||
| + | | discuss and vote | ||
| + | |- | ||
| + | | ''works-with'' | ||
| + | | any | ||
| + | | any | ||
| + | | discuss and vote | ||
| + | |} | ||
| + | |||
| + | The process for ''discuss and vote'' is as follows: | ||
| + | |||
| + | # The PMC members first try to reach consensus by means of a quick vote on the PMC mailing list (NB: this will probably be changed to take place in IPzilla as well as discussed [https://bugs.eclipse.org/bugs/show_bug.cgi?id=508160 in this issue]). | ||
| + | # If the vote is not unanimous then the PMC discusses until a consensus is found and established by a vote with simple majority (KH: IS A SIMPLE MAJORITY SUFFICIENT?). | ||
| + | # The CQ's designation is adjusted according to the result of the discussion in IPzilla and the PMC's approval or disapproval of the CQ is recorded in IPzilla by the PMC member that initiated the discussion on the CQ. | ||
== Releases == | == Releases == | ||
Revision as of 05:45, 30 March 2017
This is the page of the IoT toplevel project PMC.
There is also the page of the Eclipse IoT working group.
Every now and then the following sections will refer to "voting", unless noted otherwise this refers to the Eclipse voting process for committers: Development_Resources/HOWTO/Nominating_and_Electing_a_New_Committer#How_Do_We_Hold_The_Election.3F.
PMC members do not participate in votes on their own project(s) but will simply abstain from such votes explicitly. It is up to the discretion of each PMC member to determine which votes to abstain from. However, it is good practice that PMC members abstain from votes on any of the projects they are an active committer on or for which they are project lead.
Contents
Members
New members get nominated and voted in by the current (IoT) PMC members.
The current list of members is:
- Benjamin Cabé
- Kai Hudalla
- Kai Kreuzer
- Jens Reimann
- Julien Vermillard
Reviewing CQs
First of all, the IoT PMC does not put any constraints on dependencies that projects can use in addition to the ones outlined in the Eclipse Legal Process. This mainly affects license compatibility and requirements regarding code provenance etc.
The IoT PMC needs to review newly filed CQs on IPzilla based on the Eclipse Foundation's Guidelines for the Review of Third Party Dependencies.
When a committer creates a CQ in IPzilla he indicates a preference for the CQ's designation as a pre-req or a works-with dependency. Any IoT PMC member may immediately approve a CQ with a designation of pre-req which piggy-backs another pre-req CQ that has already been approved.
In all other cases the first (and most important) task of the IoT PMC is therefore to determine whether the author's preference is appropriate or not. In order to do so, the PMC members interact with the project members via IPzilla's comment functionality (i.e. in the context of the CQ) in order to get all information relevant for determining the CQ's appropriate designation. Based on the outcome, the IoT PMC approves or rejects the CQ based on the following table:
| Designation | License | Distribution | Resolution |
|---|---|---|---|
| pre-req | compatible | any | approve |
| pre-req | incompatible | Eclipse | reject |
| pre-req | incompatible | Other | discuss and vote |
| works-with | any | any | discuss and vote |
The process for discuss and vote is as follows:
- The PMC members first try to reach consensus by means of a quick vote on the PMC mailing list (NB: this will probably be changed to take place in IPzilla as well as discussed in this issue).
- If the vote is not unanimous then the PMC discusses until a consensus is found and established by a vote with simple majority (KH: IS A SIMPLE MAJORITY SUFFICIENT?).
- The CQ's designation is adjusted according to the result of the discussion in IPzilla and the PMC's approval or disapproval of the CQ is recorded in IPzilla by the PMC member that initiated the discussion on the CQ.
Releases
- Releases are +1ed by the PMC by holding a vote
- Review security related topics
- The project must have reviewed the Eclipse security guidelines (How do we know they have? Kai H. – simply by asking, at least they are aware of them now, Jens)
- The project has to include a link on the main project home page on "how to report a security vulnerability", a properly labeled link to https://eclipse.org/security/ is fine
- The project must state which security issues have been resolved in this release. This also includes issues for which no GitHub or Bugzilla issue exists. If a vulnerability cannot be disclosed before the project is released, a link to the corresponding committer-only bugzilla issue is enough.
- If the release has known security issues those must be listed as well.
- If the release did not fix any security issues, this has to be stated explicitly by something like "No security related issues had to be fixed".
A security issue is either "a weakness of an asset or group of assets that can be exploited by one or more threats" (also see ISO 27005) or a "vulnerability" according to https://cve.mitre.org/about/terminology.html. As of now this includes only security issues in the project's code itself. Issues in shipped dependencies can be disclosed as well, but there is currently no requirement. Unless there is a specific issue raised for that Eclipse project regarding this dependency (e.g. Eclipse Foo Bar is vulnerable to ABC because dependency XZY v1.2.3).
Project
- The PMC approves all requests of projects to move to GitHub, we simply give the formal +1.