Hi Matt,

Again, sorry for being PITA about it, I would really like to understand what kind of problem should be solved?
I looked at the list of people that are able to work directly on the ops4j projects, 110.
https://github.com/orgs/ops4j/people
Then I know from the past, that we had a couple of pull requests by people not in that list.
Where would we be better with moving those projects under the ASF umbrella?
I really would like to understand the real issue.

Thanks, Achim

On Tue, 29 March 2022 at 12:19, Matt Pavlovich <[email protected]> wrote:

> Hello Christoph-
>
> Again, the issue isn't a complaint. OPS4J simply does not have verification of developer identity. More contributions or donations won't solve that. Even the most staunch open source projects (i.e. Debian) require verification of developer id.
>
> Thank you,
> Matt
>
> On Monday, March 28, 2022 at 12:18:32 AM UTC-5 laeubi wrote:
>
>> I can only encourage everyone that gets "complains" or "concerns" of "big business" or even single users telling them to simply start contribution or funding OS projects they depend on:
>>
>> participation/review/testing (especially upcoming versions) is the best way to mitigate "supply-chain-attacks" instead of hoping there is any "governance" doing this for them for free...
>>
>> On 25.02.22 at 11:39, Jean-Baptiste Onofré wrote:
>> > Thanks all for your comment.
>> >
>> > Fair discussion. I agree with you, just wanted to have this open discussion and share some messages I received.
>> >
>> > Let's keep PAX as it is, at OPS4J.
>> >
>> > Thanks
>> > Regards
>> > JB
>> >
>> > On Fri, Feb 25, 2022 at 11:34 AM Łukasz Dywicki <[email protected]> wrote:
>> >>
>> >> I see problem similar to Achim. We still didn't hear anything about solving a community trouble. We definitely do not solve a trouble of ops4j community which probably do not overlap 100% with Karaf. We may be solving some trouble for Karaf community, however we probably ask about shifting even more work on already small set of people working on it. We hear concerns, which might or might not be justified. I don't think they are since there is no record of any malicious activities made by people contributing to ops4j/pax.
>> >>
>> >> People which are mainly contributing to these projects are well known (Grzegorz, JB, Achim), external contributions are coming over pull requests, just like they would come to the ASF, so why we should be moving around sources? As far as I remember ASF does not scan IDs of their contributors so it can't guarantee identity of people behind contributions as well. Back at the times I was signing my agreement I was sending it by online fax service, so verification was very mild. While the GPG keys is some kind of resort, a lot of people (including myself) have self-signed key which is as good as my ssh key I use to push things to git.
>> >>
>> >> The big customers can become part of community if they wish, no matter where project is hosted - at github or at ASF. So far it seems to me that they are asking for favor without giving anything back to communities which will be affected.
>> >>
>> >> Best,
>> >> Łukasz
>> >>
>> >> On 25.02.2022 08:43, Achim Nierbeck wrote:
>> >>> Hi,
>> >>>
>> >>> I'm sorry to be a PITA :)
>> >>> What I've read so far has been feelings, one concern of perception by "big" customers.
>> >>> I would really like to know, which problem we are trying to solve by moving the pax projects under the umbrella of Karaf.
>> >>> Or what I personally would favor under their own tlp of the ASF.
>> >>>
>> >>> Just to clarify, I'm trying the 5 W's here ...
>> >>> Why do you think it's a good idea to move the Pax Projects under the karaf umbrella?
>> >>> Why do you think customers have a wrong perception of the Pax Projects ...
>> >>> and so on ...
>> >>>
>> >>> What is the core issue we are trying to solve here?
>> >>> As long as I don't get down to the core thing that needs to be solved I'm not in favor of moving the pax projects anywhere.
>> >>>
>> >>> Again sorry if I'm PITA.
>> >>>
>> >>> regards, Achim
>> >>>
>> >>> On Thu, 24 Feb 2022 at 22:44, Eric Lilja <[email protected]> wrote:
>> >>>
>> >>>> Personally, I would love to see this change and the other people in my organization liked the proposal as well.
>> >>>>
>> >>>> - Eric L
>> >>>>
>> >>>> On Thu, Feb 24, 2022 at 3:04 PM Jean-Baptiste Onofré <[email protected]> wrote:
>> >>>>
>> >>>>> Hi guys,
>> >>>>>
>> >>>>> Some of you already pinged me to share concerns about PAX projects governance. I think it's my duty to share these concerns and discuss possible actions.
>> >>>>>
>> >>>>> Apache Karaf is one of the biggest consumers of PAX projects.
>> >>>>>
>> >>>>> However, PAX projects use a "self own" designed governance:
>> >>>>> - for contribution/IP
>> >>>>> - for release
>> >>>>> - for CVE/Security
>> >>>>> - ...
>> >>>>>
>> >>>>> And it could be seen as a major concern for Apache Karaf users, as PAX projects are not necessarily "aligned" with Apache Foundation rules.
>> >>>>>
>> >>>>> I would like to start a discussion on both Karaf and OPS4J communities to "move" PAX projects as Karaf subproject (like karaf-pax).
>> >>>>> Concretely, it would mean that:
>> >>>>> 1. Karaf PAX projects would use org.apache.karaf.pax namespace
>> >>>>> 2. Karaf PAX releases will have to follow the Apache release process (binding votes, 3 days vote period, ...)
>> >>>>> 3. Any active contributor on PAX projects would be invited as Karaf committer
>> >>>>>
>> >>>>> Thoughts ?
>> >>>>>
>> >>>>> Regards
>> >>>>> JB
>> >>
>> >> --
>> >> --
>> >> ------------------
>> >> OPS4J - http://www.ops4j.org - [email protected]
>> >>
>> >> ---
>> >> You received this message because you are subscribed to the Google Groups "OPS4J" group.
>> >> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> To view this discussion on the web visit https://groups.google.com/d/msgid/ops4j/5ff43da6-8d5f-43f4-e6e6-86af4fb162b9%40code-house.org.

--
Apache Member
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead
blog <http://notizblog.nierbeck.de/>
Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
