Re: Releasing with lazy consensus

[Volkan Yazıcı]

> Just because some projects might be doing it, doesn’t mean it’s ok

This precisely captures my thoughts too. Though I feel stuck at this point.
There are a significant number of projects reaching out to this practice,
yet it is officially not allowed. Then what? Who shall I consult to outline
(and implement?) a way forward that is both legal and convenient for PMCs?

On Fri, Sep 1, 2023 at 9:42 AM Christofer Dutz 
wrote:

> Yeah,
>
> thanks for bringing this up … this is actually something I brought up in
> the last board meeting.
> I also think it’s not ok to release stuff like parent poms with lazy
> consensus and was currently following up with ASF Legal on that matter.
>
> Just because some projects might be doing it, doesn’t mean it’s ok …
> possible outcome of this might be that this practice will explicitly be
> forbidden.
>
> My personal reasoning for this:
>
>   *   With a parent pom, I can
>  *   Manage dependencies to get in vulnerable versions
>  *   Include additional dependencies
>  *   Re-Configure plugins configuration
>  *   Add plugin executions that might do bad stuff
> So I think especially for parent poms we should pay extra attention.
>
> Chris
>
>
>
>
>
> Von: Jarek Potiuk 
> Datum: Freitag, 1. September 2023 um 09:24
> An: dev@community.apache.org 
> Betreff: Re: Releasing with lazy consensus
> I would love to hear about it, but I believe releasing any software is an
> "act of Foundation" and requires 3 explicit PMC members to say "+1" in
> order for it to have legal repercussions.
>
> So I am not so sure if releasing "software" of any kind that can be "ASF
> software" should be done without voting and 3 PMC members saying +1. In
> fact even the roll calls done by the board when the projects are not active
> is to check "Is there enough  (3) active PMC members for the PMC to make a
> release).
>
> I believe in justified cases however, you can shorten the voting period or
> even vote in "secret" and announce the voting later (for example when you
> have security release). The process says that there SHOULD be 72 HRs (not
> MUST) and if there are good reasons, it can be shortened. But the act of
> voting and 3 +1 from the PMC members is - I believe - obligatory.
>
> A comment on how we deal with possibly similar cases in Airflow - where we
> often release up to 90(!) packages 2 times a month (!). Maybe that can help
> with designing a similar process.
>
> * we allow "bulk" voting. We prepare the "up to 90" provider packages as a
> single "pack" of things we vote on. We have automation and tooling that
> allows us to both release and verify  (by PMC members) all those packages
> together. We also involve the contributors and those who raised relevant
> issues in testing those packages (also heavily automated - example issue
> generated here https://github.com/apache/airflow/issues/33305  ) - this is
> nice because it allows us to streamline the process and release multiple
> things together, whil allow individuals to focus on testing all such
> packages individually and report it back in that single place where we
> discuss the whole "release pack".
>
> * when a bug / release/packaging/sources/problem is found in only one of
> those packages (which does not invalidate the rest) the release manager can
> decide to withdraw those faulty packages from that release "pack" but this
> does not remove +1 votes that were given for the ones that are good.
>
> * after releasing the "good" packages (and parallel fixing of the broken
> ones) - the broken ones are released with fixes as RC2 candidates. In most
> cases the fixes are really small, so the "user" testing (i.e. what has been
> tested and confirmed working so far) status is carried over to the RC2
> candidates. The PMC voting for those RC2 is restarted (i.e. we need three
> new +1 from the PMC) .  But this time we turn on "accelerated" voting. We
> agree to the rule that in this case 24H (and 3 PMC +1s) is enough for the
> vote to complete.
>
> * the 72HR -> 24 HR is only done when there are really small and few fixes
> since RC1
>
> This has been discussed at the devlist, agreed and captured in our
> processes. For those interested:
>
> Discussion about introducing RC2+ accelerated voting :
> https://lists.apache.org/thread/8rpq06pobp6rnm9phnbc9fz4ky32sm16
> Lazy consensus on approving it:
> https://lists.apache.org/thread/cv194w1fqqykrhswhmm54zy9gnnv6kgm
> Example recent vote result where two packages have been excluded due to
> bugs but where release manager decided not to accelerate the voting due to
> big number of fixes coming since RC1:
> https://lists.apache.org/thread/1kovpkx0t2pm2xrwf61ycqdynp0kdl19
> Example vote where we had 24 HR accelerated vote:
> https://lists.apache.org/thread/ndm71tjdd3mmx7s904ds6sqxy84vb1fw  (BTW We
> also had RC3 for google provider as another bug was found in RC2). - those
> rules are transitive. RC3 was also accelerated.
>
> I hope it helps.
>
> J.
>
>
>
>
> On Fri, Sep 1, 2023 at 

[ALC] ALC Indore Event - September 2023

[Aditya Sharma]

Hello All,

The ALC [1] Indore Chapter [2] is organizing the following events this
month:

#1  A hands-on workshop [3] on "Git and GitHub" at the Acropolis Institute,
Indore. This will be an in-person event scheduled on Tuesday 5th September
2023.

Key topics:
- Introduction to version control
- Git
  -- Repository
  -- Configuration
  -- Stages of a file
  -- Reset and revert
  -- Diffing
  -- Branching
  -- Merge conflicts
  -- Stashing
  -- Remote
- GitHub
  -- Forking and Pull Request

Speaker: Priya Sharma and Aditya Sharma

#2 An online session [4] on "Open Source and Internship opportunities" on
Saturday 16th September 2023. Registrations for this event are open to all.

Key topics:
- Introduction to Open Source
- The Importance of Open Source
- Benefits of Contributing to Open Source as an Intern
- Finding Open Source Projects
- Getting Started with Open Source Contributions
- Common Challenges & Overcoming Them
- Internship Programs and Open Source Organisations
- Success Stories
- Future Career Prospects
- Conclusion
- Q&A Session

Speaker: Praveen Kumar Purushothaman

As per ALC Event guidelines [5], we would like to request PMC approval for
these upcoming events.

[1] https://s.apache.org/alc
[2] https://s.apache.org/alc-indore
[3] https://s.apache.org/alc-guidelines
[4] https://s.apache.org/git-workshop
[5] https://s.apache.org/opensource-internships

Thanks and Regards,
Aditya Sharma

[jira] [Commented] (COMDEV-534) 3rd party downloads not allowed by privacy policy

[Sebb (Jira)]

[ 
https://issues.apache.org/jira/browse/COMDEV-534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17761854#comment-17761854
 ] 

Sebb commented on COMDEV-534:
-

The statistics page loads data from api.snoot.io.

AFAICT, we don't have a privacy agreement with them, and their website privacy 
policy [1] says they may collect PII, and furthermore that the Policy can be 
changed at any time without notice. Furthermore, the link to the vendor's 
website is broken.


[1] https://snoot.io/privacy.html

> 3rd party downloads not allowed by privacy policy
> -
>
> Key: COMDEV-534
> URL: https://issues.apache.org/jira/browse/COMDEV-534
> Project: Community Development
>  Issue Type: Bug
>  Components: Projects Tool
>Reporter: Sebb
>Priority: Major
>
> The projects.a.o website relies on Google charts.
> AFAIK, we don't have a privacy agreement for these, and according to the 
> terms of use, they cannot be used downloaded and used locally:
> https://developers.google.com/chart/interactive/faq#offline
> Some possible solutions:
> - use an alternative charting library that is not in conflict with the 
> Privacy Policy
> - ask the user's permission before making requests to such 3rd party sites; 
> if the user refuses, charts and graphs cannot be displayed, but the site 
> should otherwise continue to function
> - find some way of proxying the requests via an ASF host that strips out all 
> client-specific headers.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org