Tidelift

2022-01-11 Thread Ralph Goers
Hello all,

Recently the Logging Services PMC was approached by Tidelift offering to 
provide monetary support either to the project or individual committers. To 
obtain that sponsorship the project has to agree to the terms at 
https://support.tidelift.com/hc/en-us/articles/4406309657876-Lifter-agreement. 
It appears that Struts has accepted this already.

Some PMC members are interested in pursuing this but I am questioning a) 
whether the agreement conflicts with ASF practices and b) whether the legal 
agreement is too ambiguous. Two ASF members commented on the Logging Services 
private list that they had concerns about the agreement.

In response to these concerns I created 
https://issues.apache.org/jira/browse/LEGAL-593. The guidance there seemed to 
be that payment to the ASF by Tidelift would not be allowed but payment to 
individuals might be. No guidance on the agreement was provided. It was 
recommended I post here instead.

In looking for more clarification from Tidelift about their agreement and who 
could receive payment we received this response:

Great follow up question, you are spot on. Each of the individuals on 
the team page could become a lifter and the funds allocated for Log4j would be 
split between them.

Additional pieces of information to add nuance:

* For someone to _start_ lifting a project with Tidelift, the 
verification process involves us looking to official sources for 
confirmation–such as the team page. After a project is lifted, the verification 
process ultimately hinges on open communication between us and whichever lifter 
has been nominated to be the primary contact (in full view of all of the 
project's lifters so that we know there's shared agreement).

* Funds can be split any way you see fit, evenly or otherwise. In most 
cases, we see an even split. In cases where the funds are directed back to a 
foundation, 100% of the funds go to the foundation and the share assigned to 
the lifters is 0%.

* This approach has allowed us to decouple any individual project's 
governance from our own processes, and has proven to be effective in many 
different contexts. As we grow, it may well be that our processes need to 
evolve, so that's a conversation that I'm open to as we continue discussing :o)

So it is clear to me that Tidelift requires the project as a whole to approve 
the agreement, even though only select individuals may choose to receive 
payment, especially since one of the requirements is a public acknowledgment of 
Tidelift on one of the project’s sites.

I find this problematic as I cannot reconcile how it is OK for individuals to 
receive payment so that the ASF is not officially involved while at the same 
time the PMC must approve the agreement for individuals to be able to accept 
payment. Furthermore, I still have no idea whether the terms of the agreement 
would put a PMC in conflict with ASF policies or whether the ambiguities in the 
agreement would put the ASF in a bad place. I realize the ASF’s argument would 
be “We have nothing to do with this” but I suspect that wouldn’t fly since the 
PMC has to agree to it.

To be clear, I have no idea if this is the correct place to discuss this. 
Personally, I was under the impression that a Legal Jira was where this kind of 
stuff got resolved. But here I am.

Thoughts?

Ralph



-
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org



Re: Tidelift

2022-01-12 Thread Ralph Goers
Jim,

While I agree with your conclusion I do disagree with how you get there. 

In your first message you seemed to think that the “self-serving nature” of 
what Tidelift is doing is any different than what many companies have been 
doing to the ASF. I am a member of the Flume PMC and my employer uses it as a 
critical component of our infrastructure, primarily at my doing. I was 
reluctant to have it graduate from the incubator since the PMC was 90%+ 
Cloudera employees. Well, Cloudera ghosted the project and many of the PMC 
members are now former Cloudera employees who, while interested in the project, 
have no time to spend on it. I view that model and outcome as worse than what 
Tidelift is proposing. I am now faced with doing a Flume update and release 
pretty much all on my own, although I am sure there are 3 PMC members active 
enough to approve the release.

Unlike corporate backed projects, Tidelift doesn’t specify any particular 
development that must be done to qualify for funding. What they require is 
mostly stuff the ASF already requires - but the agreement is unclear if the ASF 
requirements are sufficient since the agreement is ambiguous. And, of course, 
the promotion of Tidelift could be a problem. Some projects have pages similar 
to https://activemq.apache.org/support that list places where you can get 
commercial support. Many have “Thanks” pages to thank companies such as 
Jetbrains and Yourkit for donating their products to committers. So simply 
listing a commercial entity on the web site doesn’t seem to be the issue. 

For me, the issue is that Tidelift is paying developers with the requirement 
that they follow certain processes, one of which includes an advertisement. On 
its face I just don’t see how that flies with ASF policies.

That said, if the Tidelift model for people to be funded was “Your project must 
adhere to all ASF process and guidelines AND you must have a minimum of 3 
active committers (proven by them actually approving and merging PRs, 
committing fixes for bugs, etc) and an advertising requirement I might be more 
inclined to support it since the only real requirement is that the project be 
active.

Ralph

> On Jan 12, 2022, at 7:57 AM, Jim Jagielski  wrote:
> 
> Over in the Apache HTTPD project, both the HTTP/2 and the new mod_tls modules 
> were paid for by outside entities. That is, this entity wanted these modules 
> to exist, contracted out w/ a 3rd party to write/develop them, and then 
> backed away. There was no guarantee that these modules would even be 
> accepted, that the code would be treated specially or differently, or 
> anything at all like that. At no point was the PMC or the foundation involved 
> at all. The only consideration was that whatever was being donated to the 
> project was, in fact, being donated; that this external work-for-hire was 
> allowed to be, and was intended to be, donated and used by the ASF under the 
> ALv2.
> 
> If Tidelift wishes to contract out to individuals, it is certainly within its 
> rights and that's 100% A-OK. However, they must be aware that there is no 
> guarantee that any work that the "lifters" provide will be included. There is 
> no way nor guarantee that the lifters are able to direct or manage the 
> project in a way that Tidelift and/or its customers would want. They are not 
> paying for access nor are they paying for guaranteed improvements or 
> inclusion. That must be clear.
> 
> My understanding of the Tidelift arrangement is that they are providing some 
> sort of assurance that these lifters are not only developing the code, but 
> also "maintaining" it, which implies active, constant and "guaranteed" 
> contribution. Any lifters involved with Apache projects cannot guarantee 
> that. They cannot maintain it anymore, or any less, than anyone else, working 
> within the confines of the project.
> 
>> On Jan 12, 2022, at 9:16 AM, Gary Gregory  wrote:
>> 
>> I agree that people should handle their affairs as they see fit RE Tidelift
>> but how should this be allowed to trickle in on Apache WRT mentions in web
>> sites and files like readme. IOW, should Struts assets remove mentions of
>> Tidelift?
>> 
>> Gary
>> 
>> On Wed, Jan 12, 2022, 08:52 Jim Jagielski  wrote:
>> 
>>> IMO, the foundation and the project should do nothing associated with
>>> this. It should neither encourage nor condone it. In no way should we enter
>>> into any agreement, contract, whatever, w/ Tidelift. If Tidelift wishes to
>>> work independently and directly w/ people, that's fine. But having the ASF
>>> and/or the project involved at any level should be disallowed.
>>> 
>>> We cannot also ignore the obvious self-serving nature of the request by
>>>

Re: Tidelift

2022-01-12 Thread Ralph Goers


> On Jan 12, 2022, at 8:34 AM, Mohammad Noureldin  
> wrote:
> 
> Hi,
> 
> I have 2 questions:
> 1- How did that work in the case of Apache Struts ? Any details can be
> shared ?

In the case of Struts it appears there is only a single active committer and he
is the sole person receiving funds from Tidelift. It isn’t clear if the PMC was
ever even consulted.

> 2- Is the concept of "guarantying" here in the Legal sense ? or is it
> "guarantying" by approaching the "right individuals" ?
> 
> By "right individuals" (double quoting is intentional) I mean (P)PMC
> Members for example. Though they, as mentioned here, can get funded as
> individuals who don't represent the ASF as an organization nor they
> represent the target project in any official way, but being a (P)PMC Member
> (by the definition of the ASF organization itself) show/guarantees that the
> approached individuals have the merit and the commitment towards that
> target project, hence guarantying that such funds will be used efficiently
> or in the right way (I am using 'efficiently' and 'the right way' in their
> broader sense).

Yes, this is the heart of the problem. How can you be funded solely as an
individual if the agreement requires agreement from the PMC?


> 
> But even with that in mind, I believe there is a catch ? If any of those
> individuals, being (P)PMC member or not, stopped working on the target
> project for whatever reason, What happens then ?
> 

That is a great question. I guess Tidelift would find out when or if its 
customers started complaining.

Ralph



Re: Tidelift

2022-01-12 Thread Ralph Goers
Jarek,

I expect I know the answer to this but do any of your sponsors require 
(or even request) that you mention them in the project web site or in the 
README? 

What you are doing sounds fine to me simply because the agreement 
you have doesn’t obligate the PMC to anything.

Tidelift’s business model is to generate funding for open source by getting 
commercial users to pay Tidelift to support open source projects. Tidelift 
doesn’t seem to have any developers of its own so it shares a portion of 
the money it gets with projects so it can add them to its catalog of supported 
projects.

In some ways this could be a win-win-win scenario, if it actually accomplishes 
something.

Ralph

> On Jan 12, 2022, at 8:57 AM, Jarek Potiuk  wrote:
> 
> Fascinating discussion. My understanding is exactly what Jim explained.
> 
> I also can explain how it works for me as an individual in Apache
> Airflow. Apache Airflow has multiple stakeholders and I have regular
> contracts with a few of them: Google, Astronomer. Also I got a
> one-time GitHub Sponsorship from AWS. Each contract covers part of my
> time.
> 
> * The sponsorship was without any expectations.
> * The contracts I have are mostly about "We do not oblige you to do
> this and that. Those are our priorities for next year or so and we
> would like you to focus on as an individual for part of your time, but
> we are well aware the community makes decisions and nothing can be
> done without community rules being followed. We understand that and
> expect you to follow the rules." (not the exact wording but that's the
> "gist" of it).
> 
> I also do a lot of contributions in my "own" time so to speak which
> cover much broader scope and project needs and other initiatives (If I
> were to calculate it with regular rates) - and I treat seriously the
> disclaimer that was mentioned in the Legal part of the discussion (I
> believe Justin pointed to that).
> 
> Those are my own private agreements with the stakeholders, PMC members
> are aware of those (I am very transparent with that as you see), but
> it has nothing to do with the PMC nor ASF..
> 
> I believe if Tidelift were to arrange similar contracts with whoever
> are the people with "merit" in the project, they should be free to do
> that - with similar conditions.
> 
> J.
> 
> On Wed, Jan 12, 2022 at 4:56 PM Sam Ruby  wrote:
>> 
>> On Tue, Jan 11, 2022 at 4:50 PM Ralph Goers  
>> wrote:
>>> 
>>> Hello all,
>>> 
>>> Recently the Logging Services PMC was approached by Tidelift offering to 
>>> provide monetary support either to the project or individual committers. To 
>>> obtain that sponsorship the project has to agree to the terms at 
>>> https://support.tidelift.com/hc/en-us/articles/4406309657876-Lifter-agreement.
>>>  It appears that Struts has accepted this already.
>> 
>> Perusing the agreement, I see talk of payment, license, and trademark.
>> So let's cover that, and the topic we want to cover, the Apache Way.
>> 
>> Let's be welcoming and friendly, and focus more on what they need to
>> do, rather than on what they must not do
>> 
>> Outline:
>> 
>> * So you want to pay a contributor?  Great!  If that is something you
>> wish to do, do so directly with each contributor as this is not a
>> service the ASF provides.  Just make sure that each contributor is
>> aware of each of the five points listed on The Apache Way page[1].  In
>> particular, be aware that each individual contribution will be
>> evaluated on its merits and require consensus before being accepted.
>> 
>> * All code must be licensed only under the Apache Software License,
>> with no additional conditions.  Should an individual contributor
>> become a committer, they will be required to sign an ICLA.  You are
>> welcome to sign a CCLA.
>> 
>> * You are welcome to make nominative use of our trademarks.  If you
>> require anything more, see our Trademark Policy[2].
>> 
>> [1] https://www.apache.org/theapacheway/
>> [2] https://www.apache.org/foundation/marks/
>> 
>> - Sam Ruby
>> 



Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Ralph Goers
First, I would like to clarify Gary’s email as I don’t think he characterized
it quite correctly. The Logging PMC concluded we could not be part of an
arrangement with TideLift and that the issues needed to be worked out at the
foundation level. The primary issue was that TideLift had requirements on
advertising and process details that required approval of the PMC in order for
individuals to be able to be paid. We met with a Google security team in
January and had similar issues where they required a process that isn’t
aligned with the ASF’s requirements on how releases are to be performed.

Second, from my point of view the ASF should have discussions with TideLift and
Google to see if those issues can be resolved. The ideal scenario would be that
TideLift and Google can simply sponsor individuals from any ASF project because
all ASF projects must conform to guidelines that meet their criteria - i.e. the
PMC doesn’t even have to be involved. But this obviously requires that the
foundation work with these third parties to either improve our processes where
needed or get the third party to accept our processes.

So while I agree with everything Bertrand said I don’t think it resolves the
real issue. TideLift is providing a guarantee to its customers that projects it
sponsors meet certain standards. The standards they are looking for should
really be set by the ASF, not individual projects.

Ralph


> On Feb 28, 2022, at 5:03 AM, Bertrand Delacretaz  
> wrote:
> 
> Hi,
> 
> On Mon, Feb 28, 2022 at 11:06, Jarek Potiuk wrote:
>> ...the relationships I have is direct relationship with the
>> stakeholders. Let's deel, GitHub Sponsors, SAP Ariba are merely "removing
>> bureaucratic obstacles" but they are not "between" me and my stakeholders.
>> They are "on a side". They get a small cut sometimes (which I gladly pay)
>> but I want to talk to the stakeholders directly without any intermediaries
>> and establish a long-term relationship with them as an individual
> 
> I think that's a key point, and listing such requirements for
> platforms that can help our contributors get funding sounds useful.
> 
> Here's a quick list of initial requirements that we might include:
> -Contributors can get steady funding for their work
> -ASF is out of the loop of financial transactions
> -Contributors must use a standard ASF disclaimer (draft at [1])
> -Contributors can establish a direct relationship with sponsors
> -Several "funding intermediaries" are available
> -ASF might define the wording that contributors can use when
> advertising themselves (based on facts, etc.)
> 
> I like the idea of the ASF facilitating these things.
> 
> Maintaining a comdev page that lists criteria like the above, with
> pointers to the relevant ASF policies, and lists intermediaries that
> our contributors have successfully used, might be a good start.
> 
> -Bertrand
> 
> [1] https://community.apache.org/committers/funding-disclaimer.html
> 



Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Ralph Goers
I don’t agree. First, the “added value” Tidelift provides is not our problem. 
If they can’t attract customers then the individuals on the projects they 
support won’t get any money.

But, as I said, Tidelift could have a mechanism to fulfill their promises if
the ASF had overall project requirements such as requiring that a project have
3 active committers AND 3 active PMC members. The distinction might not
seem like much but there are projects that are still functioning because they
still have 3 PMC members but no one is committing anything. So when
issues arise it could take a long time to get a release cut to fix the issue
since, presumably, there could be a lot of dependency updates required.

“Why do we need Tidelift at all?”

The ASF doesn’t “need” Tidelift. Nor do we need Google. But there are 
individuals who work on projects who would welcome the opportunity to be 
paid by them. Currently, they cannot because Tidelift can’t guarantee 
anything to their customers regarding ASF projects and Google has security 
requirements that we can’t meet because they contradict the ASF release policies.

Tidelift cannot resolve problems that are not in its control. Neither can ASF 
projects.

I had thought that both the VPs of Fundraising and Legal were going to reach
out to Tidelift to discuss these issues. I don’t recall seeing any feedback
from that to see if any progress was made.

> On Feb 28, 2022, at 10:50 AM, Jarek Potiuk  wrote:
> 
>> So while I agree with everything Bertrand said I don’t think it resolves
> the real issue.
> TideLift is providing a guarantee to its customers that projects it
> sponsors meet certain
> standards. The standards they are looking for should really be set by the
> ASF, not
> individual projects.
> 
> This is the part I do not understand. What Tidelift can promise to their
> customers and on what basis?
> According to ASF rules where only individuals in the project can make
> decisions - this means that Tidelift
> has no mechanisms whatsoever to fulfill their promise.
> 
> And if ASF sets the standards - why do we need Tidelift at all ?
> To be perfectly blunt -  I am afraid that until Tidelift resolves any
> of the real problems of individual committers we mentioned with Bertrand
> (including facilitating direct relationship committer <> stakeholder),
> I do not see what's the added value of Tidelift. Seems like unnecessary
> intermediary.
> 
> J.
> 
> 
> On Mon, Feb 28, 2022 at 5:10 PM Ralph Goers 
> wrote:
> 
>> First, I would like to clarify Gary’s email as I don’t think he
>> characterized it quite correctly.
>> The Logging PMC concluded we could not be part of an arrangement with
>> TideLift and
>> that the issues needed to be worked out at the foundation level. The
>> primary issue was
>> that TideLift had requirements on advertising and process details that
>> required approval
>> of the PMC in order for individuals to be able to be paid. We met with a
>> Google
>> security team in January and had similar issues where they required a
>> process that isn’t
>> aligned with the ASF’s requirements on how releases are to be performed.
>> 
>> Second, from my point of view the ASF should have discussions with
>> TideLift and Google to
>> see if those issues can be resolved. The ideal scenario would be that
>> TideLift and Google
>> can simply sponsor individuals from any ASF project because all ASF
>> projects must
>> conform to guidelines that meet their criteria - i.e. the PMC doesn’t even
>> have to be
>> involved. But this obviously requires that the foundation work with these
>> third parties to
>> either improve our processes where needed or get the third party to accept
>> our processes.
>> 
>> So while I agree with everything Bertrand said I don’t think it resolves
>> the real issue.
>> TideLift is providing a guarantee to its customers that projects it
>> sponsors meet certain
>> standards. The standards they are looking for should really be set by the
>> ASF, not
>> individual projects.
>> 
>> Ralph
>> 
>> 
>>> On Feb 28, 2022, at 5:03 AM, Bertrand Delacretaz 
>> wrote:
>>> 
>>> Hi,
>>> 
>>> On Mon, Feb 28, 2022 at 11:06, Jarek Potiuk wrote:
>>>> ...the relationships I have is direct relationship with the
>>>> stakeholders. Let's deel, GitHub Sponsors, SAP Ariba are merely
>> "removing
>>>> bureaucratic obstacles" but they are not "between" me and my
>> stakeholders.
>>>> They are "on a side". They get a small cut sometimes (which I gladly
>> pay)
>>>> but I want to t

Re: Effective ways of getting individuals funded to work on ASF projects

2022-02-28 Thread Ralph Goers
You are still confusing how individuals in ASF projects can work with Tidelift 
(or vice versa) vs why anyone would pay them. I don’t care why people pay 
Tidelift nor do I see a reason I should have to. The fact that you see no added 
value doesn’t mean people won’t pay them, even if it is just so they can feel 
that they are contributing to the open source they use.

I’m glad you get paid by Google, although I am not sure that it is the same 
group that spoke with the Logging Services PMC. But the fact is, you should 
be able to be paid by anyone who wants to pay you, assuming they aren’t 
expecting things of you as an individual that you cannot guarantee.

The important difference with Tidelift is that they are not asking for any 
specific work to be done, rather they are paying to ensure the project meets 
certain standards and will still be around for a good while. To be honest, 
I can appreciate that. I’ve seen a lot of projects on GitHub that are pretty 
neat but have lots of issues and PRs that no one is looking at and no 
commits have been done in years.  

Ralph



> On Feb 28, 2022, at 12:40 PM, Jarek Potiuk  wrote:
> 
> Ralph:
> 
>> The ASF doesn’t “need” Tidelift. Nor do we need Google. But there are
> individuals who work on projects who would welcome the opportunity to be
> paid by them
> 
> I am being paid for part of my time with Google (among others). With
> contract that recognizes that I cannot "do stuff they want"
> if the community will not agree to it.
> 
> Let's enable it for others and show them the path how to do it.
> 
> Neither Google nor I needed Tidelift for that. I still do not see what
> Tidelift could
> provide to either me or Google as the intermediary if they cannot influence
> what
> individuals running the project will do. I am scratching my head over and
> over
> and I can't see what it is.
> 
> Joshua:
> 
> I read the doc carefully. Few times. And I still am puzzled on what
> Tidelift provides
> to either individuals or stakeholders who want to pay those individuals for
> ASF
> projects. The processes are there, maintainers are there, responsible
> disclosure
> is there. Why stakeholders or ASF or individuals would need Tidelift as an
> intermediary ? I don't get it.
> 
> J.
> 
> 
> On Mon, Feb 28, 2022 at 7:30 PM Joshua Simmons 
> wrote:
> 
>> Good $localtime, folks! I just want to underscore a really important
>> section of the document I provided yesterday, as it seems this detail is
>> lost in the mix. Tidelift very deliberately does not direct development.
>> I'll remain on the sidelines here as y'all deliberate, but I want to make
>> sure we're operating from the same set of facts.
>> 
>> 
>> *Why Tidelift works with maintainers*
>> We want the open source projects used
>> by our customers—your downstream users—to be as healthy and secure as
>> possible. We believe this requires directly supporting maintainers and
>> their work, both financially and through providing tools and resources that
>> make it easier for them to be successful.
>> 
>> 
>> *What Tidelift expects from maintainers*
>> Maintainers provide two things to
>> our customers: information (licensing details, context on CVEs) and
>> continuity (comfort that the package is maintained and is highly likely to
>> continue to be maintained). We also expect maintainers to abide by a Code
>> of Conduct. Neither Tidelift nor our customers direct development of
>> Tidelift-supported packages.
>> 
>> 
>> *What Tidelift expects of projects*
>> We only work with projects that meet
>> certain standards: there must be a responsible vulnerability disclosure
>> process in place, and clear licensing metadata. While mature projects have
>> these standards in place, many of the open source projects we work with
>> have just 1 or 2 maintainers, and it’s not unusual for them to implement
>> these standards as part of preparing to work with us.
>> 
>> Some projects–such as those at the ASF–can’t implement those things on our
>> behalf due to policy constraints. Good news is that those projects tend to
>> already meet these standards! Our goal here is to promote good governance.
>> 
>> Josh Simmons (he/they), Sr. Ecosystem Strategy Lead @ Tidelift
>> 
>> @joshsimmons  |
>> joshua.simm...@tidelift.com
>> | bluesomewhere on IRC
>> TZ: US/Pacific; UTC-07:00 Mar-Nov; UTC-08:00 Nov-Mar
>> ad astra per aspera 🚀
>> 
>> 
>> On Mon, Feb 28, 2022 at 10:24 AM Jim Jagielski  wrote:
>> 
>>> Tidelift's model, which expects that maintainers do have direct and
>> almost
>>> unassailable control over a project, is not compatible with the Apache
>> Way.
>>> Tidelift's model works well with projects in which developers and
>>> maintainers can "do stuff" without worrying about building a consensus
>>> around whether or not their contributions are OK or not.
>>> 
>>> I'd like to see how that model and Apache could fit together, but I'm at
>> a
>>> loss to think about how. The main benefit that those

Re: Effective ways of getting individuals funded to work on ASF projects

2022-03-02 Thread Ralph Goers
My experience with vendors that employ people to work on ASF projects is that
they have their own internal processes that are separate from the ASF’s. For
example, as part of their product they might deliver Apache Foo for Acme Bar.
The version they ship might not exactly match what the ASF distributes.

Tidelift doesn’t deliver a product so has no way to achieve this.

That said, Tidelift certainly could provide resources to run the processes they
deem necessary and get the folks they are paying to execute those. But any
issues that are found would have to be resolved in the project, not in
something Tidelift distributes.

Ralph



> On Mar 2, 2022, at 6:10 PM, Dave Fisher  wrote:
> 
> The way this discussion is going makes me want to ask why should tidelift be 
> any different from a vendor that pays individuals to work on ASF projects as 
> part of their employment?
> 
> The same neutrality ought to apply. Why do we need to make a new 
> classification?
> 
> All the best,
> Dave
> 
> Sent from my iPhone
> 
>> On Mar 2, 2022, at 4:31 PM, Willem Jiang  wrote:
>> 
>> +1.
>> It will make the maintainer's life easier with this collected information.
>> When we bring the commercial support to the ASF project daily
>> development,  we still need to follow certain rules to avoid the
>> conflict with the Apache way we believed.
>> 
>> Willem Jiang
>> 
>> Twitter: willemjiang
>> Weibo: 姜宁willem
>> 
>>> On Thu, Mar 3, 2022 at 1:08 AM Jarek Potiuk  wrote:
>>> 
>>> Thanks Roman for the initiative. +1 on it.
>>> 
>>> I think this might allow us to focus on what we (ASF) think is really
>>> important and needed by the individuals who work on ASF projects, and set
>>> our boundaries and limits their individual approach as well as clear limits
>>> and boundaries for the organisations that would like to apply - and then
>>> let any entity who wants to help to see how they can fit-in.
>>> 
>>> Happy to help with hashing it out.
>>> 
>>> J.
>>> 
>>> On Wed, Mar 2, 2022 at 3:30 PM Bertrand Delacretaz 
>>> wrote:
>>> 
>>>> Hi,
>>>>
>>>> On Wed, Mar 2, 2022 at 15:19, Roman Shaposhnik wrote:
>>>>> ...Once we've collected that type of info -- we can then sort of "evaluate
>>>>> vendors" against that list and see what they are missing, etc. We can
>>>>> even issue a wide "call to apply" for various companies if we feel like it...
>>>>
>>>> +1, I like the idea!
>>>>
>>>> -Bertrand



Re: Where to Get an Updated Graphic with List of ASF Projects Logos

2022-08-22 Thread Ralph Goers
How does it pull them? While Logging Services doesn’t have a logo Log4j does 
but isn’t there.

Ralph

> On Aug 19, 2022, at 8:03 AM, Daniel Gruno  wrote:
> 
> On 19/08/2022 17.02, Sharan Foga wrote:
>> Excellent and thanks Daniel. This is exactly what I am looking for.
>> Just for info - is this refreshed automatically?  (I see the last modified 
>> date as today so guessing something is happening behind the scenes...)
> 
> 
> Yes, it rebuilds every night using the current projects and logos.
> 
>> Thanks
>> Sharan
>> On 2022/08/18 21:18:20 Daniel Gruno wrote:
>>> On 18/08/2022 22.54, sharanf wrote:
>>>> Hi All
>>>>
>>>> For Apachecon and other events we generally have a roll up banner with
>>>> the logos of all the projects under the ASF umbrella. We also have had
>>>> variations of these such as Incubator only projects. The current banners
>>>> we have are out of date so I'd like to know where I can get an updated
>>>> graphic of good enough quality to create and order a new banner.
>>> 
>>> See https://www.apache.org/logos/montages/
>>> 
 
>>>> As it's external facing I know that M&P need to approve it and in the
>>>> past I think it has been generated via various means (Daniel, Central
>>>> Services and Sally :-). I know we haven't had face to face events for a
>>>> while so it hasn't really mattered so much but as things open up we need
>>>> to ensure we have up to date banners that reflect our existing projects
>>>> - so my question is who is responsible for generating these type of
>>>> graphics that are being used as our official ASF ones? (as I'd like to
>>>> get an updated one for ApacheCon)
>>>>
>>>> Thanks
>>>> Sharan
 


Re: Tidelift

2022-10-31 Thread Ralph Goers
let everyone know that
>>>> we've taken the feedback from ASF community members across a variety of
>>>> threads and updated our agreements accordingly. For context, I've attached
>>>> a doc summarizing discussion as it stood back in February (including links
>>>> to other relevant threads and docs).
>>>> 
>>>> The blocker that was identified was Tidelift's "public notice requirement"
>>>> which in most projects would've required an action by the project as a
>>>> whole, counter to the (rightful) prohibition of directed development within
>>>> ASF-hosted projects.
>>>> 
>>>> To fix that, we added language to all of our agreements that makes it
>>>> clear: Tidelift will never ask maintainers to act in contravention with the
>>>> policies of their fiscal sponsor.
>>>> 
>>>> 
>>>> *> If your Project is formally part of a larger open source organization,
>>>> such a fiscal sponsor or other non-profit that provides technical
>>>> infrastructure to open source projects, Tidelift will not require you to
>>>> perform Services that are in conflict with any written requirements of that
>>>> organization.*
>>>> 
>>>> The full text of our updated agreement can be found here:
>>>> https://support.tidelift.com/hc/en-us/articles/4406309657876-Lifter-agreement
>>>> 
>>>> Our hope is that this removes a barrier between maintainers of ASF-hosted
>>>> projects and receiving income from downstream users through Tidelift to
>>>> support work which might otherwise go uncompensated.
>>>> 
>>>> If there are any other questions or concerns that folks have, please do
>>>> let me know! My role these days is entirely focused on making sure we're
>>>> addressing the needs of foundations like the Apache Software Foundation and
>>>> its member projects. I've also included co-founder Jeremy Katz on this
>>>> email, as doing right by foundations and the projects they host is a
>>>> priority for all of Tidelift.
>>>> 
>>>> Onward and upward,
>>>> Josh
>>>> 
>>>> Josh Simmons (he/they), Sr. Principal Foundations Advocate @ Tidelift
>>>> <https://tidelift.com/>
>>>> @joshsimmons <https://twitter.com/joshsimmons> |
>>>> joshua.simm...@tidelift.com | bluesomewhere on IRC
>>>> TZ: US/Pacific; UTC-07:00 Mar-Nov; UTC-08:00 Nov-Mar
>>>> ad astra per aspera 🚀
>>>> 
>>>> 
>>>> On 2022/01/11 21:49:59 Ralph Goers wrote:
>>>>> Hello all,
>>>>> 
>>>>> Recently the Logging Services PMC was approached by Tidelift offering to
>>>>> provide monetary support either to the project or individual committers. To
>>>>> obtain that sponsorship the project has to agree to the terms at
>>>>> https://support.tidelift.com/hc/en-us/articles/4406309657876-Lifter-agreement.
>>>>> It appears that Struts has accepted this already.
>>>>> 
>>>>> Some PMC members are interested in pursuing this but I am questioning a)
>>>>> whether the agreement conflicts with ASF practices and b) whether the legal
>>>>> agreement is too ambiguous. Two ASF members commented on the Logging
>>>>> Services private list that they had concerns about the agreement.
>>>>> 
>>>>> In response to these concerns I created
>>>>> https://issues.apache.org/jira/browse/LEGAL-593. The guidance there
>>>>> seemed to be that payment to the ASF by Tidelift would not be allowed but
>>>>> payment to individuals might be. No guidance on the agreement was provided.
>>>>> It was recommended I post here instead.
>>>>> 
>>>>> In looking for more clarification from Tidelift about their agreement
>>>>> and who could receive payment we received this response:
>>>>> 
>>>>> Great follow up question, you are spot on. Each of the
>>>>> individuals on the team page could become a lifter and the funds allocated
>>>>> for Log4j would be split between them.
>>>>> 
>>>>> Additional pieces of information to add nuance:
>>>>> 
>>