The security bits are also detailed in all the repositories already by default at the org level, e.g. https://github.com/apache/activemq-artemis/?tab=security-ov-file (or repositories can define their own policy, e.g. https://github.com/apache/activemq/?tab=security-ov-file#readme). Though we can of course make references to it clearer.
On Tue, 16 Apr 2024 at 17:48, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>
> Hi Matt
>
> Imho, we are mixing two topics here:
> 1. The ticket management system
> 2. The contribution guide
>
> So, let me try to clarify:
>
> [PROPOSAL]
>
> I'm in favor of GH Issues, but we don't yet have a strong consensus about that. I would propose a new thread about that to give a chance to anyone to speak, and move to a vote.
>
> [README/CONTRIBUTION GUIDE]
>
> First, ICLA is not strictly required before committership (the Apache 2.0 license already covers contributors; it has been discussed on LEGAL Jira).
> Second, you don't report security issues on a mailing list, you go to secur...@apache.org.
> Explaining how to report an issue, create a PR, contribute (e.g. contribution guide) is fine and welcome.
>
> Regards
> JB
>
> On Tue, Apr 16, 2024 at 5:37 PM Matt Pavlovich <mattr...@gmail.com> wrote:
> >
> > @dev-
> >
> > I appreciate all the good feedback and discussion. A number of good points, suggestions and perspectives. Overall, I see an uptick in community interest in contributing to ActiveMQ and that's a great thing! I believe that modernizing the toolkit, reducing contribution friction and lowering load on committers/PMC will help keep the community healthy going forward =).
> >
> > I've made a pass at summarizing the points and take-aways from the [DISCUSS] thread below. Please reply with suggested add/edit/removes.
> >
> > [Key community Use Cases]
> >
> > UC-1. Issue - User opens an Issue and may or may not intend (or be able) to produce a PR to address the report.
> >
> > UC-2. PR-only - User opens a PR without an Issue to address their requested fix.
> >
> > UC-3. Security report - User identifies a security issue and needs to report it.
> >
> > [Proposal]
> >
> > Action-1. Enable GH issues and flip JIRA to read-only
> >
> > Action-2. Update README in repo to be more of a 'how to engage with the community' vs a project overview
> >
> > [Update README document to include]
> >
> > Update-1. Provide a link for users to create an issue
> >
> > Update-2. Provide a link to the mailing list for reporting a security issue
> >
> > Update-3. Provide a link for users to submit a CLA
> >
> > [Committer/PMC operating]
> >
> > Op-A. For use case #2 where user creates a PR without an issue, before approval committer/pmc may instruct contributor to provide signed CLA and open a corresponding issue if the complexity warrants. The PR comment can then be updated with the issue id for reference and linking.
> >
> > Op-B. Use of GH Project(s) for planning and tracking Issue & PR for releases.
> >
> > Thanks,
> > Matt Pavlovich