Robbie/JB- Good call outs, thanks! I did not mean to skew into the contribution guide as far as I did. I will take a pass at cleaning up.
Thanks,
Matt

> On Apr 16, 2024, at 11:56 AM, Robbie Gemmell <robbie.gemm...@gmail.com> wrote:
>
> The security bits are also detailed in all the repositories already by default at the org level, e.g. https://github.com/apache/activemq-artemis/?tab=security-ov-file (or repositories can define their own policy, e.g. https://github.com/apache/activemq/?tab=security-ov-file#readme ). Though we can of course make references to it clearer.
>
> On Tue, 16 Apr 2024 at 17:48, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>>
>> Hi Matt
>>
>> Imho, we are mixing two topics here:
>> 1. The ticket management system
>> 2. The contribution guide
>>
>> So, let me try to clarify:
>>
>> [PROPOSAL]
>>
>> I'm in favor of GH Issues, but we don't yet have a strong consensus about that. I would propose a new thread about that to give a chance to anyone to speak, and move to a vote.
>>
>> [README/CONTRIBUTION GUIDE]
>>
>> First, an ICLA is not strictly required before committership (the Apache 2.0 license already covers contributors; it has been discussed on LEGAL Jira).
>> Second, you don't report security issues on a mailing list, you go to secur...@apache.org.
>> Explaining how to report an issue, create a PR, contribute (e.g. a contribution guide) is fine and welcome.
>>
>> Regards
>> JB
>>
>> On Tue, Apr 16, 2024 at 5:37 PM Matt Pavlovich <mattr...@gmail.com> wrote:
>>>
>>> @dev-
>>>
>>> I appreciate all the good feedback and discussion. A number of good points, suggestions and perspectives. Overall, I see an uptick in community interest in contributing to ActiveMQ and that's a great thing! I believe that modernizing the toolkit, reducing contribution friction and lowering load on committers/PMC will help keep the community healthy going forward =).
>>>
>>> I've made a pass at summarizing the points and take-aways from the [DISCUSS] thread below. Please reply with suggested adds/edits/removes.
>>>
>>> [Key community Use Cases]
>>>
>>> UC-1. Issue - User opens an Issue and may or may not intend (or be able) to produce a PR to address the report.
>>>
>>> UC-2. PR-only - User opens a PR without an Issue to address their requested fix.
>>>
>>> UC-3. Security report - User identifies a security issue and needs to report
>>>
>>>
>>> [Proposal]
>>>
>>> Action-1. Enable GH Issues and flip JIRA to read-only
>>>
>>> Action-2. Update README in repo to be more of a 'how to engage with the community' vs a project overview
>>>
>>>
>>> [Update README document to include]
>>>
>>> Update-1. Provide a link for users to create an issue
>>>
>>> Update-2. Provide a link to the mailing list for reporting a security issue
>>>
>>> Update-3. Provide a link for users to submit a CLA
>>>
>>>
>>> [Committer/PMC operating]
>>>
>>> Op-A. For use case #2 where a user creates a PR without an issue, before approval the committer/PMC may instruct the contributor to provide a signed CLA and open a corresponding issue if the complexity warrants. The PR comment can then be updated with the issue id for reference and linking.
>>>
>>> Op-B. Use of GH Project(s) for planning and tracking Issues & PRs for releases.
>>>
>>> Thanks,
>>> Matt Pavlovich