Hi all,

On 27.10.2025 11:47, Gary Gregory wrote:
> This is a poll to gauge the waters for CTR.

To summarize the discussion so far: most PMC members seem comfortable with our current policy, which allows trusted users to commit code directly, even though this leaves us without a clear, auditable review trail.

However, unlike Log4j, Commons projects publicly publish OpenSSF Scorecard results (e.g. [1]), which implies that we’re paying attention to them: otherwise, why publish them at all?

One of the key Scorecard checks is “Code-Review,” which (contrary to its brief documentation) is calculated as the ratio of *approved commits to total commits*, excluding Dependabot merges (see [2] and [3] for details).

Would it make sense to define a minimum acceptable score for Commons projects in this category, say, at least 20% of commits provably reviewed?

Currently, the check doesn’t distinguish between users with write access and others; it simply looks for approval from any *human* other than the author and ignores commits made by bots.

Since Scorecard is open source, we could consider contributing improvements, for example, teaching it to recognize post-merge approvals in the form of “LGTM” comments on commits.

What do you think?

Piotr

[1] https://scorecard.dev/viewer/?uri=github.com/apache/commons-lang
[2] https://github.com/ossf/scorecard/blob/main/probes/codeApproved/impl.go
[3] https://github.com/ossf/scorecard/blob/main/checks/evaluation/code_review.go
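The Code-Review rule as the message describes it (approved commits divided by total commits, bot-authored commits excluded, approval meaning any human other than the author), modelled as an added Go example. This is not Scorecard's own code (the real probe is the linked impl.go) and it is not Commons project code: the Commit and Comment types, the commit history, the "[bot]" login-suffix heuristic for spotting bots, and the optional "LGTM"-prefixed post-merge comment rule from the proposed improvement are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Comment is a post-merge commit comment; only the hypothetical LGTM extension reads it.
type Comment struct {
	Login string
	Body  string
}

// Commit is a reduced view of a repository commit holding just the fields
// the Code-Review rule needs. Constructed for this example.
type Commit struct {
	SHA       string
	Author    string
	Approvers []string  // logins that approved the change before merge
	Comments  []Comment // comments left on the commit after merge
}

// isBot mirrors the "ignore bots" rule. GitHub app accounts carry a "[bot]"
// suffix; treating the plain "dependabot" login as a bot too is an assumption.
func isBot(login string) bool {
	return strings.HasSuffix(login, "[bot]") || login == "dependabot"
}

// humanOtherThanAuthor reports whether login is a person who is not the author.
// Note that write access is deliberately not consulted, matching the message.
func humanOtherThanAuthor(login, author string) bool {
	return login != "" && login != author && !isBot(login)
}

// approved implements "approval from any human other than the author".
// When acceptLGTM is true it additionally accepts a post-merge comment whose
// text starts with "LGTM" (the proposed improvement; assumed, not current behaviour).
func approved(c Commit, acceptLGTM bool) bool {
	for _, a := range c.Approvers {
		if humanOtherThanAuthor(a, c.Author) {
			return true
		}
	}
	if !acceptLGTM {
		return false
	}
	for _, cm := range c.Comments {
		body := strings.ToUpper(strings.TrimSpace(cm.Body))
		if humanOtherThanAuthor(cm.Login, c.Author) && strings.HasPrefix(body, "LGTM") {
			return true
		}
	}
	return false
}

// CodeReviewRatio returns approved/total over the commits whose author is not
// a bot, so bot-made commits such as Dependabot merges leave both the
// numerator and the denominator. An empty history yields a ratio of 0.
func CodeReviewRatio(commits []Commit, acceptLGTM bool) (approvedN, total int, ratio float64) {
	for _, c := range commits {
		if isBot(c.Author) {
			continue
		}
		total++
		if approved(c, acceptLGTM) {
			approvedN++
		}
	}
	if total == 0 {
		return 0, 0, 0
	}
	return approvedN, total, float64(approvedN) / float64(total)
}

// MeetsMinimum is the policy gate: the ratio must reach the agreed floor.
func MeetsMinimum(ratio, minimum float64) bool {
	return ratio >= minimum
}

// SampleCommits is a constructed history covering each case the rule must handle.
func SampleCommits() []Commit {
	return []Commit{
		{SHA: "a1", Author: "dependabot[bot]", Approvers: []string{"alice"}},                      // bot author: excluded entirely
		{SHA: "b2", Author: "alice", Approvers: []string{"bob"}},                                  // reviewed by another human
		{SHA: "c3", Author: "bob", Approvers: []string{"bob"}},                                    // self-approval does not count
		{SHA: "d4", Author: "carol", Comments: []Comment{{Login: "alice", Body: "LGTM, thanks"}}}, // post-merge LGTM only
		{SHA: "e5", Author: "dave"},                                                               // never reviewed
	}
}

func main() {
	for _, lgtm := range []bool{false, true} {
		a, t, r := CodeReviewRatio(SampleCommits(), lgtm)
		fmt.Printf("acceptLGTM=%v: %d/%d approved, ratio %.2f, meets 20%%: %v\n",
			lgtm, a, t, r, MeetsMinimum(r, 0.20))
	}
}
```

Running it shows why the bot exclusion matters for the proposed floor: of the five constructed commits only four count, one of them is approved under today's rule (25%), and accepting LGTM comments lifts that to two of four (50%). Self-approval is correctly ignored in both modes.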
