Hi,

On Mon, Feb 28, 2022 at 21:15, Jarek Potiuk <ja...@potiuk.com> wrote:

> ...Proposal:
> I think we all agree that ASF meets the criteria of Tidelift already.
> Why don't Tidelift (in the places where open-source projects included are
> listed) explain that ASF projects meet the criteria, and anyone is free
> to deal directly with the committers of all ASF projects directly...

I'd say we all agree that *in theory* ASF projects meet Tidelift's
criteria, quoting from earlier in this thread, with my own numbering
added:

On Mon, Feb 28, 2022 at 19:30, Joshua Simmons
<joshua.simm...@tidelift.com> wrote:
> ...*What Tidelift expects from maintainers* Maintainers provide two things to
> our customers: (1) information (licensing details, context on CVEs) and
> (2) continuity (comfort that the package is maintained and is highly likely to
> continue to be maintained). We also expect maintainers (3) to abide by a Code
> of Conduct....

I think for (3) we're good, the ASF will intervene if projects are not ok.

But for (1) and (2) I think the ASF *wants* our projects to be good
citizens, and we work towards that and support them, but entities such
as Tidelift or others could add value by measuring and reporting what
actually happens.

Does Apache FOO actually provide good information on security issues and CVEs?
Timely response? What's their average/min/max response time, how many
"in-flight" CVEs?
Does Apache FOO release often enough? Maybe based on project maturity
categories, new, established, mostly dormant etc.

We could of course measure these things ourselves, and we do have some data.

But I think having external entities provide factual data on how well
our projects are doing can be useful, and for customers of Tidelift
and the like that certainly has value.

Whatever mechanism our contributors use to finance themselves, having
information on which projects are most worthy of trust can help end
users select and finance the right projects and people.

-Bertrand
