Hi Dennis,

I don't have objections to this topic, but I feel I need to make a few suggestions before this thread is either ignored or a confused mess.

(1) A long, official policy statement like this is best put into a wiki page where many can edit it and it can be an easy discussion and not a confused email mess that is started with something that is tl;dr. The maturity model was recently developed by the comdev participants on the wiki and email effectively. This document needs to be developed in the same way.

(2) Why is this cross posted to private and DEV? To do so implies that there is some other non-open discussion in parallel. You and I have run into unexpected results from this strange cross posting practice of yours (hi Simon).

(3) I think that working towards being able to release rather than patch as Patricia has suggested is our best way to solve the security issue. The quick patch is not much faster and has been proven to be more of a challenge than kick starting the broken build process.

Regards,
Dave

Sent from my iPhone

> On Sep 1, 2016, at 4:37 PM, Dennis E. Hamilton <orc...@apache.org> wrote:
>
> Here is what a careful retirement of Apache OpenOffice could look like.
>
> A. PERSPECTIVE
> B. WHAT RETIREMENT COULD LOOK LIKE
>    1. Code Base
>    2. Downloads
>    3. Development Support
>    4. Public-Project Community Interfaces
>    5. Social Media Presence
>    6. Project Management Committee
>    7. Branding
>
> A. PERSPECTIVE
>
> I have regularly observed that the Apache OpenOffice project has limited capacity for sustaining the project in an energetic manner. It is also my considered opinion that there is no ready supply of developers who have the capacity, capability, and will to supplement the roughly half-dozen volunteers holding the project together. It doesn't matter what the reasons for that might be.
>
> The Apache Project Maturity Model, <http://community.apache.org/apache-way/apache-project-maturity-model.html>, identifies the characteristics for which an Apache project is expected to strive.
>
> Recently, some elements have been brought into serious question:
>
> QU20: The project puts a very high priority on producing secure software.
> QU50: The project strives to respond to documented bug reports in a timely manner.
>
> There is also a litmus test which is kind of a red line. That is for the project to have a PMC capable of producing releases. That means that there are at least three available PMC members capable of building a functioning binary from a release-candidate archive, and who do so in providing binding votes to approve the release of that code.
>
> In the case of Apache OpenOffice, needing to disclose security vulnerabilities for which there is no mitigation in an update has become a serious issue.
>
> In responses to concerns raised in June, the PMC is currently tasked by the ASF Board to account for this inability and to provide a remedy. An indicator of the seriousness of the Board's concern is the PMC being requested to report to the Board every month, starting in August, rather than quarterly, the normal case. One option for remedy that must be considered is retirement of the project. The request is for the PMC's consideration among other possible options. The Board has not ordered a solution.
>
> I cannot predict how this will all work out. It is remiss of me not to point out that retirement of the project is a serious possibility.
>
> There are those who fear that discussing retirement can become a self-fulfilling prophecy. My concern is that the project could end with a bang or a whimper. My interest is in seeing any retirement happen gracefully. That means we need to consider it as a contingency. For contingency plans, no time is a good time, but earlier is always better than later.
>
>
> B. WHAT RETIREMENT COULD LOOK LIKE
>
> Here is a provisional list of all elements that would have to be addressed, over a period of time, as part of any retirement effort.
>
> In order to understand what would have had to happen in a graceful process, the assumption below is that the project has already retired.
>
> Requests for additions and adjustments to this compilation are welcome.
>
> 1. CODE BASE
>
> 1.1 The Apache OpenOffice Subversion repository where code is maintained has been moved to "The Attic." Apache Attic is an actual project, <http://attic.apache.org/>. The source code would remain available and could be checked-out from Subversion by anyone interested in making use of it. There is no means of committing changes.
>
> 1.2 Apache Externals/Extras consists of external libraries that are relied upon by the source code but are not part of the source code. These were housed on SourceForge and elsewhere. (a) They might have been archived in conjunction with the SVN (1.1). (b) They might be identified in a way that someone attempting to build from source later on would be able to work with later versions of the external dependencies. There are additional external dependencies that might have become obsolete.
>
> 1.3 Build Dependencies/Tool Chains. The actual construction of the released binaries depends on particular versions of specific tools that are used for carrying out builds of binaries from the source. The dependencies as they last were used are identified in a historical location. Some of the tools and their use become obsolete over time.
>
> 1.4 GitHub Mirror. For the GitHub Mirror of the Apache OpenOffice SVN (a) pull requests are not accepted. (b) Continuation of the presence of the GitHub repository might be shut down at some point depending on GitHub policy and ASF support.
>
> 2. DOWNLOADS
>
> 2.1 The source code releases, patches, and installable binaries are all retained in the archive system that is already maintained. There are no further additions.
>
> 2.2 The downloading of full releases is supported on the SourceForge mirroring system.
> There are no new downloads. How long until SourceForge retires its support for downloads is not predictable (and see 4.3).
>
> 2.3 The Apache OpenOffice Extensions and Templates system is an independent arrangement hosted and curated on SourceForge. Whether and how long the download service is preserved by SourceForge is not predictable.
>
> 2.4 The mechanism for announcing updates to installed versions of OpenOffice binaries is adjusted to indicate that (a) particular versions are no longer supported. (b) For the latest distribution(s), there may be advice to users about investigating still-supported alternatives.
>
> 3. DEVELOPMENT SUPPORT
>
> 3.1 The Apache OpenOffice Bugzilla is mirrored in The Attic. The Bugzilla is read-only and preserved for historical purposes.
>
> 3.2 The Pootle materials used for the development of localizations are exported and archived.
>
> 3.3 The Confluence Wiki operated by the project is preserved in a read-only state: <https://cwiki.apache.org/confluence/display/OOOUSERS/>.
>
> 3.4 The commits@ and issues@ mailing lists are shut down although archived.
>
> 4. PUBLIC PROJECT-COMMUNITY INTERFACES
>
> 4.1 All public discussion mailing lists are shut down. They are all archived and accessible from The Attic.
>
> 4.2 The dev@ list was the last to shut down, having been used during orchestration of the retirement.
>
> 4.3 The http://openoffice.org site is static and uneditable. The CMS functions for contribution to the site are disabled. Over the course of retirement, key pages of the site were updated to reflect the retirement activity and to eventually end some of the functions, such as information on how to contribute, how to obtain the software, how to obtain help, branding requirements, etc.
>
> 4.4 The Wikimedia subsite of openoffice.org is read-only and static. No contributions or edits can be made.
> At some point, the Wikimedia server will need to be shut down and (a) the server is shut down/moved with openoffice.org indicating that the wiki is unavailable. (b) Only a static form of the pages is provided. (c) Alternative hosting and rebranding is achieved.
>
> 4.5 The OpenOffice Community Forums were semi-autonomous. (a) The server is retired. (b) The site is rehosted and rebranded by agreement with the Apache OpenOffice project and the ASF.
>
>
> 5. SOCIAL MEDIA PRESENCE
>
> 5.1 The Apache Planet OpenOffice Blog is terminated with the announcement that Retirement is complete.
>
> 5.2 The Twitter account is terminated.
>
> 5.3 Any Facebook page under control of the project is closed.
>
> 5.4 The announce@ list is terminated and archived with the announcement of Retirement completion.
>
>
> 6. PROJECT MANAGEMENT COMMITTEE
>
> 6.1 With completion of the retirement, the private@ and security@ openoffice.org lists were shut down (although archived as are all such lists).
>
> 6.2 The Project Management Committee is disbanded and the Chair is relieved.
>
> 6.3 There is no longer any identified operation for continuation of the project except as specified for The Attic.
>
>
> 7. BRANDING
>
> 7.1 With the cessation of releases, it is made widely known that official releases other than the last ones provided by the project are not the work of Apache OpenOffice and any claimed association, justification for charge of fees and for carrying of advertising are not in support of the Apache OpenOffice project. This notification will also be made to those organizations that carry offerings to the contrary (e.g., eBay).
>
> 7.2 There is no point of contact, other than branding@ apache.org, for request to make use of the brands.
>
> 7.3 There is no active attention to preservation of the trademarks related to Apache OpenOffice.
> (a) Inappropriate use of Apache and its symbols in names of offerings will be defended when brought to the attention of branding@. (b) Uses of OpenOffice, Open Office, openoffice.org and other similarities without attribution to Apache are not addressed.
>
> *** end of the list as of 2016-09-01 ***