Hello Christoph-

Again, the issue isn't a complaint. OPS4J simply does not have verification 
of developer identity. More contributions or donations won't solve that. 
Even the most staunch open source projects (i.e. Debian) require verification 
of developer ID. 

Thank you,
Matt

On Monday, March 28, 2022 at 12:18:32 AM UTC-5 laeubi wrote:

> I can only encourage everyone that gets "complaints" or "concerns" from "big 
> business" or even single users to tell them to simply start 
> contributing to or funding OS projects they depend on:
>
> participation/review/testing (especially upcoming versions) is the best 
> way to mitigate "supply-chain-attacks" instead of hoping there is any 
> "governance" doing this for them for free...
>
> On 25.02.22 at 11:39, Jean-Baptiste Onofré wrote:
> > Thanks all for your comment.
> > 
> > Fair discussion. I agree with you, just wanted to have this open
> > discussion and share some messages I received.
> > 
> > Let's keep PAX as it is, at OPS4J.
> > 
> > Thanks
> > Regards
> > JB
> > 
> > On Fri, Feb 25, 2022 at 11:34 AM Łukasz Dywicki <[email protected]> wrote:
> >>
> >> I see a problem similar to Achim. We still haven't heard anything about
> >> solving a community trouble. We definitely do not solve a trouble of the
> >> ops4j community, which probably does not overlap 100% with Karaf. We may be
> >> solving some trouble for the Karaf community, however we are probably asking about
> >> shifting even more work onto an already small set of people working on it.
> >> We hear concerns, which might or might not be justified. I don't think
> >> they are, since there is no record of any malicious activities made by
> >> people contributing to ops4j/pax.
> >> The people who are mainly contributing to these projects are well known
> >> (Grzegorz, JB, Achim), external contributions are coming over pull
> >> requests, just like they would come to the ASF, so why should we be
> >> moving around sources? As far as I remember, the ASF does not scan IDs of their
> >> contributors, so it can't guarantee the identity of people behind
> >> contributions either. Back at the time I was signing my agreement I
> >> was sending it by online fax service, so verification was very mild.
> >> While GPG keys are some kind of resort, a lot of people (including
> >> myself) have a self-signed key, which is as good as the ssh key I use to
> >> push things to git.
> >>
> >> The big customers can become part of the community if they wish, no matter
> >> where the project is hosted - at GitHub or at the ASF. So far it seems to me
> >> that they are asking for a favor without giving anything back to
> >> the communities which will be affected.
> >>
> >> Best,
> >> Łukasz
> >>
> >> On 25.02.2022 08:43, Achim Nierbeck wrote:
> >>> Hi,
> >>>
> >>> I'm sorry to be a PITA :)
> >>> What I've read so far has been feelings, one concern of perception by "big"
> >>> customers.
> >>> I would really like to know which problem we are trying to solve by moving
> >>> the pax projects under the umbrella of Karaf.
> >>> Or, what I personally would favor, under their own TLP of the ASF.
> >>>
> >>> Just to clarify, I'm trying the 5 W's here ...
> >>> Why do you think it's a good idea to move the Pax Projects under the karaf
> >>> umbrella?
> >>> Why do you think customers have a wrong perception of the Pax Projects ...
> >>> and so on ...
> >>>
> >>>
> >>> What is the core issue we are trying to solve here?
> >>> As long as I don't get down to the core thing that needs to be solved I'm
> >>> not in favor of moving the pax projects anywhere.
> >>>
> >>> Again sorry if I'm a PITA.
> >>>
> >>> regards, Achim
> >>>
> >>>
> >>>
> >>> On Thu, 24 Feb 2022 at 22:44, Eric Lilja <[email protected]> wrote:
> >>>
> >>>> Personally, I would love to see this change and the other people in my
> >>>> organization liked the proposal as well.
> >>>>
> >>>> - Eric L
> >>>>
> >>>> On Thu, Feb 24, 2022 at 3:04 PM Jean-Baptiste Onofré <[email protected]>
> >>>> wrote:
> >>>>
> >>>>> Hi guys,
> >>>>>
> >>>>> Some of you already pinged me to share concerns about PAX projects
> >>>>> governance. I think it's my duty to share these concerns and discuss
> >>>>> possible actions.
> >>>>>
> >>>>> Apache Karaf is one of the biggest consumers of PAX projects.
> >>>>>
> >>>>> However, PAX projects use a "self own" designed governance:
> >>>>> - for contribution/IP
> >>>>> - for release
> >>>>> - for CVE/Security
> >>>>> - ...
> >>>>>
> >>>>> And it could be seen as a major concern for Apache Karaf users, as PAX
> >>>>> projects are not necessarily "aligned" with Apache Foundation rules.
> >>>>>
> >>>>> I would like to start a discussion on both Karaf and OPS4J communities
> >>>>> to "move" PAX projects as a Karaf subproject (like karaf-pax).
> >>>>> Concretely, it would mean that:
> >>>>> 1. Karaf PAX projects would use org.apache.karaf.pax namespace
> >>>>> 2. Karaf PAX releases will have to follow the Apache release process
> >>>>> (binding votes, 3 days vote period, ...)
> >>>>> 3. Any active contributor on PAX projects would be invited as Karaf
> >>>>> committer
> >>>>>
> >>>>> Thoughts?
> >>>>>
> >>>>> Regards
> >>>>> JB
> >>>>>
> >>>>
> >>>
> >>>
> >>
> >> --
> >> --
> >> ------------------
> >> OPS4J - http://www.ops4j.org - [email protected]
> >>
> >> ---
> >> You received this message because you are subscribed to the Google Groups "OPS4J" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> To view this discussion on the web visit https://groups.google.com/d/msgid/ops4j/5ff43da6-8d5f-43f4-e6e6-86af4fb162b9%40code-house.org.
> > 
>
