[Board] incubation and risk

Mattmann, Chris A (3980) chris.a.mattmann at jpl.nasa.gov
Sun Oct 5 23:13:29 PDT 2014

Guys, if the Projects (or in ASF parlance, PMCs) are responsible
for doing code audits, I would love to encourage you to check out
a Distributed Code Audit Tool (DRAT, Distributed Release Audit
Tool) that we have been baking up in my team.

I intend to bring it to the Apache Software Foundation as a project
and am working on the necessary approvals to get that done,
but it's free and easy/able to use for projects in OSGeo too, and
we have been working with it for over a year now. It builds and
expands upon the Apache Release Audit Tool (RAT) and makes it a
lot more expressive and scalable.

Just saw this thread and thought I'd chime in since I saw that
projects/PMCs are responsible from the OSGeo sense in checking
this and thought I'd point them at this tool:



Chris Mattmann, Ph.D.
Chief Architect
Instrument Software and Science Data Systems Section (398)
NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA
Office: 168-519, Mailstop: 168-527
Email: chris.a.mattmann at nasa.gov
WWW:  http://sunset.usc.edu/~mattmann/
Adjunct Associate Professor, Computer Science Department
University of Southern California, Los Angeles, CA 90089 USA

-----Original Message-----
From: Jody Garnett <jody.garnett at gmail.com>
Date: Tuesday, September 30, 2014 at 4:08 PM
To: "board at lists.osgeo.org" <board at lists.osgeo.org>
Subject: [Board] incubation and risk

>One nice thing coming out of foss4g presentation and discussion has been
>additional questions about incubation, offers to help on the incubation
>list and a few good questions.
>I have gotten a couple questions about incubation and risk from potential
>mentors worried about liability. In response to one of these off-list
>questions I have been asked to bounce the current state of play off the
>board list.
>My understanding is that OSGeo does not provide a formal code audit. We
>ask that the software be made available under an open source license, and
>we ask projects themselves to perform a minimal sanity check on their
>codebase (basically checking the headers and listing known
>problems - preferably in an issue tracker).
>Our OSGeo badged software is thus use-at-your-own-risk (indeed the open
>source licenses all make that pretty clear).
>The advantage of incubation:
>- the board has some assurance a project is open source before we
>consider any promotion
>- with a list of known problems, potential users have a head start
>for their own audit/risk assessment
>So the question from off-list is this:
>- Checking that board members understand the current state of play
>- Sanity check that OSGeo, and importantly project mentors, are not being
>exposed to liability
>My own experience of incubation was mentors acting as a guide to what
>resources are available. Be that an example of how other projects
>managed, or putting us in contact with free software foundation or
>similar as required.
>Jody Garnett
