[QGIS-Developer] Urgent review of github rules and policies required! (was: Nomination for Benoit de Mezzo and Jean Felder as QGIS core committers)

Sun Feb 9 16:45:56 PST 2025

On Sat, 8 Feb 2025 at 21:28, Saber Razmjooei via QGIS-PSC <
qgis-psc at lists.osgeo.org> wrote:
>
> Hi,
>
> Nothing against this nomination but I remember the discussion for
becoming a core contributor was raised before with the PSC and it was
agreed the current method is not ideal and should be reviewed. There was a
plan to formalise the process. There were concerns about security,
rationale to have write access, number of contributors from an entity, ...
but I have not seen the discussions on that. Similar to QEP, I think this
process also would benefit from formalisation.

(I'm splitting this off to a new thread so as not to hijack the original,
which should instead be focused on Benoit's/Jean's contributions and
achievements. They are both wonderful QGIS developers and I don't want any
of the following to be mis-interpreted as anything to do with these two
contributors in any way, or as blocking their nominations under the current
policies/processes!)

That said: I strongly believe that we are overdue for an URGENT review of
how we handle "core contributors" and git commit rights.

This topic was raised some time ago in this thread:
https://lists.osgeo.org/pipermail/qgis-psc/2020-June/008895.html , but
unfortunately the discussion did not lead to any concrete policy changes.

That thread swings between a whole lot of different ideas/topics, but the
main pressing concern I have right now is that we have NO formal policy or
process for "sunsetting" developers we have previously given commit rights
to. This is a very large security risk -- we have developers who have not
contributed to the project (or other open source geo projects) in years,
but who still have full commit rights to our code repository.

So, as an urgent band-aid fix to this, I would like to propose the
following:

1. We amend
https://web.archive.org/web/20240116120206/https://qgis.org/en/site/getinvolved/development/contributor_requirements.html
(i can't find where this page was moved to on the new website!! 🤣) to add
a term:

"I agree to immediately notify the QGIS project in the case of a change in
job position or personal circumstances which means that I am unlikely to
continue regular contributions to QGIS. I understand that my commit rights
may be revoked at this time."

2. We make a policy that after 12 months without significant code
contributions to QGIS, a developer's commit rights will be revoked. (That
developer is obviously still able to contribute to QGIS, review code, send
in pull requests, etc... they just won't have merge rights themselves
anymore). These rights can be resurrected when regular contributions
re-commence. A good example of this would be Paul Blottiere -- he's no
longer involved directly in QGIS development, but does still respond when
pinged on code related questions. He does not need and should not have
direct commit rights anymore. This is NOT a reflection on his abilities,
committment or anything -- it's just plugging a security hole in our
processes.[1] (For reference, of the 39 developers who currently have
direct commit rights, 12 have not committed to the repo in 2 years or
more!).

3. We make some pro-active policy for handling "bad actors". This might be
as simple as adding "I understand that at any stage PSC my act to remove my
commit rights", and document somewhere that in extreme cases PSC has this
right.

And then the next issue 😬... we have people who were nominated for core
committer status over the last couple of years but who NEVER received this
status, I think because of the  current uncertainty in the whole process.
Specifically I'm thinking of Andrea Giudiceandrea, who was nominated in
Aug 2023. Andrea is SOO extremely valuable to the project, and I would hate
to think that there's any ill-will or risk of resentment because of this.
What do we need to do to move forward with Andrea's nomination?

Nyall

[1] If we did this, the following developers would lose direct commit
rights:
- luipir (last commit Feb 2021)
- volaya (last commit May 2020)
- mhugo (last commit Oct 2019)
- slarosa (last commit Jan 2021)
- etiennesky (last commit 2015)
- PeterPetrik (last commit Nov 2022)
- kyngchaos (last commit Mar 2020)
- pcav (last commit Mar 2019)
- blazek (last commit Feb 2020)
- ccrook (last commit Jan 2018)
- sbrunner (last commit Jan 2022)
- pka (last commit Jan 2015)

>
> Kind regards
> Saber
>
> On Fri, 7 Feb 2025, 15:05 Even Rouault via QGIS-Developer, <
qgis-developer at lists.osgeo.org> wrote:
>>
>> Hi PSC,
>>
>> I'd like to propose that Benoit de Mezzo
>> (https://github.com/benoitdm-oslandia) and Jean Felder
>> (https://github.com/ptitjano) are granted core committer rights.
>>
>> They have been active on QGIS development for 3 years now, especially on
>> the 3D part and also on server, contributing interesting features and
>> fixes, on particularly tedious areas.
>> They also proved their capability to listen and integrate feedback into
>> their work. They showed their dedication to quality of the code and
>> contribution process.
>> They also actively contribute to PR reviews and general community effort.
>> They are willing to stay involved with the QGIS project and continue to
>> be active contributors.
>> I believe it is time to acknowledge their continuous involvement in the
>> project.
>>
>> Even
>>
>> --
>> http://www.spatialys.com
>> My software is free, but my time generally not.
>>
>> _______________________________________________
>> QGIS-Developer mailing list
>> QGIS-Developer at lists.osgeo.org
>> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>
> _______________________________________________
> QGIS-PSC mailing list
> QGIS-PSC at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/qgis-psc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-developer/attachments/20250210/dba5ed60/attachment-0001.htm>