[QGIS-Developer] [Qgis-psc] Urgent review of github rules and policies required! (was: Nomination for Benoit de Mezzo and Jean Felder as QGIS core committers)

Loic Bartoletti loic.bartoletti at oslandia.com
Sun Feb 9 23:00:25 PST 2025


Hi,
Thank you Nyall for raising this topic again regarding the management of commit rights in QGIS.
I fully support this proposal, which I find particularly relevant for the security and sustainability of the project. Having observed similar policies in other major open source projects, the 12-month inactivity period seems to be a reasonable and balanced timeframe.
As you point out, it's important to note that activity is not solely measured by direct commits, but encompasses all significant contributions to the project (code reviews, participation in technical discussions, etc.).
In addition to describing the points I'm in favor of, I think it's important to write down the policies with a dedicated page. Inspired by different projects/ideas, I've made a first draft, in the attached markdown. Feel free to adapt/improve...

Loïc

(In this thread, I won't write about nomination.)

On Monday, February 10, 2025 01:45 CET, Nyall Dawson via QGIS-PSC <qgis-psc at lists.osgeo.org> wrote:
On Sat, 8 Feb 2025 at 21:28, Saber Razmjooei via QGIS-PSC <qgis-psc at lists.osgeo.org> wrote:
>
> Hi,
>  
> Nothing against this nomination but I remember the discussion for becoming a core contributor was raised before with the PSC and it was agreed the current method is not ideal and should be reviewed. There was a plan to formalise the process. There were concerns about security, rationale to have write access, number of contributors from an entity, ... but I have not seen the discussions on that. Similar to QEP, I think this process also would benefit from formalisation.

(I'm splitting this off to a new thread so as not to hijack the original, which should instead be focused on Benoit's/Jean's contributions and achievements. They are both wonderful QGIS developers and I don't want any of the following to be mis-interpreted as anything to do with these two contributors in any way, or as blocking their nominations under the current policies/processes!)

That said: I strongly believe that we are overdue for an URGENT review of how we handle "core contributors" and git commit rights.

This topic was raised some time ago in this thread: https://lists.osgeo.org/pipermail/qgis-psc/2020-June/008895.html , but unfortunately the discussion did not lead to any concrete policy changes.

That thread swings between a whole lot of different ideas/topics, but the main pressing concern I have right now is that we have NO formal policy or process for "sunsetting" developers we have previously given commit rights to. This is a very large security risk -- we have developers who have not contributed to the project (or other open source geo projects) in years, but who still have full commit rights to our code repository.

So, as an urgent band-aid fix to this, I would like to propose the following:

1. We amend https://web.archive.org/web/20240116120206/https://qgis.org/en/site/getinvolved/development/contributor_requirements.html (I can't find where this page was moved to on the new website!! 🤣) to add a term: "I agree to immediately notify the QGIS project in the case of a change in job position or personal circumstances which means that I am unlikely to continue regular contributions to QGIS. I understand that my commit rights may be revoked at this time."

2. We make a policy that after 12 months without significant code contributions to QGIS, a developer's commit rights will be revoked. (That developer is obviously still able to contribute to QGIS, review code, send in pull requests, etc... they just won't have merge rights themselves anymore). These rights can be resurrected when regular contributions re-commence. A good example of this would be Paul Blottiere -- he's no longer involved directly in QGIS development, but does still respond when pinged on code related questions. He does not need and should not have direct commit rights anymore. This is NOT a reflection on his abilities, commitment or anything -- it's just plugging a security hole in our processes.[1] (For reference, of the 39 developers who currently have direct commit rights, 12 have not committed to the repo in 2 years or more!).

3. We make some pro-active policy for handling "bad actors". This might be as simple as adding "I understand that at any stage PSC may act to remove my commit rights", and document somewhere that in extreme cases PSC has this right.

And then the next issue 😬... we have people who were nominated for core committer status over the last couple of years but who NEVER received this status, I think because of the current uncertainty in the whole process. Specifically I'm thinking of Andrea Giudiceandrea, who was nominated in Aug 2023. Andrea is SOO extremely valuable to the project, and I would hate to think that there's any ill-will or risk of resentment because of this. What do we need to do to move forward with Andrea's nomination?

Nyall

[1] If we did this, the following developers would lose direct commit rights:
- luipir (last commit Feb 2021)
- volaya (last commit May 2020)
- mhugo (last commit Oct 2019)
- slarosa (last commit Jan 2021)
- etiennesky (last commit 2015)
- PeterPetrik (last commit Nov 2022)
- kyngchaos (last commit Mar 2020)
- pcav (last commit Mar 2019)
- blazek (last commit Feb 2020)
- ccrook (last commit Jan 2018)
- sbrunner (last commit Jan 2022)
- pka (last commit Jan 2015)

>
> Kind regards
> Saber
>
> On Fri, 7 Feb 2025, 15:05 Even Rouault via QGIS-Developer, <qgis-developer at lists.osgeo.org> wrote:
>>
>> Hi PSC,
>>
>> I'd like to propose that Benoit de Mezzo
>> (https://github.com/benoitdm-oslandia) and Jean Felder
>> (https://github.com/ptitjano) are granted core committer rights.
>>
>> They have been active on QGIS development for 3 years now, especially on
>> the 3D part and also on server, contributing interesting features and
>> fixes, on particularly tedious areas.
>> They also proved their capability to listen and integrate feedback into
>> their work. They showed their dedication to quality of the code and
>> contribution process.
>> They also actively contribute to PR reviews and general community effort.
>> They are willing to stay involved with the QGIS project and continue to
>> be active contributors.
>> I believe it is time to acknowledge their continuous involvement in the
>> project.
>>
>> Even
>>
>> --
>> http://www.spatialys.com
>> My software is free, but my time generally not.
>>
>> _______________________________________________
>> QGIS-Developer mailing list
>> QGIS-Developer at lists.osgeo.org
>> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>
> _______________________________________________
> QGIS-PSC mailing list
> QGIS-PSC at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/qgis-psc

 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: commit-policy.md
Type: application/octet-stream
Size: 1882 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/qgis-developer/attachments/20250210/19a177d4/attachment.obj>

