[QGIS-Developer] [Qgis-psc] Urgent review of github rules and policies required! (was: Nomination for Benoit de Mezzo and Jean Felder as QGIS core committers)

Tim Sutton tim at kartoza.com
Mon Feb 10 02:54:10 PST 2025


Hi Nyall

Thanks for raising this.

I think you should include my name in the sunsetted (?) users list. I can
always make a PR if I get to C++ coding land again..

For the web page, Lova has kindly prepared this:
https://github.com/qgis/QGIS-Website/pull/541

My suggestion is to first merge that (reflecting the current policy) and
then we can make a new PR to update the page once this discussion is
finalised.

Regards

Tim

On Mon, Feb 10, 2025 at 7:44 AM Nyall Dawson via QGIS-PSC <
qgis-psc at lists.osgeo.org> wrote:

> On Mon, 10 Feb 2025 at 17:00, Loic Bartoletti
> <loic.bartoletti at oslandia.com> wrote:
>
> > As you point out, it's important to note that activity is not solely
> > measured by direct commits, but encompasses all significant contributions
> > to the project (code reviews, participation in technical discussions, etc.).
>
> Actually, I **would** consider only code merges/commits in this 12
> month threshold. If someone is making other contributions to the
> project (tech discussion, issue filing, etc) then they don't need
> commit rights for those, and won't be impacted by their removal.
> Again, we need to stress that the rights removal isn't due to a lack
> of trust in an individual, but rather a lack of necessity and in order
> to minimise the potential attack surface for the QGIS project.
>
> Nyall
>
>
>
> >
> > In addition to describing the points I'm in favor of, I think it's
> > important to write down the policies with a dedicated page. Inspired by
> > different projects/ideas, I've made a first draft, in the attached
> > markdown. Feel free to adapt/improve...
> >
> > Loïc
> >
> > (In this thread, I won't write about nomination.)
> >
> > On Monday, February 10, 2025 01:45 CET, Nyall Dawson via QGIS-PSC <
> > qgis-psc at lists.osgeo.org> wrote:
> >
> >
> > On Sat, 8 Feb 2025 at 21:28, Saber Razmjooei via QGIS-PSC <
> > qgis-psc at lists.osgeo.org> wrote:
> > >
> > > Hi,
> > >
> > > Nothing against this nomination but I remember the discussion for
> > > becoming a core contributor was raised before with the PSC and it was
> > > agreed the current method is not ideal and should be reviewed. There was a
> > > plan to formalise the process. There were concerns about security,
> > > rationale to have write access, number of contributors from an entity, ...
> > > but I have not seen the discussions on that. Similar to QEP, I think this
> > > process also would benefit from formalisation.
> >
> > (I'm splitting this off to a new thread so as not to hijack the
> > original, which should instead be focused on Benoit's/Jean's contributions
> > and achievements. They are both wonderful QGIS developers and I don't want
> > any of the following to be mis-interpreted as anything to do with these two
> > contributors in any way, or as blocking their nominations under the current
> > policies/processes!)
> >
> > That said: I strongly believe that we are overdue for an URGENT review
> > of how we handle "core contributors" and git commit rights.
> >
> > This topic was raised some time ago in this thread:
> > https://lists.osgeo.org/pipermail/qgis-psc/2020-June/008895.html , but
> > unfortunately the discussion did not lead to any concrete policy changes.
> >
> > That thread swings between a whole lot of different ideas/topics, but
> > the main pressing concern I have right now is that we have NO formal policy
> > or process for "sunsetting" developers we have previously given commit
> > rights to. This is a very large security risk -- we have developers who
> > have not contributed to the project (or other open source geo projects) in
> > years, but who still have full commit rights to our code repository.
> >
> > So, as an urgent band-aid fix to this, I would like to propose the
> > following:
> >
> > 1. We amend
> > https://web.archive.org/web/20240116120206/https://qgis.org/en/site/getinvolved/development/contributor_requirements.html
> > (I can't find where this page was moved to on the new website!! 🤣) to add
> > a term:
> >
> > "I agree to immediately notify the QGIS project in the case of a change
> > in job position or personal circumstances which means that I am unlikely to
> > continue regular contributions to QGIS. I understand that my commit rights
> > may be revoked at this time."
> >
> > 2. We make a policy that after 12 months without significant code
> > contributions to QGIS, a developer's commit rights will be revoked. (That
> > developer is obviously still able to contribute to QGIS, review code, send
> > in pull requests, etc... they just won't have merge rights themselves
> > anymore). These rights can be resurrected when regular contributions
> > re-commence. A good example of this would be Paul Blottiere -- he's no
> > longer involved directly in QGIS development, but does still respond when
> > pinged on code related questions. He does not need and should not have
> > direct commit rights anymore. This is NOT a reflection on his abilities,
> > commitment or anything -- it's just plugging a security hole in our
> > processes.[1] (For reference, of the 39 developers who currently have
> > direct commit rights, 12 have not committed to the repo in 2 years or
> > more!).
> >
> > 3. We make some pro-active policy for handling "bad actors". This might
> > be as simple as adding "I understand that at any stage PSC may act to remove
> > my commit rights", and document somewhere that in extreme cases PSC has
> > this right.
> >
> > And then the next issue 😬... we have people who were nominated for core
> > committer status over the last couple of years but who NEVER received this
> > status, I think because of the current uncertainty in the whole process.
> > Specifically I'm thinking of Andrea Giudiceandrea, who was nominated in
> > Aug 2023. Andrea is SOO extremely valuable to the project, and I would hate
> > to think that there's any ill-will or risk of resentment because of this.
> > What do we need to do to move forward with Andrea's nomination?
> >
> > Nyall
> >
> > [1] If we did this, the following developers would lose direct commit
> > rights:
> > - luipir (last commit Feb 2021)
> > - volaya (last commit May 2020)
> > - mhugo (last commit Oct 2019)
> > - slarosa (last commit Jan 2021)
> > - etiennesky (last commit 2015)
> > - PeterPetrik (last commit Nov 2022)
> > - kyngchaos (last commit Mar 2020)
> > - pcav (last commit Mar 2019)
> > - blazek (last commit Feb 2020)
> > - ccrook (last commit Jan 2018)
> > - sbrunner (last commit Jan 2022)
> > - pka (last commit Jan 2015)
> >
> >
> > >
> > > Kind regards
> > > Saber
> > >
> > > On Fri, 7 Feb 2025, 15:05 Even Rouault via QGIS-Developer, <
> > > qgis-developer at lists.osgeo.org> wrote:
> > >>
> > >> Hi PSC,
> > >>
> > >> I'd like to propose that Benoit de Mezzo
> > >> (https://github.com/benoitdm-oslandia) and Jean Felder
> > >> (https://github.com/ptitjano) are granted core committer rights.
> > >>
> > >> They have been active on QGIS development for 3 years now, especially on
> > >> the 3D part and also on server, contributing interesting features and
> > >> fixes, on particularly tedious areas.
> > >> They also proved their capability to listen and integrate feedback into
> > >> their work. They showed their dedication to quality of the code and
> > >> contribution process.
> > >> They also actively contribute to PR reviews and general community effort.
> > >> They are willing to stay involved with the QGIS project and continue to
> > >> be active contributors.
> > >> I believe it is time to acknowledge their continuous involvement in the
> > >> project.
> > >>
> > >> Even
> > >>
> > >> --
> > >> http://www.spatialys.com
> > >> My software is free, but my time generally not.
> > >>
> > >> _______________________________________________
> > >> QGIS-Developer mailing list
> > >> QGIS-Developer at lists.osgeo.org
> > >> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> > >> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> > >
> > > _______________________________________________
> > > QGIS-PSC mailing list
> > > QGIS-PSC at lists.osgeo.org
> > > https://lists.osgeo.org/mailman/listinfo/qgis-psc
> >


-- 
Tim Sutton

*Kartoza Cofounder*
Tim is a member of the QGIS Project Steering Committee

*T *: +27(0) 87 809 2702          *E *: tim at kartoza.com          *W* :
kartoza.com


