[QGIS-Developer] [Qgis-psc] Urgent review of github rules and policies required! (was: Nomination for Benoit de Mezzo and Jean Felder as QGIS core committers)
Nyall Dawson
nyall.dawson at gmail.com
Mon Feb 10 13:56:16 PST 2025
On Mon, 10 Feb 2025 at 20:54, Tim Sutton <tim at kartoza.com> wrote:
> Hi Nyall
>
> Thanks for raising this.
>
> I think you should include my name in the sunsetted (?) users list. I can
> always make a PR if I get to C++ coding land again..
>
Thanks Tim! I'd intentionally omitted your name as I assumed you needed
permissions for something changelog/website related, but if not then let's
add you to the pending-removal list too...
(Note that Gary also technically would fall into this group, but I'd
propose an exemption for that special case 😝)
Nyall
>
> For the web page, Lova has kindly prepared this:
> https://github.com/qgis/QGIS-Website/pull/541
>
> My suggestion is to first merge that (reflecting the current policy) and
> then we can make a new PR to update the page once this discussion is
> finalised.
>
> Regards
>
> Tim
>
> On Mon, Feb 10, 2025 at 7:44 AM Nyall Dawson via QGIS-PSC <
> qgis-psc at lists.osgeo.org> wrote:
>
>> On Mon, 10 Feb 2025 at 17:00, Loic Bartoletti
>> <loic.bartoletti at oslandia.com> wrote:
>>
>> > As you point out, it's important to note that activity is not solely
>> measured by direct commits, but encompasses all significant contributions
>> to the project (code reviews, participation in technical discussions, etc.).
>>
>> Actually, I **would** consider only code merges/commits in this 12
>> month threshold. If someone is making other contributions to the
>> project (tech discussion, issue filing, etc) then they don't need
>> commit rights for those, and won't be impacted by their removal.
>> Again, we need to stress that the rights removal isn't due to a lack
>> of trust in an individual, but rather a lack of necessity and in order
>> to minimise the potential attack surface for the QGIS project.
>>
>> Nyall
>>
>>
>>
>> >
>> > In addition to describing the points I'm in favor of, I think it's
>> important to write down the policies with a dedicated page. Inspired by
>> different projects/ideas, I've made a first draft, in the attached
>> markdown. Feel free to adapt/improve...
>> >
>> > Loïc
>> >
>> > (In this thread, I won't write about nomination.)
>> >
>> > On Monday, February 10, 2025 01:45 CET, Nyall Dawson via QGIS-PSC <
>> qgis-psc at lists.osgeo.org> wrote:
>> >
>> >
>> > On Sat, 8 Feb 2025 at 21:28, Saber Razmjooei via QGIS-PSC <
>> qgis-psc at lists.osgeo.org> wrote:
>> > >
>> > > Hi,
>> > >
>> > > Nothing against this nomination but I remember the discussion for
>> becoming a core contributor was raised before with the PSC and it was
>> agreed the current method is not ideal and should be reviewed. There was a
>> plan to formalise the process. There were concerns about security,
>> rationale to have write access, number of contributors from an entity, ...
>> but I have not seen the discussions on that. Similar to QEP, I think this
>> process also would benefit from formalisation.
>> >
>> > (I'm splitting this off to a new thread so as not to hijack the
>> original, which should instead be focused on Benoit's/Jean's contributions
>> and achievements. They are both wonderful QGIS developers and I don't want
>> any of the following to be mis-interpreted as anything to do with these two
>> contributors in any way, or as blocking their nominations under the current
>> policies/processes!)
>> >
>> > That said: I strongly believe that we are overdue for an URGENT review
>> of how we handle "core contributors" and git commit rights.
>> >
>> > This topic was raised some time ago in this thread:
>> https://lists.osgeo.org/pipermail/qgis-psc/2020-June/008895.html , but
>> unfortunately the discussion did not lead to any concrete policy changes.
>> >
>> > That thread swings between a whole lot of different ideas/topics, but
>> the main pressing concern I have right now is that we have NO formal policy
>> or process for "sunsetting" developers we have previously given commit
>> rights to. This is a very large security risk -- we have developers who
>> have not contributed to the project (or other open source geo projects) in
>> years, but who still have full commit rights to our code repository.
>> >
>> > So, as an urgent band-aid fix to this, I would like to propose the
>> following:
>> >
>> > 1. We amend
>> https://web.archive.org/web/20240116120206/https://qgis.org/en/site/getinvolved/development/contributor_requirements.html
>> (I can't find where this page was moved to on the new website!! 🤣) to add
>> a term:
>> >
>> > "I agree to immediately notify the QGIS project in the case of a change
>> in job position or personal circumstances which means that I am unlikely to
>> continue regular contributions to QGIS. I understand that my commit rights
>> may be revoked at this time."
>> >
>> > 2. We make a policy that after 12 months without significant code
>> contributions to QGIS, a developer's commit rights will be revoked. (That
>> developer is obviously still able to contribute to QGIS, review code, send
>> in pull requests, etc... they just won't have merge rights themselves
>> anymore). These rights can be resurrected when regular contributions
>> re-commence. A good example of this would be Paul Blottiere -- he's no
>> longer involved directly in QGIS development, but does still respond when
>> pinged on code related questions. He does not need and should not have
>> direct commit rights anymore. This is NOT a reflection on his abilities,
>> commitment or anything -- it's just plugging a security hole in our
>> processes.[1] (For reference, of the 39 developers who currently have
>> direct commit rights, 12 have not committed to the repo in 2 years or
>> more!).
>> >
>> > 3. We make some pro-active policy for handling "bad actors". This might
>> be as simple as adding "I understand that at any stage PSC may act to remove
>> my commit rights", and document somewhere that in extreme cases PSC has
>> this right.
>> >
>> > And then the next issue 😬... we have people who were nominated for
>> core committer status over the last couple of years but who NEVER received
>> this status, I think because of the current uncertainty in the whole
>> process. Specifically I'm thinking of Andrea Giudiceandrea, who was
>> nominated in Aug 2023. Andrea is SOO extremely valuable to the project,
>> and I would hate to think that there's any ill-will or risk of resentment
>> because of this. What do we need to do to move forward with Andrea's
>> nomination?
>> >
>> > Nyall
>> >
>> > [1] If we did this, the following developers would lose direct commit
>> rights:
>> > - luipir (last commit Feb 2021)
>> > - volaya (last commit May 2020)
>> > - mhugo (last commit Oct 2019)
>> > - slarosa (last commit Jan 2021)
>> > - etiennesky (last commit 2015)
>> > - PeterPetrik (last commit Nov 2022)
>> > - kyngchaos (last commit Mar 2020)
>> > - pcav (last commit Mar 2019)
>> > - blazek (last commit Feb 2020)
>> > - ccrook (last commit Jan 2018)
>> > - sbrunner (last commit Jan 2022)
>> > - pka (last commit Jan 2015)
>> >
>> >
>> > >
>> > > Kind regards
>> > > Saber
>> > >
>> > > On Fri, 7 Feb 2025, 15:05 Even Rouault via QGIS-Developer, <
>> qgis-developer at lists.osgeo.org> wrote:
>> > >>
>> > >> Hi PSC,
>> > >>
>> > >> I'd like to propose that Benoit de Mezzo
>> > >> (https://github.com/benoitdm-oslandia) and Jean Felder
>> > >> (https://github.com/ptitjano) are granted core committer rights.
>> > >>
>> > >> They have been active on QGIS development for 3 years now,
>> especially on
>> > >> the 3D part and also on server, contributing interesting features and
>> > >> fixes, on particularly tedious areas.
>> > >> They also proved their capability to listen and integrate feedback
>> into
>> > >> their work. They showed their dedication to quality of the code and
>> > >> contribution process.
>> > >> They also actively contribute to PR reviews and general community
>> effort.
>> > >> They are willing to stay involved with the QGIS project and continue
>> to
>> > >> be active contributors.
>> > >> I believe it is time to acknowledge their continuous involvement in
>> the
>> > >> project.
>> > >>
>> > >> Even
>> > >>
>> > >> --
>> > >> http://www.spatialys.com
>> > >> My software is free, but my time generally not.
>> > >>
>> > >> _______________________________________________
>> > >> QGIS-Developer mailing list
>> > >> QGIS-Developer at lists.osgeo.org
>> > >> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>> > >> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>> > >
>> > > _______________________________________________
>> > > QGIS-PSC mailing list
>> > > QGIS-PSC at lists.osgeo.org
>> > > https://lists.osgeo.org/mailman/listinfo/qgis-psc
>> >
>>
>
>
> --
> Tim Sutton
>
> *Kartoza Cofounder*
> Tim is a member of the QGIS Project Steering Committee
>
> *T *: +27(0) 87 809 2702 *E *: tim at kartoza.com *W* :
> kartoza.com
>
>