[Qgis-psc] Urgent review of github rules and policies required! (was: Nomination for Benoit de Mezzo and Jean Felder as QGIS core committers)
Marco Bernasocchi
marco at qgis.org
Mon Feb 10 14:06:39 PST 2025
@Nyall Dawson <nyall.dawson at gmail.com> I think Tim (and myself) belong in
that list. We get the needed permissions through the organisation in GH.
Regarding the subject, it is indeed a longstanding issue for which we had a
todo item that was never tackled [1].
Maybe we should start a QEP (with Loic's MD draft) so at the next PSC
(4.3.25) we can discuss it?
Cheers Marco
[1] https://github.com/qgis/PSC/issues/41
On Mon, 10 Feb 2025 at 22:56, Nyall Dawson via QGIS-PSC <
qgis-psc at lists.osgeo.org> wrote:
>
>
> On Mon, 10 Feb 2025 at 20:54, Tim Sutton <tim at kartoza.com> wrote:
>
>> Hi Nyall
>>
>> Thanks for raising this.
>>
>> I think you should include my name in the sunsetted (?) users list. I can
>> always make a PR if I get to C++ coding land again..
>>
>
> Thanks Tim! I'd intentionally omitted your name as I assumed you needed
> permissions for something changelog/website related, but if not then let's
> add you to the pending-removal list too...
>
> (Note that Gary also technically would fall into this group, but I'd
> propose a exemption for that special case 😝)
>
> Nyall
>
>
>
>
>
>>
>> For the web page, Lova has kindly prepared this:
>> https://github.com/qgis/QGIS-Website/pull/541
>>
>> My suggestion is to first merge that (reflecting the current policy) and
>> then we can make a new PR to update the page once this discussion is
>> finalised.
>>
>> Regards
>>
>> Tim
>>
>> On Mon, Feb 10, 2025 at 7:44 AM Nyall Dawson via QGIS-PSC <
>> qgis-psc at lists.osgeo.org> wrote:
>>
>>> On Mon, 10 Feb 2025 at 17:00, Loic Bartoletti
>>> <loic.bartoletti at oslandia.com> wrote:
>>>
>>> > As you point out, it's important to note that activity is not solely
>>> measured by direct commits, but encompasses all significant contributions
>>> to the project (code reviews, participation in technical discussions, etc.).
>>>
>>> Actually, I **would** consider only code merges/commits in this 12
>>> month threshold. If someone is making other contributions to the
>>> project (tech discussion, issue filing, etc) then they don't need
>>> commit rights for those, and won't be impacted by their removal.
>>> Again, we need to stress that the rights removal isn't due to a lack
>>> of trust in an individual, but rather a lack of necessity and in order
>>> to minimise the potential attack surface for the QGIS project.
>>>
>>> Nyall
>>>
>>>
>>>
>>> >
>>> > In addition to describing the points I'm in favor of, I think it's
>>> important to write down the policies with a dedicated page. Inspired by
>>> different projects/ideas, I've made a first draft, in the attached
>>> markdown. Feel free to adapt/improve...
>>> >
>>> > Loïc
>>> >
>>> > (In this thread, I won't write about nomination.)
>>> >
>>> > Le Lundi, Février 10, 2025 01:45 CET, Nyall Dawson via QGIS-PSC <
>>> qgis-psc at lists.osgeo.org> a écrit:
>>> >
>>> >
>>> > On Sat, 8 Feb 2025 at 21:28, Saber Razmjooei via QGIS-PSC <
>>> qgis-psc at lists.osgeo.org> wrote:
>>> > >
>>> > > Hi,
>>> > >
>>> > > Nothing against this nomination but I remember the discussion for
>>> becoming a core contributor was raised before with the PSC and it was
>>> agreed the current method is not ideal and should be reviewed. There was a
>>> plan to formalise the process. There were concerns about security,
>>> rationale to have write access, number of contributors from an entity, ...
>>> but I have not seen the discussions on that. Similar to QEP, I think this
>>> process also would benefit from formalisation.
>>> >
>>> > (I'm splitting this off to a new thread so as not to hijack the
>>> original, which should instead be focused on Benoit's/Jean's contributions
>>> and achievements. They are both wonderful QGIS developers and I don't want
>>> any of the following to be mis-interpreted as anything to do with these two
>>> contributors in any way, or as blocking their nominations under the current
>>> policies/processes!)
>>> >
>>> > That said: I strongly believe that we are overdue for an URGENT review
>>> of how we handle "core contributors" and git commit rights.
>>> >
>>> > This topic was raised some time ago in this thread:
>>> https://lists.osgeo.org/pipermail/qgis-psc/2020-June/008895.html , but
>>> unfortunately the discussion did not lead to any concrete policy changes.
>>> >
>>> > That thread swings between a whole lot of different ideas/topics, but
>>> the main pressing concern I have right now is that we have NO formal policy
>>> or process for "sunsetting" developers we have previously given commit
>>> rights to. This is a very large security risk -- we have developers who
>>> have not contributed to the project (or other open source geo projects) in
>>> years, but who still have full commit rights to our code repository.
>>> >
>>> > So, as an urgent band-aid fix to this, I would like to propose the
>>> following:
>>> >
>>> > 1. We amend
>>> https://web.archive.org/web/20240116120206/https://qgis.org/en/site/getinvolved/development/contributor_requirements.html
>>> (i can't find where this page was moved to on the new website!! 🤣) to add
>>> a term:
>>> >
>>> > "I agree to immediately notify the QGIS project in the case of a
>>> change in job position or personal circumstances which means that I am
>>> unlikely to continue regular contributions to QGIS. I understand that my
>>> commit rights may be revoked at this time."
>>> >
>>> > 2. We make a policy that after 12 months without significant code
>>> contributions to QGIS, a developer's commit rights will be revoked. (That
>>> developer is obviously still able to contribute to QGIS, review code, send
>>> in pull requests, etc... they just won't have merge rights themselves
>>> anymore). These rights can be resurrected when regular contributions
>>> re-commence. A good example of this would be Paul Blottiere -- he's no
>>> longer involved directly in QGIS development, but does still respond when
>>> pinged on code related questions. He does not need and should not have
>>> direct commit rights anymore. This is NOT a reflection on his abilities,
>>> committment or anything -- it's just plugging a security hole in our
>>> processes.[1] (For reference, of the 39 developers who currently have
>>> direct commit rights, 12 have not committed to the repo in 2 years or
>>> more!).
>>> >
>>> > 3. We make some pro-active policy for handling "bad actors". This
>>> might be as simple as adding "I understand that at any stage PSC my act to
>>> remove my commit rights", and document somewhere that in extreme cases PSC
>>> has this right.
>>> >
>>> > And then the next issue 😬... we have people who were nominated for
>>> core committer status over the last couple of years but who NEVER received
>>> this status, I think because of the current uncertainty in the whole
>>> process. Specifically I'm thinking of Andrea Giudiceandrea, who was
>>> nominated in Aug 2023. Andrea is SOO extremely valuable to the project,
>>> and I would hate to think that there's any ill-will or risk of resentment
>>> because of this. What do we need to do to move forward with Andrea's
>>> nomination?
>>> >
>>> > Nyall
>>> >
>>> > [1] If we did this, the following developers would lose direct commit
>>> rights:
>>> > - luipir (last commit Feb 2021)
>>> > - volaya (last commit May 2020)
>>> > - mhugo (last commit Oct 2019)
>>> > - slarosa (last commit Jan 2021)
>>> > - etiennesky (last commit 2015)
>>> > - PeterPetrik (last commit Nov 2022)
>>> > - kyngchaos (last commit Mar 2020)
>>> > - pcav (last commit Mar 2019)
>>> > - blazek (last commit Feb 2020)
>>> > - ccrook (last commit Jan 2018)
>>> > - sbrunner (last commit Jan 2022)
>>> > - pka (last commit Jan 2015)
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > >
>>> > > Kind regards
>>> > > Saber
>>> > >
>>> > > On Fri, 7 Feb 2025, 15:05 Even Rouault via QGIS-Developer, <
>>> qgis-developer at lists.osgeo.org> wrote:
>>> > >>
>>> > >> Hi PSC,
>>> > >>
>>> > >> I'd like to propose that Benoit de Mezzo
>>> > >> (https://github.com/benoitdm-oslandia) and Jean Felder
>>> > >> (https://github.com/ptitjano) are granted core committer rights.
>>> > >>
>>> > >> They have been active on QGIS development for 3 years now,
>>> especially on
>>> > >> the 3D part and also on server, contributing interesting features
>>> and
>>> > >> fixes, on particularly tedious areas.
>>> > >> They also proved their capability to listen and integrate feedback
>>> into
>>> > >> their work. They showed their dedication to quality of the code and
>>> > >> contribution process.
>>> > >> They also actively contribute to PR reviews and general community
>>> effort.
>>> > >> They are willing to stay involved with the QGIS project and
>>> continue to
>>> > >> be active contributors.
>>> > >> I believe it is time to acknowledge their continuous involvement in
>>> the
>>> > >> project.
>>> > >>
>>> > >> Even
>>> > >>
>>> > >> --
>>> > >> http://www.spatialys.com
>>> > >> My software is free, but my time generally not.
>>> > >>
>>> > >> _______________________________________________
>>> > >> QGIS-Developer mailing list
>>> > >> QGIS-Developer at lists.osgeo.org
>>> > >> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>> > >> Unsubscribe:
>>> https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>> > >
>>> > > _______________________________________________
>>> > > QGIS-PSC mailing list
>>> > > QGIS-PSC at lists.osgeo.org
>>> > > https://lists.osgeo.org/mailman/listinfo/qgis-psc
>>> >
>>> >
>>> >
>>> >
>>> _______________________________________________
>>> QGIS-PSC mailing list
>>> QGIS-PSC at lists.osgeo.org
>>> https://lists.osgeo.org/mailman/listinfo/qgis-psc
>>>
>>
>>
>> --
>> Tim Sutton
>>
>> *Kartoza Cofounder*Tim is a member of the QGIS Project Steering Committee
>>
>> *T *: +27(0) 87 809 2702 *E *: tim at kartoza.com *W* :
>> kartoza.com
>>
>>
>>
>> *This email and any attachments are confidential and intended solely for
>> the use of the individual or entity to whom they are addressed. If you *
>> *have received this email in error, please notify the sender immediately
>> and delete it from your system. Unauthorised use, disclosure, or copying*
>> *of the contents is prohibited.*
>>
> _______________________________________________
> QGIS-PSC mailing list
> QGIS-PSC at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/qgis-psc
>
--
Marco Bernasocchi
QGIS.org Chair
OSGEO.org VP Europe
OPENGIS.ch CEO
http://berna.io
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-psc/attachments/20250210/ddafc00d/attachment-0001.htm>
More information about the QGIS-PSC
mailing list