community-dev mailing list archives

From Rob Vesse <>
Subject Re: Some maturity model comments
Date Wed, 14 Jan 2015 16:46:37 GMT

I think the LC50 is actually correct but could perhaps be phrased better.

My understanding was that the ASF owns the copyright for the collective
work of the project, i.e. releases.  As Benson notes, contributors retain
copyright on their contributions but grant the ASF a perpetual license to
their contributions.


Agreed, some projects may not do anything that is attack-prone, or are
likely only to be run such that any "security" is provided by whatever
runtime they use, and the security of that runtime is well beyond the
purview of the project.

Consensus building:

Should there be a CS60 about the rare need for private discussions?


In rare situations (typically security, brand enforcement, legal and
personnel discussions) the project may need to first reach consensus in
private in which case the project should use their official private
communications channel such that these rare private discussions are
privately archived.  The outcomes of such consensus should where possible
be discussed in public as soon as it is appropriate to do so.

That isn't great wording, but hopefully you get what I am trying to convey
- projects should rarely discuss in private, and any discussions should
become public as soon as it is possible to do so.


On 14/01/2015 15:33, "Benson Margulies" <> wrote:

>CD40: perhaps change 'previous version' to 'released version'
>CD50: the committer is not necessarily the author; someone might read
>this and not understand what it implies for committers committing
>contributions via all of the channels allowed for by the AL. One patch
>would be 'immediate provenance', another would be some lengthier
>language about the process.
>LC20: do we need to explain what we mean by 'dependencies'? This has
>been a point of friction. Expand or footnote to the distinctions
>between essential and optional?
>LC50: the footnote seems wrong; the ASF does not own copyright,
>rather, the author retains, and grants the license.
>RE40: do you want to add an explicit statement that legal
>responsibility falls upon the head of the person who happened to run
>the build?
>QU20: Maybe we need to expand on 'secure'? Maybe this is too strong?
>What's wrong with building a product that is explicitly not intended
>for use in attack-prone environments?
>QU40: Not all communities might agree. Some communities might see
>themselves as building fast-moving products. Some communities may lack
>the level of volunteer effort required to satisfy this. Does this make
>them immature, or just a group of volunteers with different
>IN10: I fear that a more detailed definition of independence is going
>to be called for here to avoid controversy.
