-
Notifications
You must be signed in to change notification settings - Fork 82
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
### Feature or Bugfix - Feature ### Detail - Update to the Governance model to formalise the status of maintainers and how decisions are mode on the project ### Relates ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? N/A - Is the input sanitized? N/A - What precautions are you taking before deserializing the data you consume? N/A - Is injection prevented by parametrizing queries? N/A - Have you ensured no `eval` or similar functions are used? N/A - Does this PR introduce any functionality or component that requires authorization? N/A - How have you ensured it respects the existing AuthN/AuthZ mechanisms? N/A - Are you logging failed auth attempts? N/A - Are you using or adding any cryptographic features? N/A - Do you use a standard proven implementations? N/A - Are the used keys controlled by the customer? Where are they stored? N/A - Are you introducing any new policies/roles/users? N/A - Have you used the least-privilege principle? How? N/A By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Nick Corbett <corbetn@amazon.co.uk>
- Loading branch information
1 parent
38a089d
commit 6e2fdb0
Showing
5 changed files
with
224 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
# Project Governance (Very Minimal Governance model) | ||
|
||
This open source project is managed by a Steering Committee composed of the maintainers of this project. Maintainers are | ||
defined as individuals with [maintain-level permissions on the data.all repository](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-permission-levels-for-an-organization). | ||
|
||
## Steering Committee | ||
|
||
The Steering Committee will be responsible for oversight of all technical, project, approval, and policy matters for the | ||
project. This notably includes brand and trademark management. | ||
|
||
The Steering Committee members are listed in the MAINTAINERS.md file in the repository. New maintainers (and accordingly, | ||
Steering Committee members) may be added or removed as outlined in [RESPONSIBILITIES.md](./RESPONSIBILITIES.md). The | ||
Steering Committee will appoint a Chair responsible for organizing Steering Committee activity. If the Steering Committee | ||
Chair is removed from the Committee (or the Chair steps down from that role), it is the responsibility of the Steering | ||
Committee to appoint a new Chair. | ||
|
||
The Steering Committee may, at its discretion, add or remove members who are not maintainers. | ||
|
||
## Voting | ||
|
||
The Steering Committee will strive for all decisions to be made by consensus. While explicit agreement of the entire | ||
Steering Committee is preferred, it is not required for consensus. Rather, the Steering Committee will determine | ||
consensus based on their good faith consideration of a number of factors, including the dominant view of the Steering | ||
Committee and nature of support and objections. The Steering Committee will document evidence of consensus in accordance | ||
with these requirements. If consensus cannot be reached, the Steering Committee will make the decision by a vote. | ||
|
||
The Steering Committee Chair will call a vote with reasonable notice to the Steering Committee, setting out a discussion | ||
period and a separate voting period. Any discussion may be conducted in person or electronically by text, voice, or video. | ||
The discussion will be open to the public, with the notable exception of discussions involving embargoed security issues | ||
or the addition or removal of maintainers, which will be private. In any vote, each voting representative will have one | ||
vote. Except as specifically noted elsewhere in this document, decisions by vote require a simple majority vote of all | ||
voting members. | ||
|
||
## Termination of Membership | ||
|
||
A maintainer’s access (and accordingly, their position on the Steering Committee) will be removed if any of the following | ||
occur: | ||
|
||
* Resignation: Written notice of resignation to the Steering Committee | ||
* Steering Committee Vote: 3/4 affirmative vote of the Steering Committee to remove a member | ||
* Unreachable Member: If a member is unresponsive for more than six months, the remaining active members of the Steering | ||
Committee may vote to remove the member | ||
|
||
## License of this document | ||
|
||
This document is a modified work of the GitHub Minimal Viable Governance model, located here: | ||
[https://github.com/github/MVG](https://github.com/github/MVG) | ||
This document may be used, modified, and/or distributed under the terms of the | ||
[Creative Commons Attribution 4.0 International (CC-BY) license](https://creativecommons.org/licenses/by/4.0/legalcode). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
## Overview | ||
|
||
This document contains a list of maintainers in this repo. See [RESPONSIBILITIES.md](./RESPONSIBILITIES.md) | ||
that explains what the role of maintainer means, what maintainers do, how they should be | ||
doing it, and how to become one. If you're interested in becoming a maintainer, the best place to start is by first [CONTRIBUTING](CONTRIBUTING.md). | ||
|
||
## Current Maintainers | ||
|
||
| Maintainer | GitHub ID | Affiliation | | ||
|----------------------|-----------------------------------------------| ----------- | | ||
| Nick Corbett (chair) | [NickCorbett](https://github.com/NickCorbett) | Amazon | | ||
| Anmol Gandhi | [anmolsgandhi](https://github.com/anmolsgandhi) | Amazon | | ||
| Adriana Lopez | [dlpzx](https://github.com/dlpzx) | Amazon | | ||
| Noah Paige | [noah-paige](https://github.com/noah-paige) | Amazon | | ||
| Nikita Podshivalov | [nikpodsh](https://github.com/nikpodsh) | Amazon | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,144 @@ | ||
# Maintainer Responsibilities | ||
|
||
- [Overview](#overview) | ||
- [Current Maintainers](#current-maintainers) | ||
- [Maintainer Responsibilities](#maintainer-responsibilities) | ||
- [Uphold Code of Conduct](#uphold-code-of-conduct) | ||
- [Prioritize Security](#prioritize-security) | ||
- [Review Pull Requests](#review-pull-requests) | ||
- [Triage Open Issues](#triage-open-issues) | ||
- [Automatically Label Issues](#automatically-label-issues) | ||
- [Be Responsive](#be-responsive) | ||
- [Maintain Overall Health of the Repo](#maintain-overall-health-of-the-repo) | ||
- [Keep Dependencies up to Date](#keep-dependencies-up-to-date) | ||
- [Manage Roadmap](#manage-roadmap) | ||
- [Add Continuous Integration Checks](#add-continuous-integration-checks) | ||
- [Use Semver](#use-semver) | ||
- [Release Frequently](#release-frequently) | ||
- [Promote Other Maintainers](#promote-other-maintainers) | ||
- [Describe the Repo](#describe-the-repo) | ||
- [Becoming a Maintainer](#becoming-a-maintainer) | ||
- [Nomination](#nomination) | ||
- [Interest](#interest) | ||
- [Addition](#addition) | ||
- [Removing a Maintainer](#removing-a-maintainer) | ||
- [Moving On](#moving-on) | ||
- [Inactivity](#inactivity) | ||
- [Negative Impact on the Project](#negative-impact-on-the-project) | ||
|
||
## Overview | ||
|
||
This document explains who maintainers are, what they do in the data.all project, and how they should be doing it. | ||
If you're interested in contributing, see [Becoming a Maintainer](#becoming-a-maintainer). | ||
|
||
## Current Maintainers | ||
|
||
The current maintainers are listed in [MAINTAINERS.md](MAINTAINERS.md). | ||
|
||
## Maintainer Responsibilities | ||
|
||
Maintainers are active and visible members of the community, and have [maintain-level permissions on a repository](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-permission-levels-for-an-organization). Use those privileges to serve the community and evolve code as follows. | ||
|
||
### Uphold Code of Conduct | ||
|
||
Model the behavior set forward by the [Code of Conduct](CODE_OF_CONDUCT.md) and raise any violations to other maintainers. | ||
|
||
### Prioritize Security | ||
|
||
Security is our number one priority. Maintainer's Github keys must be password protected securely and any reported security vulnerabilities are addressed before features or bugs. | ||
|
||
Note that this repository is monitored and supported 24/7 by Amazon Security, see [Reporting a Vulnerability](SECURITY.md) for details. | ||
|
||
### Review Pull Requests | ||
|
||
Review pull requests regularly, comment, suggest, reject, merge and close. Accept only high quality pull-requests. Provide code reviews and guidance on incoming pull requests. Don't let PRs be stale and do your best to be helpful to contributors. | ||
|
||
### Triage Open Issues | ||
|
||
Manage labels, review issues regularly, and triage by labelling them. | ||
|
||
We use key value labels, use the `priority:`, `type:`, `effort:` and `status:` when triaging issues. | ||
|
||
Use the `good first issue` label to let new community members know where to start and `blocker` for issues that scare you or need immediate attention. Request for more information from a submitter if an issue is not clear. Create new labels as needed by the project. | ||
|
||
### Be Responsive | ||
|
||
Respond to enhancement requests, and forum posts. Allocate time to reviewing and commenting on issues and conversations as they come in. | ||
|
||
### Maintain Overall Health of the Repo | ||
|
||
Keep the `main` branch at production quality at all times. Backport features as needed. Cut release branches and tags to enable future patches. | ||
|
||
#### Keep Dependencies up to Date | ||
|
||
Maintaining up-to-date dependencies on third party projects reduces the risk of security vulnerabilities. As | ||
[recommended](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool) by | ||
The Open Source Security Foundation (OpenSSF) we use Dependabot, which is integrated with GitHub. Dependabot does not | ||
have any centralized management dashboard, so maintainers may use tags or other PR filters to track pending updates. | ||
|
||
### Manage Roadmap | ||
|
||
Ensure the repo highlights features that should be elevated to the project roadmap. Be clear about the feature’s status, | ||
priority, target version, and whether or not it should be elevated to the roadmap. Any feature that you want highlighted | ||
on the data.all Roadmap should be tagged with "roadmap". | ||
|
||
### Add Continuous Integration Checks | ||
|
||
Add integration checks that validate pull requests and pushes to ease the burden on Pull Request reviewers. | ||
|
||
### Use Semver | ||
|
||
Use and enforce [semantic versioning](https://semver.org/) and do not let breaking changes be made outside of major releases. | ||
|
||
### Release Frequently | ||
|
||
Make frequent project releases to the community. | ||
|
||
### Promote Other Maintainers | ||
|
||
Assist, add, and remove [MAINTAINERS](MAINTAINERS.md). Exercise good judgement, and propose high quality contributors to become co-maintainers. See [Becoming a Maintainer](#becoming-a-maintainer) for more information. | ||
|
||
### Describe the Repo | ||
|
||
Make sure the repo has a well-written, accurate, and complete description. | ||
## Becoming a Maintainer | ||
|
||
You can become a maintainer by actively [contributing](CONTRIBUTING.md) to the project, and being nominated by an existing maintainer. | ||
|
||
### Nomination | ||
|
||
Any current maintainer starts a private conversation (e-mail or IM) with all other maintainers to discuss nomination using the template below. | ||
In order to be approved, at least three positive (+1) maintainer votes are necessary (or all maintainers, if there are fewer than 3), and no vetoes (-1). | ||
|
||
The nomination should clearly identify the person with their real name and a link to their GitHub profile, and the | ||
rationale for the nomination, with concrete example contributions. | ||
|
||
### Interest | ||
|
||
Upon receiving at least three positive (+1) maintainer votes, and no vetoes (-1), from existing maintainers after a one week period, the nominating maintainer asks the nominee whether they might be interested in becoming a maintainer on the repository via private e-mail message. | ||
|
||
> This is great work! Based on your valuable contribution and ongoing engagement with the project, the current maintainers invite you to become a co-maintainer for this project. Please respond and let us know if you accept the invitation to become maintainer. | ||
Individuals accept the nomination by replying, or commenting, for example _"Thank you! I would love to."_ | ||
|
||
### Addition | ||
|
||
Upon receiving three positive (+1) maintainer votes, and no vetoes (-1), from other maintainers, and after having privately confirmed interest with the nominee, the maintainer opens a pull request adding the proposed co-maintainer to MAINTAINERS.md. The pull request is approved and merged. | ||
|
||
> _Content from the above nomination._ | ||
> | ||
> The maintainers have voted and agreed to this nomination. | ||
Finally, the new maintainer's permissions are adjusted to reflect their new role. | ||
|
||
## Removing a Maintainer | ||
|
||
Removing a maintainer is a disruptive action that the community of maintainers should not undertake lightly. There are several reasons that a maintainer may be removed from the project including: | ||
|
||
- **Moving On.** There are plenty of reasons that might cause someone to want to take a step back or even a hiatus from a project. | ||
- **Inactivity.** Although maintainer status never expires, other maintainers may choose to remove anyone who has been inactive for a prolonged time (over six months). | ||
- **Violating the [code of conduct](./CODE_OF_CONDUCT.md)** or taking other actions that negatively impact the project. | ||
|
||
A maintainer can choose to leave the project at any time, with or without reason, by making a pull request to move themselves to the "Emeritus" section of MAINTAINERS.md, and asking an existing maintainer to remove their permissions. | ||
|
||
A maintainer can be removed by other maintainers, as set out in [governance](./GOVERNANCE.md). Once the decision has been made to remove a maintainer, a pull request will be raised to move them to the "Emeritus" section of MAINTAINERS.md, and asking the existing maintainers will remove their permissions. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
## Reporting a Vulnerability | ||
|
||
If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do **not** create a public GitHub issue. |