On May 31, 2024, at 08:36, Mikael Barbero via eclipse.org-architecture-council <eclipse.org-architecture-council@xxxxxxxxxxx> wrote:
However, this is the exception rather than the default, where all committers are part of the security team. Any deviation from this norm (where the security team should only be a subset of the committers or include non-committers) is subject to a vote by the project committers and the PMC.
I think I don't like that project committers can "opt out" of the project security team. I recommend a further change to the language to prevent that and to protect against responsibility being delegated away. We should make membership of committers implicit and never removable. Specifically, it should be impossible for project committers to vote for a construct that allows them to remove themselves or any other committer from the security team. As it's written right now, it seems possible.
Security shall be an important value for any Eclipse project. As such, it shall be an expectation that any committer working on any Eclipse project feels ownership of security for the project. Committers must be accountable for security and should not be able to "opt out".
What about this:
The Project Security Team is responsible for implementing the Eclipse Foundation Security Policy.
By default, the Project Security Team includes all Project Committers. A Project Committer is always a member of the Project Security Team; likewise, a Committer's membership in the Project Security Team is automatically revoked when their Committer status is revoked.
The Project Committers may elect non-Project Committers to the Project Security Team when they have related knowledge and experience. Non-Project Committer Members of the Project Security Team are voted in by all Project Committers using the same rules as for the election of Committers.
At times, Non-Project Committer Members of the Project Security Team may become inactive for a variety of reasons. The Project Leads are responsible for ensuring the smooth operation of the Project Security Team. A Non-Project Committer Member who is disruptive, does not participate actively, or has been inactive for an extended period may have his or her membership status revoked by the unanimous consent of the Project Leads. Unless otherwise specified, "an extended period" is defined as "no activity for more than six months".