Re: [open-regulatory-compliance] ORC Charter

On 12/14/2024 7:03 AM, Tobie Langel wrote:
Hi Scott,

Thanks for taking the time to email us.

The omission of committer members is an accident that was recently noticed and that is currently being fixed.

Glad to hear.


The replacement of Steward Members by Foundation Members was done on purpose to avoid creating the impression of a 1:1 mapping between member classes and the description of certain roles in the Cyber Resilience Act. "Open Source Steward" is a role that both a foundation and a for-profit can take on.

Yes I understand that.  But one complication I'm concerned about:  in the real Eclipse project world, we are talking about diverse/dynamic project teams (some corp and some not with members that come and go).   This does not match well...IMHO...with the current hierarchical governance structure of EF/PMC -> Working groups -> EF projects -> (typically one person) project lead -> project team committers, etc.   For example, currently, Foundation personnel, Working Groups reps, PMC contribute very little/nothing to the actual technical/project work of many relevant projects.

Has anyone done any thinking about this wrt the CRA application of 'stewardship' to Eclipse projects? 

It's even possible for an organization to be both the manufacturer of a project and the steward of another. That would be super confusing for member classes.

Sure.   IMHO that suggests that for some kinds of project-level 'stewardship', it would make sense to have multiple stewards and/or independent stewards...that are not from the same corp (or even the same non-profit).  Project diversity was one of the founding principles for Eclipse projects and seems to me important to maintain as security regulatory compliance is figured out.


Hope this helps address the concerns you've raised. Please let us know if it doesn't.

It does at this point, thank you. As stated above, I think there are further questions about how compliance will actually happen/be implemented in the relevant Eclipse projects. I request that these questions be discussed openly and publicly on forums like this.

Scott



Thanks,

--tobie

---
Tobie Langel
Senior Technical Lead, ORC WG
Principal, UnlockOpen

On Fri, Dec 13, 2024 at 11:42 PM Scott Lewis via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Greetings,

I recently became aware of the ORC, joined the mailing list, and saw that the ORC charter was published recently [1][2].

As a 20 year+ committer member, I was shocked to see no inclusion of committer members in the 'Classes of Membership' section of the charter.   

This seems like a clear oversight to me, at least partially because the CRA now includes important new language of 'project-level stewards' [3] that will in many/most cases be doing the actual work of security maintenance and innovation for the Eclipse IDE platform [4] as well as many other Eclipse projects.  

It is also surprising to me that the charter makes no mention of 'stewards' (a key new part of CRA it appears to me), *except* this one: 

  • v0.3 rename Steward member to Foundation member - 2 June 2024

Scott

ECF Project Lead

[1] https://www.eclipse.org/lists/open-regulatory-compliance/msg00365.html

[2] https://www.eclipse.org/org/workinggroups/open-regulatory-compliance-charter.php

[3] https://about.gitlab.com/blog/2016/01/11/being-a-good-open-source-steward/

[4] https://gitlab.eclipse.org/eclipse-wg/ide-wg/ide-wg-dev-funded-efforts/ide-wg-dev-funded-program-planning-council-top-issues/-/issues/37