Re: Restore write access for all EG members?


Will Hopkins
 

First of all, I'd like to say that I understand and appreciate the tremendous contributions from the EG and all contributors. I especially appreciate Arjan's contributions -- my understanding is that he contributed most of the original code, and he's contributed a great deal to the spec itself.

I would also like to acknowledge that I am new to the business of being a spec lead, and that I am new to this JSR in particular, having become spec lead after much of the work to define the APIs and build the RI had already been done. So there may be aspects of the spec lead role that I'm misinterpreting, or don't fully appreciate, and there are definitely aspects of JSR-375 that I don't understand as well as most of you.

That said, it's my understanding that I am ultimately responsible for delivering the spec, the API, the RI, and the TCK. I'm responsible for meeting the schedule, and for the quality of the resulting deliverables. While I will always strive for consensus and agreement, it's also my understanding that I have both the responsibility, and the authority, to make the final decision on any question affecting the technical content of the JSR.

In my experience, it's necessary to institute change control on any project that is nearing completion; to do otherwise is to invite disruption, churn, and instability. This is not a question of trust, or of enabling contributions from a diverse group. What worked well early in the JSR's history won't necessarily work well as we try to complete it. It's true that commits can be rolled back, but that's an inefficient -- and potentially contentious -- way to do change control. I'd like to see things discussed and agreed before a change is committed, rather than after.

I'm mindful of the potential for me to become a bottleneck if I have to approve every change, and I'll make every effort to ensure that doesn't happen. Ultimately, while this may slow things down slightly, it's a pretty small change from the existing process -- people were already submitting PRs, the only change is who approves them -- and it will be a net win if it keeps the code stable and moving in the right direction.

One last point -- I'm not sure exactly what the rules are for repos under the javaee organization at GitHub, but I believe that all commits must be done via PR, must be approved by the spec lead, or a designate who is a member of the javaee organization, and may also be made contingent on passing some suite of tests. So the process we're adopting now is pretty close to what we'll see when the repos are migrated.

Best Regards,

Will


On 05/31/2017 08:08 AM, Ivar Grimstad wrote:


On Wed, May 31, 2017 at 12:18 PM Arjan Tijms <arjan.tijms@...> wrote:
Will,

On Wed, May 31, 2017 at 3:11 AM, Will Hopkins <will.hopkins@...> wrote:
I plan to keep the spec and api repos locked down until we're done. 

I don't think this is wise. We still have a sizeable body of work to do.

JSR 372 (JSF) and JSR 375 flourished because the spec leads did exactly the opposite: give the EG or at least some members write access. That way the JSR could continue in both presence and absence of the spec leads.

I dare to say that both JSRs would not exist anymore at this point if it hadn't been for that single decision.

Totally agree! It is just to look at the commit history to see that there is a limited number of contributors. Shutting them off, Arjan in particular, will not benefit the progress of this JSR.
 

 
We'll probably need to establish change control for the soteria repo, too, in the not-too-distant future.

The Soteria repo is already under version control, as are the spec and api repos. Since it's version control, anything can be reverted anyway.

I strongly believe you should trust selected members of the EG (who have proved to commit well) for not doing any rash commits that haven't been discussed and for which there has not been any consensus.

+1
All EG members have signed the JSPA, and that should suffice for contributions to the spec.
And regarding Soteria, the CONTRIBUTING.md file requires the OCA to be signed.

What you could do is to restrict access to the repo under the Java EE organization, but keep the security-spec org open to the EG members that have signed the agreements.
 

Kind regards,
Arjan Tijms



 

Will


On 05/30/2017 06:29 PM, Arjan Tijms wrote:
Hi,

I noticed that the PRD has been published (thanks for that!), but that write access has not been restored for the Java EE Security API and spec repos.

Would be great if that access can be restored before long ;)

Kind regards,
Arjan Tijms

-- 
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803

--

Java Champion, JCP EC/EG Member, JUG Leader



Join javaee-security-spec@javaee.groups.io to automatically receive all group messages.