Contribution Requirements Update #594
Comments
At least one, at least 4 months old, as mentioned in the PR template Any software project you are adding was first released more than 4 months ago. Edit: a "canned" response for projects that do not conform to this guideline was discussed in #33 , I just used it in #593
Just be accessible publicly (although you can ask the submitter why it is not under version control, it's not mandatory, there are no guidelines about this, it's just strange/out of the ordinary)
4 months before qualifying for inclusion in the list, 6-12 months without updates for removal, as mentioned in the guidelines above. How do you suggest we make this more explicit? (without cluttering the PR template which is already quite a long read) |
nodiscc
added
curation
|
I'd like to give my two cents on this as well where I feel like nodiscc overlooked a few points.
I think this aspect is somewhat lacking in documentation and heavily focused on the reviewer's standpoint (not good). As nodiscc mentions, there's a rule stating that software with no development activity for 6-12 months can be removed, essentially indicating a lack of "activity". As well as some common sense parts (which aren't documented (again not good)) such as no open security issues, maintained issues tab, and so on. However, the challenge lies in defining "active" since different types of projects naturally have different development cycles. For instance, a single-developer project built on PHP might only have a few commits over time (which could be acceptable), while a company using Node.js with numerous packages might require much more maintenance and, consequently, more commits. Thus, establishing a static metric is rather difficult.
I believe is this already well documented. The 4-month period is mentioned in every PR and needs to be checked by the person proposing an addition. Similarly, the 6-12 month removal timeframe is outlined in the Contributing Guidelines. |
Not a requirement, free support is not mandatory. However it's another useful indicator when a project also does not receive any maintenance for >6 months.
Which should fine by our criteria as long as the last activity is in the last 6 > 12 months
I agree, not good, should be explicitly mentioned in https://github.com/awesome-selfhosted/awesome-selfhosted-data/blob/master/CONTRIBUTING.md#other-guidelines |
|
thanks for the discussion, that is the entire point of this particular "issue".
To be fair to all of us, let's just try and get some of the common sense items written down (I am also adding this as an additional edit to the main "issue" at the top of this thread). In my eyes this boils down to the following questions.
@Rabenherz112 you mentioned security issues and a maintained issues tab. What do you think we should do to address the differences in support provided between larger open source contributors (generally in the form of companies) vs single devs vs smaller teams? Also are there other common sense items you wish for us to address? @nodiscc I think one common sense item I personally want to address is the open security issues. This is a challenging one however I think we need to get something more specific written down then "Unmaintained software without an active community and/or persistent security issues may be removed from the list" in I think that is a big enough block of security jargon (sorry about that). TLDR on the last paragraph: I think we should use more realistic words to describe that automated security scanning in any form is HIGHLY recommended, and that depending on the severity it needs to be fixed in a timely manner (whatever we define timely manner to mean). Let's keep the discussion going even if it takes time. Updating procedures is rarely a quick process especially with open source software. Fascinating Security Things (at least to me): |
I don't think we will, this is too much work and out of scope. Triaging CVEs is extremely time consuming, the CVSS system is broken (I mean look at this and this, should we all uninstall vim and drop JPEG support?), some vulnerabilities are only applicable in some configurations, the possibility of DoS/crashing the application counts as a security vulnerability in the CVE book, etc. What I personally consider important are vulnerabilities that affect confidentiality/integrity, allow Remote Code Execution, etc. But this is subjective. In the end, analyzing the security posture of each project is left as an exercise to the user/admin. The "Unmaintained software without an active community and/or persistent security issues may be removed from the list" guideline is one of the "common sense" items which is not worth detailing in the contribution documentation IMHO, it boils down to:
|
Agreed
Yep, I personally agree on CIA, and RCE vulnerabilities.
Is there a good reason we shouldn't just put the exact verbiage (with the bullet points) into |
|
It was mentioned in #837 that we should list somewhere what kind of software does not qualify. regular contributors have some notion of what does/does not qualify (off the top of my head, no desktop software even it produces files that can be synchronized by file sync solutions, no software which depends on a specific cloud provider, ...), but it should still be stated explicitely somewhere. |
|
|
Can there please be clarification made in the contribution doc to explain the following items:
I have just been helping out a bit more with contributing to this project and gotten confused a couple times. There are good points brought up in issue and PR discussions that is not listed in the contribution doc, sometimes leading to confusion…
I am more than willing to update the docs, just wanted to start the conversation about what goes into the
contribution.mdfile.The text was updated successfully, but these errors were encountered: