Review Core Committer policy #166
Comments
@silverstripe/core-team For context, this came up as part of a recent security process review. Many Core Committers haven't worked for Silverstripe at all ... or haven't worked for Silverstripe in several years.

We have some requirements in terms of meeting security audits. Some of those requirements have implicitly been extended to Core Committers. I'd be keen to make those explicit and to make sure that there's a process to make sure that they are periodically reviewed.

This will probably take the form of having to read a one-page policy once a year and swearing on the holy book of your choice that you will abide by it.

But I'm keen to have a chat about what this looks like in practice. I'm also mindful not to make it too long or bureaucratic.
We've signed NDAs in the past to cover this kind of thing, I'm personally fine with doing that again. I can dig a copy out of my emails and send it over if that'd be helpful?
On Wed, 29 Nov 2023 at 21:34, Maxime Rainville wrote:
The NDA was specifically about undisclosed security issues, from memory. We were making people sign some agreement with PGP keys.
No issue from me to read a one-pager once a year and ✌️ on it.
I've inadvertently duplicated this card here: #263
We haven't reviewed our policies on how they relate to Core Committers in several years. We also haven't put in place any process for making sure Core Committers stay abreast of updated policies.
Acceptance criteria