curl/docs/GOVERNANCE.md
Daniel Stenberg 86d33001e4
reuse: add copyright + license info to individual docs/*.md files
Instead of use 'docs/*.md' in dep5. For clarity and avoiding a wide-
matching wildcard.

+ Remove mention of old files from .reuse/dep5
+ add info to .github/dependabot.yml
+ make scripts/copyright.pl warn on non-matching patterns

Closes #13245
2024-03-31 12:01:18 +02:00

7.5 KiB

Decision making in the curl project

A rough guide to how we make decisions and who does what.

BDFL

This project was started by and has to some extent been pushed forward over the years with Daniel Stenberg as the driving force. It matches a standard BDFL (Benevolent Dictator For Life) style project.

This setup has been used due to convenience and the fact that it has worked fine this far. It is not because someone thinks of it as a superior project leadership model. It also only works as long as Daniel manages to listen in to what the project and the general user population wants and expects from us.

There is no legal entity. The curl project is just a bunch of people scattered around the globe with the common goal to produce source code that creates great products. We are not part of any umbrella organization and we are not located in any specific country. We are totally independent.

The copyrights in the project are owned by the individuals and organizations that wrote those parts of the code.

Decisions

The curl project is not a democracy, but everyone is entitled to state their opinion and may argue for their sake within the community.

All and any changes that have been done or are done are eligible to bring up for discussion, to object to or to praise. Ideally, we find consensus for the appropriate way forward in any given situation or challenge.

If there is no obvious consensus, a maintainer who's knowledgeable in the specific area takes an "executive" decision that they think is the right for the project.

Donations

Donating plain money to curl is best done to curl's Open Collective fund. Open Collective is a US based non-profit organization that holds on to funds for us. This fund is then used for paying the curl security bug bounties, to reimburse project related expenses etc.

Donations to the project can also come in the form of server hosting, providing services and paying for people to work on curl related code etc. Usually, such donations are services paid for directly by the sponsors.

We grade sponsors in a few different levels and if they meet the criteria, they can be mentioned on the Sponsors page on the curl website.

Commercial Support

The curl project does not do or offer commercial support. It only hosts mailing lists, runs bug trackers etc to facilitate communication and work.

However, Daniel works for wolfSSL and we offer commercial curl support there.

Key roles

User

Someone who uses or has used curl or libcurl.

Contributor

Someone who has helped the curl project, who has contributed to bring it forward. Contributing could be to provide advice, debug a problem, file a bug report, run test infrastructure or writing code etc.

Commit author

Sometimes also called 'committer'. Someone who has authored a commit in the curl source code repository. Committers are recorded as Author in git.

Maintainers

A maintainer in the curl project is an individual who has been given permissions to push commits to one of the git repositories.

Maintainers are free to push commits to the repositories at they see fit. Maintainers are however expected to listen to feedback from users and any change that is non-trivial in size or nature should be brought to the project as a Pull-Request (PR) to allow others to comment/object before merge.

Former maintainers

A maintainer who stops being active in the project gets their push permissions removed at some point. We do this for security reasons but also to make sure that we always have the list of maintainers as "the team that push stuff to curl".

Getting push permissions removed is not a punishment. Everyone who ever worked on maintaining curl is considered a hero, for all time hereafter.

Security team members

We have a security team. That is the team of people who are subscribed to the curl-security mailing list; the receivers of security reports from users and developers. This list of people varies over time but they are all skilled developers familiar with the curl project.

The security team works best when it consists of a small set of active persons. We invite new members when the team seems to need it, and we also expect to retire security team members as they "drift off" from the project or just find themselves unable to perform their duties there.

Core team

There is a curl core team. It currently has the same set of members as the security team. It can also be reached on the security email address.

The core team nominates and invites new members to the team when it sees fit. There is no open member voting or formal ways to be a candidate. Active participants in the curl project who want to join the core team can ask to join.

The core team is a board of advisors. It deals with project management subjects that need confidentiality or for other reasons cannot be dealt with and discussed in the open (for example reports of code of conduct violations). Project matters should always as far as possible be discussed on open mailing lists.

Server admins

We run a web server, a mailing list and more on the curl project's primary server. That physical machine is owned and run by Haxx. Daniel is the primary admin of all things curl related server stuff, but Björn Stenberg and Linus Feltzing serve as backup admins for when Daniel is gone or unable.

The primary server is paid for by Haxx. The machine is physically located in a server bunker in Stockholm Sweden, operated by the company Glesys.

The website contents are served to the web via Fastly and Daniel is the primary curl contact with Fastly.

BDFL

That is Daniel.

Maintainers

A curl maintainer is a project volunteer who has the authority and rights to merge changes into a git repository in the curl project.

Anyone can aspire to become a curl maintainer.

Duties

There are no mandatory duties. We hope and wish that maintainers consider reviewing patches and help merging them, especially when the changes are within the area of personal expertise and experience.

Requirements

  • only merge code that meets our quality and style guide requirements.
  • never merge code without doing a PR first, unless the change is "trivial"
  • if in doubt, ask for input/feedback from others

Recommendations

  • we require two-factor authentication enabled on your GitHub account to reduce risk of malicious source code tampering
  • consider enabling signed git commits for additional verification of changes

Merge advice

When you are merging patches/pull requests...

  • make sure the commit messages follow our template
  • squash patch sets into a few logical commits even if the PR did not, if necessary
  • avoid the "merge" button on GitHub, do it "manually" instead to get full control and full audit trail (GitHub leaves out you as "Committer:")
  • remember to credit the reporter and the helpers.

Who are maintainers?

The list of maintainers. Be aware that the level of presence and activity in the project vary greatly between different individuals and over time.

Become a maintainer?

If you think you can help making the project better by shouldering some maintaining responsibilities, then please get in touch.

You are expected to be familiar with the curl project and its ways of working. You need to have gotten a few quality patches merged as a proof of this.

Stop being a maintainer

If you (appear to) not be active in the project anymore, you may be removed as a maintainer. Thank you for your service.