WIP: [#] Add CONTRIBUTING.md #1691
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| # Contributing Guidelines | ||
|
|
||
| *Pull requests, bug reports, and all other forms of contribution are welcomed and highly encouraged!* | ||
|
|
||
| ### Contents | ||
|
|
||
| - [Code of Conduct](#code-of-conduct) | ||
| - [Asking Questions](#bulb-asking-questions) | ||
| - [Opening an Issue](#inbox_tray-opening-an-issue) | ||
| - [Feature Requests](#love_letter-feature-requests) | ||
| - [Triaging Issues](#mag-triaging-issues) | ||
| - [Code Contributions](#code-contributions) | ||
| - [Credits](#pray-credits) | ||
|
|
||
| > **This guide serves to set clear expectations for everyone involved with the project so that we can improve it together while also creating a welcoming space for everyone to participate. Following these guidelines will help ensure a positive experience for contributors and maintainers.** | ||
|
|
||
| ## Code of Conduct | ||
|
|
||
| Please review the Apache [Code of Conduct](https://www.apache.org/foundation/policies/conduct). It is in effect at all times. We expect it to be honored by everyone who contributes to this project. | ||
|
|
||
| ## Asking Questions | ||
|
|
||
| ## Opening an Issue | ||
|
|
||
| ### Reporting Security Issues | ||
|
|
||
| Review our Apache [Security Policy](https://www.apache.org/security/). **Do not** file a public issue for security vulnerabilities. | ||
|
|
||
| ### Bug Reports and Other Issues | ||
|
|
||
| ## Feature Requests | ||
|
|
||
| 1. Minor feature requests, such as adding a metric or configuration flag should be opened as an Issue. | ||
|
|
||
| 2. Major feature requests, such as replication, modernizing the boot process should be opened as an Issue tagged with 'propsoal'. | ||
|
|
||
| ## Triaging Issues | ||
|
|
||
| ## Code Contributions | ||
|
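Review bot: The table of contents (`- [Asking Questions](#bulb-asking-questions)` through `- [Credits](#pray-credits)`) points at emoji-prefixed anchors, but the headings below are plain (`## Asking Questions`, `## Credits`), so GitHub will generate `#asking-questions` and most of these links will not resolve; either put the emoji in the headings or drop the prefixes from the anchors (the `#code-of-conduct` entry is the only one that matches). `tagged with 'propsoal'` under Feature Requests should read `'proposal'`. The 'Reporting Security Issues' section would serve a reporter better if it stated where a report goes (the address given in the linked ASF policy) and what acknowledgement to expect, rather than only saying not to file a public issue. 'Asking Questions', 'Bug Reports and Other Issues' and 'Triaging Issues' are still empty headings.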
Member
We can have a GH Issue template to help there.
||
|
|
||
| ### Submitting Pull Requests | ||
|
|
||
| 1. Pull Requests that need review or discussion should be created as a 'Draft' with the 'WIP:' prefix in the title. | ||
|
|
||
| ### Writing Commit Messages | ||
|
|
||
| ### Pull Request Review | ||
|
|
||
| ### Coding Style | ||
|
|
||
| ### Certification of origin | ||
|
|
||
| 1. Apache ActiveMQ committers should sign all commits using an SSH key tied to their apache.org email address | ||
|
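Review bot: 'Certification of origin' is the usual name for a DCO-style `Signed-off-by` statement, but the one item under it (`committers should sign all commits using an SSH key tied to their apache.org email address`) describes cryptographic commit signing, which proves who held a key, not where the code came from; either rename the section (for example 'Signing Commits') or add the sign-off rule the heading implies. 'tied to their apache.org email address' also needs to say where that tie is made, because an SSH key carries no email: the public key has to be registered as a signing key on the committer's GitHub account, or listed under that address in the `allowed_signers` file that `gpg.ssh.allowedSignersFile` points to, before `git verify-commit` or the GitHub 'Verified' badge will accept it. Under 'Submitting Pull Requests' the Draft/'WIP:' rule is the only item; a line on what a ready-for-review PR should carry (linked issue, tests) would complete it.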
Contributor
I configured mine because I agree this is a good practice. But I think you should bring the discussion to the dev@ mailing list and most likely to a vote. If you want to mention SSH, you should also mention GPG because most committers already have Apache signing keys for releases and it's pretty straightforward to reuse it to sign commits. (This is what I have done, for instance.)
Member
FYI, that's not strictly required from the ASF standpoint. I don't want to see anything that can be seen as "limiting" the contributions.
Contributor
Author
This shouldn't be seen as limiting. The benefit of using SSH keys is that GitHub (or anyone else) never has the private secret. This is more secure all-around and starting to become the standard practice (and requirement!) for SOC 2 and ISO security certifications used by enterprises (aka end users of ActiveMQ). As a project, ActiveMQ can present a strong and modern security stance by having committers sign commits vs relying on GH secrets or passkeys.

edit: I'll make an SSH signing quick-start guide to accompany this to show how easy it is to use over passwords/tokens/passkeys.
Member
My point is that it should not be required, but recommended.
Contributor
Author
I agree we can mark the statement as 'should' for now. I do think we should try to progress towards required. Perhaps we let the new processes settle in this year and review how it's working.
Contributor
Author
One benefit of using SSH keys over GPG is that it allows one key for git id/authn/authz and code signing.
Contributor
GPG keys are used for artifact signing. GitHub fully supports it for code signing as well. So in the end I don't see any benefit of using one over the other. That's why I suggested mentioning both.
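The SSH commit-signing setup this thread discusses, as an added example that is not part of the PR and not the ActiveMQ project's own tooling: a POSIX shell script that creates two throwaway ed25519 keys, configures a throwaway repository to sign with one of them (`gpg.format ssh`, `user.signingkey`), lists that key under a committer email in an `allowed_signers` file (`gpg.ssh.allowedSignersFile`), makes a signed commit and verifies it, then shows the failure mode: a commit signed with the second, unlisted key carries a perfectly valid signature, yet `git verify-commit` rejects it, because the email-to-key binding lives in the verifier's allowed-signers list and not in the key. The email `committer@apache.org`, the key names and the directory are placeholders; the script needs git 2.34 or newer and OpenSSH 8.2 or newer (`ssh-keygen -Y`) and prints `skipped: ...` instead of failing when those are absent.

```shell
#!/bin/sh
# Added example, not the ActiveMQ project's code: SSH commit signing end to end
# in a throwaway repository with throwaway keys. Requires git >= 2.34 and
# OpenSSH >= 8.2 (ssh-keygen -Y). Email, key and directory names are placeholders.
set -e

# Prints one line: "verified" on success, "skipped: <reason>" if the tools are
# missing or too old, or "unexpected: <what>" if verification misbehaved.
demo_ssh_signing() {
  for tool in git ssh-keygen; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "skipped: $tool not installed"; return 0
    fi
  done
  ver=$(git --version | cut -d' ' -f3)          # e.g. "2.39.2"
  major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
  if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 34 ]; }; then
    echo "skipped: git $ver predates gpg.format=ssh (needs 2.34+)"; return 0
  fi
  if ssh-keygen -Y sign 2>&1 | grep -q 'unknown option'; then
    echo "skipped: ssh-keygen lacks -Y (needs OpenSSH 8.2+)"; return 0
  fi

  work=$(mktemp -d)
  repo="$work/repo"

  # 1. Two throwaway keys: the committer's and an unrelated one.
  ssh-keygen -q -t ed25519 -N '' -C 'committer@apache.org' -f "$work/committer"
  ssh-keygen -q -t ed25519 -N '' -C 'someone@example.com' -f "$work/outsider"

  # 2. The only place an email is "tied" to an SSH key: the verifier's
  #    allowed_signers file (principal, options, key type, base64 key).
  printf 'committer@apache.org namespaces="git" %s\n' \
    "$(cut -d' ' -f1,2 "$work/committer.pub")" > "$work/allowed_signers"

  # 3. A repository that signs with SSH and verifies against that file.
  git init -q "$repo"
  git -C "$repo" config user.name "Example Committer"
  git -C "$repo" config user.email "committer@apache.org"
  git -C "$repo" config gpg.format ssh
  git -C "$repo" config user.signingkey "$work/committer"  # private key path; with ssh-agent you give the .pub
  git -C "$repo" config gpg.ssh.allowedSignersFile "$work/allowed_signers"

  # 4. Happy path: sign a commit with the listed key and verify it.
  git -C "$repo" commit -q --allow-empty -S -m "signed with the listed key"
  if ! git -C "$repo" verify-commit HEAD 2>/dev/null; then
    result="unexpected: listed key rejected"
  else
    # 5. Failure mode: a valid signature from a key that is not in
    #    allowed_signers is still rejected; possession of *a* key proves nothing.
    git -C "$repo" config user.signingkey "$work/outsider"
    git -C "$repo" commit -q --allow-empty -S -m "signed with an unlisted key"
    if git -C "$repo" verify-commit HEAD 2>/dev/null; then
      result="unexpected: unlisted key accepted"
    else
      result="verified"
    fi
  fi

  rm -rf "$work"
  echo "$result"
}

demo_ssh_signing
```

On GitHub the counterpart of the `allowed_signers` entry is adding the same public key to the account as a signing key (separate from an authentication key); that registration, not anything in the commit, is what produces the 'Verified' badge. The `namespaces="git"` option restricts the listed key to git signatures, so a key that also signs other data cannot be replayed into a commit.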
||
|
|
||
| 2. Outside contributors are encouraged to sign commits using SSH keys | ||
|
|
||
| ## Software Supply Chain Security | ||
|
|
||
| Apache ActiveMQ secures the software supply chain | ||
|
|
||
| 1. Apache ActiveMQ committers sign every commit using an SSH key tied to their apache.org email address | ||
|
|
||
| 2. Apache ActiveMQ releases are monitored with reproducible builds to ensure published binaries match the source tree | ||
|
|
||
| ## Credits | ||
|
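Review bot: `Apache ActiveMQ secures the software supply chain` is cut off; it needs a 'by:' or a colon before the list. Item 1 repeats the rule from 'Certification of origin' but as an unconditional statement ('sign every commit') while that section says 'should', and the review thread above asks that it stay a recommendation; the two must agree. Item 2 (`releases are monitored with reproducible builds to ensure published binaries match the source tree`) is too vague to act on: say who rebuilds what, from which tag, and where a verifier finds the expected checksums, or leave it out until the process exists. The list also omits the control the thread above says the project already has, GPG-signed release artifacts; a line telling users to verify the release signature belongs here ahead of commit signing, since it is the artifact, not the commit, that users run.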
Member
Not applicable here.
||
|
|
||
| Created by [@mattrpav](https://github.com/mattrpav). | ||
|
|
||
The ASF header is missing here.