lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <202306191247.3CA085BA64@keescook>
Date:   Mon, 19 Jun 2023 12:49:51 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Finn Thain <fthain@...ux-m68k.org>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Jonathan Corbet <corbet@....net>,
        tech-board-discuss@...ts.linux-foundation.org,
        Theodore Ts'o <tytso@....edu>,
        Dan Williams <dan.j.williams@...el.com>,
        linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Documentation: Linux Contribution Maturity Model and the
 wider community

On Mon, Jun 19, 2023 at 07:41:57PM +1000, Finn Thain wrote:
> The Linux Contribution Maturity Model methodology is notionally based on
> the Open source Maturity Model (OMM) which was in turn based on the
> Capability Maturity Model Integration (CMMI).
> 
> According to Petrinja et al., the goal of the OMM was to extend the CMMI
> so as to be useful both for companies and for communities [1][2]. However,
> the Linux Contribution Maturity Model considers only companies and
> businesses.
> 
> This patch addresses this bias as it could hinder collaboration with
> not-for-profit organisations and individuals, which would be a loss to
> any stakeholder.
> 
> Level 5 is amended to remove the invitation to exercise the same bias
> i.e. employees rewarded indirectly by other companies.
> 
> [1] Petrinja, E., Nambakam, R., Sillitti, A.: Introducing the
> OpenSource Maturity Model. In: 2nd Emerging Trends in FLOSS Research
> and Development Workshop at ICSE 2009, Vancouver, BC, Canada (2009)
> 
> [2] Wittmann, M., Nambakam, R.: Qualipso Deliverable A6.D1.6.3
> CMM-like model for OSS.
> 
> Cc: Theodore Ts'o <tytso@....edu>
> Cc: Kees Cook <keescook@...omium.org>
> Cc: Dan Williams <dan.j.williams@...el.com>
> Signed-off-by: Finn Thain <fthain@...ux-m68k.org>
> ---
>  Documentation/process/contribution-maturity-model.rst | 9 ++++-----
>  1 file changed, 4 insertions(+), 5 deletions(-)
> 
> diff --git a/Documentation/process/contribution-maturity-model.rst b/Documentation/process/contribution-maturity-model.rst
> index b87ab34de22c..863a2e4c22e2 100644
> --- a/Documentation/process/contribution-maturity-model.rst
> +++ b/Documentation/process/contribution-maturity-model.rst
> @@ -62,8 +62,8 @@ Level 3
>  =======
>  
>  * Software Engineers are expected to review patches (including patches
> -  authored by engineers from other companies) as part of their job
> -  responsibilities
> +  authored by contributors from outside of the organization) as part of
> +  their job responsibilities

This seems fine to me.

>  * Contributing presentations or papers to Linux-related or academic
>    conferences (such those organized by the Linux Foundation, Usenix,
>    ACM, etc.), are considered part of an engineer’s work.
> @@ -103,7 +103,6 @@ Level 5
>  
>  * Upstream kernel development is considered a formal job position, with
>    at least a third of the engineer’s time spent doing Upstream Work.
> -* Organizations will actively seek out community member feedback as a
> -  factor in official performance reviews.

This really cannot be dropped -- companies must factor upstream work
into performance reviews or it will continue to be seen as "free time"
work, and employees won't be recognized for their upstream contributions.
If an org has no perf reviews, this item is already nullified, IMO.

>  * Organizations will regularly report internally on the ratio of
> -  Upstream Work to work focused on directly pursuing business goals.
> +  Upstream Work to work focused on directly pursuing the organisation's
> +  other goals.

This seems fine to me.

-Kees

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ