CPAN-Security / security.metacpan.org

CPAN Security WG website
https://security.metacpan.org/

Decide for a Standards of Conduct #17

Open sjn opened 1 year ago

sjn commented 1 year ago

We need standards of conduct that we can collectively stand for and enforce.

Suggestion: Use TPRC's SoC

sjn commented 3 months ago

We decided on using TPRF's Standard of Conduct during the 2024-04-10 meeting.

sjn commented 3 months ago

TPRF just posted their new ones, which are in effect from August 1st 2024: https://news.perlfoundation.org/post/new-standaards-of-conduct

These are not the ones we voted on, but still TPRF's SoC - even if the update is substantial.

Should we just say we adopt these after the final comment period is done, or have another vote then, or pick another one? We voted for the current one (pre Aug 1st), and didn't specify "or newer versions"...

garu commented 2 months ago

I strongly believe we should not depend on third parties for such an important matter. If we agree on their (original) SoC, we should make a copy, call it our own, and that's it. This way, whenever they update, we can discuss which parts we want to sync. And even if they don't update, we may still want to, to better suit our values.

sjn commented 2 months ago

Hm. On the other hand, there's a certain benefit to not having to spend time on developing our own SoC – and since there are plenty of good alternatives out there, we save quite a bit of effort by using "prior art" in this matter (this was also the rationale behind picking TPRF's now "old" SoC).

I don't have strong opinions in either direction, though I do prefer easy-to-understand and simple instructions.

garu commented 2 months ago

My point is just that, for any SoC to be effective, it has to be taken seriously; it absolutely cannot be an afterthought after something happens. This means members need to carefully read and agree to it before joining - and that also ties to #20.

As such, if it changes arbitrarily at any point, we are immediately in a state where we need to re-read and re-agree to those Standards or exit the org (or express our concerns and ask for a review). Either having a "copy" or abiding by a specific version of an external SoC means we will never be in such a state, and will be able to approach changes with the necessary scrutiny, in a scheduled meeting.

Tux commented 2 months ago

As the project is closed, should this issue be closed too?