balhar-jakub
commented
2 months ago The top-level dependencies must be analysed before every major release. The support needs to be treated in following way:
- There is an Active Lifecycle Management policy
- For every major release, we must use versions that are supported
- There is no Active Lifecycle Management policy (This in itself is a warning)
- Red flags
- 0 Committers
- No release for more than two years
- Orange flags
- Releasing once a year or less
- There is no place to discuss
- There is no webpage with information
- There are less than 5 contributors in last 12 years
- The score on scorecards is either unavailable or below 4
For every major release, approval by TSC is necessary for the following:
- Versions of libraries with Active Lifecycle Management policy that aren't supported at the time of release
- Versions without Active Lifecycle Management Policy that have
- one or more red flags
- three or more orange flags if there is no red flag
For every major release, the squad must accept risk for libraries without an Active Lifecycle Management Policy that have less than three orange flags. This must be documented in a searchable way.
adam-wolfe
Zowe should take into account when preparing for the release whether there are any components that are out of support or doesn't have community at all.
The top-level-dependencies should be reflected.
The supported components has few characteristics:
If there is at least one warning sign, the squad should for every release grant an exception to release with such component If there are two or more, the security workgroup needs to agree with the exception If there are four or more, the TSC needs to agree with the exception.
If there is an Active Lifecycle Management and the version is out of support, the TSC approval is necessary to ship with that component in the relevant version.