Present: Cornelius, Loic, Peter, Stephanie, Florian; Excused: Max
- Criteria for stage 2 of the incubation process (#78) (follow-up from last week, #83)
- REUSE (see also #80 (comment))
- DCO (see also #80 (comment))
- Signed Releases
- Onboarding of RCM OSS
- Onboarding of Netzgrafik-Editor
- SBOMs for OpenRail projects (https://github.com/OpenRailAssociation/compliance-assistant)
- Potential new project
- Onboarding of Netzgrafik-Editor
- Adrian will join next week
- Criteria for stage 2 of the incubation process (#78) (follow-up from last week, #83)
- REUSE (see also #80 (comment))
- Benefits we see from using REUSE
- Complete clarity about license situation in all projects on stage 2 of the incubation process, which is automatically checked
- For incoming code it is made sure that its license is properly declared and compatible with the expectations of the project
- For projects using the code it's clear what the terms are, even if files are put out of context (provided there are license headers)
- There is some initial effort to set up REUSE compliance (especially if license information is missing or unclear and projects have very diverse contributors; then the value of clarifying this information is also especially high)
- We will postpone a decision and give projects a bit more time to judge the effort (discuss next week)
- Benefits we see from using REUSE
- DCO (see also #80 (comment))
- We all agree that this is a good idea and decide to add this as a criteria for stage 2 of the incubation process
- We need documentation for contributors how to do it. This should be at the organization level (https://github.com/OpenRailAssociation/technical-committee/tree/main/project-handbook).
- Signed Releases
- If it's only done on GitHub in the CI and the key is on GitHub it does not add additional safety
- Release artifacts would need to be signed with an external key under exclusive control of the project to add safety
- Signing all commits with personal keys would be an option, but this adds quite some burden and limits available workflows
- It would be good to make the criteria for that in the incubation process clearer and document how to do it for projects in general
- REUSE (see also #80 (comment))
- SBOMs for OpenRail projects (https://github.com/OpenRailAssociation/compliance-assistant)
- There is a project by Max to create an SBOM in a uniform way. We can apply it to Netzgrafik-Editor.
- This is a project within the OpenRail Association org, but it's more of an internal tool, not something to offer to the railway sector for railway specific purposes. We label this kind of project as internal (using GitHub labels, documenting it somewhere, what it means).
- Questionnaire for new project
- libLRS (library for linear referencing systems) #87
- We will review the questionnaire and comment on the pull request and discuss it next week