WIP - governance ideas #296

Draft
wants to merge 1 commit into base: master

ghoneycutt
Member

No description provided.

ghoneycutt requested a review from a team as a code owner January 5, 2025 20:24
ghoneycutt marked this pull request as draft January 5, 2025 20:24
@@ -162,7 +196,7 @@ process that allows a large group of people to efficiently reach
consensus, as someone with no objections to a proposal need not spend time
stating their position, and others need not spend time reading such statements.

For lazy consensus to be effective, it is necessary to allow at least 72 hours
For lazy consensus to be effective, it is necessary to allow at least 7 days
Member Author

This gives more time for decisions. 72 hours near a holiday can mean that people are left out.

Member

The 72 hours enabled us to be flexible. For changes with low impact we used the 72 hours, for bigger changes (e.g. dropping a major puppet version or ruby version) we waited longer. I think the flexibility helped a lot.

Member Author

Perhaps we need to codify what requires a vote and what is normal business for a committee? Waiting a week to get input on dropping a puppet/ruby version makes sense whereas doing the same for a small module PR would not.

Member

Indeed, right now we rely on the gut instinct for people to estimate a proper waiting period. In the past I tried to formalize it, but I wasn't able to come up with something that made sense.

Member

I like the idea. Should we say "at least a reasonable amount of time" and then give some examples of what is reasonable?

Member

I like having a number -- it reminds me to not be too hasty 😝

That said, I've always skipped holidays for this. For example, our last thing we did was 96 hours to account for the New Year's holiday in the middle.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Defining a "holiday" can also be an issue, so really need to be careful as to how this is defined. 72 hours seems reasonable in most cases, and the "at least" gives the ability for someone to say "hey... I think this needs more time, let's go another X hours/days." 7 days seems too long in the general sense.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would say we do something like:

Suggested change
For lazy consensus to be effective, it is necessary to allow at least 7 days
For lazy consensus to be effective, it is necessary to allow at least 72 hours. not including weekends. for minimally impacting changes. For any change with broader impact either a longer period should be used, or a non-lazy vote should be taken of the community via GitHub issues reactions.

Then we should include a few examples with notations on:

  • What constitutes the start of a consensus period?
  • How did we determine the length of the period?
  • How/With whom do we communicate that a Lazy Consensus is being 'voted' on?
  • When the period ends, how are votes tallied and the Consensus both announced and archived?

Member

Can we maybe keep it flexible like "at least a reasonable amount of time"? And as a safeguard maybe "the PMC has the option to extend the discussion time or restart the discussion time when it thinks that the time was too short. the PMC has to provide an explanation when they act"?

@@ -200,10 +234,12 @@ to its success. To that end, decision making must be done in a transparent,
open fashion. No decisions about the project’s direction, bug fixes or features
may be done without community involvement and participation. Discussions must
begin at the earliest possible point on a topic; the community’s participation
is vital during the entire decision-making process.
is vital during the entire decision-making process. While conversations happen
on many mediums, decisions must be made through the mailing list.
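Review bot: The added sentence "decisions must be made through the mailing list" names no list and gives no address or link, so a reader of this section cannot tell where decisions are recorded. Name or link the list here, and state whether the decision itself or only its announcement has to happen there, since the same sentence acknowledges that "conversations happen on many mediums".
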
Member Author

Make it explicit that the mailing list is where things are decided.

Member

In the past we used the mailing list or GitHub issues/PRs. I think we used GitHub more than the mailing list, but that's really just a feeling and I don't have a strong preference here. I think it's slightly easier to count votes on GitHub because there's a thumbs up/down option.

Member Author

Right, we might use the mailing list to drive people to GitHub or https://civs1.civs.us/ or wherever to get inputs, though the decisions should be conveyed in one place so that people understand what is happening without having to be on all the mediums.

Member

Yes, that's also how I used it in the past. Created a GitHub PR and requested feedback on the mailing list and on IRC.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like GitHub is the place where we should ask people to record their thoughts (as we get permanent records of that data) and then we have communications to Slack/IRC and the ML.

I personally hate mailing lists and don't really use them, so anything going direct to ML has a high chance of getting missed for me.


## Election

The details of the election process are up to the elections officer, subject to
approval by the PMC. The users, collaborators, and contributors all get to vote
in the election.
in the election. The election will pick members of the PMC as well as the
Member Author

People could indicate the subcommittees they are interested in for the election.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It isn't clear here that we're talking about multiple elections, pretty much throughout.

Are we looking at each PMC role being assigned to a subcommittee (so you apply to a specific PMC role?) Or should we just get the best PMC we can, and then they can work out who is going to go to which subs. (There shouldn't be any reason why the entire PMC can't show up to every sub meeting.)

For subcommittee placement, is there any reason to vote on those, or should it just be an open meeting that folks can come to?

Member Author

I did not mean to give the impression of multiple elections. I thought one election and you can specify the different committees you are interested in. If PMC stays at 5, not everyone will want to be in PMC and some may just want to be in certain subcommittees.


3) Communications Officer: This is the main point of contact for external and internal publicity and marketing efforts and requests.

### Subcommittees
Member Author

The use of subcommittees is to encourage more community involvement which can also increase transparency over five people doing everything. Sharing the work amongst more of the community also helps with burn out.

Puppet modules, puppet-lint and plugins, editor integrations, the associated
plumbing to test and manage these repositories and the like.

#### Security committee
Member Author

While we have a Security Officer, having a subcommittee means that we have backups when people are on vacation or otherwise not available. It also means we have more experience available, especially as the scope for Vox Pupuli grows to manage Puppet and related software.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There should be more detail on the relationship between the Security Officer and the Security Subcommittee. Is the SO part of the subcommittee, are they the "chair" of the SC? What happens when there is conflict between the SO and the subcommittee?

Member Author

Great call out. I think if there is conflict within any subcommittee then PMC would be the arbitrators.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There should be more detail on the relationship between the Security Officer and the Security Subcommittee. Is the SO part of the subcommittee, are they the "chair" of the SC? What happens when there is conflict between the SO and the subcommittee?

Generally speaking, as per Robert's Rules, a chair of a committee is usually not a voting member of said committee (or board). Now, many committees choose to NOT do this and allow the chair a vote, but their vote is part of the overall vote, preventing them from dictatorial behavior without the full consent of the "governed".

Member

binford2k Jan 7, 2025

or the chair is only a tie-breaker


#### Language committee

This committee will work with the community and Perforce to create standards
Member Author

@binford2k highlighted this elsewhere and the actual committee would include Vox Pupuli, Perforce, community members and representatives from other companies that give paid support. This subcommittee is meant to identify who would represent Vox Pupuli.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, but the Language Reference should be wholly owned by the OSS project/not-for-profit and not a business making money on Puppet to prevent a takeover/messy divorce situation.

Member Author

Good point. However that comes to be, Vox Pupuli will be involved, so this is to capture who those people are representing VP.

Member

The steering committee should never have a majority or veto power or anything such by any single for-profit company. It should always be community forward. That said, most of the people in our community do represent a company to one degree or another. Even myself (Overlook) and @bastelfreak (Betadots) work at least partially on behalf of companies.

As long as decision making leadership is shared equitably, it shouldn't really be an issue. If we want to be cautious about that, we could differentiate between company seats and personal seats and require attestations that people represent themselves only.

Member Author

This section is just meant to convey who will represent VP. Make up of the PMC and subcommittees is being discussed below under Subcommittees heading.

Member

I think PostgreSQL has some rules about not too many people from the same company in certain positions and I like that. I recall they had to change things when people moved to a different company or an acquisition, but on my phone now and it's hard to find the reference.


2) Security Officer: This is the point of contact for external or internal security issues, this person has a published gpg key, and will be the main point of contact for CVE numbers and such
#### Ecosystem committee
Member Author

This is meant to separate the work from what Vox Pupuli already does with modules, plugins and the like with the new scope of tracking changes to upstream projects like puppet, facter and bolt and the testing and packaging around that.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to call this Ecosystem or the Service/Application Committee. Ecosystem feels like it would be repos like beaker and modulesync, not the Puppet/PuppetDB/Facter/Bolt side.

Member Author

Agree and open to name changes. Wanted to call out that there would be a subcommittee dedicated to these projects that are new to Vox Pupuli.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the addition of the security title was to give users confidence that security is being maintained, and is a priority. Neither for nor against, just details.


#### Module committee

This committee will manage what Vox Pupuli has generally managed including
Member

It's not yet clear to me what the committee should do.

Member Author

What the current PMC does now in terms of working on puppet modules, linters, etc and the decisions around those.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be fleshed out with specific tasks, my take on what those might be initially are below.

I feel that this is less about actual maintenance of the modules, but more the plumbing of that work. So, approving modules to be moved into Vox, ensuring modules have primary maintainers, maintaining modulesync.

Member Author

It's both. My thoughts here were to capture what VP focuses on today.

@@ -92,7 +97,10 @@ include participating in strategic planning, release planning and approving
changes to the governance model. One of the most important duties is to uphold
the community code of [conduct](https://voxpupuli.org/coc/) and ensure its
values. The PMC has to make decisions when community consensus cannot be
reached.
reached. The PMC is tasked with preserving any intellectual property and
Member Author

Make it clear that the PMC is tasked with maintaining these things.

### Subcommittees

Each subcommittee will have at least one member who is also on the PMC and at
least three members in total. To be elligible for a subcommittee, one must
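Review bot: "elligible" in the added Subcommittees paragraph is misspelled and should read "eligible".
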
Member

For the PMC we've a maximum of five people and a maximum of 2 people from the same company. And it has to be an odd number. Should similar rules apply to the subcommittees as well?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Odd number I agree with, I'd say that no more than 1/4 of the members can be from any single organization (company or otherwise.) That way you'd have to reach 8 members to allow 2 people from the same company onto a sub.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Subcommittees don't need to have quite as stringent membership standards as the PMC, as the PMC can always have an override responsibility. Rather than enforce an odd number, it might be better to have the PMC representative have a tie-breaker vote only.

Member Author

Suggest we have five people always on the PMC. If someone leaves early, then we should have a process for filling the role. Perhaps not more than two from the same organization so one organization alone cannot have the majority of votes.

Also we have some gpg-encrypted credentials and a few repositories require
gpg-signed commits, so a PMC member also needs a gpg key.
gpg-signed commits, so a PMC member also needs a GPG key.
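Review bot: The changed line capitalises "GPG key" while "gpg-encrypted" and "gpg-signed" in the same sentence stay lowercase. Use one casing for all three so the sentence reads consistently.
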
Member

That's not correct anymore, could you please update it? Some repositories require signed commits, they can be signed with an ssh key or a GPG key.

Member Author

This seems unrelated to governance and just a practical part of onboarding for the type of key to access a repo. I just changed it for style.

@@ -105,10 +113,12 @@ election. There are 5 members of the PMC. Terms are 1 year.

The PMC doesn't have specific roles or a chairperson.
Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems in conflict to the ### Specialized Roles section below

Comment on lines +12 to +16
* [Subcommittees](#subcommittees)
* [Module committee](#module-committee)
* [Security committee](#security-committee)
* [Language committee](#language-committee)
* [Ecosystem committee](#ecosystem-committee)
Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should an Infrastructure Subcommittee also be a thing as there is bound to be more of that going forward?

Member Author

What would that entail? I thought each subcommittee would deal with the relevant infra such as Module's handling modulesync, Ecosystem handling packaging and repos, etc.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd describe the infrastructure subcommittee as for the packaging site, self-hosted runners, and any non-github based infrastructure that the project needs as well as managing mirroring and sponsorship around infrastructure.

We know we're going to need apt/yum/dnf/mac/windows package repositories that are not super easy to host in github, as well as more self-hosted runners for building and testing on various platforms.

Member

I'd argue GitHub itself is also infra. Today the PMC takes the admin role but if we're a larger org I don't see why a more dedicated infra team can't take ownership. We can discuss if there should be a strict boundary. Back in university I was part of an org where the rule was that the board wasn't doing operational infra things. Partly to keep focus and that argument may be irrelevant here but it can be

8 participants