license switch agpl -> busl1, sprints work, new product advisories

This commit is contained in:
master
2026-01-20 15:32:20 +02:00
parent 4903395618
commit c32fff8f86
1835 changed files with 38630 additions and 4359 deletions


@@ -1,92 +1,92 @@
# StellaOps ProjectGovernance
*Lazy Consensus • Maintainer Charter • Transparent Veto*
> **Scope** applies to **all** repositories under
> `https://git.stella-ops.org/stella-ops/*` unless a subproject overrides it
> with its own charter approved by the Core Maintainers.
---
## 1·Decisionmaking workflow 🗳
| Stage | Default vote | Timer |
|-------|--------------|-------|
| **Docs / noncode PR** | `+1` | **48h** |
| **Code / tests PR** | `+1` | **7×24h** |
| **Securitysensitive / breaking API** | `+1` + explicit **`securityLGTM`** | **7×24h** |
**Lazyconsensus** silence=approval once the timer elapses.
* **Veto `1`** must include a concrete concern **and** a path to resolution.
* After 3 unresolved vetoes the PR escalates to a **Maintainer Summit** call.
---
## 2·Maintainer approval thresholds 👥
| Change class | Approvals required | Example |
|--------------|-------------------|---------|
| **Trivial** | 0 | Typos, comment fixes |
| **Nontrivial** | **2Maintainers** | New API endpoint, feature flag |
| **Security / breaking** | Lazyconsensus **+`securityLGTM`** | JWT validation, crypto swap |
Approval is recorded via Git forge review or a signed commit trailer
`Signed-off-by: <maintainer>`.
---
## 3·Becoming (and staying) a Maintainer 🌱
1. **3+ months** of consistent, highquality contributions.
2. **Nomination** by an existing Maintainer via issue.
3. **7day vote** needs ≥ **⅔ majority** “`+1`”.
4. Sign `MAINTAINER_AGREEMENT.md` and enable **2FA**.
5. Inactivity>6months → automatic emeritus status (can be reactivated).
---
## 4·Release authority & provenance 🔏
* Every tag is **cosigned by at least one Security Maintainer**.
* CI emits a **signed SPDX SBOM** + **Cosign provenance**.
* Release cadence is fixed see [Release Engineering Playbook](RELEASE_ENGINEERING_PLAYBOOK.md).
* Security fixes may create outofband `x.y.zhotfix` tags.
---
## 5·Escalation lanes 🚦
| Situation | Escalation |
|-----------|------------|
| Technical deadlock | **Maintainer Summit** (recorded & published) |
| Security bug | Follow [Security Policy](SECURITY_POLICY.md) |
---
## 6·Contribution etiquette 🤝
* Draft PRs early CI linting & tests help you iterate.
* “There are no stupid questions” ask in **Matrix #dev**.
* Keep commit messages in **imperative mood** (`Fix typo`, `Add SBOM cache`).
* Run the `precommit` hook locally before pushing.
---
## 7·Licence reminder 📜
StellaOps is **AGPL3.0orlater**. By contributing you agree that your
patches are released under the same licence.
---
### Appendix A Maintainer list 📇
*(Generated via `scripts/gen-maintainers.sh` edit the YAML, **not** this
section directly.)*
| Handle | Area | Since |
|--------|------|-------|
| `@alice` | Core scanner • Security | 202504 |
| `@bob` | UI • Docs | 202506 |
---
# StellaOps ProjectGovernance
*Lazy Consensus • Maintainer Charter • Transparent Veto*
> **Scope** applies to **all** repositories under
> `https://git.stella-ops.org/stella-ops/*` unless a subproject overrides it
> with its own charter approved by the Core Maintainers.
---
## 1·Decisionmaking workflow 🗳
| Stage | Default vote | Timer |
|-------|--------------|-------|
| **Docs / noncode PR** | `+1` | **48h** |
| **Code / tests PR** | `+1` | **7×24h** |
| **Securitysensitive / breaking API** | `+1` + explicit **`securityLGTM`** | **7×24h** |
**Lazyconsensus** silence=approval once the timer elapses.
* **Veto `1`** must include a concrete concern **and** a path to resolution.
* After 3 unresolved vetoes the PR escalates to a **Maintainer Summit** call.
---
## 2·Maintainer approval thresholds 👥
| Change class | Approvals required | Example |
|--------------|-------------------|---------|
| **Trivial** | 0 | Typos, comment fixes |
| **Nontrivial** | **2Maintainers** | New API endpoint, feature flag |
| **Security / breaking** | Lazyconsensus **+`securityLGTM`** | JWT validation, crypto swap |
Approval is recorded via Git forge review or a signed commit trailer
`Signed-off-by: <maintainer>`.
---
## 3·Becoming (and staying) a Maintainer 🌱
1. **3+ months** of consistent, highquality contributions.
2. **Nomination** by an existing Maintainer via issue.
3. **7day vote** needs ≥ **⅔ majority** “`+1`”.
4. Sign `MAINTAINER_AGREEMENT.md` and enable **2FA**.
5. Inactivity>6months → automatic emeritus status (can be reactivated).
---
## 4·Release authority & provenance 🔏
* Every tag is **cosigned by at least one Security Maintainer**.
* CI emits a **signed SPDX SBOM** + **Cosign provenance**.
* Release cadence is fixed see [Release Engineering Playbook](RELEASE_ENGINEERING_PLAYBOOK.md).
* Security fixes may create outofband `x.y.zhotfix` tags.
---
## 5·Escalation lanes 🚦
| Situation | Escalation |
|-----------|------------|
| Technical deadlock | **Maintainer Summit** (recorded & published) |
| Security bug | Follow [Security Policy](SECURITY_POLICY.md) |
---
## 6·Contribution etiquette 🤝
* Draft PRs early CI linting & tests help you iterate.
* “There are no stupid questions” ask in **Matrix #dev**.
* Keep commit messages in **imperative mood** (`Fix typo`, `Add SBOM cache`).
* Run the `precommit` hook locally before pushing.
---
## 7·Licence reminder 📜
StellaOps is **BUSL-1.1**. By contributing you agree that your
patches are released under the same licence.
---
### Appendix A Maintainer list 📇
*(Generated via `scripts/gen-maintainers.sh` edit the YAML, **not** this
section directly.)*
| Handle | Area | Since |
|--------|------|-------|
| `@alice` | Core scanner • Security | 202504 |
| `@bob` | UI • Docs | 202506 |
---
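Review bot: the licence switch in section 7 (`StellaOps is **AGPL3.0orlater**` becomes `StellaOps is **BUSL-1.1**`) rewrites the terms every contributor agrees to, but nothing else in this hunk is adjusted to match: `MAINTAINER_AGREEMENT.md` (section 3, step 4) and the `Signed-off-by: <maintainer>` trailer that records approval (section 2) are referenced unchanged, and the charter does not say how patches already contributed under AGPL-3.0-or-later are relicensed (a CLA or explicit consent from each past contributor). Suggest recording the decision the way the charter itself requires for a non-trivial change, i.e. a lazy-consensus vote with the 7×24h timer and two Maintainer approvals, and linking the decision issue from section 7 so the provenance of the licence change is auditable. Separately, the commit message bundles this with "sprints work, new product advisories" across 1835 files, which makes the licence change hard to find and review on its own; a dedicated commit would be clearer.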