Re: Core Infrastructure Initiative (CII) - PostgreSQL entry

On Mon, Oct 8, 2018 at 10:02 AM Andres Freund <andres(at)anarazel(dot)de> wrote:

> On 2018-10-08 09:58:35 +0200, Magnus Hagander wrote:
> > On Mon, Oct 8, 2018 at 9:51 AM Dave Page <dpage(at)pgadmin(dot)org> wrote:
> >
> > >
> > >
> > > On Sun, Oct 7, 2018 at 5:31 PM Andres Freund <andres(at)anarazel(dot)de>
> wrote:
> > >
> > >> Hi,
> > >>
> > >> On 2018-10-07 11:15:13 +0100, Dave Page wrote:
> > >> > > On 7 Oct 2018, at 07:47, Andres Freund <andres(at)anarazel(dot)de>
> wrote:
> > >> > > I noticed that our dear project wasn't among the projects that
> have
> > >> been
> > >> > > evaluated with the CII best practices guidelines. As I was
> curious I
> > >> > > made an initial attempt. The MUST requirements for the 'passing'
> > >> level
> > >> > > largely seem reasonable, there's a few less sane things in the
> > >> "higher"
> > >> > > grades.
> > >> > >
> > >> > > https://bestpractices.coreinfrastructure.org/en/projects/2268
> > >> > >
> > >> > > If anybody here wants to edit that entry, I apparently can add
> > >> > > additional users with edit rights.
> > >> > >
> > >> > > You can click on "Expand panels" and "Hide met & N/A" to quickly
> see
> > >> the
> > >> > > things where we don't quite meter up.
> > >> >
> > >> > Yes, we chose not to join CII after discussions with the Linux
> > >> > Foundation. I forget the reasons now - would have to check my
> archives
> > >> > when I’m back in the office.
> > >>
> > >> The above seems largely unrelated to actually joining the CII? It's
> > >> just a bunch of guidelines you can follow or not.
> > >>
> > >
> > > The fact that the project is now listed on their site and has been
> scored
> > > seems to indicate that someone signed us up.
> > >
> >
> > Yes, and the record pretty clearly shows it's Andres. And he also stated
> so
> > in the first message of this thread :)
>
> Right ;)
>
>
> Everyone can sign anything up, it's not an "project wide thing" unless
> we want to make it such. There could be multiple PG entries afaict. A
> friend pinged me, and the list of questions sounded reasonable, and
> e.g. reminded me that we should change the password encryption default,
> and that certain parts of our "new dev" information isn't great.
>
> If we decide that we do not want that, we can delete the entry, but
> somebody can just create it again. Since the list seems somewhat
> useful, I don't see much point in deleting however, especially because
> it makes it easier for wrong information to percolate.
>

I'd definitely say there is value in controlling the information there. At
least now we can ensure it is correct, which we cannot if somebody random
adds it. We may not agree with all of their criteria, but there's nothing
we can do about that other than to write that out in the comments (similar
to what you have done so far). That's still better than somebody else just
filling out that we don't fulfill something, without an explanation.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>