Thread: Core Infrastructure Initiative (CII) - PostgreSQL entry
Hi,

I noticed that our dear project wasn't among the projects that have been evaluated with the CII best practices guidelines. As I was curious I made an initial attempt. The MUST requirements for the 'passing' level largely seem reasonable, there's a few less sane things in the "higher" grades.

https://bestpractices.coreinfrastructure.org/en/projects/2268

If anybody here wants to edit that entry, I apparently can add additional users with edit rights.

You can click on "Expand panels" and "Hide met & N/A" to quickly see the things where we don't quite meter up.

Greetings,

Andres Freund
On 2018-10-07 07:47, Andres Freund wrote:
> Hi,
>
> I noticed that our dear project wasn't among the projects that have been
> evaluated with the CII best practices guidelines. As I was curious I
> made an initial attempt. The MUST requirements for the 'passing' level
> largely seem reasonable, there's a few less sane things in the "higher"
> grades.
>
> https://bestpractices.coreinfrastructure.org/en/projects/2268

Excellent stuff Andres, that looks like a really good start. :)

The "What programming language(s) are used to implement the project?" one shouldn't be too hard to fill out. The info for the question says that if there are many, then to include at least the first three (in descending order of most to least used).

It'll definitely be C (of course), but what should come next?

* Do we use SQL to *implement* the project? Kind of thinking "no" for the sense they're meaning.
* Maybe the languages commonly used for stored procedures?
* Should our build system pieces be considered as well?
* That could be tricky, as several of the binary packages are created by external parties. Maybe better to not consider build system pieces atm.

For the Security reporting item, it sounds like we need to add PGP key details to our Security issue reporting section. I don't remember any recent discussion (last few years) on the -www mailing list about it, hopefully it'll not be a problem. ;)

For the Security items re: implementing crypto (SCRAM) and depending on broken crypto (eg MD5), good question... not sure how to handle those. We may need to discuss with the CII people directly to get a sense for the right way forward.

+ Justin
> On 7 Oct 2018, at 07:47, Andres Freund <andres@anarazel.de> wrote:
>
> Hi,
>
> I noticed that our dear project wasn't among the projects that have been
> evaluated with the CII best practices guidelines. As I was curious I
> made an initial attempt. The MUST requirements for the 'passing' level
> largely seem reasonable, there's a few less sane things in the "higher"
> grades.
>
> https://bestpractices.coreinfrastructure.org/en/projects/2268
>
> If anybody here wants to edit that entry, I apparently can add
> additional users with edit rights.
>
> You can click on "Expand panels" and "Hide met & N/A" to quickly see the
> things where we don't quite meter up.

Yes, we chose not to join CII after discussions with the Linux Foundation. I forget the reasons now - would have to check my archives when I’m back in the office.
Hi,

On 2018-10-07 11:15:13 +0100, Dave Page wrote:
> > On 7 Oct 2018, at 07:47, Andres Freund <andres@anarazel.de> wrote:
> > I noticed that our dear project wasn't among the projects that have been
> > evaluated with the CII best practices guidelines. As I was curious I
> > made an initial attempt. The MUST requirements for the 'passing' level
> > largely seem reasonable, there's a few less sane things in the "higher"
> > grades.
> >
> > https://bestpractices.coreinfrastructure.org/en/projects/2268
> >
> > If anybody here wants to edit that entry, I apparently can add
> > additional users with edit rights.
> >
> > You can click on "Expand panels" and "Hide met & N/A" to quickly see the
> > things where we don't quite meter up.
>
> Yes, we chose not to join CII after discussions with the Linux
> Foundation. I forget the reasons now - would have to check my archives
> when I’m back in the office.

The above seems largely unrelated to actually joining the CII? It's just a bunch of guidelines you can follow or not.

Greetings,

Andres Freund
On Sun, Oct 7, 2018 at 5:31 PM Andres Freund <andres@anarazel.de> wrote:
Hi,
On 2018-10-07 11:15:13 +0100, Dave Page wrote:
> > On 7 Oct 2018, at 07:47, Andres Freund <andres@anarazel.de> wrote:
> > I noticed that our dear project wasn't among the projects that have been
> > evaluated with the CII best practices guidelines. As I was curious I
> > made an initial attempt. The MUST requirements for the 'passing' level
> > largely seem reasonable, there's a few less sane things in the "higher"
> > grades.
> >
> > https://bestpractices.coreinfrastructure.org/en/projects/2268
> >
> > If anybody here wants to edit that entry, I apparently can add
> > additional users with edit rights.
> >
> > You can click on "Expand panels" and "Hide met & N/A" to quickly see the
> > things where we don't quite meter up.
>
> Yes, we chose not to join CII after discussions with the Linux
> Foundation. I forget the reasons now - would have to check my archives
> when I’m back in the office.
The above seems largely unrelated to actually joining the CII? It's
just a bunch of guidelines you can follow or not.
The fact that the project is now listed on their site and has been scored seems to indicate that someone signed us up.
I don't particularly care - just pointing out that we had previously decided not to do that.
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
On Mon, Oct 8, 2018 at 9:51 AM Dave Page <dpage@pgadmin.org> wrote:
On Sun, Oct 7, 2018 at 5:31 PM Andres Freund <andres@anarazel.de> wrote:
Hi,
On 2018-10-07 11:15:13 +0100, Dave Page wrote:
> > On 7 Oct 2018, at 07:47, Andres Freund <andres@anarazel.de> wrote:
> > I noticed that our dear project wasn't among the projects that have been
> > evaluated with the CII best practices guidelines. As I was curious I
> > made an initial attempt. The MUST requirements for the 'passing' level
> > largely seem reasonable, there's a few less sane things in the "higher"
> > grades.
> >
> > https://bestpractices.coreinfrastructure.org/en/projects/2268
> >
> > If anybody here wants to edit that entry, I apparently can add
> > additional users with edit rights.
> >
> > You can click on "Expand panels" and "Hide met & N/A" to quickly see the
> > things where we don't quite meter up.
>
> Yes, we chose not to join CII after discussions with the Linux
> Foundation. I forget the reasons now - would have to check my archives
> when I’m back in the office.
The above seems largely unrelated to actually joining the CII? It's
just a bunch of guidelines you can follow or not.
The fact that the project is now listed on their site and has been scored seems to indicate that someone signed us up.
Yes, and the record pretty clearly shows it's Andres. And he also stated so in the first message of this thread :)
On 2018-10-08 09:58:35 +0200, Magnus Hagander wrote:
> On Mon, Oct 8, 2018 at 9:51 AM Dave Page <dpage@pgadmin.org> wrote:
>
> > On Sun, Oct 7, 2018 at 5:31 PM Andres Freund <andres@anarazel.de> wrote:
> >
> >> Hi,
> >>
> >> On 2018-10-07 11:15:13 +0100, Dave Page wrote:
> >> > > On 7 Oct 2018, at 07:47, Andres Freund <andres@anarazel.de> wrote:
> >> > > I noticed that our dear project wasn't among the projects that have been
> >> > > evaluated with the CII best practices guidelines. As I was curious I
> >> > > made an initial attempt. The MUST requirements for the 'passing' level
> >> > > largely seem reasonable, there's a few less sane things in the "higher"
> >> > > grades.
> >> > >
> >> > > https://bestpractices.coreinfrastructure.org/en/projects/2268
> >> > >
> >> > > If anybody here wants to edit that entry, I apparently can add
> >> > > additional users with edit rights.
> >> > >
> >> > > You can click on "Expand panels" and "Hide met & N/A" to quickly see the
> >> > > things where we don't quite meter up.
> >> >
> >> > Yes, we chose not to join CII after discussions with the Linux
> >> > Foundation. I forget the reasons now - would have to check my archives
> >> > when I’m back in the office.
> >>
> >> The above seems largely unrelated to actually joining the CII? It's
> >> just a bunch of guidelines you can follow or not.
> >>
> >
> > The fact that the project is now listed on their site and has been scored
> > seems to indicate that someone signed us up.
> >
>
> Yes, and the record pretty clearly shows it's Andres. And he also stated so
> in the first message of this thread :)

Right ;)

Everyone can sign anything up, it's not an "project wide thing" unless we want to make it such. There could be multiple PG entries afaict. A friend pinged me, and the list of questions sounded reasonable, and e.g. reminded me that we should change the password encryption default, and that certain parts of our "new dev" information isn't great.

If we decide that we do not want that, we can delete the entry, but somebody can just create it again. Since the list seems somewhat useful, I don't see much point in deleting however, especially because it makes it easier for wrong information to percolate.

Greetings,

Andres Freund
Hi,

On 2018-10-08 08:51:03 +0100, Dave Page wrote:
> I don't particularly care - just pointing out that we had previously
> decided not to do that.

Where? I saw a mention of the project, but no plan of action in any direction?

Greetings,

Andres Freund
On Mon, Oct 8, 2018 at 10:02 AM Andres Freund <andres@anarazel.de> wrote:
On 2018-10-08 09:58:35 +0200, Magnus Hagander wrote:
> On Mon, Oct 8, 2018 at 9:51 AM Dave Page <dpage@pgadmin.org> wrote:
>
> >
> >
> > On Sun, Oct 7, 2018 at 5:31 PM Andres Freund <andres@anarazel.de> wrote:
> >
> >> Hi,
> >>
> >> On 2018-10-07 11:15:13 +0100, Dave Page wrote:
> >> > > On 7 Oct 2018, at 07:47, Andres Freund <andres@anarazel.de> wrote:
> >> > > I noticed that our dear project wasn't among the projects that have
> >> been
> >> > > evaluated with the CII best practices guidelines. As I was curious I
> >> > > made an initial attempt. The MUST requirements for the 'passing'
> >> level
> >> > > largely seem reasonable, there's a few less sane things in the
> >> "higher"
> >> > > grades.
> >> > >
> >> > > https://bestpractices.coreinfrastructure.org/en/projects/2268
> >> > >
> >> > > If anybody here wants to edit that entry, I apparently can add
> >> > > additional users with edit rights.
> >> > >
> >> > > You can click on "Expand panels" and "Hide met & N/A" to quickly see
> >> the
> >> > > things where we don't quite meter up.
> >> >
> >> > Yes, we chose not to join CII after discussions with the Linux
> >> > Foundation. I forget the reasons now - would have to check my archives
> >> > when I’m back in the office.
> >>
> >> The above seems largely unrelated to actually joining the CII? It's
> >> just a bunch of guidelines you can follow or not.
> >>
> >
> > The fact that the project is now listed on their site and has been scored
> > seems to indicate that someone signed us up.
> >
>
> Yes, and the record pretty clearly shows it's Andres. And he also stated so
> in the first message of this thread :)
Right ;)
Everyone can sign anything up, it's not an "project wide thing" unless
we want to make it such. There could be multiple PG entries afaict. A
friend pinged me, and the list of questions sounded reasonable, and
e.g. reminded me that we should change the password encryption default,
and that certain parts of our "new dev" information isn't great.
If we decide that we do not want that, we can delete the entry, but
somebody can just create it again. Since the list seems somewhat
useful, I don't see much point in deleting however, especially because
it makes it easier for wrong information to percolate.
I'd definitely say there is value in controlling the information there. At least now we can ensure it is correct, which we cannot if somebody random adds it. We may not agree with all of their criteria, but there's nothing we can do about that other than to write that out in the comments (similar to what you have done so far). That's still better than somebody else just filling out that we don't fulfill something, without an explanation.
On Mon, Oct 8, 2018 at 9:05 AM Andres Freund <andres@anarazel.de> wrote:
Hi,
On 2018-10-08 08:51:03 +0100, Dave Page wrote:
> I don't particularly care - just pointing out that we had previously
> decided not to do that.
Where? I saw a mention of the project, but no plan of action in any
direction?
Yeah, I can't find that now either. I know we ran into some technical issues when we first looked into it around their authentication system; I wonder if it was just Magnus and I that came to the conclusion it wasn't something we could reasonably pursue at the time because of that.
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
On 08/10/2018 10:02, Andres Freund wrote:
> Everyone can sign anything up, it's not an "project wide thing" unless
> we want to make it such. There could be multiple PG entries afaict. A
> friend pinged me, and the list of questions sounded reasonable, and
> e.g. reminded me that we should change the password encryption default,
> and that certain parts of our "new dev" information isn't great.

I agree. After reading through your responses, they highlight a few areas for possible improvements.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services