> On Nov 4, 2025, at 6:50 AM, Piotr P. Karwasz <[email protected]> wrote:
>
> Hi all,
>
>> On 27.10.2025 11:47, Gary Gregory wrote:
>> This is a poll to gauge the waters for CTR.
>
>
> To summarize the discussion so far: most PMC members seem comfortable
> with our current policy, which allows trusted users to commit code
> directly, even though this leaves us without a clear, auditable review
> trail.
>
> However, unlike Log4j, Commons projects publicly publish OpenSSF
> Scorecard results (e.g. [1]), which implies that we’re paying attention
> to them: otherwise, why publish them at all?
>
> One of the key Scorecard checks is “Code-Review,” which (contrary to its
> brief documentation) is calculated as the ratio of *approved commits to
> total commits*, excluding Dependabot merges (see [2] and [3] for
> details). Would it make sense to define a minimum acceptable score for
> Commons projects in this category, say, at least 20% of commits provably
> reviewed?
>
> Currently, the check doesn’t distinguish between users with write access
> and others, it simply looks for approval from any *human* other than the
> author and ignores commits made by bots.
>
> Since Scorecard is open source, we could consider contributing
> improvements, for example, teaching it to recognize post-merge approvals
> in the form of “LGTM” comments on commits.
>
> What do you think?

The score will be settled when help is granted, for that is what we have begged
for and been missing.

-Tompkins

>
> Piotr
>
> [1] https://scorecard.dev/viewer/?uri=github.com/apache/commons-lang
> [2] https://github.com/ossf/scorecard/blob/main/probes/codeApproved/impl.go
> [3] https://github.com/ossf/scorecard/blob/main/checks/evaluation/code_review.go
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
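As an added illustration of the Code-Review rule described in the thread (not Scorecard's own code, nor anything posted by its participants), this Go sketch computes the approved-to-total ratio over a constructed commit list, skipping bot commits and ignoring self-approvals, with a switch for the proposed post-merge LGTM extension. The Commit shape, its field names and the sample data are assumptions made for the example.

```go
package main
// Commit is a constructed record with just the fields the check needs
// (an assumed shape, not Scorecard's own types).
type Commit struct {
	Author       string
	AuthorBot    bool     // e.g. dependabot: skipped entirely
	Approvers    []string // users who approved the commit's pull request
	LGTMComments []string // authors of post-merge "LGTM" commit comments
}

// anyOther reports whether names includes a human other than author.
func anyOther(names []string, author string) bool {
	for _, n := range names {
		if n != author {
			return true
		}
	}
	return false
}

// CodeReviewRatio mirrors the thread's description: a non-bot commit counts as reviewed
// when a human other than its author approved it, or (with countLGTM) left a post-merge LGTM.
func CodeReviewRatio(commits []Commit, countLGTM bool) (approved, total int, ratio float64) {
	for _, c := range commits {
		if c.AuthorBot {
			continue
		}
		total++
		if anyOther(c.Approvers, c.Author) || (countLGTM && anyOther(c.LGTMComments, c.Author)) {
			approved++
		}
	}
	if total == 0 {
		return 0, 0, 0 // empty history: report no score instead of dividing by zero
	}
	return approved, total, float64(approved) / float64(total)
}

// MeetsMinimum applies a floor such as the 20% suggested in the thread.
func MeetsMinimum(ratio, minimum float64) bool { return ratio >= minimum }
// SampleCommits is constructed input: six human commits and one bot commit.
var SampleCommits = []Commit{
	{Author: "alice", Approvers: []string{"bob"}},      // reviewed
	{Author: "alice"},                                  // direct push, no review
	{Author: "alice", Approvers: []string{"alice"}},    // self-approval: not counted
	{Author: "bob", LGTMComments: []string{"carol"}},   // post-merge LGTM only
	{Author: "bob"},                                    // direct push, no review
	{Author: "carol", LGTMComments: []string{"carol"}}, // self-LGTM: not counted
	{Author: "dependabot[bot]", AuthorBot: true},       // bot: excluded from total
}
```

On the sample data the current rule yields 1/6 (below a 20% floor) while counting post-merge LGTMs yields 2/6, which is the kind of difference the proposed Scorecard change would surface.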