Project curl governance

Over time, we've slowly been adjusting the curl project and its documentation so that we might at some point actually qualify for the CII open source Best Practices at silver level.

We qualified at the base level a while ago as one of the first projects which did that.

Recently, one of those issues we fixed was documenting the governance of the curl project. How exactly the curl project is run, what the key roles are and how decisions are made. That document is now in our git repo.

curl

The curl project is what I would call a fairly typical smallish open source project with a quite active and present project leader (me). We have a small set of maintainers who independently are allowed to and will merge commits to git (via pull-requests).

Any decision or any code change that was done or is about to be done can be brought up for questioning or discussion on the mailing list. Nothing is ever really seriously written in stone (except our backwards compatible API). If we made the wrong decision in the past, we should reconsider now.

Oh right, we also don't have any legal entity. There's no company or organization behind this or holding any particular rights. We're not part of any umbrella organization. We're all just individuals distributed over the globe.

Contributors

No active contributor or maintainer (that I know of) gets paid to work on curl regularly. No company has any particular say or weight to decide where the project goes next.

Contributors fix bugs and add features as part of their daily jobs or in their spare time. We get code submissions from well over a hundred unique authors every year.

Dictator

As the founder of the project and author of more than half of all commits, I am what others call a Benevolent Dictator. I can veto things and I can merge things in spite of objections, although I avoid that as far as possible.

I feel that I generally have people's trust and that the community expects me to be able to take decisions and drive this project in an appropriate direction, in a fashion that has worked out fine for the past twenty years.

I post all my patches (except occasional minuscule changes) as pull-requests on github before merge, to allow comments, discussions, reviews and to make sure they don't break any tests.

I announce and ask for feedback on changes or larger things that I want to do, on the mailing list for wider attention, to bring up discussions and fish for additional ideas or for people to point out obvious mistakes. Many times, my calls for opinions or objections are met with silence and I will then take that as "no objections" and move forward in a way I deem sensible.

Every now and then I blog about specific curl features or changes we work on, to highlight them and help out the user community "out there" to discover and learn what curl can do, or might be able to do soon.

I'm doing this primarily in my spare time. My employer also lets me spend some work hours on curl.

Long-term

One of the prime factors that has made curl and libcurl successful and end up as one of the world's most widely used software components, I'm convinced, is that we don't break stuff.

By this I mean that once we've introduced functionality, we struggle hard to maintain that functionality from that point on and into the future. When we accept code and features into the project, we do this knowing that the code will likely remain in our code for decades to come. Once we've accepted the code, it becomes our responsibility and now we'll care for it dearly for a long time forward.

Since we're so few developers and maintainers in the project, I can also add that I'm very much aware that in many cases adopting code and merging patches means that I will have to fix the remaining bugs and generally care for the code in the coming years.

Changing governance?

I'm dictator of the curl project for practical reasons, not because I consider it an ideal way to run projects. If there were more people involved who cared enough about what and how we're doing things we could also change how we run the project.

But until I sense such an interest, I don't think the current model is bad - and our conquering the world over the recent years could also be seen as a proof that the project at least sometimes also goes in a direction that users approve of. And we are after all best practices certified.

I realize I come off sounding like a real-world dictator when I say things like this, but I genuinely believe that our governance is based on necessity and what works, not because we have to do it this way.

I've run the project since its inception in 1998. One day I'll get bored or get run over by a bus. Then, at the very least, the project will need another way to run...

Silver level?

We're only two requirements away from Best Practices Silver level compliance and we've been discussing a bit lately (or perhaps: I've asked the question) whether the last criteria are actually worth the trouble for us or not.

  1. We need to enforce "Signed-off-by" lines in commits to maintain the Developer Certificate of Origin. This is easy in itself and I've only held this off this long because we've had zero interest in or requirements for this from contributors and users. Added administration for little gain.
  2. We're asked to provide an assurance case: "a description of the threat model, clear identification of trust boundaries, an argument that secure design principles have been applied, and an argument that common implementation security weaknesses have been countered." - This is work we haven't done and a document we don't have. And again: nobody has actually ever asked for this outside of this certificate form.
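For the first of the two remaining items, the "easy in itself" part is a mechanical check that a commit message carries a `Signed-off-by:` trailer. The script below is an added illustration of such a check, written for this page and not curl's own hook or CI logic. It assumes git's `commit-msg` hook convention (the hook receives the path of the commit message file as its first argument) and treats lines starting with `#` as git's comment lines, so a trailer hidden in a comment does not count. The sample commit messages are constructed.

```sh
#!/bin/sh
# Added example: a commit-msg hook enforcing a Developer Certificate of Origin
# "Signed-off-by:" trailer. Not curl's own hook; assumes the standard git
# commit-msg hook interface where $1 is the path to the message file.

# has_signoff FILE
# Succeeds (exit 0) when FILE contains a well-formed trailer of the form
#   Signed-off-by: Some Name <address@example.com>
# at the start of a line. Git comment lines (leading '#') are stripped
# first, so the template git shows in the editor cannot satisfy the check.
has_signoff() {
    grep -v '^#' "$1" | grep -Eq '^Signed-off-by: .+ <[^<>@ ]+@[^<>@ ]+>$'
}

# Hook entry point: only runs when git hands us a message file.
if [ -n "$1" ] && [ -f "$1" ]; then
    if ! has_signoff "$1"; then
        echo "commit rejected: missing 'Signed-off-by:' trailer (use 'git commit -s')" >&2
        exit 1
    fi
fi
```

Installed as `.git/hooks/commit-msg` it only guards local commits; the same `has_signoff` function can be run over `git log --format=%B -1 <sha>` output for each commit in a pull request to enforce the rule centrally, which is where the "added administration" the post mentions actually lands.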

Do you think we should put in the extra effort and check off the final two requirements as well? Do you think they actually make the project better?

7 thoughts on “Project curl governance”

  1. *Without* changing the actual governance model (BDFL is fine for now), have you considered joining an umbrella organization like Software Freedom Conservancy?

    1. Oh yes! We even ask users about this in our annual user survey, but so far a majority of respondents, and general people involved, have not seen that as something to do.

      I will of course not rule out that we still might do that one day. If nothing else, that would offer a neat way to get a “legal entity” that for example could hold on to money we receive and help out with similar practical matters…

  2. Regarding your dictator-like assertion


    I am what others call, a Benevolent Dictator. I can veto things and I can merge things in spite of objections, although I avoid that as far as possible.

    There should be at least one team member on your side to make the merge if there is an objection from another team member. You may get a supervote but our objections can’t be hollow. Someone other than you should have to agree with the way you see things on contentious issues, it is for your own good.

    You have a markedly larger time commitment than any of us which is *part* of what puts you in the best position to make decisions but those decisions may be wrong anyway. Objections should have an accountable weight for the health of the project.


    May (sic) times, my calls for opinions or objections are met with silence and I will then take that as “no objections” and more forward in a way I deem sensible.

    This is due to the time commitment. You move fast (or “faster than”). I think it is hard for team members to keep up but things have to keep moving. I used to be able to match you last year (at least 30 min I’m guessing a day with curl) but recently I haven’t had time for that. Putting a minimum amount of time on a PR seems like a hindrance for potentially not much gain (ie team members so rarely object), so I don’t have any good improvements here, things have to keep moving.


    Silver level?

    Signed-off-by is unnecessary in my opinion because the guidelines we set we have the person who makes the commit listed as committer and the person who authors the commit listed as the author. Simple. (I have also used Co-authored-by: once or twice). It is *implied* that anyone who submits work is doing it legally. It reminds me of the unnecessary popups now on most websites saying oh by the way we use cookies click OK so that you legally know that and I’ve got to click that at least once a day now on a site I’ve never been to. Or how about those people that put at the end of each email a legal paragraph that the e-mail was only intended for the recipient.

    1. > There should be at least one team member on your side to make the merge if there is an objection from another team member.

      That would be great and I agree. But unfortunately, in a lot of cases where I discuss a matter with a single other person and we disagree, I have to make a decision and go either way. If there’s no third person involved, I often make that decision on my own.

      > I think it is hard for team members to keep up but things have to keep moving.

      Sure, I have the utmost respect for the fact that others do not spend as much time or effort on this project as I do. That’s also why I give people ample time to respond when I ask or announce things. At least days, and for bigger decisions much longer than that. Note however that lots of my questions get no response even after days, so I’m not sure “we can’t keep up with you” is always a valid argument…

  3. > If there’s no third person involved, I often make that decision on my own.

    Yes but what I’m saying is get one involved. If you can’t find at least one person that agrees with you over an objection then maybe you’re wrong (you may be wrong anyway =P). In my opinion this is important for the health of the project. Just because things have been working fine (much to your credit) doesn’t mean changes over an objection will not affect some aspect of the health such as morale.

    > That’s also why I give people ample time to respond when I ask or announce things.

    To your credit you give time however:

    > I’m not sure “we can’t keep up with you” is always a valid argument…

    I disagree. Try 10 minutes a day with curl and see how you fare. What could you really do in 10 minutes? (I’m sure it took me 10 minutes to write this.) Could you make it through just the e-mails in that amount of time? Do you ever clock yourself? As I said though I really don’t have a solution for this, things have to keep moving.

    Also suggestion please enable e-mail notifications to comment replies so if there are replies I can keep this up 🙂

    1. > but what I’m saying is get one involved

      So you honestly want me to wait with acting on every decision I do until I can force someone to speak up on the topic? At the current level of attention from the curl community that would be a serious blocker for progress.

      No I really can’t do that, I demand that if people are interested and want to have opinions on what goes on, they need to actually spend a few minutes and energy on their own will and communicate their views.

      > I disagree. Try 10 minutes a day with curl and see how you fare. What could you really do in 10 minutes?

      I know what it means to only have 10 minutes curl a day. I do that during vacations and during periods of intense loads at work.

      10 minutes per day might be enough to have and speak up about one opinion on one subject that is dear to you. We’re hundreds of people hanging around the project, it’s good enough if we all just would cover a part of the project. Maybe the part we care about or like.

      10 minutes per day might not be enough to debate with me about the merits and pros and cons on how we should design an API or how to solve a complicated technical problem. A problem I might have spent 300 minutes on the last week.

      I don’t think it’s fair to ask that I should slow down and sit idle while hoping that someone will appear to debate with me (at least not much more than I already do). Or just agree. I much rather plunge ahead and allow people to tell me later that I did wrong two weeks ago.

      Besides, I can’t force anyone to come out from the shadows. I already, often and frequently, post questions and ask for feedback on the mailing lists. And many a time all that I get back is crickets. No matter how long I wait.

      > please enable e-mail notifications to comment replies

      Unfortunately those broke a long while ago and I haven’t yet spent the required effort to bring them back…

      1. > So you honestly want me to wait with acting on every decision I do until I can force someone to speak up on the topic?

        Not what I said.

        > I don’t think it’s fair to ask that I should slow down and sit idle while hoping that someone will appear to debate with me (at least not much more than I already do).

        Also not what I said.

        Your reply is in response to an argument I’m *not* making. I’d encourage you to re-read my last reply.
