
Add legalese

Open maennchen opened this issue 1 year ago • 6 comments

I just saw that the project does not include the full license (besides the hint in the README).

I thought this would be a good time to add some legalese to the project:

  • LICENSE - Apache 2.0
  • CODE_OF_CONDUCT - Reference to the Elixir Code of Conduct
  • SECURITY - Copied & adapted from EEF
  • CONTRIBUTING - Copied & adapted from EEF

TODO

  • [ ] Enable private vulnerability reporting in project
  • [ ] Set correct email for disclosures in SECURITY - which one?
  • [ ] Apply the same documents to expo (Add credo & dialyzer to CONTRIBUTING)

maennchen avatar Nov 13 '24 22:11 maennchen

Pull Request Test Coverage Report for Build 679a004b8b901f8e86b8461b321aa5dfba82ba17-PR-403

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 91.884%

Totals Coverage Status

  • Change from base Build 3a6e81ce64ae580af300c2abf825fef310314b2c: 0.0%
  • Covered Lines: 634
  • Relevant Lines: 690

💛 - Coveralls

coveralls avatar Nov 13 '24 22:11 coveralls

  • I’m ok with the license (great actually!) and CONTRIBUTING.
  • Code of conduct is good, but can you pick it from https://github.com/elixir-lang/elixir/blob/main/CODE_OF_CONDUCT.md or Phoenix? We don't really follow EEF conventions.
  • I don't think we need SECURITY.md in a project like Gettext.

Thanks!

whatyouhide avatar Nov 14 '24 07:11 whatyouhide

I can adapt the Elixir code of conduct for sure. Do you want to copy it and just adapt the scope & email address, or would you just like to refer to it?

While I agree that we will probably not have security issues with this project, I would still like to include a security policy. The reason for this is mainly that there are tools out there like the OpenSSF Scorecard project, which is used by corporates to check their dependencies. Having a security policy defined is a good sign for compliance departments and will also result in higher scores in those tools. If this was a small and barely used library, I probably wouldn't bother. But with the popularity, I think it's worth setting it up.

maennchen avatar Nov 14 '24 08:11 maennchen

Btw: Phoenix also uses the Contributor Covenant, just an older version. While the EEF uses it as well, that's not the reason I chose it. I believe it's one of the most prevalent codes of conduct. Elixir is also based on it.

maennchen avatar Nov 14 '24 08:11 maennchen

> I can adapt the Elixir code of conduct for sure. Do you want to copy it and just adapt the scope & email address, or would you just like to refer to it?

Referring is great for now, we don't need a specific one here. There is no active "community" around Gettext.

Ok, let's go with the security doc too.

whatyouhide avatar Nov 14 '24 10:11 whatyouhide

@whatyouhide I changed the reference to the Elixir code of conduct.

For the security report email, I would offer to receive the emails myself.

(In case I get something that actually matters, I would then just create an entry with GitHub Vulnerability Reporting and coordinate with all maintainers from there.)

maennchen avatar Nov 14 '24 12:11 maennchen