[Esapi-dev] Governance process for adding ESAPI Providers

[Kevin W. Wall]

David Sklarew wrote:
> In reference to where we should locate contributions in svn, 
> 
> Jim said:
>>> I'd like to call it ...
>>> src/contrib/java/org/owasp.esapi/authentication/ldap/
> 
> Perhaps we should consider our requirements a little more first to make sure
> this will support them?
> 
> imho, the ones I have identified so far are:
<...snip...>

Some additional points besides the ones David brings up...

I think David brings up a good point. Before just opening this wide open,
I think we should lay out the "rules of the game". Once we decide on that,
those should be posted somewhere (on either the OWASP or Google owasp-esapi-java
wikis perhaps?).

For example, something that Jim and I discussed last fall was possibly sealing
& signing the ESAPI jars. If we do that, it means no 'contrib' classes in
'org.owasp.esapi' package or subpackages. (We used to seal the ESAPI jar for the
development Maven builds, but have never introduced it to the official
or release candidate builds.) So this is probably something that we would
want to mention. Otherwise we end up with contributors adding classes to
packages where they shouldn't.

If we wish to require a specific FOSS license (or choose from a set of licenses)
we should mention something like that as well.

Also things like do we require any kind of specific documentation (e.g.,
Javadoc, any external HOW-TO docs, etc.), JUnit tests, etc.

So I don't think we want to rush into this. First we need some ground rules,
don't we? I think so, not anything too burdensome, but we don't want to allow
just anything if we expect the 'contrib' source to be useful.

Just my $.02,
-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME