Annvix:Documentation/Dev/Maintainer

Developer's Reference: Becoming a Developer

Initially, Annvix is looking for developers so the application process will not be as restrictive as it should be, based on the idea that a number of interested developers have already established a proven "track record" by working on Mandriva Linux.

To become an Annvix developer, some criteria must be met. This is primarily due to the fact that Annvix is a fairly small project and will not require hundreds of developers, and also due to the fact that for Annvix to remain a secure project, contributors must have proven experience and an understanding of certain principles.

The first step in becoming an Annvix developer is to be an Annvix user. This does not mean you need to run a publically-accessible server, but it does mean that you should have an Annvix installation (be it a dedicated machine, chroot, VMWare, etc.) and you should be familiar with the system. You should also be subscribed to some of the mailing lists, notably the users mailing list and the dev mailing list.

If you want to become a developer, you should make your intentions known and find someone willing to mentor you. If you are interested in building packages for Annvix or taking over maintainership of a particular package, your mentor should be able and willing to review your work and ensure that you are adhering to the Annvix packaging principles.

Starting the Application

The next step is to actually apply to become a developer. In order to become a developer you must have a GnuPG key signed by another Annvix developer or a Mandriva developer. Because the initial pool of development will likely be duplicated somewhat, and because the goal of Annvix is to do server development that is 100% compatible with Mandriva Linux, it makes sense that a developer trusted by Mandriva would likewise be trusted by Annvix.

Before an existing developer will sign your key, however, you must prove a few things. The first is that you are competent in the area in which you are attempting to gain maintainership; i.e. if wish to maintain PostgreSQL, you must have some experience with and use PostgreSQL. Things a developer will look at are quality bug reports, patch submissions, previous development tasks, etc. Developers must be interested in the project as a whole; a developer who wishes to maintain PostgreSQL but has no interest in the rest of the project is not a suitable candidate.

In order to have your key signed by an Annvix or Mandriva developer, you should meet physically with the developer. Because signing a key signifies that the person doing the signing trusts that the person belonging to the key being signed is in fact that person, a measure of responsibility falls on the signer to verify that the person is in fact who they claim to be. To do this, the signer must meet with the "signee" and see valid proof that the person is who they claim to be (driver's license or something else with picture ID such as a passport). Only once you have been verified in person should anyone sign your key. If it is not possible to meet with a developer in person, other arrangements may be made that can verify your validity, such as scanning photo ID and creating a detached GPG signature of the image with your GPG key and verifying the key fingerprint by phone.

Once your key is signed you should in turn sign the Annvix GPG key, which will strengthen the web of trust.

If you do not have a GPG key, create one. Steps for doing so and other information pertaining to GPG can be found on the Using_GnuPG page. Every developer is required to have a valid GPG key due to the nature of handling commits to the repository and the build process in general. If you are generating a key, ensure that it is no less than 1024 bits in length. Also, be aware that you do not create an ElGamal key due to insecurities. The recommended key algorithm to use is DSA. Finally, your key must be signed by your own user ID (gpg does this automatically).

Finally, once all these steps are completed, cut and paste the Annvix Application Form below and fill it out. This document discusses the expectations required of you as a developer and what you will be held accountable for. This application form must be filled out completely and accurately. Once it is complete, you must sign it with your GPG key. Signing this document with your GPG key constitutes your understanding of and compliance with the contents of the document. This application form also provides us with information we need in case we need to reach via means other than email. Every individual who wishes to participate in Annvix development is required to fill out and sign the document; there are no exceptions.

Annvix Application Form

The purpose of this document is for the application of an individual to
become an Annvix developer and/or contributor.  Individuals who wish to
contribute to Annvix in any official capacity (whether it be development,
documentation, website management, etc.) must complete and submit this
application.

The document does two things.  It provides the core development team with
information concerning you, the applicant, such as means to contact you. 
This is important because everyone who is a part of the Annvix effort is
accountable for what they contribute to the project.  It also provides
alternate means of communication and contact in the event that email is not
desirable or feasible.

The information you provide gives the Annvix team an understanding of you
and your skills to help us determine what may be required of us to help you
contribute.

Finally, this document provides your agreement to some basic rules and
principles associated with Annvix development.  Developers need to trust
each other and users need to trust the developers.  By having every
developer bound by a certain "code of ethics" we can ensure that no part of
the project is compromised; at least by those officially affiliated with the
project.

Annvix developers and contributors are expected to adhere to the following
"code of ethics".  If you cannot agree to each item stipulated, please do
not apply to become a developer.  There is no room for negotiation and
anyone signing this document clearly agrees to each point.

1) Any access granted to any systems provided to Annvix developers for the
   purpose of development or testing may be revoked at any time. 
   Developers are expected to treat their access, and the systems they are
   granted access to, with respect.  There will be no attempts, malicious or
   otherwise, to subvert the access granted (i.e. attempts to elevate
   privileges) or to compromise the system in any way.

2) Developers are to be respectful to other developers and users.  There
   will always be disagreements, however resolution should always be sought
   in a professional and respectful manner.

3) Developers will, to the best of their ability, ensure that any package
   commits work properly.  Developers will not simply create a new or
   updated package and submit it without prior testing.

4) Developers understand that the core development team is in charge of
   Annvix development and direction.  While there may be room for
   discussion, the core development team is responsible for making final,
   and perhaps arbitrary, decisions.

5) Developers will not use any Annvix systems for private personal gain or
   commercial purposes.  The use of any Annvix systems will strictly be for
   the use of Annvix development.

6) Developers will keep their contact information current and notify any one
   of the core development members on any pertinent changes (addresses,
   phone numbers, etc.) with the understanding that all information will be
   kept in the strictest confidence.

7) Developer has read, understood, and agrees to adhere to the policies
   stated in the Resource Policy
   (http://annvix.org/dev-reference/ch_policy.php).

The following section is for you to provide information to the core
development team.  This information will be held in the strictest confidence
and will not be available for any developer outside of the core team to
access.

Please send the completed application to vdanen__at__annvix.org (GPG
encrypted is preferred; use key id 0xFE6F2AFD).  Any application that is not
filled out completely will be ignored.  Any application that is not signed
by the applicant's GPG key will be ignored.  Before sending your application
in, ensure that you public key exists on a public keyserver.  Do not send
your public key in with this application.

To sign the document, execute "gpg --clearsign <file>" and send the
resulting .asc file.

Full Name            :
Email Address        :
Address Line 1       :
Address Line 2       :
City                 :
Province/State       :
Country              :
Postal/ZIP Code      :
Phone Number         :
GnuPG Key Fingerprint:

By signing this document with your GPG private key with the above-noted
fingerprint, the applicant agrees to abide by the rules stated above with
the understanding that they may be modified at any time and that their
continued use of Annvix facilities (be it machine access, commit access,
etc.) constitutes agreement to any amendments published by the Annvix core
development team.

$Id: annvix-applicant.txt,v 1.2 2004/08/26 01:03:24 vdanen Exp $