OPeNDAP Development and Security Policies

Development Policies
  All of our software uses LGPL or GPL
    – LGPL is used by most of the code
    – We want it to be easy for others to use the software
    – We don’t care if they make money from it
    – GPL is more appropriate for end products like user interfaces

Participating in Development
  All are welcome
  Source code is available for anyone to read
  Write access is limited to a small number of people
    – Patches - easier for most people because…
    – SVN write comes with some strings attached
  Writers must take care to ‘do no harm’
  But we know people are not perfect

SVN for source code control - Trac for management
  Trac is fairly tightly coupled to SVN
  Trac provides milestones and ‘tickets’
  Tickets are used for features, bugs as well as tasks
    – That is, it is used for both software issues and group management issues
  Other Trac features:
    – Wiki for design documents and plans
    – Roadmap for lists of milestones
    – SVN browse

Developer’s Wiki
  We run a Wiki for developers - separate from the Trac Wiki
    – It uses TWiki
  It serves as a scratchpad for ideas
  A place to refine ideas before making more formal versions (e.g., we wrote the DAP spec there first before preparing a version in LaTeX for NASA)

Two Wikis are not enough…
  We are moving all of our documentation to a MediaWiki
    – Both Programmer documentation
    – And User documentation
  We used to use LaTeX for all of our docs and it was easy to make both PDF and HTML versions from the LaTeX sources
  The Wiki-based docs will be much easier for most people to edit

Nightly builds
  We run nightly builds on several machines
  There is a web service system we use to collect the results of those builds and the logs they generate
  The results of the builds are available from Trac - take a look now (scm.opendap.org:8090/trac)
  The builds compile code from SVN using a fresh checkout
  We have an SVN project which is used to stage a new nightly build

Who can get write access?
  Anyone who asks can get write access to our Wikis (Developers and Docs)
  Trac access is more restricted, but we are not too worried about giving out access
  Both Trac and SVN are database systems and both are backed up every night
  Nightly builds are limited to specific IP addresses

Development Security Policies
  Source code review using an expert system
  Use US-CERT guidelines
  When is source code ready for release?
    – All changes must be examined by the expert system
    – And by a designated ‘Security Officer’
    – In addition to the original author

Security Release notes
  In addition to the regular release notes
  These notes will detail fixes and known issues
  They will be encrypted and available to security personnel at sites running our code
  To receive these notes you must provide us with your public key - we will use GPG to encrypt the notes