PAR revamp underway - meanwhile, projects languish in the queue

We encourage users to post events happening in the community to the community events group on https://www.drupal.org.
kattekrab's picture
Posted by kattekrab on March 31, 2016 at 6:38am

The Project Applications Review process revamp is now a community initiative awaiting progress
https://www.drupal.org/node/2666584

After a year of discussion at
https://www.drupal.org/node/2453587

And 5 years of attempting to improve the situation for people wanting to contribute modules to Drupal.org.

While we continue to wait for a solution for the underlying problem, we still have people waiting.

Can we rally some effort to either approve or close won't fix these? The PAR review bonus scheme has become a defacto requirement, not a bonus, so for those who haven't done the review, would it be fairer, and more transparent to simply tell them their modules will not be approved without the bonus?

I've been told the security team have effectively vetoed another mass approval, as @cweagans did some months back.

So - what should we do to address the backlog? I'm personally very frustrated by this issue and am keen to see progress, but I feel utterly powerless to do anything. Everything seems too hard, or too risky, or too tedious, or too many hoops to jump through. I just don't know what to do about it anymore.

What can we do? Can we have some compassion for these people?

Here's the RTBC queue ordered by oldest creation date

Here's a screengrab of those waiting for almost 2 years or more.

AttachmentSize
PAR-waiting-2years.png99.09 KB
Categories:

Comments

The single biggest affect can

Posted by davidhernandez on March 31, 2016 at 11:47am
davidhernandez's picture

The single biggest affect can come from changing the security team process. https://www.drupal.org/node/2532062

If advisories are limited to projects above a certain usage limit, I assume that would exclude new projects automatically.

Thanks @davidhernandez - but

Posted by kattekrab on April 1, 2016 at 2:44am
kattekrab's picture

Thanks @davidhernandez - but as far as I can see that's still under debate?

Meanwhile, we still have a massive backlog.

@webchick clearly articulated this problem in 2010 at DrupalCon Copenhagen.
Slides: http://webchick.net/files/drupal_core_summit/cvs_application_process.pdf
Video: http://www.archive.org/details/AngieByronwebchickSpeaksInCopenhagenDrupa...

We've been in the process of "fixing" it since then. Some stuff has actually gotten better since then, but the underlying problem of too many applications and not enough people willing to review and let people in the door remains.

Rome continues to burn.

Come on!

Donna Benjamin
Former Board Member Drupal Association (2012-2018)
@kattekrab

2nd side of the coin

Posted by pingwin4eg on April 1, 2016 at 7:25am
pingwin4eg's picture

If advisories are limited to projects above a certain usage limit, I assume that would exclude new projects automatically.

IMHO that's a road to hell (especially for the security team in future). Leaving newcomers without a security review of their projects (and without any tips and explanations on how to make their projects safe) may lead to the huge amount of insecure projects.

Hi kattekrab, thanks for

Posted by klausi on April 2, 2016 at 10:10am
klausi's picture

Hi kattekrab,

thanks for pushing forward this whole process :-)

Can we recruit you as reviewer so that you can approve applications yourself? How are your security skills, are you interested in being mentored like we do with others like https://groups.drupal.org/node/460583 ?

To rally an effort of approving applications: get in touch with the people that are currently listed as code review admins at https://groups.drupal.org/node/142454 . Most of them are inactive, so it would be helpful to get them back :-)

@klausi - I'd love to help

Posted by kattekrab on April 2, 2016 at 10:22am
kattekrab's picture

@klausi - I'd love to help with reviews and approve applications, but I'm not a developer so can't do code review. I'll see if I can reach out to a few people on the list at https://groups.drupal.org/node/142454 to help.

Donna Benjamin
Former Board Member Drupal Association (2012-2018)
@kattekrab

I just discovered it IS

Posted by kattekrab on April 4, 2016 at 12:23am
kattekrab's picture

I just discovered it IS possible to review sandbox modules via simplytest.me! That's awesome, so I will commit to doing manual reviews of modules :-)

Donna Benjamin
Former Board Member Drupal Association (2012-2018)
@kattekrab

Ok. I've been silent long

Posted by almaudoh on April 4, 2016 at 9:45am
almaudoh's picture

Ok. I've been silent long enough and I wince each time I hear about the Project Application Process.

I recently went through the process myself (even though I've been on d.o for a while, co-maintain a project and contributed to D8 core), so I can say I've seen both sides.

Let me commit to doing code reviews specifically for security issues. @klausi, you can recruit me as a reviewer, even though I'm only really free on weekends.

Sure, please start a wiki

Posted by klausi on April 4, 2016 at 11:03am
klausi's picture

Sure, please start a wiki page where you collect your review comments, I'll look them over. Feel free to ask any questions here in this group or in IRC in #drupal-codereview.

Can I get approval?

Posted by Dave Bagler on April 20, 2016 at 12:28am
Dave Bagler's picture

I submitted a project application (https://www.drupal.org/node/2668062) back in February. It's been reviewed multiple times and was set to RBTC in early March. It was bumped from normal priority to critical by kattekrab at the end of March. I've already gone though this process once before with a module that ended up being a single project promotion.

I'm hoping to be able to provide a full release of the module by the end of April.