Define a guideline/policy for handling accounts of deceased or incapacitated user #3755

Closed
xavierdecoster opened this issue Apr 6, 2017 · 6 comments

@xavierdecoster
Member

Currently, nuget.org does not have a documented policy to handle e.g. the following situation:

Imagine a popular product with packages on nuget.org managed and owned by account A. The community around this product contributes additional packages to nuget.org that enrich this product's ecosystem. These packages are not owned by account A.

When one of the owners of these contribution packages, e.g. account B, passes away or is incapable for whatever reason to continue this package, but the community at large, including account A, wants to continue supporting and maintaining them, they are blocked as they can't do that without transferring package ownership. However, the original package owner, account B, is incapable of responding to these ownership transfer requests.

There are other, similar scenarios that may lead to the above problem, and I feel we should provide some guidance or have a policy in place to help resolve this issue.

@gep13

gep13 commented Apr 7, 2017

As a maintainer of a project that is currently in this situation, I wanted to add some notes on this from our point of view...

The Cake project hosts 6 packages on NuGet. These are the core components of the Cake Build project. In addition to the core functionality of Cake, we have an addin architecture that means that the Cake Community can easily extend the functionality. We have been truly delighted with the response from the Cake Community, and I am aware of over 130 addins that have been created for Cake. You can find these by searching for Cake on NuGet.org.

Back in August last year, after a discussion with our community on Gitter, we identified that there was a potential issue with our addin eco-system (which we documented here). The problem at the time was that if a Community Member walked away from a project, then other community members who relied on a particular addin would not be in a position to get any further updates to the package hosted on NuGet.org. We decided that this was less than desirable, and we set about doing something about this (you can see this being tracked here). This took the form of the cake-contrib user on NuGet.org. This user has now been made the co-owner of 117 of the Cake addins on NuGet.org. For most packages, this has no impact on the original owner of the package. They continue in exactly the same way as before. The addition of the cake-contrib user is simply a fail safe. In the event of an owner no longer being interested in maintaining a project (or in the more serious situation of a death), members of the Cake Team can step in, and continue to push new versions of the package to the same package id. This means that the package itself can continue. If we didn't have the cake-contrib user in place, it would mean that we would have to push new package versions to an alternative package id, which dilutes the eco-system, and doesn't make it clear which package is the correct one to use.

We were in the process of trying to get the cake-contrib user added to another package when we learned that the package owner had sadly passed away. This leaves the package in question in limbo. We are obviously hopeful that the decision that is made here will allow us to continue the excellent work that the original owner made, without having to create another package id.

We were in a similar situation with regard to the GitHub Repository which held the source code for the package. We got a response from GitHub stating that nothing could be done without involvement from the next of kin, or business partner. We decided to fork the repository and move it under the cake-contrib GitHub Organisation. This decision was made because we didn't want to/or have no real way, to contact the next of kin (which would potentially cause additional sadness), and also due to the fact that the forked repository is still "linked" to the original, so credit to the original source code is still intact. NuGet.org has no real concept of "linking" to an original package. Over on chocolatey.org when we have a need to what we call "deprecate" a package, we follow this process so that people consuming the original package automatically get the new one. However, this process would still require access rights to the original package,

@gep13

gep13 commented Apr 11, 2017

@anangaur @karann-msft @xavierdecoster just wanted to follow up to see if there had been any further discussions about this. Thanks.

@gep13

gep13 commented Apr 14, 2017

@anangaur @karann-msft @xavierdecoster just checking in again... Any updates?

@shaneray

This sounds like a completely legit situation. I am not sure of any legal situations this may cover or if said "property" would need to be assigned in a will or something similar to be legal (at least in the US). However, this is a real life thing that happens and should be covered by law or at least GitHub policy to make sure something someone or many people have spent a lot of time to develop does not disappear because someone has passed away. Maybe in the report and confirmation of death the ownership gets passed to the person with the most commits and latest active time (if they accept) would keep the project in the hands of someone that has a vested interest.

@jongalloway

I'll check on this. I agree it's important, and it would be good to get a policy in place.

This is similar to the goals of .NET Foundation stewardship for member projects, but we need to solve this problem for NuGet packages at large, the huge majority of which won't be members of a software foundation.

@karann-msft
Contributor

karann-msft commented May 5, 2017

First off, thank you all so much for the feedback. We absolutely are committed to maintaining the continuity of the ecosystem when an unfortunate situation like this happens.

We have been working with our legal team on this issue, and have now posted a policy update at the location below. This policy has been written to ensure confidence in the claim of ownership, before the NuGet.org administrators intervene to manually add any additional owners to a package.

Package succession under special circumstances

While we were working on defining the policy we also worked with the Cake project to resolve their immediate concern, but going forward we will be acting as per the policy above.

Thanks again on behalf of the NuGet team.
