# Decision making in the curl project

A rough guide to how we make decisions and who does what.

## BDFL

This project was started by and has to some extent been pushed forward over
the years with Daniel Stenberg as the driving force. It matches a standard
BDFL (Benevolent Dictator For Life) style project.

This setup has been used due to convenience and the fact that it has worked
fine this far. It is not because someone thinks of it as a superior project
leadership model. It will also only continue working as long as Daniel manages
to listen in to what the project and the general user population wants and
expects from us.

## Legal entity

There is no legal entity. The curl project is just a bunch of people scattered
around the globe with the common goal to produce source code that creates
great products. We are not part of any umbrella organization and we are not
located in any specific country. We are totally independent.

The copyrights in the project are owned by the individuals and organizations
that wrote those parts of the code.

## Decisions

The curl project is not a democracy, but everyone is entitled to state their
opinion and may argue their case within the community.

All and any changes that have been done or will be done are eligible to bring
up for discussion, to object to or to praise. Ideally, we find consensus for
the appropriate way forward in any given situation or challenge.

If there is no obvious consensus, a maintainer who's knowledgeable in the
specific area will take an "executive" decision that they think is the right
one for the project.

## Donations

Donating plain money to curl is best done to curl's [Open Collective
fund](https://opencollective.com/curl). Open Collective is a US-based
non-profit organization that holds on to funds for us. This fund is then used
for paying the curl security bug bounties, to reimburse project-related
expenses etc.

Donations to the project can also come in the form of server hosting, providing
services and paying for people to work on curl-related code etc. Usually, such
donations are services paid for directly by the sponsors.

We grade sponsors in a few different levels and if they meet the criteria,
they can be mentioned on the Sponsors page on the curl website.

## Commercial Support

The curl project does not do or offer commercial support. It only hosts
mailing lists, runs bug trackers etc. to facilitate communication and work.

However, Daniel works for wolfSSL and we offer commercial curl support there.

## Key roles

### Maintainers

A maintainer in the curl project is an individual who has been given
permissions to push commits to one of the git repositories.

Maintainers are free to push commits to the repositories at their own will.
Maintainers are however expected to listen to feedback from users and any
change that is non-trivial in size or nature *should* be brought to the
project as a PR to allow others to comment/object before merge.

### Former maintainers

A maintainer who stops being active in the project will at some point get
their push permissions removed. We do this for security reasons but also to
make sure that we always have the list of maintainers as "the team that push
stuff to curl".

Getting push permissions removed is not a punishment. Everyone who ever worked
on maintaining curl is considered a hero, for all time hereafter.

### Security team members

We have a security team. That's the team of people who are subscribed to the
curl-security mailing list; the receivers of security reports from users and
developers. This list of people will vary over time but should be skilled
developers familiar with the curl project.

The security team works best when it consists of a small set of active
persons. We invite new members when the team seems to need it, and we also
expect to retire security team members as they "drift off" from the project or
just find themselves unable to perform their duties there.

### Server admins

We run a web server, a mailing list and more on the curl project's primary
server. That physical machine is owned and run by Haxx. Daniel is the primary
admin of all curl-related server matters, but Björn Stenberg and Linus
Feltzing serve as backup admins for when Daniel is gone or unable.

The primary server is paid for by Haxx. The machine is physically located in a
server bunker in Stockholm, Sweden, operated by the company Portlane.

The website contents are served to the web via Fastly and Daniel is the
primary curl contact with Fastly.

### BDFL

That's Daniel.

# Maintainers

A curl maintainer is a project volunteer who has the authority and rights to
merge changes into a git repository in the curl project.

Anyone can aspire to become a curl maintainer.

### Duties

There are no mandatory duties. We hope and wish that maintainers consider
reviewing patches and helping to merge them, especially when the changes are
within the area of personal expertise and experience.

### Requirements

- only merge code that meets our quality and style guide requirements
- *never* merge code without doing a PR first, unless the change is "trivial"
- if in doubt, ask for input/feedback from others

### Recommendations

- we require two-factor authentication enabled on your GitHub account to
  reduce risk of malicious source code tampering
- consider enabling signed git commits for additional verification of changes

### Merge advice

When you're merging patches/PRs...

- make sure the commit messages follow our template
- squash patch sets into a few logical commits even if the PR didn't, if
  necessary
- avoid the "merge" button on GitHub, do it "manually" instead to get full
  control and full audit trail (GitHub leaves you out as "Committer:")
- remember to credit the reporter and the helpers!

## Who are maintainers?

The [list of maintainers](https://github.com/orgs/curl/people). Be aware that
the level of presence and activity in the project varies greatly between
different individuals and over time.

### Become a maintainer?

If you think you can help make the project better by shouldering some
maintaining responsibilities, then please get in touch.

You will be expected to be familiar with the curl project and its ways of
working. You need to have gotten a few quality patches merged as a proof of
this.

### Stop being a maintainer

If you are not (or appear not to be) active in the project anymore, you may be
removed as a maintainer. Thank you for your service!