Add guidance regarding tracking requirements for service releases of third party content
Submitted by Wayne Beaton
During the Eclipse Foundation's Board of Directors meeting in June 2015 , the following resolution was passed:
RESOLVED, that previously approved dependencies of Eclipse projects can be reviewed and approved by the EMO as follows: a) Service releases (e.g. x.y., bug fixes, security fixes) will require no review. b) Minor revisions (e.g. x..) will require a reduced review by the EMO. c) Major revisions (e.g. ..) will require a full review by the EMO.
At the time the resolution was passed, we decided to interpret this as still requiring that the project team create CQs for service releases that the IP Team approve without (significant) scrutiny. After some reflection, we're dubious of the value of having a CQ for service releases and have decided that--for pure bug-fix-only "service releases"--no CQ is required.
- This only applies for bug-fix releases that follow a minor release that's been approved by the IP Due Diligence Process
- Onus is on the project team to determine whether or not a release qualifies.
- Only patch versions greater than what's already been approved apply.
e.g., if we assume that semantic versioning is used, and that version 4.5.0 of some third party content has been approved by the IP team, a project can assume that this approval applies to versions 4.5.1, 4.5.2, ..., 4.5.n (n>0); any new version that changes either the major or minor version, e.g. 4.6.4, must be reviewed.
We need to update the documentation. The section on Third Party Content  is probably a good place for it.