[gentoo-dev] Re: GLEP 38: Status of forum moderators in the Gentoo project

[gentoo-dev] Re: GLEP 38: Status of forum moderators in the Gentoo project

[Duncan]

Diego 'Flameeyes' Pettenò posted
<200506281255.41021@enterprise.flameeyes.is-a-geek.org>, excerpted below,
on Tue, 28 Jun 2005 12:55:35 +0200:

> And until you don't figure on roll-call after taking a quiz, you can't
> be considered "Official Staff/Developers", so you can't just say "we're
> official", also ATs getting developers must take the quiz, so you see
> that the quiz *is* a fundamental part of it.

FWIW as a prospective AT myself...  The current amd64 AT requirements, at
least, require taking not only the "staff" quiz, but the full ebuild quiz,
so it's NOT just ATs becoming devs, but ALL (at least amd64) ATs, AND
it's the full ebuild quiz the devs must pass. (I can't say about other
archs, but there's only one such non-amd64 AT so far, on ppc64, and I
wouldn't be surprised if he had to take the full ebuild quiz as well.)

>From the amd64 AT documentation:
http://www.gentoo.org/proj/en/base/amd64/tests/index.xml?part=1&chap=1

<quote>
Prospective AT's will have to pass the ebuild quiz, currently here.
</quote>

("Here" points to the ebuild quiz
http://www.gentoo.org/proj/en/devrel/quiz/ebuild-quiz.txt )

Further to the point made elsewhere, but without the source reference,
further quote from the first link above:

<quote>
A note about arch testers "status": Gentoo/AMD64 Arch Testers are not
official Gentoo developers. They are, however, a recognized part of the
Gentoo/AMD64 arch team. I ask that all AT's keep this in mind when
selecting email signatures or other forms of communication.
</quote>

So, yes, ATs take not only the staff quiz, but the full ebuild quiz. 
Further, the expectation is clear that they will be held to "professional"
conduct standards.  For me, that will probably mean giving up my
references to "MSWormOS", at least if and when I choose to identify
myself as an AT.

On the thread subject...

It seems to me there's really not a lot of controversy, only the sides
keep talking past each other and making it more than it is.

Both sides seem to agree that moderators of individual forums shouldn't
have to take the quiz, eliminating the problem of the i11l forums ESL
(English-second-language) mods.

Only the global mods and admins would have to take it, and they all know
English pretty well as a defining characteristic of their job, so the
requirement to take the quiz (and know English well enough to communicate
decently in the Gentoo staff community) shouldn't be an issue.

Further, many of the global mods are already staff/devs, and of those that
aren't, there are only three who haven't said they plan on taking it
anyway, and two of those are inactive.

Thus, the whole debate is over one person, who has expressed a reluctance
to take it but has said (s)he will if necessary.

IMO, that makes it pretty much a non-issue.  If the global mods wish to
make that position official Gentoo staff, and vote among themselves to do
so, there should be no exceptions.  If the one (or either inactive)
global-mod who has concerns chooses not to take the quiz, simply make that
person a individual forum moderator, but just list every forum in the list
of forums they get mod rights in, thus effectively making them a global
mod in all but name, which, if global-mod is to now mean Gentoo staff and
they haven't become Gentoo staff yet, is effectively what they'd be anyway.

OTOH, the global mods, now seeing what it would mean, and that many
already have staff/dev status anyway, could actually decide they don't
want or need Gentoo staff status as part of the global mod description
after all.  They could remain as they are.  It would be perfectly
reasonable for one or more global mods to change their vote out of respect
for the single individual that has expressed reluctance, and to rescind
the GLEP before official vote of the existing Gentoo staff and devs on it.
Things would continue as they are now, and any individual global mod, as
anyone else, could still become a Gentoo dev or Gentoo staff member
independently.

So...  I don't have a vote, but I'd vote yes on a GLEP that made the
forums a Gentoo project and required the global moderators to become
Gentoo staff -- assuming of course they didn't decide they didn't want
that, after all.  No exemptions for individual global mods, but no
exemptions needed, because most are or have expressed an intention to
become staff anyway, with only one person expressing reservations, and if
that person chooses not to, they effectively simply become an individual
forum mod, who happens to have mod rights in /every/ individual forum, so
nothing's lost but the name, IMO a fair sacrifice to the democratic vote
to become staff, considering there's always the choice to take the test
and get back or keep the global mod label as well, if (s)he so chooses.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman in
http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html


-- 
gentoo-dev@gentoo.org mailing list

[gentoo-dev] Re: GLEP 38: Status of forum moderators in the Gentoo project

[Duncan]

Lance Albertson posted <1120000451.26017.7.camel@pursuit>, excerpted
below,  on Tue, 28 Jun 2005 18:14:11 -0500:

> Ok, after talking with a few folks I want to retract my comment about no
> shell access. I didn't think about the other groups (docs) that already
> have shell access and retain a simliar status as forum mods do in
> Gentoo. I'm just getting ansty about all these new people we're bringing
> on and the security behind it. Thats my main concern at this point, not
> whether your work is more or less than a regular developer. I just
> wanted to make that point before I had a flamewar directed at me :)

OK, I'm with you on the security thing (being one that would prefer a
USE=clientonly flag, remember, tho I understand the reasons behind not
doing it), but I DO know there's quite the occasional use for someplace to
host scripts, patchlets, and sample config files for reference from
forums/news/lists/irc, that I've personally found useful, that others
would like to see as well.

One particular example is my xorg.conf file, which I seem to get
requests for from time to time, when I mention that I have xorg running
xinerama on a dual-out Radeon 9200SE.  It seems many have trouble getting
that to work, and an annotated working config can help tremendously.  I've
been considering doing it up right and putting it on my web page.  Sure, I
can put it on my ISP's page, but folks do change ISPs from time to time,
and for forum mods that are already staff, having a "staffspace" available
to make such things a bit more publicly available, could be /quite/ useful.

The form of the URLs such resources get make it quite clear that while
hosted on a gentoo server, they are in personal devspace/staffspace on
that server, so there should be little chance of confusion with "official"
packages, particularly if there's a policy in place (I haven't seen one
but that doesn't mean it doesn't exist) to clearly mark any HTML formatted
anchor tags with non-obfuscated descriptions and URLs.  (The forum
software may or may not make obfuscated URLs impossible, I don't know.)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman in
http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html


-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Re: GLEP 38: Status of forum moderators in the Gentoo project

[Andrea Barisani]

On Tue, Jun 28, 2005 at 05:45:26PM -0700, Duncan wrote:
> Lance Albertson posted <1120000451.26017.7.camel@pursuit>, excerpted
> below,  on Tue, 28 Jun 2005 18:14:11 -0500:
> 
> > Ok, after talking with a few folks I want to retract my comment about no
> > shell access. I didn't think about the other groups (docs) that already
> > have shell access and retain a simliar status as forum mods do in
> > Gentoo. I'm just getting ansty about all these new people we're bringing
> > on and the security behind it. Thats my main concern at this point, not
> > whether your work is more or less than a regular developer. I just
> > wanted to make that point before I had a flamewar directed at me :)
> 
> OK, I'm with you on the security thing (being one that would prefer a
> USE=clientonly flag, remember, tho I understand the reasons behind not
> doing it), but I DO know there's quite the occasional use for someplace to
> host scripts, patchlets, and sample config files for reference from
> forums/news/lists/irc, that I've personally found useful, that others
> would like to see as well.

Would devwiki (or something like that) access for hosting files be acceptable? 
Seriously security_wise and admin_wise I don't see shell access useful neither 
appropriate imho.

Btw how many forums moderators are we talking about?

Cheers

-- 
Andrea Barisani <lcars@gentoo.org>                            .*.
Gentoo Linux Infrastructure Developer                          V
                                                             (   )
GPG-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc   (   )
    0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E        ^^_^^
      "Pluralitas non est ponenda sine necessitate"
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Re: GLEP 38: Status of forum moderators in the Gentoo project

[christian.hartmann]

Lance Albertson:
> > I'm just getting ansty about all these new people we're bringing
> > on and the security behind it. Thats my main concern at this point, not
> > whether your work is more or less than a regular developer.

Andrea Barisani:
> Seriously security_wise and admin_wise I don't see shell access useful neither 
> appropriate imho.
> Btw how many forums moderators are we talking about?

I know what you're talking about. I usually don't like to give ppl shell access to boxes I'm in charge of. I'm kinda paranoid on this one. ;)
But it's just about 10 more accounts. Knowing that toucan and all the other infrastructure servers are pretty locked down and knowing that most of us are really aware of security (keeping your ssh-keys in a secure place; use stong passwords; lock down boxes; don't run weird scripts on servers, etc.) I don't see a problem here. We are very careful about whom to give the permissions to moderate the forum. Before granting them access to moderate (as in moving, deleting, editing etc) the forum we have a close look at the ppl so that we can make sure they don't do something nasty with their permissions.

If anybody does something nasty on toucan just lock his/her account. - But that should be a rule for everyone having shell access.

> OK, I'm with you on the security thing (being one that would prefer a
> USE=clientonly flag, remember, tho I understand the reasons behind not
> doing it), but I DO know there's quite the occasional use for someplace to
> host scripts, patchlets, and sample config files for reference from
> forums/news/lists/irc, that I've personally found useful, that others
> would like to see as well.

That is what I had in mind. Hosting sample configuration files etc.

Andrea Barisani:
> Would devwiki (or something like that) access for hosting files be acceptable? 

It's not yet made public, is it? I don't really care about having shell access on toucan. I usually prefer hosting stuff on my server so that I've got it all in one place. All I'd like to bring up is that I'd like to have a real mailbox rather than just a mail forwarder.

> Btw how many forums moderators are we talking about?
~10

Thanks for your feedback btw,
Christian Hartmann (ian!)

ps: webmailers suck ;)


-- 
gentoo-dev@gentoo.org mailing list

[gentoo-dev] Re: Re: GLEP 38: Status of forum moderators in the Gentoo project

[Duncan]

christian.hartmann posted <790333825@web.de>, excerpted below,  on Wed, 29
Jun 2005 09:54:35 +0200:

> Lance Albertson:
>> > I'm just getting ansty about all these new people we're bringing on
>> > and the security behind it. Thats my main concern at this point, not
>> > whether your work is more or less than a regular developer.
> 
> Andrea Barisani:
>> Seriously security_wise and admin_wise I don't see shell access useful
>> neither appropriate imho.
>> Btw how many forums moderators are we talking about?
> 
> I know what you're talking about. I usually don't like to give ppl shell
> access to boxes I'm in charge of. I'm kinda paranoid on this one. ;) But
> it's just about 10 more accounts. Knowing that toucan and all the other
> infrastructure servers are pretty locked down and knowing that most of us
> are really aware of security (keeping your ssh-keys in a secure place; use
> stong passwords; lock down boxes; don't run weird scripts on servers,
> etc.) I don't see a problem here. We are very careful about whom to give
> the permissions to moderate the forum. Before granting them access to
> moderate (as in moving, deleting, editing etc) the forum we have a close
> look at the ppl so that we can make sure they don't do something nasty
> with their permissions.

I don't blame anyone for being antsy about a whole group getting new
access at one point, I'd be antsy too.  However, keep in mind that these
/are/ /global/ moderators we are talking about, that have demonstrated
their worth to Gentoo over multiple forums over a long enough time to have
already been made /global/ mods.  CVS access is an entirely different
story, of course, but for general shell access -- it should be pretty
clear by now what their intentions are on Gentoo, and given their position
in /very/ public view as Gentoo global mods, IMO they could do /far/ more
damage to Gentoo in a few minutes or hours on the forums than they could
with a single shell account on a single machine (assuming proper internal
firewalling between that box and others, and proper administrative
supervision of a box with that many folks having shell accounts on it) in
any case.

Not only do we trust them with the highly publicly visible position of
global mods, but now we are making them staff.  If there's any reasonable
doubt security-wise, there's something wrong with the whole situation we
find ourselves in in the first place.

Also, as someone else pointed out in the earlier thread, in a year, when
they get full Foundation voting rights, they'll need shell accounts
anyway, to be able to properly vote, unless of course some other
arrangements are to be made by then.  That does give us a year to work
with on activating the accounts, true, but they've got to be activated
sooner or later, and if we're already trusting them to the degree we are
in the global mod position and now as staff, it might as well be now.

All that said, the more people with accounts on a box, the lower the "mean
time before failure", just in general terms, even if each individual is
100% trusted.  That's just the way things work.  So, yeah, ten new in what
amounts to one shot... it SHOULD be giving people a bit of the shivers. 
If it's not, those folks must either not be concerned about security, or
they've lost their edge.

All IMO of course.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman in
http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html


-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Re: GLEP 38: Status of forum moderators in the Gentoo project

[Chris Gianelloni]

[-- Attachment #1: Type: text/plain, Size: 2557 bytes --]

On Tue, 2005-06-28 at 17:45 -0700, Duncan wrote:
> OK, I'm with you on the security thing (being one that would prefer a
> USE=clientonly flag, remember, tho I understand the reasons behind not
> doing it), but I DO know there's quite the occasional use for someplace to
> host scripts, patchlets, and sample config files for reference from
> forums/news/lists/irc, that I've personally found useful, that others
> would like to see as well.

Honestly, we need a *mirrored and distributed* location for such things.
It could easily be accessible from the shell box, but anything that
resides on /home on toucan can not be considered safe.  While the
infrastructure staff does their best to ensure the data there, it is
*our* responsibility to keep our own backups of everything there.

In fact, there is GLEP15, which deals with this, specifically.

> One particular example is my xorg.conf file, which I seem to get
> requests for from time to time, when I mention that I have xorg running
> xinerama on a dual-out Radeon 9200SE.  It seems many have trouble getting
> that to work, and an annotated working config can help tremendously.  I've
> been considering doing it up right and putting it on my web page.  Sure, I
> can put it on my ISP's page, but folks do change ISPs from time to time,
> and for forum mods that are already staff, having a "staffspace" available
> to make such things a bit more publicly available, could be /quite/ useful.

Again, toucan is *not* this place, as has been said many times by
infrastructure.  Anything on dev.gentoo.org should be considered
transitive, as it can disappear at any time.  A more permanent solution
to this should be done, rather than relying on something that we have
been told time and time again that we should *not* rely on.

This being said, I'm pretty guilty of this myself, with one minor
exception.  I keep my own backups.  :P

> The form of the URLs such resources get make it quite clear that while
> hosted on a gentoo server, they are in personal devspace/staffspace on
> that server, so there should be little chance of confusion with "official"
> packages, particularly if there's a policy in place (I haven't seen one
> but that doesn't mean it doesn't exist) to clearly mark any HTML formatted
> anchor tags with non-obfuscated descriptions and URLs.  (The forum
> software may or may not make obfuscated URLs impossible, I don't know.)

-- 
Chris Gianelloni
Release Engineering - Strategic Lead/QA Manager
Games - Developer
Gentoo Linux

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]