On Sun, 2018-08-19 at 14:42 -0400, Aaron Bauman wrote:
> Gentoo-bug: https://bugs.gentoo.org/659620
>
> All, this email will serve as a comparison between the two vendors which
> have provided quotes to the Foundation. This does not include Alice's
> proposal as U2FZero is currently out of stock in the United States and
> does not seem to offer any availability in Asia. Alice did suggest that
> we split vendors across geographical markets, but I find this will make
> the situation become very difficult to handle. It would also put the
> burden on individuals to receive and disperse the tokens and increase
> shipping costs, burden the treasurer for reimbursements to be processed,
> and possibly cause delays.
>
> Yubikey:
>
> Quote received for (150) Yubikey FIPS tokens.
>
> Unit Price: $44.16 USD
> Total: $6,624 USD
> Discount: 4% (already available to anyone ordering in bulk)
>
> Shipping costs can be found at [1] and the lowest cost projections
> given. They do not offer any standard costs for shipping and cannot
> discount it.
>
> Open source: Several products are no longer open sourced and tracking
> which is/is not can be difficult [4].
>
> Nitrokey:
>
> Quote received based on (150) Nitrokey Pro tokens.
>
> Unit Price: 27,59 € ($31.58 USD at the time of this email)
> Total: 4,138.50 € ($4737.06 USD at the time of this email)
> Discount: 33% (With sponsorship agreement on gentoo.org)
>
> All prices are already inclusive of VAT.
>
> Shipping times can be found here [2]. Shipping costs can be found here
> [3]. The most expensive shipping is worldwide starting at 7,40 €
> ($8.47 USD at the time of this email).
>
> Nitrokey has also offered several unique options for Gentoo. They will
> provide a custom portal which allows each developer to request their
> security token. This is done via a Foundation (infra really) provided
> list of valid gentoo.org email addresses. Additionally, they will
> provide monthly billing of all purchased devices and the Foundation is
> not obligated to purchase all (150) tokens. This can be a standing
> agreement until the Foundation decides to remove financial support.
>
> Considering both vendors, we can estimate shipping at the highest cost
> in order to best prepare for potential expenses.
>
> Open source: All products are considered open [4].
>
> -----
>
> Motion: I move that the board vote to accept the offer from Yubico or
> Nitrokey and begin our agreement with the accepted vendor beginning 1
> September 2018. This motion will provide security tokens to all current
> developers listed in Gentoo's LDAP infrastructure as of 31 August 2018.
>
> Motion: I move that the board vote to maintain the aforementioned
> agreement in order to support future Gentoo developers with security
> tokens. This motion includes the right to terminate future purchases
> based on the Foundation's financials.
>
> [1]: https://www.yubico.com/support/shipping-and-buying-information/
> [2]: https://www.nitrokey.com/documentation/frequently-asked-questions#how-long-does-the-shipping-take
> [3]: https://shop.nitrokey.com/shop/product/nitrokey-pro-2-3
> [4]: https://old.lwn.net/Articles/736231/

1. Should we include all developers or only developers with gentoo.git
commit access?

2. Shouldn't we set some minimal time-as-a-dev for this? What I'm
concerned about are people joining Gentoo only to get the free token and
then ceasing to contribute. We historically had both cases of people
joining and then disappearing shortly afterwards, and people trying to
join just to gain the developer status and not to contribute.

Alternatively, require developers to return the token upon termination
of developer status, with allowance that after X years as a dev the
token is considered scrapped and does not need to be returned.

-- 
Best regards,
Michał Górny