[gentoo-nfp] Developer Crypto Hardware (AGM)

[Aaron Bauman <bman@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 3095 bytes --]

Gentoo-bug: https://bugs.gentoo.org/659620

All, this email will serve as a comparison between the two vendors which
have provided quotes to the Foundation. This does not include Alice's
proposal as U2FZero is currently out of stock in the United States and
does not seem to offer any availability in Asia. Alice did suggest that
we split vendors across geographical markets, but I find this will make
the situation become very difficult to handle. It would also put the
burden on individuals to receive and disperse the tokens and increase
shipping costs, burden the treasurer for reimbursements to be processed,
and possibly cause delays.
 
Yubikey:

Quote received for (150) Yubikey FIPS tokens.

Unit Price: $44.16 USD
Total: $6,624 USD
Discount: 4% (already available to anyone ordering in bulk)

Shipping costs can be found at [1] and the lowest cost projections
given. They do not offer any standard costs for shipping and cannot
discount it.

Open source: Several products are no longer open sourced and tracking
which is/is not can be difficult [4].
 
Nitrokey:
 
Quote received based on (150) Nitrokey Pro tokens.

Unit Price: 27,59 € ($31.58 USD at the time of this email)
Total: 4,138.50 € ($4737.06 USD at the time of this email)
Discount: 33% (With sponsorship agreement on gentoo.org)
 
All prices are already inclusive of VAT.

Shipping times can be found here [2]. Shipping costs can be found here
[3]. The most expensive shipping is worldwide starting at 7,40 €
($8.47 USD at the the time of this email).

Nitrokey has also offered several unique options for Gentoo. They will
provide a custom portal which allows each developer to request their
security token. This is done via a Foundation (infra really) provided
list of valid gentoo.org email addresses. Additionally, they will
provide monthly billing of all purchased devices and the Foundation is
not obligated to purchase all (150) tokens. This can be a standing
agreement until the Foundation decides to remove financial support.
 
Considering both vendors, we can estimate shipping at the highest cost
in order to best prepare for potential expenses.
 
Open source: All products are considered open [4].
 
-----
 
Motion: I move that the board vote to accept the offer from Yubico or
Nitrokey and begin our agreement with the accepted vendor beginning 1
September 2018. This motion will provide security tokens to all current
developers listed in Gentoo's LDAP infrastructure as of 31 August 2018.

Motion: I move that the board vote to maintain the aforementioned
agreement in order to support future Gentoo developers with security
tokens. This motion includes the right to terminate future purchases
based on the Foundation's financials.
 
[1]: https://www.yubico.com/support/shipping-and-buying-information/
[2]: https://www.nitrokey.com/documentation/frequently-asked-questions#how-long-does-the-shipping-take
[3]: https://shop.nitrokey.com/shop/product/nitrokey-pro-2-3
[4]: https://old.lwn.net/Articles/736231/
 
-- 
Cheers,
Aaron

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]