[gentoo-nfp] infra agenda item

[gentoo-nfp] infra agenda item

[Daniel Robbins]

[-- Attachment #1: Type: text/plain, Size: 1549 bytes --]

Hi All,

An agenda item for next meeting. I would like trustees to have official
control of all Gentoo infrastructure. Gentoo infrastructure is a critical
part of project assets and it is essential that access to such
infrastructure by the -infra lead or -infra members cannot be used as
leverage to gain influence on the project. While I have no reason to
believe we are in this situation, so I don't want to alarm or upset anyone,
I just want to make sure we are protected from this issue and make sure
that appropriate safeguards are in place.

This is an issue that I am quite sensitive to, as I have experienced it
personally with Gentoo. I actually set up the Foundation and resigned when
-infra was co-opted by an -infra lead who removed all my access and pushed
me to set up the Foundation rapidly. Since I was basically a kid, I didn't
know how to handle this situation (person who did this was an IT Manager at
Goldman Sachs and much more versed in playing 'hardball' with people, and I
had limited experience in dealing with it) so I tried to handle it
privately and failed. I now know that I could have simply posted to any
public forum and said "Hey, this person has taken over -infra and I no
longer have access to it. Please ask him to leave the project and return
the keys to me instead of using it as leverage to get what he wants."

To me, it is very clear that the Foundation should have full control of all
assets, including infra (this includes control of mirrors, etc.) on behalf
of the larger Gentoo community.

Best,

Daniel

[-- Attachment #2: Type: text/html, Size: 5812 bytes --]

Re: [gentoo-nfp] infra agenda item

[Alec Warner]

[-- Attachment #1: Type: text/plain, Size: 3076 bytes --]

On Tue, Apr 10, 2018 at 12:27 PM, Daniel Robbins <drobbins@funtoo.org>
wrote:

> Hi All,
>
> An agenda item for next meeting. I would like trustees to have official
> control of all Gentoo infrastructure. Gentoo infrastructure is a critical
> part of project assets and it is essential that access to such
> infrastructure by the -infra lead or -infra members cannot be used as
> leverage to gain influence on the project. While I have no reason to
> believe we are in this situation, so I don't want to alarm or upset anyone,
> I just want to make sure we are protected from this issue and make sure
> that appropriate safeguards are in place.
>

I'm working on a policy on how Infra makes changes at the direction of the
Foundation (the board) and the community (via Comrel and Council projects.)
The Foundation currently has control over its assets. The vast majority of
Gentoo's Infrastructure are Foundation assets (there are like edge cases
where chain of ownership of specific assets is unclear, but I think we have
good paper on the majority.) Speaking as someone on Infra, I would be
against any use of infra for the purposes outlined in your proposal (Infra
acts in good faith to meet th needs of the community.) I think the policy
will help address some of your concerns. The Infra team and the board have
a liaison and a good relationship today (and I suspect will continue to
have one provided Infra funding remains a priority for the board.)

Specifically regarding your proposal, I'm not sure what outcome you are
actually expecting. Explicitly stating that the Foundation owns and
controls assets that it literally owns and controls seems a bit
tautological (and thus of little value.) It might be useful to state that
in that event of a 'hostile takeover' type situation the board will pursue
all legal remedies; but this too seems somewhat tautological (but I'm open
to more leeway here.)


>
> This is an issue that I am quite sensitive to, as I have experienced it
> personally with Gentoo. I actually set up the Foundation and resigned when
> -infra was co-opted by an -infra lead who removed all my access and pushed
> me to set up the Foundation rapidly. Since I was basically a kid, I didn't
> know how to handle this situation (person who did this was an IT Manager at
> Goldman Sachs and much more versed in playing 'hardball' with people, and I
> had limited experience in dealing with it) so I tried to handle it
> privately and failed. I now know that I could have simply posted to any
> public forum and said "Hey, this person has taken over -infra and I no
> longer have access to it. Please ask him to leave the project and return
> the keys to me instead of using it as leverage to get what he wants."
>

> To me, it is very clear that the Foundation should have full control of
> all assets, including infra (this includes control of mirrors, etc.) on
> behalf of the larger Gentoo community.
>

Many mirrors are run by third parties and neither the Foundation nor Infra
have control over them; just as an FYI.

-A


>
> Best,
>
> Daniel
>
>

[-- Attachment #2: Type: text/html, Size: 8500 bytes --]

Re: [gentoo-nfp] infra agenda item

[Daniel Robbins]

[-- Attachment #1: Type: text/plain, Size: 858 bytes --]

On Tue, Apr 10, 2018 at 10:43 AM, Alec Warner <antarus@gentoo.org> wrote:

>
> Specifically regarding your proposal, I'm not sure what outcome you are
> actually expecting. Explicitly stating that the Foundation owns and
> controls assets that it literally owns and controls seems a bit
> tautological (and thus of little value.) It might be useful to state that
> in that event of a 'hostile takeover' type situation the board will pursue
> all legal remedies; but this too seems somewhat tautological (but I'm open
> to more leeway here.)
>

Yes, it is unclear as to how specifically this is protected against, and if
it is the case that sufficient safeguards are in place, and that everyone
involved in -infra is aware that the Foundation essentially is ultimately
'in charge' of the servers, then this issues, as far as I can tell, is
resolved.

-Daniel

[-- Attachment #2: Type: text/html, Size: 1309 bytes --]

Re: [gentoo-nfp] infra agenda item

[Alec Warner]

[-- Attachment #1: Type: text/plain, Size: 1502 bytes --]

On Tue, Apr 10, 2018 at 12:48 PM, Daniel Robbins <drobbins@funtoo.org>
wrote:

> On Tue, Apr 10, 2018 at 10:43 AM, Alec Warner <antarus@gentoo.org> wrote:
>
>>
>> Specifically regarding your proposal, I'm not sure what outcome you are
>> actually expecting. Explicitly stating that the Foundation owns and
>> controls assets that it literally owns and controls seems a bit
>> tautological (and thus of little value.) It might be useful to state that
>> in that event of a 'hostile takeover' type situation the board will pursue
>> all legal remedies; but this too seems somewhat tautological (but I'm open
>> to more leeway here.)
>>
>
> Yes, it is unclear as to how specifically this is protected against, and
> if it is the case that sufficient safeguards are in place, and that
> everyone involved in -infra is aware that the
>
Foundation essentially is ultimately 'in charge' of the servers, then this
> issues, as far as I can tell, is resolved.
>

I think for now its the general culture from the current infrastructure
lead (robbat2) and the draft policy that tries to clearly describe the
situation. At least the current infra team is aware of a number of past
incidents (one being the one you mentioned, but there are others) and IMHO
avoiding impropriety (and avoiding even the appearance of impropriety) is
pretty high upon our list.

I'll try to aim for the policy to be out by the next meeting; but the infra
lead is pretty busy with work so it might not be finalized.

-A


>
> -Daniel
>

[-- Attachment #2: Type: text/html, Size: 2801 bytes --]

Re: [gentoo-nfp] infra agenda item

[Raymond Jennings]

For what it's worth, I personally think that the Foundation being the
legal owner of its own assets (axiomatic but true) is reason enough
for the Trustees, as legal representatives of the Foundation, to have
oversight of whoever is responsible for managing it.  This, in my
opinion, is a good reason for the infra lead to be directly
accountable to the Foundation because infra is maintaining assets that
the Foundation legally owns.

As for mirrors, I would like to make the following comment:

Mirrors may not be legally owned by the foundation, however, the
foundation is (or should be) in charge of the distfiles.gentoo.org
domain name and I presume has some sort of administrative control over
which mirrors are "official" and which ones are not.

Presumably the mirrors themselves are pulling (through however many
layers) from hardware that IS owned or operated by the foundation, and
I'm assuming that the foundation ought to be in a position to set
policy that mirrors would be required to comply with if they want the
foundation's cooperation in being listed as an official mirror.

TLDR: if a mirror is a private residence, it's still the phone
company's job to say what their phone number is, and mirrors who
misbehave (just in theory, like for example serving corrupt files)
ought to be subject to the foundation being able to revoke their
credentials that make them a mirror.

On Tue, Apr 10, 2018 at 9:56 AM, Alec Warner <antarus@gentoo.org> wrote:
>
>
> On Tue, Apr 10, 2018 at 12:48 PM, Daniel Robbins <drobbins@funtoo.org>
> wrote:
>>
>> On Tue, Apr 10, 2018 at 10:43 AM, Alec Warner <antarus@gentoo.org> wrote:
>>>
>>>
>>> Specifically regarding your proposal, I'm not sure what outcome you are
>>> actually expecting. Explicitly stating that the Foundation owns and controls
>>> assets that it literally owns and controls seems a bit tautological (and
>>> thus of little value.) It might be useful to state that in that event of a
>>> 'hostile takeover' type situation the board will pursue all legal remedies;
>>> but this too seems somewhat tautological (but I'm open to more leeway here.)
>>
>>
>> Yes, it is unclear as to how specifically this is protected against, and
>> if it is the case that sufficient safeguards are in place, and that everyone
>> involved in -infra is aware that the
>>
>> Foundation essentially is ultimately 'in charge' of the servers, then this
>> issues, as far as I can tell, is resolved.
>
>
> I think for now its the general culture from the current infrastructure lead
> (robbat2) and the draft policy that tries to clearly describe the situation.
> At least the current infra team is aware of a number of past incidents (one
> being the one you mentioned, but there are others) and IMHO avoiding
> impropriety (and avoiding even the appearance of impropriety) is pretty high
> upon our list.
>
> I'll try to aim for the policy to be out by the next meeting; but the infra
> lead is pretty busy with work so it might not be finalized.
>
> -A
>
>>
>>
>> -Daniel
>
>