public inbox for gentoo-nfp@lists.gentoo.org
* [gentoo-nfp] Social contract and its effect on vendors and service delivery.
@ 2020-06-26 20:17 Alec Warner
  2020-06-26 20:32 ` Rich Freeman
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Alec Warner @ 2020-06-26 20:17 UTC
  To: gentoo-nfp

Hi,

The infrastructure team often receives feedback that services are slow. One
idea we have to improve service delivery for users is to offer edge
connectivity closer to users. We generally have two choices here:
  - We can build out an edge by buying machines in various data centers;
installing a reverse proxy on them, and then backhauling the traffic to our
service origin.
 - We can buy these services from many different CDN providers who have
already done the first step; for a nominal fee[0].

Is it against the social contract to purchase these CDN services?
Is it against the social contract to purchase these CDN services, even if
the services are provided via open source software?

-A

[0] I'm not intending to have a fiscal argument; there are obvious
tradeoffs between buy / build and money. I'm interested in the social
contract only for the moment.
-A


* Re: [gentoo-nfp] Social contract and its effect on vendors and service delivery.
  2020-06-26 20:17 [gentoo-nfp] Social contract and its effect on vendors and service delivery Alec Warner
@ 2020-06-26 20:32 ` Rich Freeman
  2020-06-27  7:37   ` Robin H. Johnson
  2020-06-26 20:38 ` Thomas Deutschmann
  2020-06-27 10:03 ` Roy Bamford
  2 siblings, 1 reply; 7+ messages in thread
From: Rich Freeman @ 2020-06-26 20:32 UTC
  To: gentoo-nfp

On Fri, Jun 26, 2020 at 4:17 PM Alec Warner <antarus@gentoo.org> wrote:
>
> Is it against the social contract to purchase these CDN services?
> Is it against the social contract to purchase these CDN services, even if the services are provided via open source software?
>

IMO the obvious answer to the second question is that purchasing
services that are provided using FOSS is absolutely permitted by the
social contract.  Obviously we should be careful with money, but we're
allowed to spend money on services and in fact have done so in other
cases (like paying for a bug bounty, for accounting services, etc -
generally all using FOSS where it exists).

The first question is more of a grey area.  IMO something like a
mirror/CDN network is really not something we're "depending" on in the
spirit of the social contract.  They're just providing extremely
commoditized services based on completely open protocols, so if the
whole thing were to go away overnight the main thing we'd see is a
lower level of service, and replicating the network with another
provider would be trivial.  For our distfiles/rsync mirrors we don't
audit to make sure every one of those providers is using 100% FOSS,
and I doubt most of their servers are running coreboot.  Those mirrors
are just http/etc and nobody is going to notice if one is running IIS
for some reason.

Now, if we were going to host bugzilla or email or some other core
infra on non-FOSS software I think it would be a much larger concern.
I think the key is that the authoritative source is FOSS, and we're
just using vendors to mirror data using a black box mechanism and open
protocols.

But, I'll be the first to ack that this second bit is a grey area, and
I'm sure there will be others that disagree.  I think it is ok if a
social contract has a bit of grey around the edges, and ultimately the
community can decide how they feel about it.

I realize that you didn't want to get into the fiscal argument, but
I'd toss in my two cents here: it seems like we have a lot of orgs
that donate servers/etc and I know we're always getting requests on
pr@ for "sponsors" (usually cash for SEO, but maybe some could offer
actual hosting).  I actually like depending on donations in kind a lot
more than money because it tends to keep the org rooted in what serves
the broader FOSS/etc community vs being an org that handles a lot of
cash which can sometimes lose perspective.

-- 
Rich



* RE: [gentoo-nfp] Social contract and its effect on vendors and service delivery.
  2020-06-26 20:17 [gentoo-nfp] Social contract and its effect on vendors and service delivery Alec Warner
  2020-06-26 20:32 ` Rich Freeman
@ 2020-06-26 20:38 ` Thomas Deutschmann
  2020-06-26 20:51   ` Alec Warner
  2020-06-27 10:03 ` Roy Bamford
  2 siblings, 1 reply; 7+ messages in thread
From: Thomas Deutschmann @ 2020-06-26 20:38 UTC
  To: gentoo-nfp

Hi,

> Is it against the social contract to purchase these CDN services?

Not from my P.O.V when the origin itself is under full control.

Also, would you plan to block direct access once you set up a CDN service, i.e. forcing everyone to use CDN services or would you still allow people to hit services directly? For the latter it's just an additional offer so I wouldn't expect any problems (isn't it the same like being present on GitHub?).


-- 
Regards, 
Thomas Deutschmann / Gentoo Linux Developer 
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 


* Re: [gentoo-nfp] Social contract and its effect on vendors and service delivery.
  2020-06-26 20:38 ` Thomas Deutschmann
@ 2020-06-26 20:51   ` Alec Warner
  2020-06-27  7:28     ` Robin H. Johnson
  0 siblings, 1 reply; 7+ messages in thread
From: Alec Warner @ 2020-06-26 20:51 UTC
  To: gentoo-nfp

On Fri, Jun 26, 2020 at 1:38 PM Thomas Deutschmann <whissi@gentoo.org>
wrote:

> Hi,
>
> > Is it against the social contract to purchase these CDN services?
>
> Not from my P.O.V when the origin itself is under full control.
>
> Also, would you plan to block direct access once you set up a CDN service,
> i.e. forcing everyone to use CDN services or would you still allow people
> to hit services directly? For the latter it's just an additional offer so I
> wouldn't expect any problems (isn't it the same like being present on
> GitHub?).
>

I don't believe we have any rationale for restricting traffic in the way
you describe, so no we would not force traffic to transit the CDN to the
origin.

-A


>
>
> --
> Regards,
> Thomas Deutschmann / Gentoo Linux Developer
> fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
>


* Re: [gentoo-nfp] Social contract and its effect on vendors and service delivery.
  2020-06-26 20:51   ` Alec Warner
@ 2020-06-27  7:28     ` Robin H. Johnson
  0 siblings, 0 replies; 7+ messages in thread
From: Robin H. Johnson @ 2020-06-27  7:28 UTC
  To: gentoo-nfp

On Fri, Jun 26, 2020 at 01:51:06PM -0700, Alec Warner wrote:
> On Fri, Jun 26, 2020 at 1:38 PM Thomas Deutschmann <whissi@gentoo.org>
> wrote:
> 
> > Hi,
> >
> > > Is it against the social contract to purchase these CDN services?
> >
> > Not from my P.O.V when the origin itself is under full control.
> >
> > Also, would you plan to block direct access once you set up a CDN service,
> > i.e. forcing everyone to use CDN services or would you still allow people
> > to hit services directly? For the latter it's just an additional offer so I
> > wouldn't expect any problems (isn't it the same like being present on
> > GitHub?).
> >
> 
> I don't believe we have any rationale for restricting traffic in the way
> you describe, so no we would not force traffic to transit the CDN to the
> origin.
The wording here will matter I feel.

The _default_ hostname for the service might involve the CDN, but
alternate hostnames exist to bypass the CDN.

The non-CDN version of these can already be accessed at:
(service)-cdn-origin.gentoo.org

The CDN version of these can be explicitly selected at:
(service)-cdn.gentoo.org

Infra reserves the right to change the above pattern, but that's what it
is today (and is visible in the SSL certs).

For transparency, the following read-only services are already using CDN
today, via sponsors: CDN77 & AWS [1 site]:
------------------------------------------
api.gentoo.org
assets.gentoo.org
devmanual.gentoo.org
infra-status.gentoo.org
planet.gentoo.org
archives.gentoo.org (disabled, use archives-cdn.gentoo.org)
packages.gentoo.org (disabled, use packages-cdn.gentoo.org) [AWS]

Other read-only services likely to move to CDN in future:
---------------------------------------------------------
archives.gentoo.org [already testing]
cgit.gentoo.org
distfiles.gentoo.org
glsa.gentoo.org
mirrorstats.gentoo.org
packages.gentoo.org [already testing]
projects.gentoo.org
qa-reports.gentoo.org
repos.gentoo.org
security.gentoo.org
www.gentoo.org
anongit.gentoo.org ** (requires some special sauce)

Read-write services that we'd like to improve to a localized
reverse-proxy to improve service (via lower latency):
-----------------------------------------------------
wiki.gentoo.org
bugs.gentoo.org
sso.gentoo.org
glsamaker.gentoo.org
keys.gentoo.org

Services unlikely to move:
--------------------------
*test.gentoo.org (test versions of many sites above, would default to non-CDN)
dev.gentoo.org (would have to detangle HTTPS from SSH hostnames)
forums.gentoo.org (depends heavily on the migration efforts that are already very behind)
infrawiki.gentoo.org (not enough demand, low priority)

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136


* Re: [gentoo-nfp] Social contract and its effect on vendors and service delivery.
  2020-06-26 20:32 ` Rich Freeman
@ 2020-06-27  7:37   ` Robin H. Johnson
  0 siblings, 0 replies; 7+ messages in thread
From: Robin H. Johnson @ 2020-06-27  7:37 UTC
  To: gentoo-nfp

On Fri, Jun 26, 2020 at 04:32:24PM -0400, Rich Freeman wrote:
> On Fri, Jun 26, 2020 at 4:17 PM Alec Warner <antarus@gentoo.org> wrote:
> >
> > Is it against the social contract to purchase these CDN services?
> > Is it against the social contract to purchase these CDN services, even if the services are provided via open source software?
> >
> 
> IMO the obvious answer to the second question is that purchasing
> services that are provided using FOSS is absolutely permitted by the
> social contract.  Obviously we should be careful with money, but we're
> allowed to spend money on services and in fact have done so in other
> cases (like paying for a bug bounty, for accounting services, etc -
> generally all using FOSS where it exists).
How much of the CDN provider's stack must be FOSS?
- Just the CDN software?
- The billing stack?
- everything in the company?

> I realize that you didn't want to get into the fiscal argument, but
> I'd toss in my two cents here: it seems like we have a lot of orgs
> that donate servers/etc and I know we're always getting requests on
> pr@ for "sponsors" (usually cash for SEO, but maybe some could offer
> actual hosting).  I actually like depending on donations in kind a lot
> more than money because it tends to keep the org rooted in what serves
> the broader FOSS/etc community vs being an org that handles a lot of
> cash which can sometimes lose perspective.
Speaking as treasurer, in-kind donations require different handling than
cash donations; they're actually somewhere I feel we have some exposure
in case of future audit, because past in-kind sponsors generally did not
provide us with a good statement of the value of those in-kind services,
that might be needed for tax purposes.

However, I'd like to ask: What about donations of CDN services specifically?
CDN77 is one of the present sponsors (see my other mail in this thread).

I've been trying to reach out to Fastly (unsuccessfully) to get a
sponsorship from them: their stack is based on Varnish, and offers
functionality that CDN77 doesn't: lots more endpoints, IPv6, API for
uploading certs.

> 
> -- 
> Rich
> 

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136


* Re: [gentoo-nfp] Social contract and its effect on vendors and service delivery.
  2020-06-26 20:17 [gentoo-nfp] Social contract and its effect on vendors and service delivery Alec Warner
  2020-06-26 20:32 ` Rich Freeman
  2020-06-26 20:38 ` Thomas Deutschmann
@ 2020-06-27 10:03 ` Roy Bamford
  2 siblings, 0 replies; 7+ messages in thread
From: Roy Bamford @ 2020-06-27 10:03 UTC
  To: gentoo-nfp

On 2020.06.26 21:17, Alec Warner wrote:
> Hi,
> 
> The infrastructure team often receives feedback that services are
> slow. One
> idea we have to improve service delivery for users is to offer edge
> connectivity closer to users. We generally have two choices here:
>   - We can build out an edge by buying machines in various data
> centers;
> installing a reverse proxy on them, and then backhauling the traffic
> to our
> service origin.
>  - We can buy these services from many different CDN providers who
> have
> already done the first step; for a nominal fee[0].
> 
> Is it against the social contract to purchase these CDN services?
> Is it against the social contract to purchase these CDN services, even
> if
> the services are provided via open source software?
> 
> -A
> 
> [0] I'm not intending to have a fiscal argument; there are obvious
> tradeoffs between buy / build and money. I'm interested in the social
> contract only for the moment.
> -A
> 


Alec,

As with other things, the key concept is dependency.

Perform the thought experiment of adding these services to Gentoo,
and asking how does Gentoo work now?

Now take them away again and ask the question again.
If Gentoo still works, there is clearly no "dependency".

That test must pass but it's not sufficient.
We also need to ensure that Gentoo does not become dependent
accidentally due to other subsequent changes in Gentoo.

In the case of CDN, it's an add-on extra for our users. Nothing
goes away. It's difficult to see how Gentoo could become dependent
accidentally too.


-- 
Regards,

Roy Bamford
(Neddyseagoon) a member of
elections
gentoo-ops
forum-mods
arm64
