| 1 |
On Sun, 2018-08-19 at 22:01 +0000, Robin H. Johnson wrote: |
| 2 |
> On Sun, Aug 19, 2018 at 02:42:23PM -0400, Aaron Bauman wrote: |
| 3 |
> > Gentoo-bug: https://bugs.gentoo.org/659620 |
| 4 |
> |
| 5 |
> I have some discussion items & questions regarding the details of the |
| 6 |
> proposal. The questions are explicitly marked with 'Question:' so that |
| 7 |
> they stand out. I have asked questions in both roles I hold: Treasurer |
| 8 |
> of the Foundation & lead of the Infrastructure team. |
| 9 |
> |
| 10 |
> 1. Quantity: |
| 11 |
> (this is mostly to answer other people asking on the lists) |
| 12 |
> The Foundation has specified 150 units as the quantity for price |
| 13 |
> quoting, despite 176 developers being listed as active in LDAP. There |
| 14 |
> are multiple factors here: |
| 15 |
> - The Foundation did not want to commit to buying more keys than needed |
| 16 |
> - This may be an impetus for inactive developers to retire |
| 17 |
> - 151 developers have access to repo/gentoo.git |
| 18 |
> - 140 unique developers committed to any gentoo.org Git/CVS in the last |
| 19 |
> 6 months (123 in the last 3 months). |
| 20 |
|
| 21 |
Also note that some developer have hardware tokens already, or stated |
| 22 |
that they will get one themselves once GF selects the type. |
| 23 |
|
| 24 |
> 4. Functionality: |
| 25 |
> Infra discussions about a potential single-sign-on system for |
| 26 |
> authentication (not commit signing) seems to be converging around OATH & |
| 27 |
> U2F systems, or the upcoming FIDO2 standard [expect new keys to be |
| 28 |
> available later this year or early next year]. The Nitrokey Pro will |
| 29 |
> offer OpenPGP only, while the YubiKey FIPS will offer both OpenPGP & |
| 30 |
> U2F. |
| 31 |
|
| 32 |
For the record, I'm not convinced about using a single device for both |
| 33 |
purposes. Given that some developers are using OpenPGP to encrypt |
| 34 |
password stores, and that we are testing support for 2-step |
| 35 |
authentication for SSH, having the same device provide both elements |
| 36 |
might defeat the purpose of the exercise. |
| 37 |
|
| 38 |
> 5. Ownership: |
| 39 |
> As Treasurer, I would like to point out that this hardware will remain |
| 40 |
> the property of the Foundation for 6 years. This is the relevant |
| 41 |
> depreciation lifespan permitted by IRS regulations. The shipping cost |
| 42 |
> however to return an individual unit will exceed the remaining value |
| 43 |
> after 2 years (depending on the purchasing quarter, by the end of the |
| 44 |
> second financial year, 43-61% of the unit value will be depreciated). |
| 45 |
> |
| 46 |
> 5.1 Question (as Treasurer): As part of accepting the motions to purchase, |
| 47 |
> the Board must implement written requirements for developers to return |
| 48 |
> the keys, at their own cost, if the developer retires within 2.5 years |
| 49 |
> of ordering the unit. |
| 50 |
|
| 51 |
As mentioned in the other mail, should we account for financial |
| 52 |
reimbursement in case developer doesn't return / loses the device? |
| 53 |
Furthermore, should we permit developers to keep it if they reimburse |
| 54 |
the Foundation? I'm not sure how far this is legally feasible. |
| 55 |
|
| 56 |
> (snip parts of quotes) |
| 57 |
> > All, this email will serve as a comparison between the two vendors which |
| 58 |
> > have provided quotes to the Foundation. This does not include Alice's |
| 59 |
> > proposal as U2FZero is currently out of stock in the United States and |
| 60 |
> > does not seem to offer any availability in Asia. |
| 61 |
> |
| 62 |
> 6. Question: Other Vendors |
| 63 |
> Are there other vendors we wish to consider or specifically exclude, |
| 64 |
> such as Feitan? Not saying we should include them, just cover that |
| 65 |
> people are aware of them. |
| 66 |
|
| 67 |
I've asked the same on IRC. I think it might have been a better idea to |
| 68 |
first officially announce that we're looking for the hardware with some |
| 69 |
basic requirements, and let people reply with suggestions/offers. |
| 70 |
|
| 71 |
> 8. As noted on IRC, please include VAT in the estimation for Yubikey. |
| 72 |
> For Nitrokey it's covered in their FAQ: |
| 73 |
> https://www.nitrokey.com/documentation/frequently-asked-questions#pricing-and-vat |
| 74 |
|
| 75 |
Is anyone aware if Gentoo eV is capable of getting a VAT return for |
| 76 |
this? If that were the case, it might be a better idea to pass it over |
| 77 |
to them. |
| 78 |
|
| 79 |
-- |
| 80 |
Best regards, |
| 81 |
Michał Górny |
Archives