On Sun, 2018-08-19 at 22:01 +0000, Robin H. Johnson wrote:
> On Sun, Aug 19, 2018 at 02:42:23PM -0400, Aaron Bauman wrote:
> > Gentoo-bug: https://bugs.gentoo.org/659620
> 
> I have some discussion items & questions regarding the details of the
> proposal. The questions are explicitly marked with 'Question:' so that
> they stand out. I have asked questions in both roles I hold: Treasurer
> of the Foundation & lead of the Infrastructure team.
> 
> 1. Quantity:
> (this is mostly to answer other people asking on the lists)
> The Foundation has specified 150 units as the quantity for price
> quoting, despite 176 developers being listed as active in LDAP. There
> are multiple factors here:
> - The Foundation did not want to commit to buying more keys than needed
> - This may be an impetus for inactive developers to retire
> - 151 developers have access to repo/gentoo.git
> - 140 unique developers committed to any gentoo.org Git/CVS in the last
> 6 months (123 in the last 3 months).

Also note that some developers have hardware tokens already, or stated
that they will get one themselves once GF selects the type.

> 4. Functionality:
> Infra discussions about a potential single-sign-on system for
> authentication (not commit signing) seem to be converging around OATH &
> U2F systems, or the upcoming FIDO2 standard [expect new keys to be
> available later this year or early next year]. The Nitrokey Pro will
> offer OpenPGP only, while the YubiKey FIPS will offer both OpenPGP &
> U2F.

For the record, I'm not convinced about using a single device for both
purposes. Given that some developers are using OpenPGP to encrypt
password stores, and that we are testing support for 2-step
authentication for SSH, having the same device provide both elements
might defeat the purpose of the exercise.

> 5. Ownership:
> As Treasurer, I would like to point out that this hardware will remain
> the property of the Foundation for 6 years. This is the relevant
> depreciation lifespan permitted by IRS regulations. The shipping cost
> however to return an individual unit will exceed the remaining value
> after 2 years (depending on the purchasing quarter, by the end of the
> second financial year, 43-61% of the unit value will be depreciated).
> 
> 5.1 Question (as Treasurer): As part of accepting the motions to purchase,
> the Board must implement written requirements for developers to return
> the keys, at their own cost, if the developer retires within 2.5 years
> of ordering the unit.

As mentioned in the other mail, should we account for financial
reimbursement in case a developer doesn't return / loses the device?
Furthermore, should we permit developers to keep it if they reimburse
the Foundation? I'm not sure how far this is legally feasible.

> (snip parts of quotes)
> > All, this email will serve as a comparison between the two vendors which
> > have provided quotes to the Foundation. This does not include Alice's
> > proposal as U2FZero is currently out of stock in the United States and
> > does not seem to offer any availability in Asia.
> 
> 6. Question: Other Vendors
> Are there other vendors we wish to consider or specifically exclude,
> such as Feitan? Not saying we should include them, just cover that
> people are aware of them.

I've asked the same on IRC. I think it might have been a better idea to
first officially announce that we're looking for the hardware with some
basic requirements, and let people reply with suggestions/offers.

> 8. As noted on IRC, please include VAT in the estimation for Yubikey.
> For Nitrokey it's covered in their FAQ:
> https://www.nitrokey.com/documentation/frequently-asked-questions#pricing-and-vat

Is anyone aware if Gentoo eV is capable of getting a VAT return for
this? If that were the case, it might be a better idea to pass it over
to them.

-- 
Best regards,
Michał Górny