On Fri, Jun 26, 2020 at 4:17 PM Alec Warner <antarus@g.o> wrote:
>
> Is it against the social contract to purchase these CDN services?
> Is it against the social contract to purchase these CDN services, even if the services are provided via open source software?
>

IMO the obvious answer to the second question is that purchasing
services that are provided using FOSS is absolutely permitted by the
social contract. Obviously we should be careful with money, but we're
allowed to spend money on services and in fact have done so in other
cases (like paying for a bug bounty, for accounting services, etc -
generally all using FOSS where it exists).
|
The first question is more of a grey area. IMO something like a
mirror/CDN network is really not something we're "depending" on in the
spirit of the social contract. They're just providing extremely
commoditized services based on completely open protocols, so if the
whole thing were to go away overnight the main thing we'd see is a
lower level of service, and replicating the network with another
provider would be trivial. For our distfiles/rsync mirrors we don't
audit to make sure every one of those providers is using 100% FOSS,
and I doubt most of their servers are running coreboot. Those mirrors
are just http/etc and nobody is going to notice if one is running IIS
for some reason.
|
Now, if we were going to host bugzilla or email or some other core
infra on non-FOSS software I think it would be a much larger concern.
I think the key is that the authoritative source is FOSS, and we're
just using vendors to mirror data using a black box mechanism and open
protocols.
|
But, I'll be the first to ack that this second bit is a grey area, and
I'm sure there will be others that disagree. I think it is ok if a
social contract has a bit of grey around the edges, and ultimately the
community can decide how they feel about it.
|
I realize that you didn't want to get into the fiscal argument, but
I'd toss in my two cents here: it seems like we have a lot of orgs
that donate servers/etc and I know we're always getting requests on
pr@ for "sponsors" (usually cash for SEO, but maybe some could offer
actual hosting). I actually like depending on donations in kind a lot
more than money because it tends to keep the org rooted in what serves
the broader FOSS/etc community vs being an org that handles a lot of
cash which can sometimes lose perspective.
|
--
Rich