On 07/03/19 07:13, Rich Freeman wrote:
> On Wed, Jul 3, 2019 at 12:31 AM desultory <desultory@g.o> wrote:
>>
>> You based your argument on your preference, as opposed to reality.
>
> This entire thread is about preference. The reality is that you need
> to use your real name to contribute to Gentoo right now. You would
> prefer that it be otherwise. There is no harm in expressing that.
>
That "reality" is, once again, not real. Sure, there is the (practically
unverifiable) requirement for signing off commits, but that is hardly
the only way to contribute to Gentoo right now.
|
>> Accepting and providing payments are fairly basic operations
>> for legal entities to engage in, even if the foundation were to be
>> dissolved there would still be financial transactions apropos Gentoo.
>
> If we were operating under an umbrella org, Gentoo would not be
> legally responsible for these activities.
>
> Also, I believe that these activities should STILL be minimized,
> ideally towards zero. Physical servers and bank accounts are
> vulnerabilities that can be disrupted. The less you depend on them,
> the more resilient you are.
>
Again, I ask: how?
|
> If Gentoo were nothing more than a git repo it would be almost
> impossible to disrupt its operations as these are trivially
> replicated. If the services it did run were entirely open they would
> be trivially mirrored (I mean open everything - not just the upstream
> code, but all our configs/etc - obviously short of the credentials).
>
If Gentoo were nothing more than a git repo it would be almost useless.
No bug tracking, no integrated communications channels beyond various
forms of repo abuse, no user support, no mailing lists, no bespoke
package manager, no non-trivial analogs of e.g. eselect, not even
documentation outside of a git repo. On the plus side, there would
likely be next to no pesky users either.
|
> Yes, I'm obviously speaking aspirationally, but the principle is still
> valid. IMO FOSS solutions for replacing some of the infra-heavy
> existing solutions like bugzilla are lacking, so this could be a long
> road. However, anytime we deploy something new we should be asking
> whether any Gentoo user can trivially replicate the entire service
> based on our documentation and published data (ideally with a few
> lines), ideally including even authentication (no reason a Gentoo
> credential shouldn't work on a non-Gentoo site in a world where
> federation is common). If the answer is no, then we're creating a
> dependency on some black box that could be taken away from us.
>
As with most principles, what validity it has only extends to a point
and that point is far and away exceeded by what could loosely be termed
your proposals (given that there are no details beyond handwaving away
all practical considerations). By your argument, virtually everything
hosted on Gentoo controlled infra is a liability, not just bugzilla, but
the mailing lists (especially -core), developer mail in general, the
forums, the wiki, even your reductive case of gentoo.git would bear some
"black box".
|
>> In that case, you are advocating for having no: passwords, password
>> hashes, private e-mail (including security related correspondence), no
>> encryption keys, no signing keys, no pre-release code, no closed source
>> code, no code not meant for release for any reason at all, no
>> confidential data at all, and probably other things that I neglected to
>> list.
>
> None of those are really PII. However, we should certainly be
> minimizing our dependence on all of these. We should depend on actual
> PII even less, and I'm skeptical that we need to retain this at all if
> we stop operating a legal entity.
>
Having "nothing to steal" means having nothing that other people value,
not just not having one specific class of things other people might value.
|
Bearing in mind that none of the things I listed are at all specific to
the foundation; how, exactly, would not having a legal entity (good luck
with enforcing and defending licensing and the use of marks, among
other things) remove the need to have any of the things I listed? Any
given one, your choice, how would an existing need for it go away
without a legal entity?
|
> I'm not saying that we'll ever reach zero, but anytime we can
> accomplish our goals without resorting to using the laundry list of
> stuff you just provided, we should.
>
While having preferences for lighter and more open systems is, to an
extent, something toward which one can work, the degree of purity
testing that you are implying is a virtually guaranteed path to extinction.