| 1 |
On 07/03/19 07:13, Rich Freeman wrote: |
| 2 |
> On Wed, Jul 3, 2019 at 12:31 AM desultory <desultory@g.o> wrote: |
| 3 |
>> |
| 4 |
>> You based your argument on your preference, as opposed to reality. |
| 5 |
> |
| 6 |
> This entire thread is about preference. The reality is that you need |
| 7 |
> to use your real name to contribute to Gentoo right now. You would |
| 8 |
> prefer that it be otherwise. There is no harm in expressing that. |
| 9 |
> |
| 10 |
That "reality" is, once again, not real. Sure, there is the (practically |
| 11 |
unverifiable) requirement for signing off commits, but that is hardly |
| 12 |
the only way to contribute to Gentoo right now. |
| 13 |
|
| 14 |
>> Accepting and providing payments are fairly basic operations |
| 15 |
>> for legal entities to engage in, even if the foundation were to be |
| 16 |
>> dissolved there would still be financial transactions apropos Gentoo. |
| 17 |
> |
| 18 |
> If we were operating under an umbrella org, Gentoo would not be |
| 19 |
> legally responsible for these activities. |
| 20 |
> |
| 21 |
> Also, I believe that these activities should STILL be minimized, |
| 22 |
> ideally towards zero. Physical servers and bank accounts are |
| 23 |
> vulnerabilities that can be disrupted. The less you depend on them, |
| 24 |
> the more resilient you are. |
| 25 |
> |
| 26 |
Again, I ask: how? |
| 27 |
|
| 28 |
> If Gentoo were nothing more than a git repo it would be almost |
| 29 |
> impossible to disrupt its operations as these are trivially |
| 30 |
> replicated. If the services it did run were entirely open they would |
| 31 |
> be trivially mirrored (I mean open everything - not just the upstream |
| 32 |
> code, but all our configs/etc - obviously short of the credentials). |
| 33 |
> |
| 34 |
If Gentoo were nothing more than a git repo it would be almost useless. |
| 35 |
No bug tracking, no integrated communications channels beyond various |
| 36 |
forms of repo abuse, no user support, no mailing lists, no bespoke |
| 37 |
package manager, no non-trivial analogs of e.g. eselect, not even |
| 38 |
documentation outside of a git repo. On the plus side, there would |
| 39 |
likely be next to no pesky users either. |
| 40 |
|
| 41 |
> Yes, I'm obviously speaking aspirationally, but the principle is still |
| 42 |
> valid. IMO FOSS solutions for replacing some of the infra-heavy |
| 43 |
> existing solutions like bugzilla are lacking, so this could be a long |
| 44 |
> road. However, anytime we deploy something new we should be asking |
| 45 |
> whether any Gentoo user can trivially replicate the entire service |
| 46 |
> based on our documentation and published data (ideally with a few |
| 47 |
> lines), ideally including even authentication (no reason a Gentoo |
| 48 |
> credential shouldn't work on a non-Gentoo site in a world where |
| 49 |
> federation is common). If the answer is no, then we're creating a |
| 50 |
> dependency on some black box that could be taken away from us. |
| 51 |
> |
| 52 |
As with most principles, what validity it has only extends to a point |
| 53 |
and that point s far and away exceeded by what could loosely be termed |
| 54 |
your proposals (given that there are no details beyond handwaving away |
| 55 |
all practical considerations). By your argument, virtually everything |
| 56 |
hosted on Gentoo controlled infra is a liability, not just bugzilla, but |
| 57 |
the mailing lists (especially -core), developer mail in general, the |
| 58 |
forums, the wiki, even your reductive case of gentoo.git would bear some |
| 59 |
"black box". |
| 60 |
|
| 61 |
>> In that case, you are advocating for having no: passwords, password |
| 62 |
>> hashes, private e-mail (including security related correspondence), no |
| 63 |
>> encryption keys, no signing keys, no pre-release code, no closed source |
| 64 |
>> code, no code not meant for release for any reason at all, no |
| 65 |
>> confidential data at all, and probably other things that I neglected to |
| 66 |
>> list. |
| 67 |
> |
| 68 |
> None of those are really PII. However, we should certainly be |
| 69 |
> minimizing our dependence on all of these. We should depend on actual |
| 70 |
> PII even less, and I'm skeptical that we need to retain this at all if |
| 71 |
> we stop operating a legal entity. |
| 72 |
> |
| 73 |
Having "nothing to steal" means having nothing that other people value, |
| 74 |
not just not having one specific class of things other people might value. |
| 75 |
|
| 76 |
Bearing in mind that none of the things I listed are at all specific to |
| 77 |
the foundation; how, exactly, would not having a legal entity (good luck |
| 78 |
with enforcing and defending licensing and the use of marks, among |
| 79 |
other things) remove the need to have any of the things I listed? Any |
| 80 |
given one, your choice, how would an existing need for it go away |
| 81 |
without a legal entity? |
| 82 |
|
| 83 |
> I'm not saying that we'll ever reach zero, but anytime we can |
| 84 |
> accomplish our goals without resorting to using the laundry list of |
| 85 |
> stuff you just provided, we should. |
| 86 |
> |
| 87 |
While having preferences for lighter and more open systems is, to an |
| 88 |
extent, something toward which one can work, the degree of purity |
| 89 |
testing that you are implying is a virtually guaranteed path to extinction. |
Archives