-rw-r--r-- | 2018/20180915.log.txt | 318 |
1 files changed, 318 insertions, 0 deletions
diff --git a/2018/20180915.log.txt b/2018/20180915.log.txt new file mode 100644 index 0000000..7f3e1f3 --- /dev/null +++ b/2018/20180915.log.txt 
@@ -0,0 +1,318 @@ +[07:06:41] <antarus> #startmeeting "Foundation 2018-09" +[07:06:41] <trusteeBot> Meeting started Sat Sep 15 22:06:41 2018 UTC and is due to finish in 60 minutes. The chair is antarus. Information about MeetBot at http://wiki.debian.org/MeetBot. +[07:06:41] <trusteeBot> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. +[07:06:41] <trusteeBot> The meeting name has been set to '_foundation_2018_09_' +[07:06:44] <dwfreed> heh +[07:07:11] <antarus> rollcall prometheanfire robbat2 antarus alicef b-man +[07:07:17] <prometheanfire> o/ +[07:07:41] <robbat2> present but late +[07:08:30] <antarus> #info Rollcall: antarus, prometheanfire, robbat2 +[07:08:44] <prometheanfire> well, quorum at least +[07:08:50] <antarus> yes quite :) +[07:08:55] <antarus> the bot is logging, supposedly +[07:08:59] <prometheanfire> itnis +[07:09:01] <prometheanfire> it is +[07:09:02] <antarus> I neglected to test that bit +[07:09:14] <dwfreed> I have text logs if you need them +[07:09:19] <antarus> #info old business +[07:09:39] <antarus> Updating the foundation address; I'm waiting until we update the NM filing +[07:09:45] <antarus> I expect to have it all done by next month +[07:10:02] <antarus> I need b-man's address to update the filing; I sent him an email abou tit +[07:10:17] <prometheanfire> ack, and also seen via cc +[07:10:32] <NeddySeagoon> Our registered addr has to stay in NM +[07:10:36] <antarus> (I may try to update ones I don't think I need the filing for) +[07:10:50] <antarus> NeddySeagoon: yes, we are updating other addresses +[07:10:52] <antarus> (not that one) +[07:10:53] <prometheanfire> robbat2: should we update the bank info? 
or since I stayed on are we still good (iirc dabbott was the other person on the account) +[07:11:00] <NeddySeagoon> antarus: :) +[07:11:18] <antarus> NeddySeagoon: its https://bugs.gentoo.org/show_bug.cgi?id=613950 if you are curious +[07:11:30] <robbat2> one sec, checking the latest statemnets to confirm bank addresses +[07:11:48] <prometheanfire> robbat2: and account 'holders'? +[07:13:01] <robbat2> Money market #3246 definetly has the new mailing address +[07:13:55] <robbat2> prometheanfire: can you login to the spark business account and confirm mailing address on there? it only has the registered agent addr +[07:14:00] <robbat2> on the statements +[07:14:10] <prometheanfire> ok +[07:14:11] <antarus> robbat2: can we just do this OOB and update teh bugs accordingly? +[07:14:24] <robbat2> antarus: continue in the meantime +[07:14:44] <antarus> The question of who to keep on the accounts is an interesting one +[07:14:54] <antarus> i'm not familiar enough wth business accounts to say +[07:15:24] <robbat2> the president & treasurer if possible is best-practice I've had elsewhere from research; +[07:15:37] <robbat2> failing that, president & secretary +[07:15:46] <antarus> ack +[07:15:53] <robbat2> either way, antarus should be added +[07:16:07] <robbat2> question is also if b-man should be added; and when to remove dabbott +[07:16:36] <antarus> #action Change account holders to be [antarus,robbat2,b-man] +[07:16:38] <prometheanfire> expand then contract +[07:16:45] <antarus> bot, I hope you are doing stuff ;) +[07:16:53] <robbat2> you can't add me: because the bank won't add non us-resident +[07:17:20] <robbat2> presently on the spark is prometheanfire, dabbott +[07:17:38] <robbat2> presently on the moneymarket#3246 is tsunam (we were trying to close this one) +[07:17:43] <antarus> I aspire to add all 3, lets see how far we get +[07:18:00] <prometheanfire> antarus: robbat2 we can talk offline and work on it +[07:18:02] <antarus> I think there is a branch in NY i 
can go to to hopefully get that MM one taken +[07:18:10] <antarus> #info votes +[07:18:11] <prometheanfire> that'd be nice +[07:18:17] <prometheanfire> they closed satx branches... +[07:18:42] <antarus> https://bugs.gentoo.org/645192 - Staff quiz and gpg competence should be required for foundation membership +[07:19:09] <antarus> any thoughts on this one? +[07:19:16] <prometheanfire> I don't think the 'staff quiz' (now called the developer quiz) is fully suited as a foundation membership quiz +[07:19:22] <prometheanfire> it's a good base though +[07:19:28] <prometheanfire> https://projects.gentoo.org/comrel/recruiters/quizzes/developer-quiz.txt +[07:19:32] <prometheanfire> #link https://projects.gentoo.org/comrel/recruiters/quizzes/developer-quiz.txt +[07:19:45] <NeddySeagoon> What is 'gpg competence' ? +[07:20:08] <antarus> I think the real challenge is that the community doesn't understand what qualifies people to be members, or not +[07:20:15] <antarus> and this reduces credibility of membership +[07:20:40] <antarus> (and just of the foundation in general) +[07:21:31] <prometheanfire> sure, I do think a quiz is a good idea (to ensure knowlege about what membership means and requires) +[07:22:41] <antarus> any other comments? otherwise we can vote? 
+[07:23:19] <robbat2> i want a clear definition of the gpg competence for the implementation; but i'd like to vote now +[07:23:28] <antarus> please vote aye or nay +[07:23:44] <prometheanfire> suggestion for a quiz to be adopted (give us something to vote on, rather than a concept) +[07:24:39] <antarus> I believe the current proposal is the staff quiz +[07:24:50] <antarus> Lets start with that then +[07:24:51] <prometheanfire> ok +[07:25:00] <robbat2> the proposal says staff quiz + gpg competence +[07:25:07] <robbat2> on the staff quiz: aye +[07:25:10] <antarus> propose that new foundation members take the "developer quiz" +[07:25:20] <antarus> (as linked above) +[07:25:37] <prometheanfire> nay +[07:26:06] <robbat2> antarus: your vote is going to decide ;-) +[07:26:14] <antarus> I know, its terrible +[07:26:16] <antarus> I vote aye +[07:26:19] <prometheanfire> lol +[07:26:43] -*- prometheanfire would like to see the questions updated to be more applicable to foundation membership +[07:27:02] <antarus> happy to iterate on content there +[07:27:06] <prometheanfire> k +[07:27:12] <antarus> I generally prefer some kind of concrete criteria over nothing +[07:27:14] <NeddySeagoon> who will asess quizzes ? +[07:27:16] <antarus> whichi is why I voted aye +[07:27:28] <antarus> trustees@, clearly ;) +[07:27:29] <prometheanfire> NeddySeagoon: the proposal states that the trustees do +[07:27:48] <prometheanfire> #link https://bugs.gentoo.org/645192 +[07:28:02] <NeddySeagoon> That works. So no @gentoo.org for members from that. +[07:28:12] <antarus> #agreed that new foundation members take the "developer quiz" +[07:28:29] <antarus> #info https://bugs.gentoo.org/536668 - Change grammar of social contract to be clearer +[07:29:15] <antarus> in particular I think we should vote on the update prometheanfire just added to the bug +[07:29:15] <prometheanfire> do we have a proposal of the actual change to be made? 
+[07:29:40] <antarus> #link https://bugs.gentoo.org/536668#c5 +[07:29:53] -*- prometheanfire will vote last on that +[07:30:20] <antarus> I thought i had to vote last as a matter of procedure ;p +[07:30:24] <robbat2> to give another concrete example of something we do & must hide: PII as part of treasurer reimbursement process +[07:30:29] <antarus> any comments before voting? +[07:30:44] <prometheanfire> antarus: nice to have, not needed, doesn't really mater much imo +[07:30:47] <prometheanfire> for this at least +[07:31:03] <prometheanfire> robbat2: ack +[07:31:18] <prometheanfire> I wrote the update as I did to allow us leeway in what we decide to hide +[07:31:24] <prometheanfire> chaned will to may as well +[07:31:27] <antarus> in general I prefer a culture where we assume people act in good faith +[07:32:04] <antarus> that means allowing them to actually act on their own and not have enumeration; within reason +[07:33:02] <antarus> please vote yay or nay +[07:33:06] <antarus> or aye or nay +[07:33:10] <antarus> ;) +[07:33:46] <robbat2> aye +[07:33:49] <antarus> aye +[07:33:50] <prometheanfire> aye +[07:33:55] <robbat2> (afk, brb) +[07:34:09] <antarus> #agreed The social contract will be amended as per https://bugs.gentoo.org/536668#c5 +[07:34:29] <antarus> #info https://bugs.gentoo.org/642072 - Vote on new DCO +[07:34:33] <antarus> #link https://bugs.gentoo.org/642072 +[07:35:04] <prometheanfire> before the meeting we talked about implimentation timeline +[07:35:55] <antarus> my opinion is that we delegate to council for implementation timeline +[07:35:55] <prometheanfire> 2 weeks for interpreting it, 2 more weeks for enforcing +[07:36:24] <prometheanfire> that's fine too +[07:36:51] <antarus> I want to see it happen, I'm not sure it matters if it happens tomorrow or 30 days from now, or whatever +[07:36:57] <antarus> I assume the council will do the right thing +[07:37:12] <antarus> robbat2: we can vote when you return +[07:37:24] <prometheanfire> I don't 
quite like 'The term "open source" has been replaced by "free software" throughout. +[07:37:33] <prometheanfire> because that's less exact imo +[07:37:42] <prometheanfire> then again, open source isn't exactly great +[07:38:05] <prometheanfire> The term "free software" is used for consistency with the language of the Gentoo Social Contract [1]. +[07:38:10] <prometheanfire> but still... +[07:38:14] <antarus> hrm, https://dev.gentoo.org/~ulm/glep-copyrightpolicy.html is also 404 +[07:38:27] <antarus> https://www.gentoo.org/glep/glep-0076.html is I guess what we are voting on +[07:38:28] <ulm> it's at https://www.gentoo.org/glep/glep-0076.html +[07:38:30] <antarus> #link https://www.gentoo.org/glep/glep-0076.html +[07:38:39] <ulm> yep :) +[07:38:46] <prometheanfire> yes, I'm looking at https://www.gentoo.org/glep/glep-0076.html +[07:38:59] <prometheanfire> I'm fine to vote now +[07:41:40] <robbat2> back +[07:41:52] <antarus> robbat2: any comments on glep 76 before voting? +[07:42:19] <robbat2> i also disagree w/ open source vs free software, but understand why the change for consistency +[07:43:00] <robbat2> esp that the social contract definition invokes OSI +[07:43:10] <robbat2> so what it calls 'free software' is really what OSI calls open source +[07:43:27] <prometheanfire> yep +[07:44:17] <antarus> so noted +[07:44:28] <antarus> please vote aye / nay on glep 76 +[07:44:44] <prometheanfire> aye +[07:45:58] <robbat2> aye +[07:46:38] <antarus> #agreed Glep 76 is accepted +[07:46:53] <robbat2> antarus: did you vote? +[07:46:54] <antarus> ulm: congratulations on your hard work driving this process +[07:46:56] <robbat2> i don't see it above +[07:46:58] <antarus> do I need to vote? 
+[07:47:01] <prometheanfire> I didn't see a vote +[07:47:03] <ulm> thanks +[07:47:04] <prometheanfire> it'd be good +[07:47:07] <antarus> aye +[07:47:10] <prometheanfire> :D +[07:47:30] <antarus> much cats were herded +[07:47:53] <antarus> #info Bug 659620 - Please look into possibilities of providing crypto/enhanced security hardware to developers +[07:47:55] <willikins> antarus: https://bugs.gentoo.org/659620 "Please look into possibilities of providing crypto/enhanced security hardware to developers"; Gentoo Foundation, Proposals; IN_P; mgorny:trustees +[07:47:56] <prometheanfire> ulm: the fun is just starting, now changes get to be implimented :P +[07:47:58] <antarus> #link https://bugs.gentoo.org/659620 +[07:48:06] <antarus> oh thanks willikins +[07:48:18] <ulm> prometheanfire: yeah, that will take some time +[07:48:28] <ulm> repoman, mainly +[07:48:35] <prometheanfire> sure +[07:48:56] <prometheanfire> antarus: my main comment for the token, is I'm not sure the use case +[07:49:09] <prometheanfire> do we want it for gpg, or 2fa? (or both) +[07:49:09] <robbat2> b-man's two motion texts were only in trustees email +[07:49:25] <robbat2> i'd like them copied here for the record +[07:49:33] <robbat2> (i'll paste if no objections) +[07:49:42] <prometheanfire> please do (aye) +[07:49:53] <robbat2> Motion: I move that the board vote to accept the offer from Yubico or +[07:49:53] <robbat2> Nitrokey and begin our agreement with the accepted vendor beginning 1 +[07:49:54] <robbat2> September 2018. This motion will provide security tokens to all current +[07:49:54] <robbat2> developers listed in Gentoo's LDAP infrastructure as of 31 August 2018. +[07:49:54] <robbat2> Motion: I move that the board vote to maintain the aforementioned +[07:49:56] <robbat2> agreement in order to support future Gentoo developers with security +[07:49:58] <robbat2> tokens. This motion includes the right to terminate future purchases +[07:50:01] <robbat2> based on the Foundation's financials. 
+[07:50:25] <antarus> we could change the dates, I supposed +[07:50:28] <prometheanfire> ya +[07:50:44] <prometheanfire> but I'm still not sure what problem it's an attempt to solve +[07:51:21] <robbat2> it's just trying to encourge better GPG practice +[07:51:23] <prometheanfire> I know mgorny was testing 2fa +[07:51:29] <robbat2> not trying to solve general 2FA requirement +[07:51:31] <antarus> The yubico keys were approximately 6600$, the nitrokeys were 4700 (both for a count of 150) +[07:51:33] <prometheanfire> ok +[07:51:39] <antarus> (sorry both in USD) +[07:51:48] <prometheanfire> nitrokey would dropship too +[07:52:15] <robbat2> dropship and we're not on the hook for all of them, incremental billing +[07:52:21] <prometheanfire> for gpg only purposes I have my vote ready on the two motions +[07:52:32] <robbat2> (i'm going to have to go in a moment) +[07:52:44] <antarus> #info: We will publish the actual agreements, if possible, post meeting +[07:53:33] <antarus> I propose 3 votes +[07:53:51] <antarus> 1) Should we spend foundation funds to buy keys for Gentoo developers? +[07:54:00] <antarus> 2) Yubico or Nitrokey? +[07:54:11] <antarus> 3) the second b-man motion, essentially +[07:54:17] <robbat2> i have a 4th vote to add +[07:54:24] <antarus> (as the first motion is only for existing developers) +[07:54:30] <robbat2> or rather, it's a clarification of vote text +[07:54:34] <antarus> shoot +[07:54:39] <antarus> Trying to wrap this up in the next 5 minutes ;) +[07:54:57] <robbat2> 1) Should we spend foundation funds to buy keys for Gentoo developers, for GPG signing? +[07:55:03] <antarus> ack, sgtm +[07:55:06] <robbat2> 4) Should we spend foundation funds to buy keys for Gentoo developers, general 2FA? +[07:55:18] <prometheanfire> k +[07:55:29] <robbat2> antarus: you good with that #4? +[07:55:35] <antarus> Yes +[07:55:40] <antarus> Please vote on the first motion. 
+[07:55:48] <robbat2> aye on #1 +[07:55:53] <prometheanfire> aye to the ammended first motion +[07:55:56] <antarus> aye +[07:56:10] <antarus> #agreed We shall spend foundation funds to buy keys for Gentoo developers, for GPG signing. +[07:56:49] <antarus> 2) Given the two vendor options as secured by b-man, please vote by saying "yubico" or "nitrokey" +[07:57:04] <robbat2> #2: nitrokey +[07:57:05] <antarus> #info vendor selection: Yubico or Nitrokey? +[07:57:19] <prometheanfire> aye for nitrokey +[07:57:24] <antarus> nitrokey +[07:57:34] <antarus> #agreed We will more forward with the Nitrokey agreement +[07:57:49] <robbat2> (yubico is better hardware choice I feel, but cannot ship to some of our developers and has other non-hardware downsides like open source concerns) +[07:58:19] <antarus> #info Do we agree to maintain the nitrokey agreement for potential future developers? +[07:58:26] <antarus> please vote aye or nay +[07:58:29] <prometheanfire> robbat2: ack +[07:58:37] <prometheanfire> aye +[07:58:48] <robbat2> aye, for 12 months subject to renewal by later trustees +[07:59:08] <antarus> aye +[07:59:23] <antarus> #agreed The agreement shall cover potential future developers and will require annual renewal +[07:59:30] <prometheanfire> sgtm +[07:59:43] <antarus> #info (4) Should the foundatoin spend funds to purchase hardware tokens for 2FA purposes? 
+[07:59:57] <prometheanfire> nay, needs more clarification on usage / need +[08:00:19] <prometheanfire> infra input there would be helpful +[08:00:36] <antarus> The only existing 2FA is blogs, github, and d.g.o (but not git.g.o) +[08:00:39] <antarus> (iirc) +[08:00:47] <robbat2> nay, because the hardware options aren't solidified enough yet (no FIDO2 options per my other email) +[08:01:00] <antarus> nay for basically the same reasons +[08:01:10] <antarus> hopefully some tokens covering the new standards come out soon +[08:01:13] <robbat2> gitolite has 2FA support, but no SSO-like integration which makes it really painful +[08:01:32] <robbat2> specifically it's NOT SSH 2FA, it's a seperate layer +[08:01:54] <prometheanfire> ya, I would like fido2 + gpg +[08:01:55] <antarus> #info Motion 4 failed to be accepted +[08:02:31] <antarus> #info prometheanfire update on wiki copy? +[08:02:41] <antarus> #link https://bugs.gentoo.org/662182 +[08:02:47] <prometheanfire> sure +[08:02:47] <robbat2> re the keys, I have a statement as treasurer I'd like on record +[08:03:12] <antarus> robbat2: go +[08:03:35] <robbat2> if devs retire less than 6 months after having the key, i'm going to ask they wipe & ship it back to (exact locations to be decided later, to avoid international shipping) +[08:03:43] <robbat2> after that, i intend to write off the cost +[08:04:04] <antarus> ok +[08:04:17] <robbat2> if the return shipping cost is too high, it's an writeoff already +[08:04:36] <robbat2> (because it's cheaper to ship a new unit to somebody else) +[08:04:46] <NeddySeagoon> Return and ship out again cost +[08:04:54] <prometheanfire> I emailed the whois contact (best I could find), reply was automated to go to a web form for contact, I did that, have not recieved a response, I think we need to escelate next, though I just checked and 404 https://www.linuxsecrets.com/gentoo-wiki/ +[08:05:07] <antarus> prometheanfire: excellent +[08:05:38] <antarus> I'm goign to skip jmbsvicetto for 
robbat2; any treasurer updates? +[08:05:47] <prometheanfire> so they didn't respond but did act, I cc'd the trustees for my email, but I pointed to the name/usage guidelines for how they could come in compliance (and to the wayback machine as an example) +[08:05:54] <antarus> #info Treasurer updates +[08:06:15] <robbat2> treasurer: thanks to NeddySeagoon for his work collecting in-kind history from wiki+public cvs +[08:06:16] <antarus> prometheanfire: that is similar to my experience when sending out these notifications +[08:06:34] <robbat2> further collection is needed from infra inventory emails, infra cvs&git history [cfengine/puppet] +[08:06:41] <robbat2> and old infra logs +[08:06:52] <robbat2> on the assignment of value to machines +[08:07:18] <robbat2> i have spoken to several sponsors so far, and they ask that I come up with a consistent form request for them to pass to their accountants/finance people +[08:07:48] <robbat2> so far that's packet.net, OSL, bytemark, SevenL +[08:07:55] <robbat2> that I asked about it +[08:08:21] <robbat2> all of those were verbal discussion; packet & OSL were in person +[08:08:35] <robbat2> (during open source summit conference) +[08:08:59] <robbat2> that's all on the treasurer front +[08:09:07] <robbat2> are we having a motion on the RFP? 
+[08:09:31] <prometheanfire> my suggestion these is to use robbat2's suggestions with it +[08:09:36] <antarus> My preference is to send it out before the next board meeting +[08:09:42] <antarus> I was going to ask where it was at ;) +[08:09:52] <prometheanfire> atm it's on K_F's site +[08:10:19] <antarus> #link https://dev.gentoo.org/~k_f/irs-rfp-wip2.pdf +[08:10:19] <robbat2> there's latex source for it +[08:10:24] <antarus> was the last copy I have available +[08:10:29] <prometheanfire> #link https://download.sumptuouscapital.com/gentoo/irs-rfp.pdf +[08:10:37] <prometheanfire> that's 'current' +[08:10:53] <prometheanfire> ya, latex is in get, somewhere +[08:11:13] <Shentino> Original proposer here in regards to bug 645192. By "GPG competence" I mean that the prospective new member knows enough about GPG to actually sign the quiz when submitting it as part of their application. +[08:11:15] <willikins> Shentino: https://bugs.gentoo.org/645192 "Staff quiz and gpg competence should be required for foundation membership"; Gentoo Foundation, Proposals; CONF; shentino:trustees +[08:11:45] <antarus> robbat2: basically I think we need to amend the RFP with your draft comments, check the RFP in somewhere we know +[08:11:56] <prometheanfire> sgtm +[08:11:57] <antarus> and we can do the motion over email on the nfp list +[08:12:05] <robbat2> copy git history to our own repos +[08:12:09] <robbat2> edit, publish +[08:12:24] <prometheanfire> wfm +[08:12:25] <robbat2> that other RFP that I saw during the week may have some further improvements too +[08:12:36] <antarus> who is owning that set of work +[08:12:41] <antarus> robbat2: do you have bandwidth for it? 
+[08:13:07] <antarus> (feel free to say no) +[08:13:27] <robbat2> i do not have time presently +[08:13:35] <robbat2> and I have to leave the meeting now +[08:13:39] <robbat2> for kids +[08:13:40] <robbat2> bye +[08:13:48] <antarus> ok +[08:13:51] <antarus> cya ;) +[08:14:04] <robbat2> (for next meeting, weekend of the 20th or 27th plz) +[08:14:11] -*- antarus will find someone +[08:14:19] <antarus> October is...a bad month for me ;) +[08:14:36] <antarus> #info bugs +[08:14:38] <antarus> I closed a bunch +[08:14:43] <antarus> the end +[08:14:57] <prometheanfire> :D +[08:15:00] <prometheanfire> I just closed mine +[08:15:04] <antarus> I'll post the logs, the motions, the emails, the agenda, and the topic +[08:15:06] <antarus> cause..why not +[08:15:19] <prometheanfire> lol +[08:15:33] <antarus> prometheanfire: next meeting, any preference? +[08:15:41] <antarus> I suspect i am in europe both 20 and 27th +[08:16:02] <prometheanfire> I'm doing wedding stuff 18-23 +[08:16:18] <prometheanfire> other than that am open +[08:16:28] <antarus> so of the 20th and 27th, you prefer the latter? +[08:16:36] <prometheanfire> yes +[08:16:38] <antarus> ack +[08:16:53] -*- antarus bangs gavel +[08:16:55] <antarus> #endmeeting +[08:16:55] <trusteeBot> Meeting ended Sat Sep 15 23:16:54 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) |
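Review bot: The entries at 07:13:01 and 07:17:38 put a bank account suffix ("Money market #3246", "moneymarket#3246") into the committed log, next to the names of the current holders of each account. The same log has robbat2 noting at 07:30:24 that PII in the treasurer reimbursement process is something the Foundation must hide. If this repository is readable outside the trustees, consider redacting the account suffix before merging, with a marker such as "[redacted]" so the edit is visible. Separately, the bracketed timestamps run from 07:06:41 to 08:16:55, while the MeetBot lines give the start as "Sat Sep 15 22:06:41 2018 UTC" and the end as "23:16:54 2018 UTC", so the log is recorded in a local timezone that the file never states. A one-line header naming the offset, or a conversion to UTC, would keep the times consistent with the 20180915 file name.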