[ciphershed] Re: Decisions to be made

  • From: "Alain Forget" <aforget@xxxxxxx>
  • To: <ciphershed@xxxxxxxxxxxxx>
  • Date: Sun, 22 Jun 2014 09:39:21 -0400

1) Organisational/decision-making structure: I actually thought we (Chris, 
Niklas, Jason, myself, and anyone else?) were mostly in favour of forming a PMC 
of sorts, but the discussion ended when opinions from other core contributors 
(namely Bill, Frank, and Stephen) were solicited, but there was no response.

2) Signatures / warrant canaries: I am keenly following the discussion, because 
I am interested in adopting some kind of policy to alert others if I am ever 
compromised in some way. However, at this time, I have no strong opinion, other 
than that the solution must be usable (require little to (ideally) no effort to 
maintain, particularly when no alarm is needed). This is one reason I haven't 
yet adopted a warrant canary, because I haven't figured out a way to usably 
keep it updated with little effort on my part. In any case, I support the 
position that our primary line of defence against any of us being compromised 
is the integrity of the public codebase and as many different people as 
possible closely scrutinising new changes (which admittedly isn't a terribly 
"usable" solution, but I know of no alternative thus far).

3) Attitudes towards external entities: I feel this is definitely something 
that should be left for the PMC, since (in my mind) this will be one of their 
primary functions. This issue is what seeded the whole idea of a PMC in the 
first place, and I believe that, as the organising/"ruling" body largely 
responsible for the oversight and direction of the project, involvement and 
relations with external entities is definitely within their mandate.

I also agree with Niklas' concept of putting a firm timeline before decisions 
(voting?) must be made (a policy the PMC should perhaps institute), in order to 
prevent endless discussions without any decision or progress being made (as 
Chris also fears).

Alain

-----Original Message-----
From: ciphershed-bounce@xxxxxxxxxxxxx [mailto:ciphershed-bounce@xxxxxxxxxxxxx] 
On Behalf Of Niklas Lemcke - 林樂寬
Sent: Sunday, June 22, 2014 09:05
To: ciphershed@xxxxxxxxxxxxx
Subject: [ciphershed] Re: Decisions to be made

On Sun, 22 Jun 2014 13:58:54 +0100
PID0 <p1dz3r0@xxxxxxxxx> wrote:

> The clue is in the title, decisions to be made... by who? We have no
> leadership, so we're unlikely to agree on the items you mention, so
> we're always going to be stuck in a position of having decisions to be
> made and no "official" way of making them.
> 
> Which is why I suggest some kind of PMC-like structure with the core
> devs. These are standards and guiding objectives that need to be set so
> we can start in earnest. Not sit around endlessly bickering about and
> never arrive at a conclusion.
> 
> Someone/group needs to have the authority to say; this is what has been
> decided out of deliberation, this is our position. It's not immutable,
> it might change later as new facts become available, but for now, this
> is the line we're taking and the direction the project will move in.
> 
> Or does that sound too much like actually getting stuff done?

It's what I suggested: a PMC-like structure.

> 
> On 22/06/2014 13:06, Niklas Lemcke - 林樂寬 wrote:
> > Hi folks,
> > 
> > we need to take decisions and the steps following from them on a few
> > topics, including:
> > 
> >  - project structure (remain as open--and possibly vulnerable--as now?)
> > We had that discussion not long ago, and one of the suggested
> > alternatives was to go for a kind of PMC structure like the Apache
> > project. I believe it was consensus though (correct me if I'm wrong)
> > that a top-down hierarchy will do nothing but hurt the project, so this
> > needs to be handled with great care.
> > 
> >  - signatures / warrant canaries
> >     * sign all commits?
> >     my suggestion: yes, better safe than sorry.
> > 
> >     * some people sign mails, some don't; some have warrant
> > canaries, some don't.
> >     my suggestion: create @ciphershed.org mail accounts for each
> > core member, and require each mail sent from those addresses to contain
> > a warrant canary and to be signed. Mails from mobile or other
> > laptops are to be sent from personal accounts as until now. Also require
> > somewhat regular mails from that address (not possible to only "send
> > from mobile" w/o canary & signature).
> > 
> >  - What will be our attitude towards SecureStar, TCNext (esp. now that
> > they cooperate with VeraCrypt), and other similar situations? Will we
> > discuss this before or after we may have determined a PMC?
> > 
> > This list is most likely not complete, but it's the most pressing
> > questions that I recall and that I was going to discuss on Teamspeak.
> > 
> > I would like to set a timeframe for this. E.g. have these questions
> > answered by the end of next week, i.e. next Sunday. 
> > 
> > What are other opinions?
> > 
> 



-- 
Niklas

At the time of writing, no warrants have ever been served to me, Niklas
Lemcke, nor am I under any personal legal compulsion concerning the
CipherShed project. I do not know of any searches or seizures of my
assets.
