[ciphershed] Re: Decisions to be made

  • From: Bill Cox <waywardgeek@xxxxxxxxx>
  • To: ciphershed@xxxxxxxxxxxxx
  • Date: Sun, 22 Jun 2014 12:10:01 -0400

I'm still mobile, but I support PMC structure.

Bill
On Jun 22, 2014 9:39 AM, "Alain Forget" <aforget@xxxxxxx> wrote:

> 1) Organisational/decision-making structure: I actually thought we (Chris,
> Niklas, Jason, myself, and anyone else?) were mostly in favour of forming a
> PMC of sorts, but the discussion ended when opinions from other core
> contributors (namely Bill, Frank, and Stephen) were solicited, but there was
> no response.
>
> 2) Signatures / warrant canaries: I am keenly following the discussion,
> because I am interested in adopting some kind of policy to alert others if
> I am ever compromised in some way. However, at this time, I have no strong
> opinion, aside that the solution must be usable (require little to
> (ideally) no effort to maintain, particularly when no alarm is needed).
> This is one reason I haven't yet adopted a warrant canary, because I
> haven't figured out a way to usably keep it updated with little effort on
> my part. In any case, I support the position that our primary line of
> defence against any of us being compromised is the integrity of the public
> codebase and as many different people as possible closely scrutinising new
> changes (which admittedly isn't a terribly "usable" solution, but I know of
> no alternative thus far).
>
> 3) Attitudes towards external entities: I feel this is definitely
> something that should be left for the PMC, since (in my mind) this will be
> one of their primary functions. This issue is what seeded the whole idea of
> a PMC in the first place, and I believe that, as the organising/"ruling"
> body largely responsible for the oversight and direction of the project,
> involvement and relations with external entities is definitely within their
> mandate.
>
> I also agree with Niklas' concept of putting a firm timeline before
> decisions (voting?) must be made (a policy the PMC should perhaps
> institute), in order to prevent endless discussions without any decision or
> progress being made (as Chris also fears).
>
> Alain
>
> -----Original Message-----
> From: ciphershed-bounce@xxxxxxxxxxxxx [mailto:
> ciphershed-bounce@xxxxxxxxxxxxx] On Behalf Of Niklas Lemcke - 林樂寬
> Sent: Sunday, June 22, 2014 09:05
> To: ciphershed@xxxxxxxxxxxxx
> Subject: [ciphershed] Re: Decisions to be made
>
> On Sun, 22 Jun 2014 13:58:54 +0100
> PID0 <p1dz3r0@xxxxxxxxx> wrote:
>
> > The clue is in the title, decisions to be made... by who? We have no
> > leadership, so we're unlikely to agree on the items you mention, so
> > we're always going to be stuck in a position of having decisions to be
> > made and no "official" way of making them.
> >
> > Which is why I suggest some kind of PMC-like structure with the core
> > devs. These are standards and guiding objectives that need to be set so
> > we can start in earnest. Not sit around endlessly bickering about and
> > never arrive at a conclusion.
> >
> > Someone/group needs to have the authority to say; this is what has been
> > decided out of deliberation, this is our position. It's not immutable,
> > it might change later as new facts become available, but for now, this
> > is the line we're taking and the direction the project will move in.
> >
> > Or does that sound too much like actually getting stuff done?
>
> It's what I suggested: a PMC-like structure.
>
> >
> > On 22/06/2014 13:06, Niklas Lemcke - 林樂寬 wrote:
> > > Hi folks,
> > >
> > > we need to take decisions and the steps following from them on a few
> > > topics, including:
> > >
> > >  - project structure (remain as open--and possibly vulnerable--as now?)
> > > We had that discussion not long ago, and one of the suggested
> > > alternatives was to go for a kind of PMC structure like the Apache
> > > project. I believe it was consensus though (correct me if I'm wrong)
> > > that a top-down hierarchy will do nothing but hurt the project, so this
> > > needs to be handled with great care.
> > >
> > >  - signatures / warrant canaries
> > >     * sign all commits?
> > >     my suggestion: yes, better safe than sorry.
> > >
> > >     * some people sign mails, some don't; some have warrant
> > > canaries, some don't.
> > >     my suggestion: create @ciphershed.org mail accounts for each
> > > core member, and require each mail sent from those addresses to contain
> > > a warrant canary and to be signed. Mails from mobile or other
> > > laptops are to be sent from personal accounts as until now. Also require
> > > somewhat regular mails from that address (not possible to only "send
> > > from mobile" w/o canary & signature).
> > >
> > >  - What will be our attitude towards SecureStar, TCNext (esp. now that
> > > they cooperate with VeraCrypt), and other similar situations? Will we
> > > discuss this before or after we may have determined a PMC?
> > >
> > > This list is most likely not complete, but it's the most pressing
> > > questions that I recall and that I was going to discuss on Teamspeak.
> > >
> > > I would like to set a timeframe for this. E.g. have these questions
> > > answered by the end of next week, i.e. next Sunday.
> > >
> > > What are other opinions?
> > >
> >
>
>
>
> --
> Niklas
>
> At the time of writing, no warrants have ever been served to me, Niklas
> Lemcke, nor am I under any personal legal compulsion concerning the
> CipherShed project. I do not know of any searches or seizures of my
> assets.
>
>
>
