[haiku-development] Re: RFC: @haiku-os.org email address policy

  • From: "Jorge G. Mare" <koki@xxxxxxxxxxxxx>
  • To: haiku-development@xxxxxxxxxxxxx
  • Date: Thu, 07 Jan 2010 13:32:59 -0800

Hi Niels,

Niels Reedijk wrote:

However, if the email address or Haiku's servers are used to transmit
illegal activities (including spam) or commercial activities
(including selling software or using the @haiku-os.org brand to
solicit for private donations), the email alias will be terminated at
the discretion of Haiku's system administrators.


I put in the no illegal activities, no commercial activities because
we should want to protect the Haiku brand from being misused. For
example, if you use your @haiku-os.org email to sollicit for donations
in my opinion using Haiku's brand image for personal gain.
We agree that we do not want the Haiku name to be misused or abused, and that any clearcut situation of technical nature (i.e., spamming, phishing, etc.) should be dealt with accordingly and expeditiously by the system admin(s). But... 


Secondly, about whether or not this is superfluous to the trusted
contributors. I think it is not, this is not meant as a threat, but
rather as a hint towards the limits of using the supplied email
address. I think putting in this makes a good and coherent suggestion
to what is allowed and what is not (and it will hopefully also suggest
that people ask when in doubt).
...when you start dealing with "commercial activities" and "personal gain" issues -- which can be very subjective; more on that below -- then you are getting into aspects that are not technical in nature, which thus stop being the competence of only the sys admins IMO. 


Thirdly, about 'watching sysadmins'. There will be no active
monitoring of the email accounts, we will not monitor the logs to see
whatever comes by. We will not keep data that is not needed for
everyday system maintenance. Like Oliver said, for the running of the
system we cannot guarantee complete anonimity. Protecting privacy does
not mean that everything should be anonymous: it means that we make it
transparant what data is stored, and who has access to that data. This
means that at every point in time there could be six people (without
malicious intentions) that might see a message pass by (though very
unlikely). However, our policies are openly and transparantly
discussed on the haiku-sysadmin list. [Note to fellow sysadmins: we
should publish what information is stored in logs and how long it is
kept]


OK, that sounds fair. Thanks for clarifying.


Fourth. How will violations be found? Simply through
abuse@xxxxxxxxxxxx for spam reports, strange system activity, or in
the unlikely case that someone violates the illegal or commercial
rules for using the account, it will probably be reported to the
admins directly or on some mailing list. So really, no active
monitoring.
There will be clearcut situations that are easy to deal with. For example, if someone impersonates the project, asks for donations and keeps the money for himself, then you have a clearcut violation. Cases of spam, phishing, etc. all those are very clear cut too.
However, dealing with issues of "personal gain" and "commercial activities" is like getting into muddy waters. These things can be very subjective, so they require a lot of care IMO. I can see, for example, people's whose activities or relationships made during the involvement in the project evolve into some form of personal gain or even commercial activities (i.e., a job, a contract, etc.). This is not unusual, and I don't see anything wrong with that, nor do I think such situations should be a reason for alienation from the community (i.e., by suspension of the mailbox).
I have the feeling that the concerns raised about the potential misuse of the Haiku email addresses may be rooted in the notion that anyone with a Haiku email address speaks for the project in some form of official capacity. This is a misconception IMO. All the Haiku email address does is identify the individual as a recognized contributor to the project; that in itself gives the individual certain credibility, but it does not grant that individual any authority to speak for the project in any official capacity. IMO, that's what needs to be disclosed when granting the email addresses and what the contributors need to agree to when getting the mailbox. 


Five. Why did I put in "terminated at the discretion of Haiku's system
administrators."  First of all, I think it is very unlikely that there
will be an intentional and malicious violation of these rules. In
other words, I never expect it to come this far. Now if it does, I
propose that we handle as follows. First of all, the final decision is
with the Haiku Core Developers. But as the system admins investigate
(as the executive commitee so to speak), they will also make an
initial decision.

Why? Well, we also handle the spam violations, and conveniently, we're
the ones that can enable or disable an account.
In the sense that the sys admins are in the front line, they should definitely have all the freedom to make the appropriate *technical* decisions should any steps be required to preserve the integrity of the system.
However, IMO any decisions that are not technical in nature regarding a reported abuse situation is not only the competence of the sys admins, and should therefore be dealt with by the core contributors instead. Note that I say *core contributors* as opposed to *core devs*, because we are talking about something is not exclusively development-related, and as such, the core non-dev contributors should also be given a chance to voice their position. 


Now of course they (we) will first try to discuss it with the owner,
but I don't want to make things to complex in this policy than it has
to be. In the proposal I put in two systems of checks and balances.
First of all, there is the requirement for the unanimous vote for
decisions to suspend accounts. This makes that six different people
coming from different areas of the project with different ideas have
to agree in order to do something drastic like a suspension. Secondly,
there is the obligation of the system admins to notify the owner and
haiku-development about investigations they have done (regardless of
the outcome). The Haiku Core Developers can at that point still decide
to vote for suspension or to cancel a suspension (thus overriding the
sysadmins).
The proposed double system of check and balances is already too complex. :) It would be simpler if you just separated the technical issues from the non-technical one, letting the admins decide on the technical aspects as needed to preserve system integrity, and if a non-technical issue arises, having them delegate it to the core contributors to discuss and decide upon. 


Like I said, while I am writing this, I realize this is highly
theoretical, and I doubt that a situation would ever occur where such
a drastic measure is needed. Instead, I want to keep the policy
simple.

Finally, I agree that the section is strongly worded. But hey, you're
a PR person, spin it! ;-)
The language in the RFC includes expressions such as "investigation" and "the decision can be appealed" which really makes it sound like the person is going to be put on trial. Adopting a more conciliatory language that reflects an assumption that the owner of the mailbox is innocent until proven guilty would make the whole idea of getting a mailbox a lot less scary. :) 

Cheers,

--
Jorge/aka Koki
Website: http://haikuzone.net
RSS: http://haikuzone.net/rss.xml

Other related posts:

  1. Home
  2. haiku-development
  3. Archive
  4. 01-2010