subject:"Debian packages"

Thanks to everyone that has participated in the discussion thus far. :)
I think there have been a number of solid concerns and issues raised,
which I'm going to try and wrap into a proposal below.

I think it might help simplify the donations goal by framing it in the
following way:

Ultimately, where to send a donation is the decision of the person or
organization doing the donation (the benefactor).

Package maintainers, software developers, and project organizations can
lobby for where they'd like to see the money go, but it's the benefactor
that decides where they'd like to send the money in the end. Given that
premise, all a package maintainer, software developer, or organization
can do is make suggestions to the benefactor.

Let's assume that there is a file named DONATE that is included with
source distributions of Free Software. Its use is analogous to a README.
A DONATE file lists a PaySwarm-compatible list of financial accounts
(and percentages associated with each account) that should be the target
of donations to the particular software project.

This file can also be included in the debian/ subdirectory. When placed
in that directory, it lists donations that the package maintainers feel
should be performed on top of the upstream authors' DONATE file (if it
exists).

Finally, this file can also be included in the /etc/ directory (or maybe
/etc/donate.conf?) to specify a list of donations that the distribution
feels should be performed on top of all other donations.

The files are composed together to suggest where donations should go to
the sender. They are composed in this order:

1. Upstream project's DONATE file.
2. Package maintainers DONATE file.
3. System's DONATE file.

So, when a benefactor types 'apt-donate apache2 $5', assuming 90% goes
to ASF and 10% goes to Debian, they are provided with the following
suggestion:

"""
Of your $5 donation:
  1. $4.50 will go to the Apache Software Foundation
  2. $0.50 will go to the Debian Project

If you would like to adjust the amounts, enter the number beside the
amount that you'd like to adjust.

Do these amounts look good to you? (y/n)
"""

At this point, the benefactor can modify amounts or choose not to
perform the donation at all.

Things that are currently not provided in the proposal:

1. The format of the DONATE file.
2. How these DONATE files are installed onto the system, or
   discovered by apt-donate.
3. Whether or not these files should specify "for-hire" or
   "bounty board" URLs.

This proposal attempts to address a number of concerns raised related to
package maintainers having a variety of differing opinions on how we
should handle donations. After reading through the proposal above, are
there any issues or concerns that remain as a high to moderate risk?

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51bd2f0f.1070...@digitalbazaar.com

Re: KickStarter for Debian packages - crowdfunding/donations for development

On 06/15/2013 02:18 AM, Charles Plessy wrote:
> Le Sat, Jun 15, 2013 at 12:25:26AM -0400, Joey Hess a écrit :
>> Charles Plessy wrote:
>>> In the case of Debian, I share with others the concern of having 
>>> the packages as a source of revenue
>> 
>> How about making fixed bugs a source of revenue?
> 
> I do not see how to fit this in the PaySwarm model proposed here, 
> unless there are URLs for billing?

There is a PaySwarm spec called "Payment Intents", which is basically a
way to express "If X happens, I want to pay $Y". This can be used to do
all sorts of limit-based financial transactions:

"If bug 23489 is fixed, I'll pay $5."
"If $500 is raised to address bug 32892, I'll put in $10."

> In that case, the bounties could accumulate until somebody takes them
> by fixing the bug.

Have you heard of? https://www.bountysource.com/

Similar model.

> We would probably need some review system unless there are easy way
> for refunds.

The way PaySwarm Payment Intents work is by collecting "promises to
pay". When a limit is hit, all the payments go through. The model is
similar to KickStarter's all-or-nothing model. However, that model is a
bit constrained by the credit card and banking system (holds are put on
the funds in certain instances), which PaySwarm is not constrained by.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51bd24d6.10...@digitalbazaar.com

Re: KickStarter for Debian packages - crowdfunding/donations for development

On 06/14/2013 09:45 PM, Charles Plessy wrote:
> thanks for your work on web payments.  I hope that they will be a 
> lead contribution to the development of Free works.

And thanks to you for taking part in the conversation and helping us
build something that will hopefully lead to more resources funneled to
Free Software development. :)

> I think that for Debian, we need methods that pay for the work to be 
> done, rather than for the work that has been done.  Debian has a 
> large number of contributors, and we should encourage mobility 
> between projects, rather than make ourselves dependant to the
> project that would be currently paying for our bills.

I see, good point. So your opinion is that something like a
bounty/crowdfunding mechanism would be more helpful than a donation system?

> Moreover, some of our upstreams who are already collecting donations
> may be worried of losing opportunities to reveive when their work is
> distributed through Debian packages. Here, PaySwarm can solve our
> problem.

I think I understand.

> As Paul showed you, we are collecting URLs for donations, and we 
> probably miss a lot of them.  If the PaySwarm project would provide 
> with mechanisms to easily communicate or discover this information, 
> that would be very useful.  Then, together with the information that 
> the donation they received comes from a Debian user, we could pass 
> the URL to our upstream guide
> (http://wiki.debian.org/UpstreamGuide), so that the packaging work
> (and therefore the need for support) is reduced thanks to Upstream
> standardising his work.

Got it, I'm working on a proposal now that might work. Your input was
very helpful as it helps flesh out some of the bounty/crowdfunding stuff.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51bd2330.3060...@digitalbazaar.com

Re: KickStarter for Debian packages - crowdfunding/donations for development

On 06/14/2013 07:29 PM, David Kalnischkies wrote:
>> I disagree. Some packages make _a lot_ of work and some people 
>> spend thousands of hours to make Debian an excellent distribution 
>> and the package in particular useful and maintainable. This is in 
>> many cases not less work than being upstream, it's just another 
>> type of work which is often invisible.
> 
> My train of thought is that I will never be able to accept money for
>  the package 'apt'. Sure, I might do some stuff, but this package is
>  17 years old, has seen contribution from all round the world and all
>  that. What would give me the right to claim it rather than anyone 
> else who has ever worked on it. And even if you haven't worked 
> directly on it, we still have dependencies, be it code wise or 
> infrastructure (hardware, people, …). It can't be my job as the 
> maintainer¹ to rate the contribution of everyone even only remotely 
> involved to decide who is getting, who isn't and how much exactly. (¹
> which I am not, but lets keep it simple here)

Why wouldn't you, as maintainer, just say that all donations go to the
Debian Project? Isn't that the most logical thing to do in this instance?

> I have on the other hand accepted money for working on APT (e.g. as 
> GSoC student) so the concept of APT being a magical cash-cow I can 
> milk isn't completely alien for me, but for me there is a difference
>  between claiming that I am the one who should get the money if you 
> like the package and being up for hire if you need something to like
>  it (even more)

So is it fair to say that you'd like to be able to do the following:

1. List the Debian Project as the receiver for all donations.
2. List yourself as someone that is willing to be hired to do work on APT?

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51bd20c4.9000...@digitalbazaar.com

Re: KickStarter for Debian packages - crowdfunding/donations for development

On 06/14/2013 06:50 PM, Jonas Smedegaard wrote:
> Anyone can locate a particular Debian contributor and wire them 15 
> Bitcoin.  No need for Debian to support that.

I don't think you mean 'anyone'. I think you mean 'a highly skilled
programmer that understands how open source software is built and how
the Debian project operates...' :)

In the same vein, you could claim that many people on the planet can
find someone else on the planet and get money to them. There are two
issues with attempting to do that, however: the first is finding the
right person, and the second is figuring out how to get something of
value to them. :)

With respect to Debian-packaged software, if we address both issues, the
benefit is that more resources can be directed toward Free Software
development.

Even finding the correct Debian Developer to send money to is a very
difficult proposition for someone that is just using a piece of
software. It's very difficult to find this information. Even if you find
the information, you have to figure out if the target Debian developer
accepts Bitcoin. Many don't, and would prefer to be paid in their
national currency.

Merely stating that something is possible does not mean that it's easy
to do. :)

> Debian do not promote a capitalist-driven boost, nor any other 
> specific gaming of the system.  Debian is indifferent about how its 
> developers find time and devotion for our shared project.
> 
> I really thought Gunnar nailed it:
> 
>> We have never needed it

What do you think about the counter-argument to that statement posed by
Martin Owens?

http://lists.debian.org/debian-project/2013/06/msg00031.html

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51bd1f32.7000...@digitalbazaar.com

Re: KickStarter for Debian packages - crowdfunding/donations for development

On 06/14/2013 05:24 PM, Paul Tagliamonte wrote:
> On Fri, Jun 14, 2013 at 05:14:27PM -0400, Manu Sporny wrote:
>> I agree, which is why the payment details live completely outside
>> the Debian systems. The only thing you'd need to initiate payment
>> is an e-mail address, or a PaySwarm financial account address,
>> which looks like this:
>> 
>> https://dev.payswarm.com/i/manu/accounts/public-account
> 
> Interesting. So one would have to set up a payswarm instance to
> collect, or piggy back on a public instance?

You would piggy back on a public instance. Basically, you'd pick a
payment provider (kinda like you pick your grocery store, school, or
bank today). You would pick a payment processor you trust, and since
they're using PaySwarm, they're guaranteed to inter-operate with every
other PaySwarm-compatible payment processor out there.

We're also considering supporting financial account re-directs from a
personal website (as long as it's served over HTTPS). You could setup a
re-direct from your personal website to a URL on your payment provider.
There's isn't much advantage in doing this other than you being in full
control of your financial accounts in the event that your payment
provider goes rogue and/or freezes your account.

>> requirements when you process payments; know your customer (KYC) is
>> one of them. There are also anti-money laundering regulations that
>> you must ensure you follow to comply with the law. All of these
>> things are things
> 
> Which law? US law? We're an international org, are the laws standard 
> worldwide? We have Developers in every jurisdiction you can imagine
> :)

If you want to get very technical about it, the "law" is the combination
of all local, state, and federal laws applicable to the financial
transaction. What you're exchanging, how you're exchanging it, who is
exchanging it, trade embargoes... all of these things apply when you're
doing a financial transaction. So yes, it's a complicated problem due to
all the laws that apply, which is why payment processors exist.

>> Right, which is why one solution is making it up to the package 
>> maintainers and software authors to figure out how payments should
>> be split up. I think we all agree that tips should be distributed
>> based on merit and that the maintainers have a pretty good idea of
>> how that should go. In the event that the maintainers and upstream
>> can't come to an agreement, they could always just opt to send the
>> donation upstream to the Debian Project.
> 
> Right, but this leads to one of two things:

Wouter Verhelst had an excellent response to your concerns. There was a
counter to his line of argumentation, which I'll respond to shortly.

>>> Payment systems in general tend to lead to "paybullying", which
>>> is something I'd really (really) like to avoid. I've always loved
>>> how un-corporate the Debian community is.
>> 
>> I agree that we really don't want that. Any suggestions about how
>> we might be able to avoid it?
> 
> I'm not sure, but I've seen at least one high-profile F/OSS project 
> maintainer (with project email, writing from it) saying "I've written
> a patch for this bug, it's done, but you need to give me money before
> I release it". Putting an official system into place might make this
> more common / easier to make look "official".

I don't quite understand. I thought your concern was preventing that
sort of behavior, not condoning it?

That is, this is my read from the community so far:

People holding patches for ransom seems to be bad form and
anti-community. People stating that they'd like to work on X, but would
like to be paid for the work is better. People doing the work for free
and retroactively getting a donation for it is better. All donations to
large teams going to the Debian project seems to be the least
controversial solution (ignoring the fact that upstream developers don't
see any of that money).

I'm formulating a proposal that attempts to address all of the concerns
raised so far in this thread. More later...

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51bd1ba0.1080...@digitalbazaar.com

Re: KickStarter for Debian packages - crowdfunding/donations for development

On 06/14/2013 02:54 PM, Scott Howard wrote:
> As a member of the bitcoin team in debian, I also see how easy it 
> could be in the future to semi-anonymously receive payment from and 
> to anywhere in the world for such work, and that this may already be 
> going on already in Debian or other distros.

As an aside, PaySwarm is currency agnostic. The commercial
implementation of it (Meritora) deals with USD today, has plans for Euro
(and a few other national currencies) within a year, and Bitcoin shortly
after that.

> I don't know how I feel about this, fundamentally, yet. But my gut 
> didn't like the idea of having a wiki page where DDs can post their 
> hourly rates for packaging software for Debian...

Yes, we probably don't want to create a Mos Eisley in Debian. However,
knowing that you can go somewhere to hire Debian developers to fix
issues that you're having with the system would be very helpful for
companies (like ours and the ones we sub-contract from) that build
products on top of Debian.

There is already a fantastic amount of money that is involved in the
development of Debian, it's just hidden.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51bd1710.5020...@digitalbazaar.com

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-15 Thread Paul Tagliamonte

On Sat, Jun 15, 2013 at 11:48:27AM +0200, Wouter Verhelst wrote:
> On 14-06-13 23:24, Paul Tagliamonte wrote:
> > Right, but this leads to one of two things:
> > 
> >   - No money is shared with dependencies (leading to people flocking to
> > awesomewm, gnome, kde, chrome, wine, apache2, etc)
> > 
> >   - Money is shared with dependencies (leading to people flocking to
> > gcc, linux, libc6)
> 
> Which is a problem, why?

Because, given a naive implementation, people could latch on and feed
off all the money trickling in without doing work. Unless you want to
"rate" people in Debian, which I think is a very bad idea.

Oh you? You're worth 1%. You? Oh, you get nothing. Kbai.

> - The maintainer(s) decide to put all the money in a fund that is used
>   for things like meetings among the package's maintainers. In other
>   words, there is no direct financial benefit to be had, and thus I
>   don't expect people to be interested in joining purely for financial
>   benefit.

This would be a nice result of this system. Very very nice. I would love
if donations for a package went to a single discretionary fund to help
them with development. Things like:

  - going to upstream development sprints
  - meeting in a central location for a sprint
  - [other brilliant ideas here]

> - The maintainer(s) set up some complex scheme by which financial
>   benefit is equally distributed among contributors based on size of

I think this is a can of worms we should very much avoid.

[..]

> Unless you think money is dirty, I don't see how any of this would
> involve "flocking" in a problematic manner.

I don't think it's dirty, but it distorts views. When the person next to
you doing less work than you is making $MONEY, and you're not, you don't
want to work on $THING anymore.

> Am I missing something?

No, just not looking in the same places as me.

> If/when this were to happen in Debian, I think it would be fair to kick
> said developer out of the project, on the basis of them violating the
> "do not stand in the way" rule of constitution §2.1.1.

He claimed he'd not stand in the way of anyone writing their own patch,
and I don't think you could claim not writing the patch is standing in
the way, so I think this doesn't apply.

It's shady, but I don't think we have a mechinism for enforcing people
don't do this. Having a big-professional system where you say "Oh, just
apt-donate me $10 usd and I'll release this patch", people would believe
this is how things work.

Cheers,
   Paul

-- 
 .''`.  Paul Tagliamonte 
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `- http://people.debian.org/~paultag

signature.asc
Description: Digital signature

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-15 Thread Jakub Wilk


* Wouter Verhelst , 2013-06-15, 11:48:
What happens with the money should be decided by the maintainers of the 
package. Before you'll see "flocking", there will have been such a 
decision already (otherwise there's no money and thus no "flocking"). 
Given that, I can see only a few possible outcomes:

[...]
- The (main/sole) maintainer decides to egoistically take all the money 
for themselves. They alienate all other maintainers, and nobody ever 
wants to work with them anymore.


Yeah, that could happen with or without money involved.

The package suffers, until it is hijacked or taken away by decree of 
the TC or similar.


Or rather s/, until.*/ forever/. I'm talking from experience here.

--
Jakub Wilk


--
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130615115151.gb4...@jwilk.net

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-15 Thread Wouter Verhelst

On 14-06-13 23:24, Paul Tagliamonte wrote:
> Right, but this leads to one of two things:
> 
>   - No money is shared with dependencies (leading to people flocking to
> awesomewm, gnome, kde, chrome, wine, apache2, etc)
> 
>   - Money is shared with dependencies (leading to people flocking to
> gcc, linux, libc6)

Which is a problem, why?

What happens with the money should be decided by the maintainers of the
package. Before you'll see "flocking", there will have been such a
decision already (otherwise there's no money and thus no "flocking").
Given that, I can see only a few possible outcomes:

- The maintainer(s) decide to put all the money in a fund that is used
  for things like meetings among the package's maintainers. In other
  words, there is no direct financial benefit to be had, and thus I
  don't expect people to be interested in joining purely for financial
  benefit.
- The maintainer(s) set up some complex scheme by which financial
  benefit is equally distributed among contributors based on size of
  contribution. People may flock to that package, but the net result
  will be a better package. This is a good thing. If many people try to
  join the packaging team, eventually all the low-hanging fruit will be
  gone and people will start looking for other packaging teams to join,
  because the possible benefit no longer outweighs the investment to be
  made.
- The (main/sole) maintainer decides to egoistically take all the money
  for themselves. They alienate all other maintainers, and nobody ever
  wants to work with them anymore. The package suffers, until it is
  hijacked or taken away by decree of the TC or similar. This is a
  possible problem in the proposed scheme, but I don't think it could
  involve any "flocking", since there's no benefit to be had.
- The (main/sole) maintainer decides to quit their job and live off
  donated money instead. Debian gets a more focused developer (and,
  thus, better packages) as a result. This is essentially similar to the
  second scheme, except that other people will have a harder time
  keeping up with the full-time developer.

Unless you think money is dirty, I don't see how any of this would
involve "flocking" in a problematic manner.

Am I missing something?

[...]
> I'm not sure, but I've seen at least one high-profile F/OSS project
> maintainer (with project email, writing from it) saying "I've written a
> patch for this bug, it's done, but you need to give me money before I
> release it". Putting an official system into place might make this more
> common / easier to make look "official".

If/when this were to happen in Debian, I think it would be fair to kick
said developer out of the project, on the basis of them violating the
"do not stand in the way" rule of constitution §2.1.1.

-- 
This end should point toward the ground if you want to go to space.

If it starts pointing toward space you are having a bad problem and you
will not go to space today.

  -- http://xkcd.com/1133/



signature.asc
Description: OpenPGP digital signature

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-15 Thread Wouter Verhelst

On 15-06-13 06:07, Russ Allbery wrote:
> I think the tension gets much worse if
> the project is explicitly deciding to pay some people and not others.

While that is true, I do not believe that the proposed scheme results in
"the project (...) deciding to pay". If done right, this could simply be
a way for people to communicate that a) they welcome donations, and b)
where these donations should go to.

Every maintainer in Debian can, for themselves, decide whether that
metadata should signal that they accept donations, and if so where these
donations should go. The project as a whole would not seem to factor in
to that decision.

One of the major arguments against the scheme of trying to arbitrarily
pay project members with project funds was that it was fairly difficult
for project members who just happen to be active in other areas to
solicit payment. This is explicitly not the case with the proposed scheme.

-- 
This end should point toward the ground if you want to go to space.

If it starts pointing toward space you are having a bad problem and you
will not go to space today.

  -- http://xkcd.com/1133/

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51bc3434.3030...@debian.org

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-15 Thread Holger Levsen

On Samstag, 15. Juni 2013, Nikolaus Rath wrote:
> I agree. It would add a whole new dimension to NMU'ing, orphaning,
> adopting, and salvaging packages with a large user base. For example,
> currently most people would probably happily accept co-maintainers even
> if they're confident that they could do the work alone -- but what if
> adding a co-maintainer means that a potential stream of personal revenue
> will be cut in half?

thanks for nailing this one aspect. (there are more but this one is a good 
example...)




signature.asc
Description: This is a digitally signed message part.

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-15 Thread Holger Levsen

Hi,

On Samstag, 15. Juni 2013, Russ Allbery wrote:
> There were some past experiments with this in Debian, and they caused a
> lot of social controversy.
> 
> One of the problems with paying for work in the Debian context is that
> we're a world-wide project that welcomes contributions from everyone as
> equally as we can manage.  I think this is one of the major strengths of
> the project.  For the most part, we can ignore such things as differences
> in compensation rates in different parts of the world.  But if we get into
> paying for work, that immediately highlights that amounts that are
> inadequate to pay for skilled time in some areas where there are project
> contributors are far more than a typical wage in other areas.  This
> creates, or at least highlights, an awkward inequality in the project.
> 
> Another problem is that when some people are paid for doing the same work
> that other people are doing on a volunteer basis, it creates a lot of
> tension that's difficult to manage.  While this is true anyway (for
> example, my employer pays me to do some packaging work), currently it's
> quite indirect, and the payment isn't officially blessed by the project or
> part of the project structure.  Every contributor to Debian just manages
> their finances in their own ways.  I think the tension gets much worse if
> the project is explicitly deciding to pay some people and not others.

FWIW I share these concerns and also don't like the idea to as a project 
endorse ways to give money to developers. I don't want to see money persons 
join Debian and I dont want see people leave Debian because of it. I also dont 
want to see people fight over money. ("Hey, I must maintain this software 
because I deserve the money users pay for it.")

Donations to Debian OTOH, which benefit all developers (by paying for 
hardware, developer sprints, etc) are very much welcome.


cheers,
Holger


signature.asc
Description: This is a digitally signed message part.

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread Charles Plessy

Le Sat, Jun 15, 2013 at 12:25:26AM -0400, Joey Hess a écrit :
> Charles Plessy wrote:
> > In the case of Debian, I share with others the concern of having the 
> > packages
> > as a source of revenue
> 
> How about making fixed bugs a source of revenue?

I do not see how to fit this in the PaySwarm model proposed here, unless there
are URLs for billing ?  In that case, the bounties could accumulate until
somebody takes them by fixing the bug.  We would probably need some review
system unless there are easy way for refunds.  For instance, one person would
claim the bounties by sending a patch, and a Debian Developer or Maintainer
would acknowledge that the patch actually solves the problem by uploading the
package.  But there are probably better ways to do it.

Cheers,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130615061824.ge11...@falafel.plessy.net

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread Ben Hutchings

On Sat, 2013-06-15 at 00:25 -0400, Joey Hess wrote:
> Charles Plessy wrote:
> > In the case of Debian, I share with others the concern of having the 
> > packages
> > as a source of revenue
> 
> How about making fixed bugs a source of revenue?

http://dilbert.com/strips/comic/1995-11-13/

Ben.

-- 
Ben Hutchings
If the facts do not conform to your theory, they must be disposed of.


signature.asc
Description: This is a digitally signed message part

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread Joey Hess

Charles Plessy wrote:
> In the case of Debian, I share with others the concern of having the packages
> as a source of revenue

How about making fixed bugs a source of revenue?

-- 
see shy jo


signature.asc
Description: Digital signature

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread Russ Allbery

Martin Owens  writes:

> I feel much better about paying for work to be done than tipping, it
> feels more right. Although it requires larger pools of money and a more
> forthright approach deciding where this resource should be plowed in
> order to curate the larger design. Debian hasn't been much for curating
> anything, since it's more anarchistic than planned. But maybe it'd be
> possible to have project goals at the debian level which such money
> could be focused.

There were some past experiments with this in Debian, and they caused a
lot of social controversy.

One of the problems with paying for work in the Debian context is that
we're a world-wide project that welcomes contributions from everyone as
equally as we can manage.  I think this is one of the major strengths of
the project.  For the most part, we can ignore such things as differences
in compensation rates in different parts of the world.  But if we get into
paying for work, that immediately highlights that amounts that are
inadequate to pay for skilled time in some areas where there are project
contributors are far more than a typical wage in other areas.  This
creates, or at least highlights, an awkward inequality in the project.

Another problem is that when some people are paid for doing the same work
that other people are doing on a volunteer basis, it creates a lot of
tension that's difficult to manage.  While this is true anyway (for
example, my employer pays me to do some packaging work), currently it's
quite indirect, and the payment isn't officially blessed by the project or
part of the project structure.  Every contributor to Debian just manages
their finances in their own ways.  I think the tension gets much worse if
the project is explicitly deciding to pay some people and not others.

-- 
Russ Allbery (r...@debian.org)   

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87bo78koez@windlord.stanford.edu

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread Martin Owens

On Fri, 2013-06-14 at 07:20 -0400, Paul Tagliamonte wrote:
> Payment systems in general tend to lead to "paybullying", which is
> something I'd really (really) like to avoid. I've always loved how
> un-corporate the Debian community is.

There are two reasons money gets given to people.

a. Money is freely given retroactively as a reward for having done
something. This requires good record keeping about how much work someone
actually did and how much of the reward they should be likely to claim.
The down side is that it reduces enthusiasm. This is 'tipping' in my
vernacular.
b. Money is given pro-actively, for work you are about to, are doing or
have done and not published. This requires good quality checking and
being able to decide if the work was completed as agreed. This requires
a bunch of work to have been done to 'design' the work to be done
strictly. This is 'paying' in my lingo.

I feel much better about paying for work to be done than tipping, it
feels more right. Although it requires larger pools of money and a more
forthright approach deciding where this resource should be plowed in
order to curate the larger design. Debian hasn't been much for curating
anything, since it's more anarchistic than planned. But maybe it'd be
possible to have project goals at the debian level which such money
could be focused.

I think pro-active funding works better at the project level. If
Inkscape wants to spend it's money on sending contributors to
conferences, then that's a valid way to spend money on project goals. If
Blender wants to spend money on funding developers and movie makers to
stretch their software, also valid.

What we can't be is scared to develop the social and administrative
systems that make handling money effective. If we don't try, we won't
learn.

On Sat, 2013-06-15 at 00:50 +0200, Jonas Smedegaard wrote:
>  We should just be indifferent about it.  And that's what we practice
now as I see it.

We could be indifferent about lots of things in Debian. Licensing for
instance. \"Who cares! as long as we get the software delivered, only
lawyers care about some silly license and besides it could happen
outside of debian!\"

No, we care because it's important. Having meta data that describes the
connection between the user and the developer is an important
responsibility of the distributing platform. It is in fact the power of
the platform to deliver projects in a way that sustains and supplies
(users|attention|money|developers) to the upstream.

I don't think we're doing our job if we are not communicating an
important facet of the life-blood of our upstreams to our users. We are
instead acting to cut them off from each other unintentionally.

Martin Owens

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1371260896.18562.26.camel@delen

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread Charles Plessy

Le Fri, Jun 14, 2013 at 04:42:54PM -0400, Manu Sporny a écrit :
> 
> What if we did the following:
> 
> 1. If information exists in the package to distribute the donation
>automatically (these 35 people should get exactly these
>percentages), then we do that.
> 2. If the package lists the upstream project donation account, then we
>do that.
> 3. If there is no such information, then we send the money to the
>Debian project.

Dear Manu,

thanks for your work on web payments.  I hope that they will be a lead
contribution to the development of Free works.

In the case of Debian, I share with others the concern of having the packages
as a source of revenue, that would strongly reduce incentive for collaborative
maintainance of packages.  I think that for Debian, we need methods that pay
for the work to be done, rather than for the work that has been done.  Debian
has a large number of contributors, and we should encourage mobility between
projects, rather than make ourselves dependant to the project that would be
currently paying for our bills.

Most of the works we distribute are of a much smaller scale, where the approach
that you propose would not have such a negative side effect.  Moreover, some of
our upstreams who are already collecting donations may be worried of losing
opportunities to reveive when their work is distributed through Debian packages.
Here, PaySwarm can solve our problem.

As Paul showed you, we are collecting URLs for donations, and we probably miss
a lot of them.  If the PaySwarm project would provide with mechanisms to easily
communicate or discover this information, that would be very useful.  Then,
together with the information that the donation they received comes from a
Debian user, we could pass the URL to our upstream guide
(http://wiki.debian.org/UpstreamGuide), so that the packaging work (and
therefore the need for support) is reduced thanks to Upstream standardising his
work.

Have a nice week-end,

-- 
Charles Plessy
Debian Med packaging team,
http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130615014503.ga11...@falafel.plessy.net

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread Nikolaus Rath

Paul Wise  writes:
> I am very concerned about motivations of Debian project volunteers
> being distorted by money so I would suggest only allowing donations to
> Debian as a whole or directly to individual upstream projects.

I agree. It would add a whole new dimension to NMU'ing, orphaning,
adopting, and salvaging packages with a large user base. For example,
currently most people would probably happily accept co-maintainers even
if they're confident that they could do the work alone -- but what if
adding a co-maintainer means that a potential stream of personal revenue
will be cut in half?

Best,

   -Nikolaus

-- 
 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/871u84mg1n@vostro.rath.org

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread David Kalnischkies

On Fri, Jun 14, 2013 at 4:44 PM, Arno Töll  wrote:
> On 14.06.2013 15:52, David Kalnischkies wrote:
>> She/he is doing a lot of work for sure, but I appreciate the software, not
>> that it is packaged with this. That I can get this software easily while
>> using Debian is something the whole project is responsible for, not just
>> the person who happens to maintain this specific package, so appreciation
>> for the package itself should go to the project as a whole.

(in the last sentence, I meant "Debian project", I see now that this
 might be mistaken as refering to upstream.)

> I disagree. Some packages make _a lot_ of work and some people spend
> thousands of hours to make Debian an excellent distribution and the
> package in particular useful and maintainable. This is in many cases
> not less work than being upstream, it's just another type of work which
> is often invisible.

My train of thought is that I will never be able to accept money for the
package 'apt'. Sure, I might do some stuff, but this package is 17 years old,
has seen contribution from all round the world and all that. What would give
me the right to claim it rather than anyone else who has ever worked on it.
And even if you haven't worked directly on it, we still have dependencies,
be it code wise or infrastructure (hardware, people, …). It can't be my job
as the maintainer¹ to rate the contribution of everyone even only remotely
involved to decide who is getting, who isn't and how much exactly.
(¹ which I am not, but lets keep it simple here)

Thankfully, 'apt' is a native package, so it has by default an entity which
accepts donations and is able to divide the money raised in a good way
across all involved people by sponsoring meetings, hardware and stuff.
And I believe the same entity should collect money channeled to "us" for
packaging non-native software rather than to individual maintainers.

I have on the other hand accepted money for working on APT (e.g. as GSoC
student) so the concept of APT being a magical cash-cow I can milk isn't
completely alien for me, but for me there is a difference between claiming
that I am the one who should get the money if you like the package and
being up for hire if you need something to like it (even more) – even
though its on the etch of being double-think.

Best regards

David Kalnischkies

--
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAAZ6_fBeTULS1Q7gv8GthCHty0z=a+pte6pown03165omc1...@mail.gmail.com

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread Jonas Smedegaard

Quoting Manu Sporny (2013-06-14 22:57:46)
> On 06/14/2013 05:36 AM, Martin Owens wrote:
> > On Thu, 2013-06-13 at 23:03 -0500, Gunnar Wolf wrote:
> >> We have never needed it
> > 
> > Such a mechanism would never be needed if the only people Debian 
> > should serve are technical users who are able to involve themselves 
> > in the project when they need it.
> > 
> > Excluding people with money is just another way of excluding people 
> > from Free Software development. I'm not so sure it's been as healthy 
> > for us or our users as assumed here.
> 
> I think this is an excellent point. The people that use Debian, more 
> specifically Ubuntu, are not always capable of jumping in and doing 
> the technical work themselves. It would be nice to give them a way to 
> contribute (donations), or promote work they want to see happen 
> (bounties).

Anyone can locate a particular Debian contributor and wire them 15 
Bitcoin.  No need for Debian to support that.

IMO Debian should not be against bounties or other forms of developer- 
or package-specific monetary boosting (read: distortion).  We should 
just be indifferent about it.  And that's what we practice now as I see 
it.

Some developers may be paid full time for the things they do in Debian, 
while others don't get a dime.

Some packages may get lots of love from maintainer with a full stomach 
and a house with a pool, while other package may survive with less 
attentive maintainers poking a bit now and then when not busy hunting or 
farming to support their families.

Debian do not promote a capitalist-driven boost, nor any other specific 
gaming of the system.  Debian is indifferent about how its developers 
find time and devotion for our shared project.

I really thought Gunnar nailed it:

> We have never needed it

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature

Re: KickStarter for Debian packages - crowdfunding/donations for development

On 06/14/2013 09:52 AM, David Kalnischkies wrote:
> On Thu, Jun 13, 2013 at 11:50 PM, Manu Sporny 
>  wrote:
>> A deeper discussion of the social concerns and solutions with
>> 
>> http://lists.debian.org/deity/2013/06/msg00054.html
> 
> I thought this was pretty shallow, but anyway:

Well, I meant deeper than the introductory e-mail about the topic. :)

> I believe its in some sense our responsibility to also collect the 
> information of how to show appreciation for the hard work of
> everyone involved in this project.

+1 - If we can get this right, we can make it easier to donate in a way
that is equitable. There are a significant number of organizations that
spend most of their donations on administrative staff to do funding drives.

PaySwarm allows you to see exactly where your money is going. We did
this by design in order to ensure transparency for people that want it.
The one down-side to sending money to an organization or a foundation is
that you have no idea where your money goes after you send it. More below...

> This especially means though, that it must be very very very clear 
> who is the receiver of the appreciation. I would personally be 
> surprised if the maintainer of package XYZ is getting a share via 
> "apt-donate xyz '5 coins'"

Yes, exactly right. PaySwarm lists every single entity that will receive
funds. If there are 50 maintainers and upstream authors listed with
varying amounts, the donor will be able to see exactly where every
single bit of their donation goes (if they want to see the details).

There is a video demonstrating what a purchase looks like from the browser:

https://www.youtube.com/watch?v=02vX36Ntxxk

and what one looks like from the command line (note the list of who is
getting paid and how much they're getting paid):

https://www.youtube.com/watch?v=0SEUnX-H2Qc

How you specify the entities being paid, which will be visible to the
person doing the donation, is outlined in this blog post:

https://hacks.mozilla.org/2013/04/payswarm-part-2/

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51bb8cda.5070...@digitalbazaar.com

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread Paul Tagliamonte

On Fri, Jun 14, 2013 at 05:14:27PM -0400, Manu Sporny wrote:
> I agree, which is why the payment details live completely outside the
> Debian systems. The only thing you'd need to initiate payment is an
> e-mail address, or a PaySwarm financial account address, which looks
> like this:
> 
> https://dev.payswarm.com/i/manu/accounts/public-account

Interesting. So one would have to set up a payswarm instance to collect,
or piggy back on a public instance?

> requirements when you process payments; know your customer (KYC) is one
> of them. There are also anti-money laundering regulations that you must
> ensure you follow to comply with the law. All of these things are things

Which law? US law? We're an international org, are the laws standard
worldwide? We have Developers in every jurisdiction you can imagine :)

> that the Debian project doesn't want to (or have to) deal with wrt. the
> current proposal.
> 
> > I think allowing users to 'tip' would be nice, but it creates this 
> > system where now everyone wants to co-maint gcc, bash, libc, linux 
> > and not really "do" anything.
> 
> Right, which is why one solution is making it up to the package
> maintainers and software authors to figure out how payments should be
> split up. I think we all agree that tips should be distributed based on
> merit and that the maintainers have a pretty good idea of how that
> should go. In the event that the maintainers and upstream can't come to
> an agreement, they could always just opt to send the donation upstream
> to the Debian Project.

Right, but this leads to one of two things:

  - No money is shared with dependencies (leading to people flocking to
awesomewm, gnome, kde, chrome, wine, apache2, etc)

  - Money is shared with dependencies (leading to people flocking to
gcc, linux, libc6)

In both cases, Debian Project Members (non-uploading / non-maintainers)
don't get any love either. We could use pseudo-packages to help (e.g.
donate www.debian.org $1,000,000), but I can't imagine that's complete
(we'd never donate gsoc-team-alpha $500, for instance).

In the case where we do always split it, it kills a bit of the motivation
for tipping packages in general.


> > Payment systems in general tend to lead to "paybullying", which is 
> > something I'd really (really) like to avoid. I've always loved how 
> > un-corporate the Debian community is.
> 
> I agree that we really don't want that. Any suggestions about how we
> might be able to avoid it?

I'm not sure, but I've seen at least one high-profile F/OSS project
maintainer (with project email, writing from it) saying "I've written a
patch for this bug, it's done, but you need to give me money before I
release it". Putting an official system into place might make this more
common / easier to make look "official".

> Let me know if the above makes sense. I'd be happy to answer more
> questions if it would help. :)

Thank you! :)

> 
> > P.S., I do like your work on JSON-LD, Manu!
> 
> Thanks! Fun fact: We built JSON-LD because of PaySwarm. We needed to
> make sure that the core financial protocol could be extensible in a
> distributed way, and JSON-LD ended up being the solution for that.

Neat!

> 
> You can see how JSON-LD is used for the PaySwarm financial protocol and
> digital receipts here:
> 
> https://hacks.mozilla.org/2013/04/payswarm-part-2/
> 
> https://hacks.mozilla.org/2013/04/web-payments-with-payswarm-purchasing-part-3-of-3/
> 
> -- manu
> 
> -- 
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Meritora - Web payments commercial launch
> http://blog.meritora.com/launch/


Cheers,
  Paul

-- 
 .''`.  Paul Tagliamonte 
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `- http://people.debian.org/~paultag


signature.asc
Description: Digital signature

Re: KickStarter for Debian packages - crowdfunding/donations for development

On 06/14/2013 07:20 AM, Paul Tagliamonte wrote:
> In particular, I have concerns on how people *collect* this money.
> In the case of a package maintainer, we don't require we know who
> they are, nor their legal name, or even where the live. Just an
> active, working email and good changes that we can upload (hell, they
> could even just get sponsorship via debdiffs without a GPG key for
> all we know). In that case, verifiying identity wouldn't be something
> we could do, nor do I think such people would give their bank numbers
>  up.

I agree, which is why the payment details live completely outside the
Debian systems. The only thing you'd need to initiate payment is an
e-mail address, or a PaySwarm financial account address, which looks
like this:

https://dev.payswarm.com/i/manu/accounts/public-account

If a developer wants a payment, they can list a valid PaySwarm account,
or just provide their e-mail address. If they provide their e-mail
address, they'll get an e-mail from the PaySwarm payment processor
stating that someone has sent them some money.

It's up to the PaySwarm payment processors to verify names, addresses,
bank accounts, and credit card numbers. There are a number of legal
requirements when you process payments; know your customer (KYC) is one
of them. There are also anti-money laundering regulations that you must
ensure you follow to comply with the law. All of these things are things
that the Debian project doesn't want to (or have to) deal with wrt. the
current proposal.

> I think allowing users to 'tip' would be nice, but it creates this 
> system where now everyone wants to co-maint gcc, bash, libc, linux 
> and not really "do" anything.

Right, which is why one solution is making it up to the package
maintainers and software authors to figure out how payments should be
split up. I think we all agree that tips should be distributed based on
merit and that the maintainers have a pretty good idea of how that
should go. In the event that the maintainers and upstream can't come to
an agreement, they could always just opt to send the donation upstream
to the Debian Project.

> Payment systems in general tend to lead to "paybullying", which is 
> something I'd really (really) like to avoid. I've always loved how 
> un-corporate the Debian community is.

I agree that we really don't want that. Any suggestions about how we
might be able to avoid it?

> I'm very lukewarm about this right now, but I think with some sound 
> arguments, I'd warm up to it.

Let me know if the above makes sense. I'd be happy to answer more
questions if it would help. :)

> P.S., I do like your work on JSON-LD, Manu!

Thanks! Fun fact: We built JSON-LD because of PaySwarm. We needed to
make sure that the core financial protocol could be extensible in a
distributed way, and JSON-LD ended up being the solution for that.

You can see how JSON-LD is used for the PaySwarm financial protocol and
digital receipts here:

https://hacks.mozilla.org/2013/04/payswarm-part-2/

https://hacks.mozilla.org/2013/04/web-payments-with-payswarm-purchasing-part-3-of-3/

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51bb87b3.8000...@digitalbazaar.com

Re: KickStarter for Debian packages - crowdfunding/donations for development

On 06/14/2013 05:36 AM, Martin Owens wrote:
> On Thu, 2013-06-13 at 23:03 -0500, Gunnar Wolf wrote:
>> We have never needed it
> 
> Such a mechanism would never be needed if the only people Debian
> should serve are technical users who are able to involve themselves
> in the project when they need it.
> 
> Excluding people with money is just another way of excluding people
> from Free Software development. I'm not so sure it's been as healthy
> for us or our users as assumed here.

I think this is an excellent point. The people that use Debian, more
specifically Ubuntu, are not always capable of jumping in and doing the
technical work themselves. It would be nice to give them a way to
contribute (donations), or promote work they want to see happen (bounties).

Even if there are some developers that oppose monetary contribution in
any form, there are others that would love to develop for Debian more
(but can't feed their families on volunteering). That is, it's important
to not encode a personal opinion in software that silences those that
have a different opinion.

We can build this system such that those that don't want any donations
can pass it on to the Debian Project, or reject all donations outright.
We can also build this system such that those that would like donations
can state exactly how they want the donation to be split up among the
project participants. This approach ends up being fair to both sides and
doesn't silence either opinion.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51bb83ca.1010...@digitalbazaar.com

Re: KickStarter for Debian packages - crowdfunding/donations for development

On 06/13/2013 10:33 PM, Paul Wise wrote:
> We already have means of donating to Debian. Making that more 
> accessible is on the todo and probably your work could help out 
> here.
> 
> http://www.debian.org/donations 
> http://lists.debian.org/debian-www/2013/05/msg00025.html

Great, would love to help out in some way. Who should I chat with about
that?

> We have a mechanism for maintainers to point folks at upstream 
> donation pages, it is only used by two packages so far though:
> 
> http://wiki.debian.org/UpstreamMetadata 
> http://upstream-metadata.debian.net/table/Donation

Yes, that's one of the problems we had identified. If the donation
mechanism is more complicated than 'apt-donate apache2 $5', then the
likelihood that it will be used goes down dramatically.

> Tying donations to one payment processor doesn't sound like a good 
> idea to me.

I agree. PaySwarm is designed to be an open payment standard. Once the
standard is finalized you'll be able to port your financial account from
one PaySwarm payment processor to another just as easily as people can
port their cellphones today. The specs are designed to prevent vendor
lock-in. There is only one payment processor today (Meritora), but once
other PaySwarm payment processors pop up, if you don't like Meritora for
whatever reason, you can switch (while preserving all of your financial
account data).

If you'd like to learn more about PaySwarm, there are a set of blog
posts that we did for Mozilla Hacks here:

https://hacks.mozilla.org/2013/04/web-payments-with-payswarm-identity-part-1-of-3/

https://hacks.mozilla.org/2013/04/payswarm-part-2/

https://hacks.mozilla.org/2013/04/web-payments-with-payswarm-purchasing-part-3-of-3/

> I am very concerned about motivations of Debian project volunteers 
> being distorted by money so I would suggest only allowing donations 
> to Debian as a whole or directly to individual upstream projects.

We could certainly do the former, although the upstream software authors
may not like that because it could be construed as the overall Debian
project overreaching into what should be a conversation between the
package maintainer and the upstream authors.

We could also do the latter, but I'd like there to be a possibility of a
package maintainer getting a reward of some kind for past work
performed. The Debian Security team does an excellent job, and have
saved us on numerous occasions. I'd love to have some way of sending
them something in appreciation.

What if we did the following:

1. If information exists in the package to distribute the donation
   automatically (these 35 people should get exactly these
   percentages), then we do that.
2. If the package lists the upstream project donation account, then we
   do that.
3. If there is no such information, then we send the money to the
   Debian project.

Does that sound reasonable?

> I am also concerned about the distortions that monetisation has had 
> on the web and worry about the consequences of embedding this into 
> browsers. Both the modern web and modern web browsers are very 
> concerning in general though.

I agree, although we may differ on what the root of the problem is. I
don't think it's money or monetization, as that is a neutral thing, just
like technology (and Debian). It's not inherently evil or good. We tend
to think of it more from a systems perspective. Certain systems result
in certain behaviors.

The Web's monetization has happened mainly based on advertising dollars
(Google, Facebook, Yahoo, Twitter, etc.). The system of advertising
results in an attempt to please the advertisers, since they're the
customers. Citizens are consumers, and tend to be viewed as 2nd class
citizens to the advertisers. We think that there are better models for
the Web, but that the core infrastructure for those models doesn't exist
yet.

The fundamental thing that we're trying to do with PaySwarm is to
democratize finance. That means that we're trying to put the tools that
are only available to large corporations and Wall street into the hands
of most people. It's analogous to how the Web democratized publishing...
pretty easy to put something out there these days that can reach
hundreds of millions of people. We want to do that to our global
financial infrastructure.

I think software developers are going to play a major role in building
this new Web-based financial infrastructure. I also agree with you that
we have to be careful and methodical about how we build this system. The
hope is that by doing it right, we can bring more money into the
ecosystem (in a good way) and tackle some long-standing problems
(under-staffing, interface design, testing, infrastructure, etc.).

I've been using Debian since the late 1990s. I love this project. I'm
primarily interested in trying to build the core donations
infrastructure in a way that is going to truly help the Debian community.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Foun

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread Scott Howard

On Thu, Jun 13, 2013 at 5:50 PM, Manu Sporny wrote:
> I'd like to add a feature to apt that enables people to donate money or
> crowdfund a particular project or developer. The inspiration for the
> project comes from [1]Gittip.

Another issue/can of worms: Someone started a thread on an ubuntu list
asking how to get a company's proprietary software into multiverse.
The generic response, as usual, is to either us a PPA or try to twist
a DDs arm to get it into non-free (if it is redistributable). DDs
don't want to use their volunteer time on non-free projects, but while
thinking of the response I was aware about how financial incentive may
change a DD's opinion. As a member of the bitcoin team in debian, I
also see how easy it could be in the future to semi-anonymously
receive payment from and to anywhere in the world for such work, and
that this may already be going on already in Debian or other distros.

Allowing quick in-distribution monetization of effort potentially
opens up a market for DDs to work on packaging specific commercial
(and free) projects for pay. On one hand, it feels like it ruins the
"free-ness" (both in beer and speech) of Debian (although there is no
rule saying you have to pay to get in), but on the other hand
explicitly rejecting monetization feels like we are discriminating
against the commercial field of use, which is also a non-free act
(kind of what Martin Owen is saying).

I don't know how I feel about this, fundamentally, yet. But my gut
didn't like the idea of having a wiki page where DDs can post their
hourly rates for packaging software for Debian...

This is just a warning of one way I can see such an official donation
system evolving in a few years. I still prefer donating to the project
as a whole just to avoid this mess for now.

~Scott

--
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive:
http://lists.debian.org/CANg8-dDcpXTXEhdz+LbnQsz1kWKYS3zXZpSJ1krRzQN3==v...@mail.gmail.com

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread Arno Töll

Hi,

On 14.06.2013 15:52, David Kalnischkies wrote:
> She/he is doing a lot of work for sure, but I appreciate the software, not
> that it is packaged with this. That I can get this software easily while
> using Debian is something the whole project is responsible for, not just
> the person who happens to maintain this specific package, so appreciation
> for the package itself should go to the project as a whole.

I disagree. Some packages make _a lot_ of work and some people spend
thousands of hours to make Debian an excellent distribution and the
package in particular useful and maintainable. This is in many cases
not less work than being upstream, it's just another type of work which
is often invisible.

Not saying we should implement a user interface for (micro-) donations
to Debian package maintainers, but I'm sure people being grown up enough
to become contractually capable, are also able to differentiate whether
they would like to donate to upstream or to the distributor and both
deserve their part of the cake.

Now, if comes up to discuss whether we should proxy donations from
people to maintainers I'm unsure. I'd rather be in favor of collecting
these donations to a common pool and divide it equal amongst maintainers
who opt-in for very simple reasons:

* Opt-In for the reason Mr. Tagliamonte mentioned: Some of us are
pseudonymous identities, some may not want to share bank account data etc.

* A maintainer is not responsible alone for the work. Personally I
cannot value enough the tremendous work the Security Team spends with
packages I and $boss uses daily for profit.

* A maintainer builds his work on the shoulders of others, like you,
being the APT maintainer, like maintainers of dependencies, like the
Release Team hating your debdiffs. And, of course, our non-uploading DDs
who spend lots of time to maintain the website, make translations, etc.

* Obviously some very important packages virtually get zero attention.
You know, people donate what they see, be it apache2 (taken because I
maintain this), but who would donate for libz we depend upon? This is an
imbalance to have in mind.

However, is all of that a reason not to accept money from people at all?
I don't think so. We should just ensure it's fair and balanced _within_
Debian and clear to people donating that the money goes (to what
fraction) to whom.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D

signature.asc
Description: OpenPGP digital signature

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread David Kalnischkies

On Thu, Jun 13, 2013 at 11:50 PM, Manu Sporny  wrote:
> A deeper discussion of the social concerns and solutions with
> integrating donations and fundraising into Debian packages can be found
> here:
>
> http://lists.debian.org/deity/2013/06/msg00054.html

I thought this was pretty shallow, but anyway:

My personal opinion is that while many projects have means of accepting
donations most of the time its not as easy to discover or to use.

"Donating" to projects which are not free-to-use is a lot easier as the same
interface over which you discover this incredible masterpiece of a project
is also the place where you find how to channel money to it – simply because
you have to pay for it before you use it.

And I am not talking about money exclusively here: Some projects have
licenses encouraging buying the developer a beer if you see her/him,
to send a postcard, to donate to favorite entity, … all of which isn't
that accessible if you aren't highly determined to find it.

As a distribution we work hard on making the best software available via
an easy interface, we collect screenshots, reviews and votes for them (in
various way with various states of completion in various downstreams) so
I believe its in some sense our responsibility to also collect the
information of how to show appreciation for the hard work of everyone
involved in this project.

That Debian is able to collect and deliver appreciations to developers via
a simple interface was proven in 2010 with thanks.debian.net (the original
is gone) which was like the best idea since sliced bread. :)
[I know that others didn't like the "spam" – so much for uncontroversial]

So I don't believe Debian should be the entity actually collecting (at least)
the more physical/dangerous forms of appreciation, this is really something
the projects itself have to work out, but we are good at collection metadata
and I think many would appreciate being able to appreciate more easily.

This especially means though, that it must be very very very clear who is
the receiver of the appreciation. I would personally be surprised if the
maintainer of package XYZ is getting a share via "apt-donate xyz '5 coins'"
(I use this interface now just for brevity).
She/he is doing a lot of work for sure, but I appreciate the software, not
that it is packaged with this. That I can get this software easily while
using Debian is something the whole project is responsible for, not just
the person who happens to maintain this specific package, so appreciation
for the package itself should go to the project as a whole.

Best regards

David Kalnischkies

--
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAAZ6_fBEh6grc=u=+xoghj_fmqlo3nf0enx2y9jkocumk2g...@mail.gmail.com

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread Paul Tagliamonte

On Thu, Jun 13, 2013 at 11:03:36PM -0500, Gunnar Wolf wrote:
[..]
> work. That's all fine. We have a mechanism in place to help people
> donate money to Debian as a whole. That's also fine. But I'd very much
> rather keep both things separate — Not instate mechanisms in Debian to
> get funds to individual developer. We have never needed it, and from
> the discussions I have taken part in or witnessed, I really doubt we
> would need it now.

In particular, I have concerns on how people *collect* this money. In
the case of a package maintainer, we don't require we know who they are,
nor their legal name, or even where the live. Just an active, working
email and good changes that we can upload (hell, they could even just
get sponsorship via debdiffs without a GPG key for all we know). In that
case, verifiying identity wouldn't be something we could do, nor do I
think such people would give their bank numbers up.

I think allowing users to 'tip' would be nice, but it creates this
system where now everyone wants to co-maint gcc, bash, libc, linux and
not really "do" anything.

Payment systems in general tend to lead to "paybullying", which is
something I'd really (really) like to avoid. I've always loved how
un-corporate the Debian community is.

I'm very lukewarm about this right now, but I think with some sound
arguments, I'd warm up to it.

P.S., I do like your work on JSON-LD, Manu!

Cheers,
  Paul

-- 
 .''`.  Paul Tagliamonte 
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `- http://people.debian.org/~paultag

signature.asc
Description: Digital signature

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-14 Thread Martin Owens

On Thu, 2013-06-13 at 23:03 -0500, Gunnar Wolf wrote:
> We have never needed it

Such a mechanism would never be needed if the only people Debian should
serve are technical users who are able to involve themselves in the
project when they need it.

Excluding people with money is just another way of excluding people from
Free Software development. I'm not so sure it's been as healthy for us
or our users as assumed here.

Martin,


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1371202594.18562.3.camel@delen

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-13 Thread Gunnar Wolf

Paul Wise dijo [Fri, Jun 14, 2013 at 10:33:58AM +0800]:
> (...)
> Tying donations to one payment processor doesn't sound like a good idea to me.
> 
> I am very concerned about motivations of Debian project volunteers
> being distorted by money so I would suggest only allowing donations to
> Debian as a whole or directly to individual upstream projects.
> 
> I am also concerned about the distortions that monetisation has had on
> the web and worry about the consequences of embedding this into
> browsers. Both the modern web and modern web browsers are very
> concerning in general though.

FWIW, I agree with Paul here. Some Debian people have requested
(individually) for public sponsorship to their free software-related
work. That's all fine. We have a mechanism in place to help people
donate money to Debian as a whole. That's also fine. But I'd very much
rather keep both things separate — Not instate mechanisms in Debian to
get funds to individual developer. We have never needed it, and from
the discussions I have taken part in or witnessed, I really doubt we
would need it now.

Of course, I cannot decline the offer in the name of the whole
project. I just state my opinion.


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130614040336.gb41...@gwolf.org

Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-13 Thread Paul Wise

We already have means of donating to Debian. Making that more
accessible is on the todo and probably your work could help out here.

http://www.debian.org/donations
http://lists.debian.org/debian-www/2013/05/msg00025.html

We have a mechanism for maintainers to point folks at upstream
donation pages, it is only used by two packages so far though:

http://wiki.debian.org/UpstreamMetadata
http://upstream-metadata.debian.net/table/Donation

Tying donations to one payment processor doesn't sound like a good idea to me.

I am very concerned about motivations of Debian project volunteers
being distorted by money so I would suggest only allowing donations to
Debian as a whole or directly to individual upstream projects.

I am also concerned about the distortions that monetisation has had on
the web and worry about the consequences of embedding this into
browsers. Both the modern web and modern web browsers are very
concerning in general though.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAKTje6HrFjkLbckHYUD6361p89CPisqNo1Z0OW1Fx1aXX=z...@mail.gmail.com

KickStarter for Debian packages - crowdfunding/donations for development

2013-06-13 Thread Manu Sporny

I'd like to add a feature to apt that enables people to donate money or
crowdfund a particular project or developer. The inspiration for the
project comes from [1]Gittip.

I've already contacted the APT project and they directed me here, as
they felt it needed to be discussed by the larger Debian community.

My name is [2]Manu Sporny and I'm the current chair of the Web Payments
group at the World Wide Web Consortium (W3C). I'm also the project
leader for the [3]PaySwarm project, which is an initiative to create a
universal payment standard for the Web. We're also currently [4]working
with Mozilla to build payments into the browser. Each of these
initiatives is a patent-free and royalty-free open standard that we'd
like to try and apply to the Debian project.

The general idea with apt-based donations is to enable every package in
Debian to be able to accept funding and/or donations for the project.
Here are some of the ideas we were kicking around:

 1. Simple donations. Donate a fixed dollar amount $1, $2.50,
 $5, or $10 to a project. This could be opt-in or automatic.

 2. Split donations. Donate a fixed dollar amount to a project,
 where 50% of the donation goes to the project and 50% of the
 donation is split equally among the project dependencies (by
 reading the Debian control file).

 3. Recurring donations. Same as the first item above, but
 happens on a recurring basis.

 4. Variable split donations. Same as the second item above, but
 the percentages of where the money goes is specified by the
 maintainer in the Debian control file or other included file.

 5. The ability to donate arbitrary amounts to registered
 Debian developers, or registered project goals.

We could add these features to a new command in apt that can be executed
via the command-line:

apt-donate [package] [amount]

A deeper discussion of the social concerns and solutions with
integrating donations and fundraising into Debian packages can be found
here:

http://lists.debian.org/deity/2013/06/msg00054.html

There is a series on PaySwarm for developers on the Mozilla Hacks blog,
if you want more background information on how PaySwarm works:

[5]PaySwarm: Identity (part 1 of 3)
[6]PaySwarm: Assets and Listings (part 2 of 3)
[7]PaySwarm: Purchasing (part 3 of 3)

We'd tie donations to the [8]Meritora PaySwarm payment processor. If
there is interest in adding this sort of feature in apt (or apt-utils),
then we'd be happy to do the work on the software and make it happen.

I'd like to understand what the expectations might be for a feature like
this. I'd also like to answer any questions about the Web Payments /
PaySwarm standardization work as well. If it would help, I can jump on a
quick voice chat with someone closely associated with the Debian Project
to discuss in more depth.

My contact info (in preferred order):
Skype: msporny
VoIP: sip:mspo...@digitalbazaar.com
G+ Hangout: +Manu Sporny
Mobile: 540-641-1942

Is there interest in this feature?

-- manu

1. https://www.gittip.com/
2. http://www.linkedin.com/in/manusporny
3. https://payswarm.com/
4. http://manu.sporny.org/2013/browser-payments/
5.
https://hacks.mozilla.org/2013/04/web-payments-with-payswarm-identity-part-1-of-3/
6. https://hacks.mozilla.org/2013/04/payswarm-part-2/
7.
https://hacks.mozilla.org/2013/04/web-payments-with-payswarm-purchasing-part-3-of-3/
8. http://blog.meritora.com/launch/

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51ba3e97.7010...@digitalbazaar.com

Re: Debian packages

2009-03-11 Thread Goswin von Brederlow

Gabriel McCall  writes:

> Dear Debian Package Maintainers,
>
> Is there a definitive way to download packages for a machine that,
> due to it's remote location, does not have an internet connection?
> What I'm looking for is a complete file that would contain all the
> packages that a specific application is dependant upon whether or
> not a given operating system already included said packages in it's
> makeup.

This sounds like you want a partial mirror. There is apt-zip for
package management with sneakernet (you carry an USB stick/disk
around) but that will only list needed packages and skip already
installed ones.

If I had this problem I would use reprepro. Reprepro is an easy tool
to create or mirror a debian archive for use with apt. It also alows
filtering the package list to create partial mirrors. It is easy to
mirror just a list of packages. The hard part and the part that is
missing is to create the package list so that all
depends/recommends[/suggests] are satisfied. Maybe you can borrow code
from debian-cd for that.

> If something like that is not available, would there be a way to
> create files full of packages that would cover a large range of
> basic packages in an index such as a "pool"?  This would allow users
> to download and burn a CD full of the latest packages for specific
> uses such as Multimedia, games, development, or perhaps entire
> desktops that could be added to existing operating systems.
>
> For example, I cannot install a second desktop environment such as
> Xfce or Kde on a machine that has Gnome installed without using a
> package manager and an internet connection.  However, if I were able
> to download a set of package files which came with thier
> dependencies neatly bundled in an index that could be read by
> something like synaptic; I could then install the alternate desktop
> environment without the need for an internet connection.
>
> Simpler yet would be a multimedia bundle, or perhaps a networking
> bundle.  If I simply wanted a media player installed on my system
> and could download a package bundle which contained everything
> needed to install that specific media player it would be much easier
> than trying to download each individual package and install them all
> as individual binary packages.

There are way too many kinds of bundles people might want for debian
to provide them all and only providing a select few will always leave
most people wanting. So I think that would be a bad idea.

> Please help me understand why this is not something that is easliy found.
>
> Thank you for your time
>
> Gabriel  (hellion_darkl...@inbox.com)

MfG
Goswin

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Debian packages

2009-03-11 Thread Mehdi Dogguy

Gabriel McCall wrote:
> Dear Debian Package Maintainers,
> 
> Is there a definitive way to download packages for a machine that, due to 
> it's remote location, does not have an internet connection?  What I'm looking 
> for is a complete file that would contain all the packages that a specific 
> application is dependant upon whether or not a given operating system already 
> included said packages in it's makeup.  
> 

I think that AptOnCd is what your are looking for:

http://aptoncd.sourceforge.net/

Cheers,

-- Mehdi Dogguy


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Debian packages

2009-03-10 Thread Daniel Dickinson

On Tue, 10 Mar 2009 09:54:31 -0800
Gabriel McCall  wrote:

> Dear Debian Package Maintainers,
> 
> Is there a definitive way to download packages for a machine that,
> 
> Simpler yet would be a multimedia bundle, or perhaps a networking
> bundle.  If I simply wanted a media player installed on my system and
> could download a package bundle which contained everything needed to
> install that specific media player it would be much easier than
> trying to download each individual package and install them all as
> individual binary packages.

You may want to look at http://wiki.debian.org/DebianCustomCD if
apt-zip doesn't fulfill your needs.

> 
> Please help me understand why this is not something that is easliy
> found.

Because it's not easy to do.  Development of easier alternatives for
making custom pools is ongoing (though slowly as most developers who
need a pool also have hard drive space for a mirror for a particular
architecture).

Regards,

Daniel

-- 
And that's my crabbing done for the day.  Got it out of the way early, 
now I have the rest of the afternoon to sniff fragrant tea-roses or 
strangle cute bunnies or something.   -- Michael Devore
GnuPG Key Fingerprint 86 F5 81 A5 D4 2E 1F 1C  http://gnupg.org


signature.asc
Description: PGP signature

Re: Debian packages

2009-03-10 Thread Julien BLACHE

Gabriel McCall  wrote:

Hi,

> Is there a definitive way to download packages for a machine that, due
> to it's remote location, does not have an internet connection?  What
> I'm looking for is a complete file that would contain all the packages
> that a specific application is dependant upon whether or not a given
> operating system already included said packages in it's makeup.

apt-zip might be what you're looking for.

JB.

-- 
 Julien BLACHE - Debian & GNU/Linux Developer -  
 
 Public key available on  - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Debian packages

2009-03-10 Thread Gabriel McCall

Dear Debian Package Maintainers,

Is there a definitive way to download packages for a machine that, due to it's 
remote location, does not have an internet connection?  What I'm looking for is 
a complete file that would contain all the packages that a specific application 
is dependant upon whether or not a given operating system already included said 
packages in it's makeup.  

If something like that is not available, would there be a way to create files 
full of packages that would cover a large range of basic packages in an index 
such as a "pool"?  This would allow users to download and burn a CD full of the 
latest packages for specific uses such as Multimedia, games, development, or 
perhaps entire desktops that could be added to existing operating systems.  

For example,  I cannot install a second desktop environment such as Xfce or Kde 
on a machine that has Gnome installed without using a package manager and an 
internet connection.  However, if I were able to download a set of package 
files which came with thier dependencies neatly bundled in an index that could 
be read by something like synaptic; I could then install the alternate desktop 
environment without the need for an internet connection.  

Simpler yet would be a multimedia bundle, or perhaps a networking bundle.  If I 
simply wanted a media player installed on my system and could download a 
package bundle which contained everything needed to install that specific media 
player it would be much easier than trying to download each individual package 
and install them all as individual binary packages.

Please help me understand why this is not something that is easliy found.

Thank you for your time

Gabriel  (hellion_darkl...@inbox.com)

 


--
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: buildd redundancy (was Re: Recompilation of ALL Debian packages ...

2006-10-04 Thread Wouter Verhelst

On Sun, Sep 24, 2006 at 02:32:27PM -0400, Nathanael Nerode wrote:
> It's not reasonable to rely on one single machine like that: apart from the 
> mess that would happen if it went down or the person uploading its packages 
> took a week's vacation,

As opposed to the "mess" that does happen right now when that same
person who does powerpc, mips, mipsel, and a slew of other buildd
machines goes on vacation?

Right.

-- 
 Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Recompilation of ALL Debian packages ...

martin f krafft wrote:

> also sprach Russ Allbery <[EMAIL PROTECTED]> [2006.09.01.0241 +0200]:
>> Rebuilding every package really doesn't buy you that much in the
>> way of security.
> 
> This is arguable and I don't want to go there. The reason I am
> pushing for this is because of two of my clients, who have been
> wanting to use Debian for three years now but consciously decided
> against it, because it is not guaranteed that the sources and the
> binaries in our archives correspond for all architectures. They are
> well aware that trojans can still exist, but it's an entirely
> different thing whether they exist in source and hence in all
> architectures (which would result in some serious negative feedback
> or even revocation of upload rights), or just in one of the binaries
> and hence would be much harder to detect/analyse.

How big are your clients?  If they're good-sized companies with a spare 
computer, they can compile all the packages they use locally from Debian 
source with not *too* much work.

-- 
Nathanael Nerode  <[EMAIL PROTECTED]>

Bush admitted to violating FISA and said he was proud of it.
So why isn't he in prison yet?...


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Recompilation of ALL Debian packages ...

Roberto C. Sanchez wrote:

> Is it not part of the process of becoming a DD (or sponsorship of
> packages for non-DDs) learning the "responsible" way to build packages.
> That is, developers are taught to use tools like pbuilder or sbuild in
> order to ensure that packages build cleanly.  I'm not saying that
> mistakes will never occur.  However, I would think that the vast
> majority of the people will be responsible and do it correctly the vast
> majority of the time.

Yeah, but a 5% error rate, or even a 1% error rate, is still a hell of a lot
of packages for QA to find and fix.

-- 
Nathanael Nerode  <[EMAIL PROTECTED]>

Bush admitted to violating FISA and said he was proud of it.
So why isn't he in prison yet?...


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

buildd redundancy (was Re: Recompilation of ALL Debian packages ...

martin f krafft wrote:

> also sprach Henning Makholm <[EMAIL PROTECTED]> [2006.08.31.1641 +0200]:
>> Please read up on the regular (every few months) discussions about
>> "source-only uploads" in the list archives. (Capsule summary: yes,
>> it would be easy to do, but there is no consensus that it would be
>> *desirable* to do so).
> 
> For instance: http://lists.debian.org/debian-devel/2006/07/msg00544.html
> 
> You say people have argued against source-only uploads, but I think
> source-only is actually not what we are talking about. The subject
> line says: "recompile...".
> 
> Whether or not requiring binary packages in the upload as a QA sort
> of measure is a good thing is a tangential debate.
> 
> I would like to know why we can't just discard those binaries and
> rebuild them on trusted machines. Then we get the best of all
> worlds.

This is really a nice idea.  It is *not* reasonable to do this until
we get the long awaited redundancy in the i386 buildd system.
Currently there is one buildd with one maintainer, unless something
has changed since http://release.debian.org/etch_arch_qualify.html was
last updated.  (Has something changed?  That looks out of date, but I don't
know who to ask.)

It's not reasonable to rely on one single machine like that: apart from the 
mess that would happen if it went down or the person uploading its packages 
took a week's vacation,  a compromise of that one machine will root every 
i386 Debian system.  (I hope it's at least as secure as ftpmaster, but two 
single points of failure are worse than one.)

Redundancy is needed for alpha, amd64, hppa, arm, and ia64 as well,
according to that chart.

-- 
Nathanael Nerode  <[EMAIL PROTECTED]>

Bush admitted to violating FISA and said he was proud of it.
So why isn't he in prison yet?...

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

buildd redundancy (was Re: Recompilation of ALL Debian packages ...