Re: Questions for all candidates: decentralization of power

2010-04-01 Thread Mike O'Connor
On Thu, Apr 01, 2010 at 01:45:45PM +0900, Charles Plessy wrote:
> If it is not an export or a license violation that a member of the FTP team
> inspects a package, then I do not think it is for any other member of the
> project. I am not proposing to give a read access to the NEW queue for any
> other purpose.

I think that what we are doing now puts us in very safe legal ground.  I
fear what could happen when some litigious copyright holder accuses us
of illegally redistributing their software and our reponse is, "We just
copied it to one other machine so that we could make it available to our
entire membership."

> If because you do not trust the other DDs to respect the rules, that packages
> in the NEW queue must not be resdistributed before they are accepted, then 
> yes,
> you have to do the work alone. 

It doesn't take long processing NEW to realize that many DDs cannot be
trusted to make sure that all of the code they are uploading is legally
redistributable.

> If we do not think that the DDs respect the
> rules (http://www.debian.org/devel/dmup, in which we could add a note about 
> NEW
> packages before opening up the mirror), how can we tell our users that our
> system is secure?

The problem is also one of accountability.  If the DD screws up and
eventually an ftp-master or a mirror owner or DPL or SPI or someone else
is the one getting sued, can the person getting sued hold the DD
accountable?

stew


signature.asc
Description: Digital signature


Re: Questions for all candidates: decentralization of power

2010-03-31 Thread Mike O'Connor
On Thu, Apr 01, 2010 at 10:58:07AM +0900, Charles Plessy wrote:
> Hi Mike,
> 
> you give three interesting examples on how the FTP team is isolating itself.
> 
> 
> 1) By a combination of (self-appointed?) authority and technical design, the
> package section splitting becomes a private tool of the FTP team.

I'm not familiar with how the package sections came to be.  I'll
reluctantly take your word for it.

> Apart from a
> couple of usual examples, sections are not much useful nowardays, and they are
> getting reimplemented in parallel through debtags, tasks, or meta-packages

Agreed.

> (just like our website is being reimplemented on wiki.d.o or alioth.d.o, 
> etc.).

I didn't know about this.

> I think that one of the causes is that it is not directly under the project's
> responsibility. 

I'm not sure what you mean by this.  Having the packages in the distro
grouped by secitions isn't the repsonsibility of the distro?

> What is your vision of the package sections? Where is the big
> picture? 

Its a way of categorizing packages to facilitate browsing through or
searching for packages in debian.  Its not much more than this.  I think
that once debtags is farther along, they could replace sections
completely.

> Why the maintainers should even care about them if everything in the
> design reminds them that sections are not their business, except for saving a
> bit of your time at the first upload?

I don't understand what you mean here at all.  I'm not sure what time is
being saved.  If you don't want to care about them, you can probably
ignore them.  Some people don't,  the ftp team makes sure there are sane
choices being made in the cases where maintainers haven't cared enough.

IfIf there is a package in an incorrect section or with the wrong
priority, please just file a bug against ftp.debian.org and it will get
fixed.

Opening up write access to the database that maintains the archive to
all developers just so that they can change sections (something that you
yourself characterize as "not much useful" anyway) seems like something
that is not worth the security risk.

> 
> 2) We can not export software without doing some procedures, but what is the
> definition of an export? If it is not an export when a DD appointed by a DD
> delegated by the DPL logs in from outside the USA to inspect a package, then I
> think that the DPL or the Project can delegate all DDs equally the possibility
> to do this inspection and write in a NEW package's ITP bug what they think
> about its copyright and how it is summarised for Debian. Again, the line is
> currently drawn in a way that increases your workload. That is your choice.

The issue I was talking about had nothing to do with software crossing
state lines.  It had to do with violating license agreements.  I'm not
familiar with any procedures we must do before exporting software that
you are alluding to.  The issue that I was talking about would be when
the license of a piece of software prohibits us from legally
distributing the software at all, or if distributing the software might
include a legal burden we don't want to carry.  For instance, if someone
were to upload software such as opera or adobe flash or skype which has
explicit licenses which prohibit any redistribution, we cannot allow the
ftp-master machine to become a point of redistribution.  For this
reason, we don't allow the software to be copied off of the ftp-master
machine until we've audited it with respect to software licenses.

If we were to do what it seems like you want (correct me if I'm wrong
about what you'd want).  We'd have to either open up the ftp-master
machine to all developers, which worries me from a security standpoint,
or we'd have to be willing to distribute potentially non-redistributable
software off the machine to developers, which would worry me from a
legal standoint.

> 
> 3) The FTP team is looking for people, but you left my propositions to help
> with the NEW queue unanswered. 

If there were propositions that we aren't already discussing.  I missed
them.  I'm sorry.

> Whatever your opinion on me as a person, you
> choice was to discard some help with no justification.

Sorry.  I mussed have missed something.  I don't think there is any
reason to discuss my opinion of you as a person, lets please drop that,
its irrelevant.  I don't know what help you are offering that I'm
discarding with no justification.  The ONLY thing I've done so far was
to justify.

> 
> In my opinion, the perimeter of the FTP team is not well defined, and has a
> tendency grow with self-appointed new responsibilities (like the lintian 
> checks
> at upload for instance). 

How do you think it should be defined then?

> I am not surprised that your team is running out of
> manpower frequently.

I'm not either.  But I get the feeling that we have differing opinions
about why that is.  

It seems to me that we don't retain members becuase there is a lot of
very very tedious, often thankless w

Re: Questions for all candidates: decentralization of power

2010-03-31 Thread Mike O'Connor
On Sun, Mar 21, 2010 at 12:46:44AM +0900, Charles Plessy wrote:
> Dear Clint,
> 
> I also think that there are many restricted operations that should be opened.
> Write access to our website, chosing the priority and section of our pacakges,
> triggering bin-NMUs, designating new members, inspecting new packages 
> submitted
> to our archive, ???

You do get to choose the priority and section which your packages belong
to, though the ftp team can override your choice.  When we do override
your choice, you get an email inviting discussion about it.  I can't
think of any instance where the ftp team and maintainers haven't been
able to come to an agreement about where the packages belong.  The
alternative option, where DDs are given write access to the dak database
doesn't seem worth the security issues for the small benefit(?) of
avoiding having this discussion with the ftp team.

Inspecting new packages which haven't cleared NEW has potential legal
problems.  We don't want to be in the position where we are distributing
software that might not be legal for us to distribute.  Our trend has
been to increase the amount of info about the packages we make available
on http://ftp-master.debian.org/new.html (currently down), but we have
to stop short of potentially illegally distributing software.  For
people that want to help with the process of auditing packages in NEW,
The ftp team is looking for new members, our most recent solicitation
being here:
http://lists.debian.org/debian-devel-announce/2010/03/msg3.html

stew


signature.asc
Description: Digital signature


Re: Q for all candidates: license and copyright requirements

2010-03-24 Thread Mike O'Connor

On Wed, 24 Mar 2010 00:32:19 +, Dmitrijs Ledkovs wrote

> 2. If tarball is not redistributable

> It belongs in non-free, or must be repackaged to become redistributable

No,  If its not redistributable, It doesn't belong in non-free or any
other place we distribute software.  This is why we don't distribute
other popular non-redistributable software like Opera or skype or flash
in non-free.

stew


signature.asc
Description: Digital signature


Re: GR proposal: Do not require listing of copyright holders

2009-03-21 Thread Mike O'Connor
On Sat, Mar 21, 2009 at 03:08:26PM -0700, Steve Langasek wrote:
> On Sat, Mar 21, 2009 at 09:38:04PM +, Mark Hymers wrote:
> > I've therefore asked the DPL to get us legal advice on the minimum
> > copyright information we should ship in debian/copyright.  Once we get
> > this, I propose we amend policy to be crystal clear about what we need
> > (basically, what we can get away with[0]) and then all carry on.
> 
> I think this needs to be a two-part question to the lawyer: what does
> copyright law require, and what does the GPLv3 require.  I believe they are
> not the same.
> 

And then, of course, there are the other dozens of licenses.  Some of
them (such as the BSD license in /usr/share/common-licenses/BSD) very
clearly require us to list copyright holders somewhere in the binary
packages.  Some don't have this requirement in the license.  Some are
less clear.

stew


signature.asc
Description: Digital signature


Re: gr_lenny vs gr_socialcontract

2008-12-19 Thread Mike O'Connor
On Fri, Dec 19, 2008 at 02:44:46PM +0100, Johannes Wiedersich wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Manoj Srivastava wrote:
> > I suspect it would not be hard to create a non-free installer CD
> >  that obviates the requirement of a separate USB key for remote
> >  installs.
> 
> If (almost?) everyone will use non-free stuff anyway, why not just make
> live more easy for everyone and include it on all the installer images.
> People still have the freedom to buy freely supported hardware or to not
> use non-free firmware.

So then debian becomes the "100% Free Operating System (some
restrictions apply.  see details*)

(* Operating system deosn't include installer images, or kernel.  Freedom
only guaranteed on one CPU.)

> 
> I don't think that any computer will be more 'free' whether some
> non-free code is loaded on boot from hard disk (kernel firmware blob) or
> whether the non-free code is loaded from ROM like the BIOS. IMHO, it
> also does not contribute in any way to freedom to force users to load
> the firmware blobs from a separate installation medium.  Or to drive them
> into buying hardware with on board ROM chips for the then still non-free
> firmware/software.

The point isn't to try to force users to only have free software on
their machines, the point is to only have free software in debian.

In my eyes, it is important to make a very clear distinction between
what is free and what is not free, even If it means some inconvenience.
It would be nice to be able to say with more confidence,  "If you get it
from debian main, you can be assured it is free.  Debian worries about
the licenses, so you don't have to."

If we make users have to decide between the "100% free installer" and
the "installer with non-free", and it makes the user have to think about
"what is this non-free stuff, and why should I care".  I think it is an
added side benefit.  If a user at some point decides to "vote with their
pocketbook", by choosing a piece of hardware based on its compatibility
with debian, I think that could also be a benefit.

> 
> I don't understand the clout around the fight for removing the little
> bits of non-free firmware for the network cards, while practically no
> one is able to run his/her computer without much more non-free code
> hidden in all the other places.

Because if its software, and its not free software, it just doens't
belong in debian.  Read the last paragraph of the social contract:

"We acknowledge that some of our users require the use of works
that do not conform to the Debian Free Software Guidelines. We have
created "contrib" and "non-free" areas in our archive for these works"

We can still acknowlege that some our users require the use of non-free
software during the install process, without having to keep main
contaminated.  

A line has to be drawn somewhere.  If we don't fight for the line, I
worry about it becoming a slippery slope that starts with firmware, then
starts to include all kinds of binary blobs like the non-free nvidia
drivers, then who knows what, a non-free userspace Then stuff like
ipw3945d, then at some point the discussion we are having is "why not
include rar, since we already have all of this other non-free stuff.

The arguments about "we are losing users to [other distro] becuase of
this"  Hold very little weight.  "Be a popular distro" is not a goal of
debian, "Be a free distro" is.  "Let's include non-free software because
everyone else is" is a counter-argument to me.  If we are the only ones
left that cares so much, all the more reason to stick to our principles.

stew


signature.asc
Description: Digital signature


Re: Technical committee resolution

2008-04-01 Thread Mike O'Connor
On Tue, Apr 01, 2008 at 04:20:30PM -0500, Manoj Srivastava wrote:
> On Tue, 1 Apr 2008 13:21:52 -0400, Mike O'Connor <[EMAIL PROTECTED]> said: 
> 
> > On Tue, Apr 01, 2008 at 09:43:28AM -0500, Manoj Srivastava wrote:
> >> On Tue, 1 Apr 2008 05:43:47 -0400, Mike O'Connor <[EMAIL PROTECTED]>
> >> said:
> >> 
> >> > I saw multiple people suggesting such limits.  I did NOT see anyone
> >> > propose a reason for such a limit other than you who seemed to be
> >> > concluding that the reason for a limit was the speed at which
> >> > people were performing their job.  I was just proposing an
> >> > alternate reason to yours.  If the proposers of such limits had
> >> > stated that they think it would aid in the speed at which things
> >> > got done, they eluded me.
> >> 
> >> That is not quite right. I have not presumed to know what reasons
> >> other people might have had for limits, nor did I propose a rationale
> >> for limits; I have merely expressed my opinion about one cause for
> >> the deficiencies in the tech ctte's performance. I have suggested
> >> that this cause (lack of time pr participation) has an observable
> >> metric, and that metric could be used to aid decisions about the
> >> composition of the cotte, rather than just setting some arbitrary
> >> limits.
> 
> > well you clearly stated that you thought the proposal to limit the
> > number of hats was silly "Because the number of hats does not seem to
> > be a good predictor for performance..."  I was just trying to suggest
> > this is not the only reason that one might want to suggest such a
> > limit.  You seem to agree that my reason sounds valid, so I guess your
> > previous reason for thinking it to be a silly proposal is no longer
> > relevant, so we can drop it...
> 
> You evidently have trouble reading what I said. I have never
>  ever stated anything about speed, as you quote shows. And then,
>  after misreading my stance, you proceed to knock down an  argument never
>  made -- in logic, this is known as a strawman.
> 
You are mistaken. I should have included more of the quote, where you
definately talk about speed.  Here is the entire paragraph:

Because the number of hats does not seem to be a good predictor 

 for performance -- at least, not for a low number of hats.  There are  

 better objective measure that would ensure hastening of the glacial

 pace and lack of follow through th tech ctte has.  


Note the words "hastening" and "glacial pace".  I don't think i'm having
trouble reading this.

stew


signature.asc
Description: Digital signature


Re: Technical committee resolution

2008-04-01 Thread Mike O'Connor
On Tue, Apr 01, 2008 at 09:43:28AM -0500, Manoj Srivastava wrote:
> On Tue, 1 Apr 2008 05:43:47 -0400, Mike O'Connor <[EMAIL PROTECTED]> said: 
> 
> > I saw multiple people suggesting such limits.  I did NOT see anyone
> > propose a reason for such a limit other than you who seemed to be
> > concluding that the reason for a limit was the speed at which people
> > were performing their job.  I was just proposing an alternate reason
> > to yours.  If the proposers of such limits had stated that they think
> > it would aid in the speed at which things got done, they eluded me.
> 
> That is not quite right. I have not presumed to know what
>  reasons other people might have had for limits, nor did I propose a
>  rationale for limits; I have merely expressed my opinion about one
>  cause for the deficiencies in the tech ctte's performance. I have
>  suggested that this cause (lack of time pr participation) has an
>  observable metric, and that metric could be used to aid decisions about
>  the composition of the cotte, rather than just  setting some arbitrary
>  limits. 

well you clearly stated that you thought the proposal to limit the
number of hats was silly "Because the number of hats does not seem to be
a good predictor for performance..."  I was just trying to suggest this
is not the only reason that one might want to suggest such a limit.  You
seem to agree that my reason sounds valid, so I guess your previous
reason for thinking it to be a silly proposal is no longer relevant, so
we can drop it...


> 
> > Are you implying that my hypothetical shouldn't be advanced here?
> 
> Having seen no concrete rationale, I have no idea whether your
>  hypothetical has any value or not. Did I not invite you tpo present any
>  supporting arguments?

You did not.  You invited me to present a well thought out proposal that
I was ready to defend publicly instead of just a hypothetical, which
seemed to make me think that you didn't think I should be advancing any
such hypothetical until I had such a proposal.  Which i don't have.
Sorry if I misinterpreted your intentions.

stew


signature.asc
Description: Digital signature


Re: Technical committee resolution

2008-04-01 Thread Mike O'Connor
On Tue, Apr 01, 2008 at 03:13:02AM -0500, Manoj Srivastava wrote:
> On Tue, 1 Apr 2008 02:32:54 -0400, Mike O'Connor <[EMAIL PROTECTED]> said: 
> 
> > It seems to me however that there might be other valid reasons to
> > limit the number of important hats one wears other than what effect it
> > might have on ones performance.  As examples I think that it would be
> > reasonable for people to think that having the same person that is
> > deciding which packages can be allowed into debian also be a person
> > that decides what pepole can become new members might be too much
> > power for one person.  Or if you have one person in charge of the
> > debian policy, in charge of conducting all votes and also serving on
> > the team making technical deicistions it might be too much
> > power. Regardless of the speed at which people in these kinds of
> > positions may or may not be performing their jobs.
> 
> Now that would be a valid argument, if you could defend it. But
>  that was not was being done;  the sillyness resulted from putting
>  arbitrary numbers and limits; what you are hypothesizing requires thought
>  being put into the proposal, and taking into account the actual people,
>  roles, and powers, and stating why that amalgamation of
>  responsibilities  is something to be avoided.  Proposals about policy
>  are things that require effort and thought; short circuiting the
>  thought process and rushing in with limits just for the sake of limits
>  leads us nowhere.

I saw multiple people suggesting such limits.  I did NOT see anyone
propose a reason for such a limit other than you who seemed to be
concluding that the reason for a limit was the speed at which people
were performing their job.  I was just proposing an alternate reason to
yours.  If the proposers of such limits had stated that they think it
would aid in the speed at which things got done, they eluded me.

> 
> Now, if you have such s proposal (rather than a hypothetical,
>  and are prepared to defend that proposal in an open discussion, please
>  advance it here.

I don't have such a proposal.  Just though I would offer up an idea.
Are you implying that my hypothetical shouldn't be advanced here? 

stew


signature.asc
Description: Digital signature


Re: Technical committee resolution

2008-04-01 Thread Mike O'Connor
On Mon, Mar 31, 2008 at 11:28:24PM -0500, Manoj Srivastava wrote:
> On Mon, 31 Mar 2008 12:47:42 -0300, Martín Ferrari <[EMAIL PROTECTED]> said: 
> 
> > On Mon, Mar 31, 2008 at 6:46 AM, MJ Ray <[EMAIL PROTECTED]> wrote:
> >> Manoj Srivastava <[EMAIL PROTECTED]> wrote:
> 
> >> >  better job of them than other candidates, why deprive the project
> >> >  due Clint's law of pointless limitations? [...]
> >> 
> >> I feel that the above personalisation of argument is unhelpful.
> >> 
> >> I don't believe that we should limit people to one hat, but limiting
> >> people to one hat *of this type* might be helpful and merits further
> >> consideration.  What is "this type"?  Probably we need to re-sort
> >> http://www.debian.org/intro/organization>  to decide that, if people
> >> http://www.debian.org/intro/organization>  feel it's a good idea.
> 
> > I fail to understand why Manoj sees this as such a silly idea, and it
> 
> Because the number of hats does not seem to be a good predictor
>  for performance -- at least, not for a low number of hats.  There are
>  better objective measure that would ensure hastening of the glacial
>  pace and lack of follow through th tech ctte has.
> 

It seems to me however that there might be other valid reasons to limit
the number of important hats one wears other than what effect it might
have on ones performance.  As examples I think that it would be
reasonable for people to think that having the same person that is
deciding which packages can be allowed into debian also be a person that
decides what pepole can become new members might be too much power for
one person.  Or if you have one person in charge of the debian policy,
in charge of conducting all votes and also serving on the team making
technical deicistions it might be too much power. Regardless of the
speed at which people in these kinds of positions may or may not be
performing their jobs.

IANADDyet,
stew



signature.asc
Description: Digital signature