Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--2018/20180915.log.txt318
1 files changed, 318 insertions, 0 deletions
diff --git a/2018/20180915.log.txt b/2018/20180915.log.txt
new file mode 100644
index 0000000..7f3e1f3
--- /dev/null
+++ b/2018/20180915.log.txt
@@ -0,0 +1,318 @@
+[07:06:41] <antarus> #startmeeting "Foundation 2018-09"
+[07:06:41] <trusteeBot> Meeting started Sat Sep 15 22:06:41 2018 UTC and is due to finish in 60 minutes. The chair is antarus. Information about MeetBot at http://wiki.debian.org/MeetBot.
+[07:06:41] <trusteeBot> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
+[07:06:41] <trusteeBot> The meeting name has been set to '_foundation_2018_09_'
+[07:06:44] <dwfreed> heh
+[07:07:11] <antarus> rollcall prometheanfire robbat2 antarus alicef b-man
+[07:07:17] <prometheanfire> o/
+[07:07:41] <robbat2> present but late
+[07:08:30] <antarus> #info Rollcall: antarus, prometheanfire, robbat2
+[07:08:44] <prometheanfire> well, quorum at least
+[07:08:50] <antarus> yes quite :)
+[07:08:55] <antarus> the bot is logging, supposedly
+[07:08:59] <prometheanfire> itnis
+[07:09:01] <prometheanfire> it is
+[07:09:02] <antarus> I neglected to test that bit
+[07:09:14] <dwfreed> I have text logs if you need them
+[07:09:19] <antarus> #info old business
+[07:09:39] <antarus> Updating the foundation address; I'm waiting until we update the NM filing
+[07:09:45] <antarus> I expect to have it all done by next month
+[07:10:02] <antarus> I need b-man's address to update the filing; I sent him an email abou tit
+[07:10:17] <prometheanfire> ack, and also seen via cc
+[07:10:32] <NeddySeagoon> Our registered addr has to stay in NM
+[07:10:36] <antarus> (I may try to update ones I don't think I need the filing for)
+[07:10:50] <antarus> NeddySeagoon: yes, we are updating other addresses
+[07:10:52] <antarus> (not that one)
+[07:10:53] <prometheanfire> robbat2: should we update the bank info? or since I stayed on are we still good (iirc dabbott was the other person on the account)
+[07:11:00] <NeddySeagoon> antarus: :)
+[07:11:18] <antarus> NeddySeagoon: its https://bugs.gentoo.org/show_bug.cgi?id=613950 if you are curious
+[07:11:30] <robbat2> one sec, checking the latest statemnets to confirm bank addresses
+[07:11:48] <prometheanfire> robbat2: and account 'holders'?
+[07:13:01] <robbat2> Money market #3246 definetly has the new mailing address
+[07:13:55] <robbat2> prometheanfire: can you login to the spark business account and confirm mailing address on there? it only has the registered agent addr
+[07:14:00] <robbat2> on the statements
+[07:14:10] <prometheanfire> ok
+[07:14:11] <antarus> robbat2: can we just do this OOB and update teh bugs accordingly?
+[07:14:24] <robbat2> antarus: continue in the meantime
+[07:14:44] <antarus> The question of who to keep on the accounts is an interesting one
+[07:14:54] <antarus> i'm not familiar enough wth business accounts to say
+[07:15:24] <robbat2> the president & treasurer if possible is best-practice I've had elsewhere from research;
+[07:15:37] <robbat2> failing that, president & secretary
+[07:15:46] <antarus> ack
+[07:15:53] <robbat2> either way, antarus should be added
+[07:16:07] <robbat2> question is also if b-man should be added; and when to remove dabbott
+[07:16:36] <antarus> #action Change account holders to be [antarus,robbat2,b-man]
+[07:16:38] <prometheanfire> expand then contract
+[07:16:45] <antarus> bot, I hope you are doing stuff ;)
+[07:16:53] <robbat2> you can't add me: because the bank won't add non us-resident
+[07:17:20] <robbat2> presently on the spark is prometheanfire, dabbott
+[07:17:38] <robbat2> presently on the moneymarket#3246 is tsunam (we were trying to close this one)
+[07:17:43] <antarus> I aspire to add all 3, lets see how far we get
+[07:18:00] <prometheanfire> antarus: robbat2 we can talk offline and work on it
+[07:18:02] <antarus> I think there is a branch in NY i can go to to hopefully get that MM one taken
+[07:18:10] <antarus> #info votes
+[07:18:11] <prometheanfire> that'd be nice
+[07:18:17] <prometheanfire> they closed satx branches...
+[07:18:42] <antarus> https://bugs.gentoo.org/645192 - Staff quiz and gpg competence should be required for foundation membership
+[07:19:09] <antarus> any thoughts on this one?
+[07:19:16] <prometheanfire> I don't think the 'staff quiz' (now called the developer quiz) is fully suited as a foundation membership quiz
+[07:19:22] <prometheanfire> it's a good base though
+[07:19:28] <prometheanfire> https://projects.gentoo.org/comrel/recruiters/quizzes/developer-quiz.txt
+[07:19:32] <prometheanfire> #link https://projects.gentoo.org/comrel/recruiters/quizzes/developer-quiz.txt
+[07:19:45] <NeddySeagoon> What is 'gpg competence' ?
+[07:20:08] <antarus> I think the real challenge is that the community doesn't understand what qualifies people to be members, or not
+[07:20:15] <antarus> and this reduces credibility of membership
+[07:20:40] <antarus> (and just of the foundation in general)
+[07:21:31] <prometheanfire> sure, I do think a quiz is a good idea (to ensure knowlege about what membership means and requires)
+[07:22:41] <antarus> any other comments? otherwise we can vote?
+[07:23:19] <robbat2> i want a clear definition of the gpg competence for the implementation; but i'd like to vote now
+[07:23:28] <antarus> please vote aye or nay
+[07:23:44] <prometheanfire> suggestion for a quiz to be adopted (give us something to vote on, rather than a concept)
+[07:24:39] <antarus> I believe the current proposal is the staff quiz
+[07:24:50] <antarus> Lets start with that then
+[07:24:51] <prometheanfire> ok
+[07:25:00] <robbat2> the proposal says staff quiz + gpg competence
+[07:25:07] <robbat2> on the staff quiz: aye
+[07:25:10] <antarus> propose that new foundation members take the "developer quiz"
+[07:25:20] <antarus> (as linked above)
+[07:25:37] <prometheanfire> nay
+[07:26:06] <robbat2> antarus: your vote is going to decide ;-)
+[07:26:14] <antarus> I know, its terrible
+[07:26:16] <antarus> I vote aye
+[07:26:19] <prometheanfire> lol
+[07:26:43] -*- prometheanfire would like to see the questions updated to be more applicable to foundation membership
+[07:27:02] <antarus> happy to iterate on content there
+[07:27:06] <prometheanfire> k
+[07:27:12] <antarus> I generally prefer some kind of concrete criteria over nothing
+[07:27:14] <NeddySeagoon> who will asess quizzes ?
+[07:27:16] <antarus> whichi is why I voted aye
+[07:27:28] <antarus> trustees@, clearly ;)
+[07:27:29] <prometheanfire> NeddySeagoon: the proposal states that the trustees do
+[07:27:48] <prometheanfire> #link https://bugs.gentoo.org/645192
+[07:28:02] <NeddySeagoon> That works. So no @gentoo.org for members from that.
+[07:28:12] <antarus> #agreed that new foundation members take the "developer quiz"
+[07:28:29] <antarus> #info https://bugs.gentoo.org/536668 - Change grammar of social contract to be clearer
+[07:29:15] <antarus> in particular I think we should vote on the update prometheanfire just added to the bug
+[07:29:15] <prometheanfire> do we have a proposal of the actual change to be made?
+[07:29:40] <antarus> #link https://bugs.gentoo.org/536668#c5
+[07:29:53] -*- prometheanfire will vote last on that
+[07:30:20] <antarus> I thought i had to vote last as a matter of procedure ;p
+[07:30:24] <robbat2> to give another concrete example of something we do & must hide: PII as part of treasurer reimbursement process
+[07:30:29] <antarus> any comments before voting?
+[07:30:44] <prometheanfire> antarus: nice to have, not needed, doesn't really mater much imo
+[07:30:47] <prometheanfire> for this at least
+[07:31:03] <prometheanfire> robbat2: ack
+[07:31:18] <prometheanfire> I wrote the update as I did to allow us leeway in what we decide to hide
+[07:31:24] <prometheanfire> chaned will to may as well
+[07:31:27] <antarus> in general I prefer a culture where we assume people act in good faith
+[07:32:04] <antarus> that means allowing them to actually act on their own and not have enumeration; within reason
+[07:33:02] <antarus> please vote yay or nay
+[07:33:06] <antarus> or aye or nay
+[07:33:10] <antarus> ;)
+[07:33:46] <robbat2> aye
+[07:33:49] <antarus> aye
+[07:33:50] <prometheanfire> aye
+[07:33:55] <robbat2> (afk, brb)
+[07:34:09] <antarus> #agreed The social contract will be amended as per https://bugs.gentoo.org/536668#c5
+[07:34:29] <antarus> #info https://bugs.gentoo.org/642072 - Vote on new DCO
+[07:34:33] <antarus> #link https://bugs.gentoo.org/642072
+[07:35:04] <prometheanfire> before the meeting we talked about implimentation timeline
+[07:35:55] <antarus> my opinion is that we delegate to council for implementation timeline
+[07:35:55] <prometheanfire> 2 weeks for interpreting it, 2 more weeks for enforcing
+[07:36:24] <prometheanfire> that's fine too
+[07:36:51] <antarus> I want to see it happen, I'm not sure it matters if it happens tomorrow or 30 days from now, or whatever
+[07:36:57] <antarus> I assume the council will do the right thing
+[07:37:12] <antarus> robbat2: we can vote when you return
+[07:37:24] <prometheanfire> I don't quite like 'The term "open source" has been replaced by "free software" throughout.
+[07:37:33] <prometheanfire> because that's less exact imo
+[07:37:42] <prometheanfire> then again, open source isn't exactly great
+[07:38:05] <prometheanfire> The term "free software" is used for consistency with the language of the Gentoo Social Contract [1].
+[07:38:10] <prometheanfire> but still...
+[07:38:14] <antarus> hrm, https://dev.gentoo.org/~ulm/glep-copyrightpolicy.html is also 404
+[07:38:27] <antarus> https://www.gentoo.org/glep/glep-0076.html is I guess what we are voting on
+[07:38:28] <ulm> it's at https://www.gentoo.org/glep/glep-0076.html
+[07:38:30] <antarus> #link https://www.gentoo.org/glep/glep-0076.html
+[07:38:39] <ulm> yep :)
+[07:38:46] <prometheanfire> yes, I'm looking at https://www.gentoo.org/glep/glep-0076.html
+[07:38:59] <prometheanfire> I'm fine to vote now
+[07:41:40] <robbat2> back
+[07:41:52] <antarus> robbat2: any comments on glep 76 before voting?
+[07:42:19] <robbat2> i also disagree w/ open source vs free software, but understand why the change for consistency
+[07:43:00] <robbat2> esp that the social contract definition invokes OSI
+[07:43:10] <robbat2> so what it calls 'free software' is really what OSI calls open source
+[07:43:27] <prometheanfire> yep
+[07:44:17] <antarus> so noted
+[07:44:28] <antarus> please vote aye / nay on glep 76
+[07:44:44] <prometheanfire> aye
+[07:45:58] <robbat2> aye
+[07:46:38] <antarus> #agreed Glep 76 is accepted
+[07:46:53] <robbat2> antarus: did you vote?
+[07:46:54] <antarus> ulm: congratulations on your hard work driving this process
+[07:46:56] <robbat2> i don't see it above
+[07:46:58] <antarus> do I need to vote?
+[07:47:01] <prometheanfire> I didn't see a vote
+[07:47:03] <ulm> thanks
+[07:47:04] <prometheanfire> it'd be good
+[07:47:07] <antarus> aye
+[07:47:10] <prometheanfire> :D
+[07:47:30] <antarus> much cats were herded
+[07:47:53] <antarus> #info Bug 659620 - Please look into possibilities of providing crypto/enhanced security hardware to developers
+[07:47:55] <willikins> antarus: https://bugs.gentoo.org/659620 "Please look into possibilities of providing crypto/enhanced security hardware to developers"; Gentoo Foundation, Proposals; IN_P; mgorny:trustees
+[07:47:56] <prometheanfire> ulm: the fun is just starting, now changes get to be implimented :P
+[07:47:58] <antarus> #link https://bugs.gentoo.org/659620
+[07:48:06] <antarus> oh thanks willikins
+[07:48:18] <ulm> prometheanfire: yeah, that will take some time
+[07:48:28] <ulm> repoman, mainly
+[07:48:35] <prometheanfire> sure
+[07:48:56] <prometheanfire> antarus: my main comment for the token, is I'm not sure the use case
+[07:49:09] <prometheanfire> do we want it for gpg, or 2fa? (or both)
+[07:49:09] <robbat2> b-man's two motion texts were only in trustees email
+[07:49:25] <robbat2> i'd like them copied here for the record
+[07:49:33] <robbat2> (i'll paste if no objections)
+[07:49:42] <prometheanfire> please do (aye)
+[07:49:53] <robbat2> Motion: I move that the board vote to accept the offer from Yubico or
+[07:49:53] <robbat2> Nitrokey and begin our agreement with the accepted vendor beginning 1
+[07:49:54] <robbat2> September 2018. This motion will provide security tokens to all current
+[07:49:54] <robbat2> developers listed in Gentoo's LDAP infrastructure as of 31 August 2018.
+[07:49:54] <robbat2> Motion: I move that the board vote to maintain the aforementioned
+[07:49:56] <robbat2> agreement in order to support future Gentoo developers with security
+[07:49:58] <robbat2> tokens. This motion includes the right to terminate future purchases
+[07:50:01] <robbat2> based on the Foundation's financials.
+[07:50:25] <antarus> we could change the dates, I supposed
+[07:50:28] <prometheanfire> ya
+[07:50:44] <prometheanfire> but I'm still not sure what problem it's an attempt to solve
+[07:51:21] <robbat2> it's just trying to encourge better GPG practice
+[07:51:23] <prometheanfire> I know mgorny was testing 2fa
+[07:51:29] <robbat2> not trying to solve general 2FA requirement
+[07:51:31] <antarus> The yubico keys were approximately 6600$, the nitrokeys were 4700 (both for a count of 150)
+[07:51:33] <prometheanfire> ok
+[07:51:39] <antarus> (sorry both in USD)
+[07:51:48] <prometheanfire> nitrokey would dropship too
+[07:52:15] <robbat2> dropship and we're not on the hook for all of them, incremental billing
+[07:52:21] <prometheanfire> for gpg only purposes I have my vote ready on the two motions
+[07:52:32] <robbat2> (i'm going to have to go in a moment)
+[07:52:44] <antarus> #info: We will publish the actual agreements, if possible, post meeting
+[07:53:33] <antarus> I propose 3 votes
+[07:53:51] <antarus> 1) Should we spend foundation funds to buy keys for Gentoo developers?
+[07:54:00] <antarus> 2) Yubico or Nitrokey?
+[07:54:11] <antarus> 3) the second b-man motion, essentially
+[07:54:17] <robbat2> i have a 4th vote to add
+[07:54:24] <antarus> (as the first motion is only for existing developers)
+[07:54:30] <robbat2> or rather, it's a clarification of vote text
+[07:54:34] <antarus> shoot
+[07:54:39] <antarus> Trying to wrap this up in the next 5 minutes ;)
+[07:54:57] <robbat2> 1) Should we spend foundation funds to buy keys for Gentoo developers, for GPG signing?
+[07:55:03] <antarus> ack, sgtm
+[07:55:06] <robbat2> 4) Should we spend foundation funds to buy keys for Gentoo developers, general 2FA?
+[07:55:18] <prometheanfire> k
+[07:55:29] <robbat2> antarus: you good with that #4?
+[07:55:35] <antarus> Yes
+[07:55:40] <antarus> Please vote on the first motion.
+[07:55:48] <robbat2> aye on #1
+[07:55:53] <prometheanfire> aye to the ammended first motion
+[07:55:56] <antarus> aye
+[07:56:10] <antarus> #agreed We shall spend foundation funds to buy keys for Gentoo developers, for GPG signing.
+[07:56:49] <antarus> 2) Given the two vendor options as secured by b-man, please vote by saying "yubico" or "nitrokey"
+[07:57:04] <robbat2> #2: nitrokey
+[07:57:05] <antarus> #info vendor selection: Yubico or Nitrokey?
+[07:57:19] <prometheanfire> aye for nitrokey
+[07:57:24] <antarus> nitrokey
+[07:57:34] <antarus> #agreed We will more forward with the Nitrokey agreement
+[07:57:49] <robbat2> (yubico is better hardware choice I feel, but cannot ship to some of our developers and has other non-hardware downsides like open source concerns)
+[07:58:19] <antarus> #info Do we agree to maintain the nitrokey agreement for potential future developers?
+[07:58:26] <antarus> please vote aye or nay
+[07:58:29] <prometheanfire> robbat2: ack
+[07:58:37] <prometheanfire> aye
+[07:58:48] <robbat2> aye, for 12 months subject to renewal by later trustees
+[07:59:08] <antarus> aye
+[07:59:23] <antarus> #agreed The agreement shall cover potential future developers and will require annual renewal
+[07:59:30] <prometheanfire> sgtm
+[07:59:43] <antarus> #info (4) Should the foundatoin spend funds to purchase hardware tokens for 2FA purposes?
+[07:59:57] <prometheanfire> nay, needs more clarification on usage / need
+[08:00:19] <prometheanfire> infra input there would be helpful
+[08:00:36] <antarus> The only existing 2FA is blogs, github, and d.g.o (but not git.g.o)
+[08:00:39] <antarus> (iirc)
+[08:00:47] <robbat2> nay, because the hardware options aren't solidified enough yet (no FIDO2 options per my other email)
+[08:01:00] <antarus> nay for basically the same reasons
+[08:01:10] <antarus> hopefully some tokens covering the new standards come out soon
+[08:01:13] <robbat2> gitolite has 2FA support, but no SSO-like integration which makes it really painful
+[08:01:32] <robbat2> specifically it's NOT SSH 2FA, it's a seperate layer
+[08:01:54] <prometheanfire> ya, I would like fido2 + gpg
+[08:01:55] <antarus> #info Motion 4 failed to be accepted
+[08:02:31] <antarus> #info prometheanfire update on wiki copy?
+[08:02:41] <antarus> #link https://bugs.gentoo.org/662182
+[08:02:47] <prometheanfire> sure
+[08:02:47] <robbat2> re the keys, I have a statement as treasurer I'd like on record
+[08:03:12] <antarus> robbat2: go
+[08:03:35] <robbat2> if devs retire less than 6 months after having the key, i'm going to ask they wipe & ship it back to (exact locations to be decided later, to avoid international shipping)
+[08:03:43] <robbat2> after that, i intend to write off the cost
+[08:04:04] <antarus> ok
+[08:04:17] <robbat2> if the return shipping cost is too high, it's an writeoff already
+[08:04:36] <robbat2> (because it's cheaper to ship a new unit to somebody else)
+[08:04:46] <NeddySeagoon> Return and ship out again cost
+[08:04:54] <prometheanfire> I emailed the whois contact (best I could find), reply was automated to go to a web form for contact, I did that, have not recieved a response, I think we need to escelate next, though I just checked and 404 https://www.linuxsecrets.com/gentoo-wiki/
+[08:05:07] <antarus> prometheanfire: excellent
+[08:05:38] <antarus> I'm goign to skip jmbsvicetto for robbat2; any treasurer updates?
+[08:05:47] <prometheanfire> so they didn't respond but did act, I cc'd the trustees for my email, but I pointed to the name/usage guidelines for how they could come in compliance (and to the wayback machine as an example)
+[08:05:54] <antarus> #info Treasurer updates
+[08:06:15] <robbat2> treasurer: thanks to NeddySeagoon for his work collecting in-kind history from wiki+public cvs
+[08:06:16] <antarus> prometheanfire: that is similar to my experience when sending out these notifications
+[08:06:34] <robbat2> further collection is needed from infra inventory emails, infra cvs&git history [cfengine/puppet]
+[08:06:41] <robbat2> and old infra logs
+[08:06:52] <robbat2> on the assignment of value to machines
+[08:07:18] <robbat2> i have spoken to several sponsors so far, and they ask that I come up with a consistent form request for them to pass to their accountants/finance people
+[08:07:48] <robbat2> so far that's packet.net, OSL, bytemark, SevenL
+[08:07:55] <robbat2> that I asked about it
+[08:08:21] <robbat2> all of those were verbal discussion; packet & OSL were in person
+[08:08:35] <robbat2> (during open source summit conference)
+[08:08:59] <robbat2> that's all on the treasurer front
+[08:09:07] <robbat2> are we having a motion on the RFP?
+[08:09:31] <prometheanfire> my suggestion these is to use robbat2's suggestions with it
+[08:09:36] <antarus> My preference is to send it out before the next board meeting
+[08:09:42] <antarus> I was going to ask where it was at ;)
+[08:09:52] <prometheanfire> atm it's on K_F's site
+[08:10:19] <antarus> #link https://dev.gentoo.org/~k_f/irs-rfp-wip2.pdf
+[08:10:19] <robbat2> there's latex source for it
+[08:10:24] <antarus> was the last copy I have available
+[08:10:29] <prometheanfire> #link https://download.sumptuouscapital.com/gentoo/irs-rfp.pdf
+[08:10:37] <prometheanfire> that's 'current'
+[08:10:53] <prometheanfire> ya, latex is in get, somewhere
+[08:11:13] <Shentino> Original proposer here in regards to bug 645192. By "GPG competence" I mean that the prospective new member knows enough about GPG to actually sign the quiz when submitting it as part of their application.
+[08:11:15] <willikins> Shentino: https://bugs.gentoo.org/645192 "Staff quiz and gpg competence should be required for foundation membership"; Gentoo Foundation, Proposals; CONF; shentino:trustees
+[08:11:45] <antarus> robbat2: basically I think we need to amend the RFP with your draft comments, check the RFP in somewhere we know
+[08:11:56] <prometheanfire> sgtm
+[08:11:57] <antarus> and we can do the motion over email on the nfp list
+[08:12:05] <robbat2> copy git history to our own repos
+[08:12:09] <robbat2> edit, publish
+[08:12:24] <prometheanfire> wfm
+[08:12:25] <robbat2> that other RFP that I saw during the week may have some further improvements too
+[08:12:36] <antarus> who is owning that set of work
+[08:12:41] <antarus> robbat2: do you have bandwidth for it?
+[08:13:07] <antarus> (feel free to say no)
+[08:13:27] <robbat2> i do not have time presently
+[08:13:35] <robbat2> and I have to leave the meeting now
+[08:13:39] <robbat2> for kids
+[08:13:40] <robbat2> bye
+[08:13:48] <antarus> ok
+[08:13:51] <antarus> cya ;)
+[08:14:04] <robbat2> (for next meeting, weekend of the 20th or 27th plz)
+[08:14:11] -*- antarus will find someone
+[08:14:19] <antarus> October is...a bad month for me ;)
+[08:14:36] <antarus> #info bugs
+[08:14:38] <antarus> I closed a bunch
+[08:14:43] <antarus> the end
+[08:14:57] <prometheanfire> :D
+[08:15:00] <prometheanfire> I just closed mine
+[08:15:04] <antarus> I'll post the logs, the motions, the emails, the agenda, and the topic
+[08:15:06] <antarus> cause..why not
+[08:15:19] <prometheanfire> lol
+[08:15:33] <antarus> prometheanfire: next meeting, any preference?
+[08:15:41] <antarus> I suspect i am in europe both 20 and 27th
+[08:16:02] <prometheanfire> I'm doing wedding stuff 18-23
+[08:16:18] <prometheanfire> other than that am open
+[08:16:28] <antarus> so of the 20th and 27th, you prefer the latter?
+[08:16:36] <prometheanfire> yes
+[08:16:38] <antarus> ack
+[08:16:53] -*- antarus bangs gavel
+[08:16:55] <antarus> #endmeeting
+[08:16:55] <trusteeBot> Meeting ended Sat Sep 15 23:16:54 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)