Openness of mailing lists #1
Comments
|
Hi, this was not a change in policy, but a UI bug. |
So are you saying there is no config option to (possibly) restrict access to the archives? |
|
@baentsch there is, but it wasn't set to do so. |
|
I did more digging. On 07 FEB, on all the mailing lists, the Linux Foundation automation bot or Todd Benzies made some changes. I can't tell what the changes were, just that they were made. On the main list, I made changes on 06 March, but that changed nothing. |
So I thought, @ryjones . This is precisely the reason why I am requesting with this issue a binding policy decision by PQCA as to the setting of this config -- and to inform everyone subscribing of this permanent policy within the registration email. Without this, PQCA can decide at any time to close out the general public from its discussion(archive)s (or again "UI bugs" may happen or --not exactly trust-enhancing-- things like "the Linux Foundation automation bot or Todd Benzies made some changes"). This actually also is one of the reasons why I am not on Discord: As an independent, non-Linux Foundation member I do not want to hand control over information flow to FOSS projects I maintain to a corporate-controlled entity that can remove access or data at any time:
|
I don't think we need to officially make this a policy. Our default policy is that everything should be as open as possible. This means that almost everything except budget discussions and security vulnerability disclosures are public. If we make a policy, then people might assume that some things aren't open, which is not what we want.
We can't control all bugs, but we can promise that as LF staff we won't close out the general public from discussion archives. In general, you can assume that we will strive to make everything as open as reasonably possible.
In an ideal world, we would have open source software hosting tools that are fully decentralized. You could imagine a decentralized hosting service that functioned like a blockchain and simultaneously hosted software and tools for software on a number of different clouds and platforms, meaning that no company could censor or remove access to software or communications. Unfortunately, this is not where we are today. While you correctly point out that Discord is centrally controlled, so is Github itself (it's a subsidiary of Microsoft). In theory, Microsoft could take everything on Github down tomorrow. While this is obviously an extremely low probability event, the probability of such a thing happening for Discord is also probably quite small (although maybe not as small as that of Github). So, while I sympathize with your principles, I am willing to compromise for the sake of efficiency. |
You may not want it, but you do it: By also stating
you confirm the assumption that PQCA restricts the open flow of information. By not stating publicly, e.g., in the mailing list subscription documentation, what it is that PQCA retains to "members only" eyes it shirks a public discussion about this. This is a pretty controversial approach in a project involving security software ("security by obscurity"? See "Open Design" cf. NIST 800-123). Assuming the 2 exceptions to the term "almost everything" [should be open] above are the only ones, allow me to comment them:
But we digress: The question was: Is PQCA willing to commit to a policy regarding mailing list openness? The answer of PQCA seems to be "No". I personally find this a wrong decision and countering the interest of the wider OSS community interested in topics PQCA works on. By not committing to support open communication flows you are also robbing PQCA of external perspectives by people valuing that property and who may be beneficial to progress and/or finding alternative solutions, e.g. benefiting more entities than just PQCA members. In turn a question to you personally, @hartm: Would you be willing to publicly state your affiliation and function in this as otherwise it is difficult to judge whether your statements above indeed are an informed decision by the PQCA governing board (are you its chair?), one of Linux Foundation (paying your salary, right?) or your personal opinion (always welcome) -- or whether this all coalesces into one (a bit scary)? This surely would help understand the governance model of PQCA -- actually, another sign of openness and arguably befitting a project called "PQCA/governance".
Yes. An asteroid could crash into Redmond tomorrow, too. Fun aside: Microsoft taking down (all software on) |
We obviously don't believe in security by obscurity, and I am sorry if my reply could be interpreted in any way as supporting this. In fact, defining a PQCA security vulnerability disclosure policy will be one of the first things that the PQCA TAC needs to do. The OpenSSF has done a lot of work on this.
Keeping budget discussions partially hidden is standard practice for nonprofits and government agencies. It is not about on what, exactly, money is being spent, but more about negotiating. For instance, if the PQCA wants to contract with a third party for a security audit, it becomes difficult to get the best price if that company can hear all of the internal discussion on the topic.
To my knowledge, no other Linux Foundation project has such a policy. I'm not sure why the PQCA would want or need to be the first project to do so. There are also probably other things that would have to be excluded from being open like code of conduct violation/harassment reporting, so writing a policy would be tricky and would likely require legal approval. That being said, TAC meetings are completely open (and start next week--see the TAC list). Anyone is always welcome to bring things in front of the TAC, and you could bring this up for discussion, although there are probably things for the first couple of meetings that most folks will consider higher priority than this. Personally, I would share this sentiment: we have more important things to do at this point in the project than hash out a mailing list openness policy, including things like setting a project lifecycle policy, a security vulnerability disclosure policy, electing a TAC chair, and so forth.
Sure! I am not on the governing board, which will soon also have the TAC chair on it as per the PQCA Charter. However, I am a full-time Linux Foundation employee. The LF is pretty excellent about letting us state our personal opinions, so yes, this is my personal opinion. Does that clarify things for you? |
And this is exactly my concern regarding LinuxFoundation projects, incl. PQCA: Not having a general policy committing to openness in all regards.
Some people may agree to this, but the question of openness in my view is rather central to OSS projects.
Yes, it does, Thank You. I will leave this issue open until/if PQCA GB decided on its course concerning openness. |
This is to request a long-term decision as to the openness of PQCA mailing list archives.
My personal preference would be to document them as permanently and openly accessible and searchable to anyone without registration and make subscribers aware of this policy upon registration.
Reason for this request is a change of policy from "closed" to "open" in the past few days, indicating the policy could be changed (back again).
The text was updated successfully, but these errors were encountered: