[07:06:41] <antarus> #startmeeting "Foundation 2018-09"
[07:06:41] <trusteeBot> Meeting started Sat Sep 15 22:06:41 2018 UTC and is due to finish in 60 minutes.  The chair is antarus. Information about MeetBot at http://wiki.debian.org/MeetBot.
[07:06:41] <trusteeBot> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
[07:06:41] <trusteeBot> The meeting name has been set to '_foundation_2018_09_'
[07:06:44] <dwfreed> heh
[07:07:11] <antarus> rollcall prometheanfire robbat2 antarus alicef b-man 
[07:07:17] <prometheanfire> o/
[07:07:41] <robbat2> present  but late
[07:08:30] <antarus> #info Rollcall: antarus, prometheanfire, robbat2
[07:08:44] <prometheanfire> well, quorum at least
[07:08:50] <antarus> yes quite :)
[07:08:55] <antarus> the bot is logging, supposedly
[07:08:59] <prometheanfire> itnis
[07:09:01] <prometheanfire> it is
[07:09:02] <antarus> I neglected to test that bit
[07:09:14] <dwfreed> I have text logs if you need them
[07:09:19] <antarus> #info old business
[07:09:39] <antarus> Updating the foundation address; I'm waiting until we update the NM filing
[07:09:45] <antarus> I expect to have it all done by next month
[07:10:02] <antarus> I need b-man's address to update the filing; I sent him an email abou tit
[07:10:17] <prometheanfire> ack, and also seen via cc
[07:10:32] <NeddySeagoon> Our registered addr has to stay in NM
[07:10:36] <antarus> (I may try to update ones I don't think I need the filing for)
[07:10:50] <antarus> NeddySeagoon: yes, we are updating other addresses
[07:10:52] <antarus> (not that one)
[07:10:53] <prometheanfire> robbat2: should we update the bank info? or since I stayed on are we still good (iirc dabbott was the other person on the account)
[07:11:00] <NeddySeagoon> antarus: :)
[07:11:18] <antarus> NeddySeagoon: its https://bugs.gentoo.org/show_bug.cgi?id=613950 if you are curious
[07:11:30] <robbat2> one sec, checking the latest statemnets to confirm bank addresses
[07:11:48] <prometheanfire> robbat2: and account 'holders'?
[07:13:01] <robbat2> Money market #3246 definetly has the new mailing address
[07:13:55] <robbat2> prometheanfire: can you login to the spark business account and confirm mailing address on there? it only has the registered agent addr
[07:14:00] <robbat2> on the statements
[07:14:10] <prometheanfire> ok
[07:14:11] <antarus> robbat2: can we just do this OOB and update teh bugs accordingly?
[07:14:24] <robbat2> antarus: continue in the meantime
[07:14:44] <antarus> The question of who to keep on the accounts is an interesting one
[07:14:54] <antarus> i'm not familiar enough wth business accounts to say
[07:15:24] <robbat2> the president & treasurer if possible is best-practice I've had elsewhere from research;
[07:15:37] <robbat2> failing that, president & secretary
[07:15:46] <antarus> ack
[07:15:53] <robbat2> either way, antarus should be added
[07:16:07] <robbat2> question is also if b-man should be added; and when to remove dabbott 
[07:16:36] <antarus> #action Change account holders to be [antarus,robbat2,b-man]
[07:16:38] <prometheanfire> expand then contract
[07:16:45] <antarus> bot, I hope you are doing stuff ;)
[07:16:53] <robbat2> you can't add me: because the bank won't add non us-resident
[07:17:20] <robbat2> presently on the spark is prometheanfire, dabbott
[07:17:38] <robbat2> presently on the moneymarket#3246 is tsunam (we were trying to close this one)
[07:17:43] <antarus> I aspire to add all 3, lets see how far we get
[07:18:00] <prometheanfire> antarus: robbat2 we can talk offline and work on it
[07:18:02] <antarus> I think there is a branch in NY i can go to to hopefully get that MM one taken
[07:18:10] <antarus> #info votes
[07:18:11] <prometheanfire> that'd be nice
[07:18:17] <prometheanfire> they closed satx branches...
[07:18:42] <antarus> https://bugs.gentoo.org/645192 - Staff quiz and gpg competence should be required for foundation membership
[07:19:09] <antarus> any thoughts on this one?
[07:19:16] <prometheanfire> I don't think the 'staff quiz' (now called the developer quiz) is fully suited as a foundation membership quiz
[07:19:22] <prometheanfire> it's a good base though
[07:19:28] <prometheanfire> https://projects.gentoo.org/comrel/recruiters/quizzes/developer-quiz.txt
[07:19:32] <prometheanfire> #link https://projects.gentoo.org/comrel/recruiters/quizzes/developer-quiz.txt
[07:19:45] <NeddySeagoon> What is 'gpg competence' ?
[07:20:08] <antarus> I think the real challenge is that the community doesn't understand what qualifies people to be members, or not
[07:20:15] <antarus> and this reduces credibility of membership
[07:20:40] <antarus> (and just of the foundation in general)
[07:21:31] <prometheanfire> sure, I do think a quiz is a good idea (to ensure knowlege about what membership means and requires)
[07:22:41] <antarus> any other comments? otherwise we can vote?
[07:23:19] <robbat2> i want a clear definition of the gpg competence for the implementation; but i'd like to vote now
[07:23:28] <antarus> please vote aye or nay
[07:23:44] <prometheanfire> suggestion for a quiz to be adopted (give us something to vote on, rather than a concept)
[07:24:39] <antarus> I believe the current proposal is the staff quiz
[07:24:50] <antarus> Lets start with that then
[07:24:51] <prometheanfire> ok
[07:25:00] <robbat2> the proposal says staff quiz + gpg competence
[07:25:07] <robbat2> on the staff quiz: aye
[07:25:10] <antarus> propose that new foundation members take the "developer quiz"
[07:25:20] <antarus> (as linked above)
[07:25:37] <prometheanfire> nay
[07:26:06] <robbat2> antarus: your vote is going to decide ;-)
[07:26:14] <antarus> I know, its terrible
[07:26:16] <antarus> I vote aye
[07:26:19] <prometheanfire> lol
[07:26:43] -*- prometheanfire would like to see the questions updated to be more applicable to foundation membership
[07:27:02] <antarus> happy to iterate on content there
[07:27:06] <prometheanfire> k
[07:27:12] <antarus> I generally prefer some kind of concrete criteria over nothing
[07:27:14] <NeddySeagoon> who will asess quizzes ?
[07:27:16] <antarus> whichi is why I voted aye
[07:27:28] <antarus> trustees@, clearly ;)
[07:27:29] <prometheanfire> NeddySeagoon: the proposal states that the trustees do
[07:27:48] <prometheanfire> #link https://bugs.gentoo.org/645192
[07:28:02] <NeddySeagoon> That works.  So no @gentoo.org for members from that.
[07:28:12] <antarus> #agreed that new foundation members take the "developer quiz"
[07:28:29] <antarus> #info https://bugs.gentoo.org/536668 - Change grammar of social contract to be clearer
[07:29:15] <antarus> in particular I think we should vote on the update prometheanfire just added to the bug
[07:29:15] <prometheanfire> do we have a proposal of the actual change to be made?
[07:29:40] <antarus> #link https://bugs.gentoo.org/536668#c5
[07:29:53] -*- prometheanfire will vote last on that
[07:30:20] <antarus> I thought i had to vote last as a matter of procedure ;p
[07:30:24] <robbat2> to give another concrete example of something we do & must hide: PII as part of treasurer reimbursement process
[07:30:29] <antarus> any comments before voting?
[07:30:44] <prometheanfire> antarus: nice to have, not needed, doesn't really mater much imo
[07:30:47] <prometheanfire> for this at least
[07:31:03] <prometheanfire> robbat2: ack
[07:31:18] <prometheanfire> I wrote the update as I did to allow us leeway in what we decide to hide
[07:31:24] <prometheanfire> chaned will to may as well
[07:31:27] <antarus> in general I prefer a culture where we assume people act in good faith
[07:32:04] <antarus> that means allowing them to actually act on their own and not have enumeration; within reason
[07:33:02] <antarus> please vote yay or nay
[07:33:06] <antarus> or aye or nay
[07:33:10] <antarus> ;)
[07:33:46] <robbat2> aye
[07:33:49] <antarus> aye
[07:33:50] <prometheanfire> aye
[07:33:55] <robbat2> (afk, brb)
[07:34:09] <antarus> #agreed The social contract will be amended as per https://bugs.gentoo.org/536668#c5
[07:34:29] <antarus> #info https://bugs.gentoo.org/642072 - Vote on new DCO
[07:34:33] <antarus> #link https://bugs.gentoo.org/642072
[07:35:04] <prometheanfire> before the meeting we talked about implimentation timeline
[07:35:55] <antarus> my opinion is that we delegate to council for implementation timeline
[07:35:55] <prometheanfire> 2 weeks for interpreting it, 2 more weeks for enforcing
[07:36:24] <prometheanfire> that's fine too
[07:36:51] <antarus> I want to see it happen, I'm not sure it matters if it happens tomorrow or 30 days from now, or whatever
[07:36:57] <antarus> I assume the council will do the right thing
[07:37:12] <antarus> robbat2: we can vote when you return
[07:37:24] <prometheanfire> I don't quite like 'The term "open source" has been replaced by "free software" throughout.
[07:37:33] <prometheanfire> because that's less exact imo
[07:37:42] <prometheanfire> then again, open source isn't exactly great
[07:38:05] <prometheanfire> The term "free software" is used for consistency with the language of the Gentoo Social Contract [1].
[07:38:10] <prometheanfire> but still...
[07:38:14] <antarus> hrm, https://dev.gentoo.org/~ulm/glep-copyrightpolicy.html is also 404
[07:38:27] <antarus> https://www.gentoo.org/glep/glep-0076.html is I guess what we are voting on
[07:38:28] <ulm> it's at https://www.gentoo.org/glep/glep-0076.html
[07:38:30] <antarus> #link https://www.gentoo.org/glep/glep-0076.html
[07:38:39] <ulm> yep :)
[07:38:46] <prometheanfire> yes, I'm looking at https://www.gentoo.org/glep/glep-0076.html
[07:38:59] <prometheanfire> I'm fine to vote now
[07:41:40] <robbat2> back
[07:41:52] <antarus> robbat2: any comments on glep 76 before voting?
[07:42:19] <robbat2> i also disagree w/ open source vs free software, but understand why the change for consistency
[07:43:00] <robbat2> esp that the social contract definition invokes OSI
[07:43:10] <robbat2> so what it calls 'free software' is really what OSI calls open source
[07:43:27] <prometheanfire> yep
[07:44:17] <antarus> so noted
[07:44:28] <antarus> please vote aye / nay on glep 76
[07:44:44] <prometheanfire> aye
[07:45:58] <robbat2> aye
[07:46:38] <antarus> #agreed Glep 76 is accepted
[07:46:53] <robbat2> antarus: did you vote?
[07:46:54] <antarus> ulm: congratulations on your hard work driving this process
[07:46:56] <robbat2> i don't see it above
[07:46:58] <antarus> do I need to vote?
[07:47:01] <prometheanfire> I didn't see a vote
[07:47:03] <ulm> thanks
[07:47:04] <prometheanfire> it'd be good
[07:47:07] <antarus> aye
[07:47:10] <prometheanfire> :D
[07:47:30] <antarus> much cats were herded
[07:47:53] <antarus> #info Bug 659620 - Please look into possibilities of providing crypto/enhanced security hardware to developers
[07:47:55] <willikins> antarus: https://bugs.gentoo.org/659620 "Please look into possibilities of providing crypto/enhanced security hardware to developers"; Gentoo Foundation, Proposals; IN_P; mgorny:trustees
[07:47:56] <prometheanfire> ulm: the fun is just starting, now changes get to be implimented :P
[07:47:58] <antarus> #link https://bugs.gentoo.org/659620
[07:48:06] <antarus> oh thanks willikins 
[07:48:18] <ulm> prometheanfire: yeah, that will take some time
[07:48:28] <ulm> repoman, mainly
[07:48:35] <prometheanfire> sure
[07:48:56] <prometheanfire> antarus: my main comment for the token, is I'm not sure the use case
[07:49:09] <prometheanfire> do we want it for gpg, or 2fa? (or both)
[07:49:09] <robbat2> b-man's two motion texts were only in trustees email
[07:49:25] <robbat2> i'd like them copied here for the record
[07:49:33] <robbat2> (i'll paste if no objections)
[07:49:42] <prometheanfire> please do (aye)
[07:49:53] <robbat2> Motion: I move that the board vote to accept the offer from Yubico or
[07:49:53] <robbat2> Nitrokey and begin our agreement with the accepted vendor beginning 1
[07:49:54] <robbat2> September 2018. This motion will provide security tokens to all current
[07:49:54] <robbat2> developers listed in Gentoo's LDAP infrastructure as of 31 August 2018.
[07:49:54] <robbat2> Motion: I move that the board vote to maintain the aforementioned
[07:49:56] <robbat2> agreement in order to support future Gentoo developers with security
[07:49:58] <robbat2> tokens. This motion includes the right to terminate future purchases
[07:50:01] <robbat2> based on the Foundation's financials.
[07:50:25] <antarus> we could change the dates, I supposed
[07:50:28] <prometheanfire> ya
[07:50:44] <prometheanfire> but I'm still not sure what problem it's an attempt to solve
[07:51:21] <robbat2> it's just trying to encourge better GPG practice
[07:51:23] <prometheanfire> I know mgorny was testing 2fa
[07:51:29] <robbat2> not trying to solve general 2FA requirement
[07:51:31] <antarus> The yubico keys were approximately 6600$, the nitrokeys were 4700 (both for a count of 150)
[07:51:33] <prometheanfire> ok
[07:51:39] <antarus> (sorry both in USD)
[07:51:48] <prometheanfire> nitrokey would dropship too
[07:52:15] <robbat2> dropship and we're not on the hook for all of them, incremental billing
[07:52:21] <prometheanfire> for gpg only purposes I have my vote ready on the two motions
[07:52:32] <robbat2> (i'm going to have to go in a moment)
[07:52:44] <antarus> #info: We will publish the actual agreements, if possible, post meeting
[07:53:33] <antarus> I propose 3 votes
[07:53:51] <antarus> 1) Should we spend foundation funds to buy keys for Gentoo developers?
[07:54:00] <antarus> 2) Yubico or Nitrokey?
[07:54:11] <antarus> 3) the second b-man motion, essentially
[07:54:17] <robbat2> i have a 4th vote to add
[07:54:24] <antarus> (as the first motion is only for existing developers)
[07:54:30] <robbat2> or rather, it's a clarification of vote text
[07:54:34] <antarus> shoot
[07:54:39] <antarus> Trying to wrap this up in the next 5 minutes ;)
[07:54:57] <robbat2> 1) Should we spend foundation funds to buy keys for Gentoo developers, for GPG signing?
[07:55:03] <antarus> ack, sgtm
[07:55:06] <robbat2> 4) Should we spend foundation funds to buy keys for Gentoo developers, general 2FA?
[07:55:18] <prometheanfire> k
[07:55:29] <robbat2> antarus: you good with that #4?
[07:55:35] <antarus> Yes
[07:55:40] <antarus> Please vote on the first motion.
[07:55:48] <robbat2> aye on #1
[07:55:53] <prometheanfire> aye to the ammended first motion
[07:55:56] <antarus> aye
[07:56:10] <antarus> #agreed We shall spend foundation funds to buy keys for Gentoo developers, for GPG signing.
[07:56:49] <antarus> 2) Given the two vendor options as secured by b-man, please vote by saying "yubico" or "nitrokey"
[07:57:04] <robbat2> #2: nitrokey
[07:57:05] <antarus> #info vendor selection: Yubico or Nitrokey?
[07:57:19] <prometheanfire> aye for nitrokey
[07:57:24] <antarus> nitrokey
[07:57:34] <antarus> #agreed We will more forward with the Nitrokey agreement
[07:57:49] <robbat2> (yubico is better hardware choice I feel, but cannot ship to some of our developers and has other non-hardware downsides like open source concerns)
[07:58:19] <antarus> #info Do we agree to maintain the nitrokey agreement for potential future developers?
[07:58:26] <antarus> please vote aye or nay
[07:58:29] <prometheanfire> robbat2: ack
[07:58:37] <prometheanfire> aye
[07:58:48] <robbat2> aye, for 12 months subject to renewal by later trustees
[07:59:08] <antarus> aye
[07:59:23] <antarus> #agreed The agreement shall cover potential future developers and will require annual renewal
[07:59:30] <prometheanfire> sgtm
[07:59:43] <antarus> #info (4) Should the foundatoin spend funds to purchase hardware tokens for 2FA purposes?
[07:59:57] <prometheanfire> nay, needs more clarification on usage / need
[08:00:19] <prometheanfire> infra input there would be helpful
[08:00:36] <antarus> The only existing 2FA is blogs, github, and d.g.o (but not git.g.o)
[08:00:39] <antarus> (iirc)
[08:00:47] <robbat2> nay, because the hardware options aren't solidified enough yet (no FIDO2 options per my other email)
[08:01:00] <antarus> nay for basically the same reasons
[08:01:10] <antarus> hopefully some tokens covering the new standards come out soon
[08:01:13] <robbat2> gitolite has 2FA support, but no SSO-like integration which makes it really painful
[08:01:32] <robbat2> specifically it's NOT SSH 2FA, it's a seperate layer
[08:01:54] <prometheanfire> ya, I would like fido2 + gpg
[08:01:55] <antarus> #info Motion 4 failed to be accepted
[08:02:31] <antarus> #info prometheanfire update on wiki copy?
[08:02:41] <antarus> #link https://bugs.gentoo.org/662182
[08:02:47] <prometheanfire> sure
[08:02:47] <robbat2> re the keys, I have a statement as treasurer I'd like on record
[08:03:12] <antarus> robbat2: go
[08:03:35] <robbat2> if devs retire less than 6 months after having the key, i'm going to ask they wipe & ship it back to (exact locations to be decided later, to avoid international shipping)
[08:03:43] <robbat2> after that, i intend to write off the cost
[08:04:04] <antarus> ok
[08:04:17] <robbat2> if the return shipping cost is too high, it's an writeoff already
[08:04:36] <robbat2> (because it's cheaper to ship a new unit to somebody else)
[08:04:46] <NeddySeagoon> Return and ship out again cost
[08:04:54] <prometheanfire> I emailed the whois contact (best I could find), reply was automated to go to a web form for contact, I did that, have not recieved a response, I think we need to escelate next, though I just checked and 404 https://www.linuxsecrets.com/gentoo-wiki/
[08:05:07] <antarus> prometheanfire: excellent
[08:05:38] <antarus> I'm goign to skip jmbsvicetto for robbat2; any treasurer updates?
[08:05:47] <prometheanfire> so they didn't respond but did act, I cc'd the trustees for my email, but I pointed to the name/usage guidelines for how they could come in compliance (and to the wayback machine as an example)
[08:05:54] <antarus> #info Treasurer updates
[08:06:15] <robbat2> treasurer: thanks to NeddySeagoon for his work collecting in-kind history from wiki+public cvs
[08:06:16] <antarus> prometheanfire: that is similar to my experience when sending out these notifications
[08:06:34] <robbat2> further collection is needed from infra inventory emails, infra cvs&git history [cfengine/puppet]
[08:06:41] <robbat2> and old infra logs
[08:06:52] <robbat2> on the assignment of value to machines
[08:07:18] <robbat2> i have spoken to several sponsors so far, and they ask that I come up with a consistent form request for them to pass to their accountants/finance people
[08:07:48] <robbat2> so far that's packet.net, OSL, bytemark, SevenL
[08:07:55] <robbat2> that I asked about it
[08:08:21] <robbat2> all of those were verbal discussion; packet & OSL were in person
[08:08:35] <robbat2> (during open source summit conference)
[08:08:59] <robbat2> that's all on the treasurer front
[08:09:07] <robbat2> are we having a motion on the RFP?
[08:09:31] <prometheanfire> my suggestion these is to use robbat2's suggestions with it
[08:09:36] <antarus> My preference is to send it out before the next board meeting
[08:09:42] <antarus> I was going to ask where it was at ;)
[08:09:52] <prometheanfire> atm it's on K_F's site
[08:10:19] <antarus> #link https://dev.gentoo.org/~k_f/irs-rfp-wip2.pdf
[08:10:19] <robbat2> there's latex source for it
[08:10:24] <antarus> was the last copy I have available
[08:10:29] <prometheanfire> #link https://download.sumptuouscapital.com/gentoo/irs-rfp.pdf
[08:10:37] <prometheanfire> that's 'current'
[08:10:53] <prometheanfire> ya, latex is in get, somewhere
[08:11:13] <Shentino> Original proposer here in regards to bug 645192.  By "GPG competence" I mean that the prospective new member knows enough about GPG to actually sign the quiz when submitting it as part of their application.
[08:11:15] <willikins> Shentino: https://bugs.gentoo.org/645192 "Staff quiz and gpg competence should be required for foundation membership"; Gentoo Foundation, Proposals; CONF; shentino:trustees
[08:11:45] <antarus> robbat2: basically I think we need to amend the RFP with your draft comments, check the RFP in somewhere we know
[08:11:56] <prometheanfire> sgtm
[08:11:57] <antarus> and we can do the motion over email on the nfp list
[08:12:05] <robbat2> copy git history to our own repos
[08:12:09] <robbat2> edit, publish
[08:12:24] <prometheanfire> wfm
[08:12:25] <robbat2> that other RFP that I saw during the week may have some further improvements too
[08:12:36] <antarus> who is owning that set of work
[08:12:41] <antarus> robbat2: do you have bandwidth for it?
[08:13:07] <antarus> (feel free to say no)
[08:13:27] <robbat2> i do not have time presently
[08:13:35] <robbat2> and I have to leave the meeting now
[08:13:39] <robbat2> for kids
[08:13:40] <robbat2> bye
[08:13:48] <antarus> ok
[08:13:51] <antarus> cya ;)
[08:14:04] <robbat2> (for next meeting, weekend of the 20th or 27th plz)
[08:14:11] -*- antarus will find someone
[08:14:19] <antarus> October is...a bad month for me ;)
[08:14:36] <antarus> #info bugs
[08:14:38] <antarus> I closed a bunch
[08:14:43] <antarus> the end
[08:14:57] <prometheanfire> :D
[08:15:00] <prometheanfire> I just closed mine
[08:15:04] <antarus> I'll post the logs, the motions, the emails, the agenda, and the topic
[08:15:06] <antarus> cause..why not
[08:15:19] <prometheanfire> lol
[08:15:33] <antarus> prometheanfire: next meeting, any preference?
[08:15:41] <antarus> I suspect i am in europe both 20 and 27th
[08:16:02] <prometheanfire> I'm doing wedding stuff 18-23
[08:16:18] <prometheanfire> other than that am open
[08:16:28] <antarus> so of the 20th and 27th, you prefer the latter?
[08:16:36] <prometheanfire> yes
[08:16:38] <antarus> ack
[08:16:53] -*- antarus bangs gavel
[08:16:55] <antarus> #endmeeting
[08:16:55] <trusteeBot> Meeting ended Sat Sep 15 23:16:54 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)