Two visions for the future of sourceware.org
Posted Sep 22, 2022 10:06 UTC (Thu) by jezuch (subscriber, #52988)
If now the community frowns upon this governance design, would they lose the sponsors?
> He has been "burned" in the past by overly public discussions,
Double huh!
Posted Sep 22, 2022 10:34 UTC (Thu) by nix (subscriber, #2304)
Stranger is the governance structure (of what? the hosting? all of sourceware and all the software running on it? do they have veto power on what the projects can do, or is this just overseers again under a new name?) where in return for huge piles of money -- paid, as far as I can tell, from the new sponsors to the hosting organization of their choice, *quite possibly themselves*, so this is quite possibly only money in theory, like living in a house you own is foregone rent -- the sponsors get to occupy almost all the seats on the new governance board, leaving only *one* for a rep of the actual projects. So a huge loss of control compared to now where overseers are almost all involved in various projects too. Indeed the original talk was all about the neat things that that control was letting them do and the services they were providing, which would probably be impossible in this new world because they'd be beholden to asking, and probably paying, someone else instead.
And, uh, what are the benefits? Well, unnamed third parties are worried about "cybersecurity" causing the projects to not be allowed in various other projects. Were there any actual examples? Not in the first half of the talk, and even if there were this appears to be third parties engaging in what looks very like extortion, threats to obtain a desired end, particularly if some of them are among the sponsors (not saying they are because the sponsors' identities are also largely unknown, a really good look for this sort of thing). Generally one doesn't respond to extortion by saying "yeah, good, go on, you can have all but one seat on the governing board".
Presumably, going by their actions, the unnamed third parties are worried about attackers getting into the hosting, rather than about the actual developers, at least for now, but who's to say they wouldn't start using the same argument to impose extra constraints on who can push to the GNU toolchain software on their hardware in future? Not working for an approved employer? Goodbye, you can always switch jobs! They can even use the exact same excuse. Only approved employers are "secure". This sort of thing is routine in the proprietary world, and no doubt that's the sort of entity pushing this.
Also, this whole thing is only worthwhile if the "professionally managed hosting" is vastly better than what it replaces. As we know cloud infrastructure and hosting providers are perfectly secure and never go down, oh wait no they're a really big basket containing lots of eggs, and an even bigger target for attackers!
Honestly to me it seems like the right solution is preventing people messing with the repos, and oh look we're using git so that's easy. It's pretty obvious if anyone messes with history because everyone's pulls conflict suspiciously (and if it was way back in history, fixing it is *hard*, needs hacking at everyone's individual working repos, and will stand out a mile). For recent commits getting locally committed under someone else's name, we also already have a fix: get everyone to sign their commits. SSH keys are fine, they can stick them up somewhere else on the web, on a SSL-signed domain they control or on a verified github account or something, or just get people to vouch for each other. The feature's only been in git for about ten years -- but quite possibly teaching these third parties' security consultants that git commit signing is even possible will be very hard, as will teaching them why git histories are hard to surreptitiously modify. Such people are almost always box-tickers and their boxes are often decades out of date. Maybe you can call git a blockchain to make them happy.
Attackers can also modify the system configuration (and often do), so keep the system config in git too and autovalidate it every N hours, and an attacker can only get in for N hours before their changes are reverted and the system sounds the alarm.
As someone who wasn't even at cauldron, and whose only previous impressions of Carlos have been enormously positive: if Carlos had *wanted* everyone to look on this as a giant and distinctly ugly conspiracy akin to the attempted takeover of .org by venture capitalists helmed by the person then running .org (also described as critical for security reasons, and it didn't happen and none of the promised disasters came to pass), I'm not sure he could have done better. I am baffled.
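The two measures nix proposes above (commits signed with SSH keys and verified against a list of allowed keys, plus a git-tracked system config checked for drift on a schedule), as an added example that is not from the thread. It assumes git 2.34+ and OpenSSH's `ssh-keygen`; the principal `alice`, the key paths and the `sshd_config` contents are made-up sample values.

```shell
#!/bin/sh
# Added example, not code from the thread: exercises git's SSH commit
# signing (git >= 2.34, OpenSSH >= 8.2). Names, paths and the sample
# sshd_config line are constructed for the demo.
set -eu

# Succeed only if every commit in repo $1 has a good SSH signature from a
# key listed in the allowed_signers file $2 ("<principal> <keytype> <key>").
# %G? is G for good, N for unsigned, E/B when the key is unknown or bad.
verify_signed_history() {
    bad=$(git -C "$1" -c gpg.ssh.allowedSignersFile="$2" \
              log --format='%H %G? %an' | awk '$2 != "G"')
    [ -z "$bad" ] || { printf 'unverified commits:\n%s\n' "$bad"; return 1; }
    echo ok
}

# Report files in the git-tracked config directory $1 that differ from the
# committed baseline; the "autovalidate every N hours" job would run this,
# then `git -C "$1" checkout -- .` and raise an alarm when drift is found.
config_drift() {
    drift=$(git -C "$1" status --porcelain)
    [ -z "$drift" ] || { printf 'drift detected:\n%s\n' "$drift"; return 1; }
    echo clean
}

# Throwaway demo: a signed baseline from an allowed key, then an unsigned
# commit, then a config edit made outside git. Prints "pass fail drift".
demo() {
    d=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -f "$d/key"
    printf 'alice %s\n' "$(cat "$d/key.pub")" > "$d/allowed_signers"
    git init -q "$d/cfg"
    printf 'PermitRootLogin no\n' > "$d/cfg/sshd_config"
    git -C "$d/cfg" add sshd_config
    git -C "$d/cfg" -c user.name=alice -c user.email=alice@example.org \
        -c gpg.format=ssh -c user.signingkey="$d/key" \
        commit -q -S -m 'signed baseline'
    verify_signed_history "$d/cfg" "$d/allowed_signers" >/dev/null \
        && s1=pass || s1=fail
    git -C "$d/cfg" -c user.name=bob -c user.email=bob@example.org \
        commit -q --allow-empty -m 'unsigned change'
    verify_signed_history "$d/cfg" "$d/allowed_signers" >/dev/null \
        && s2=pass || s2=fail
    printf 'PermitRootLogin yes\n' > "$d/cfg/sshd_config"
    config_drift "$d/cfg" >/dev/null && s3=clean || s3=drift
    rm -rf "$d"
    echo "$s1 $s2 $s3"
}
```

Running `demo` shows the signed baseline verifying, the unsigned commit failing verification, and the out-of-band edit being reported as drift.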
Posted Sep 22, 2022 10:41 UTC (Thu) by nix (subscriber, #2304)
(And this is the *starting* position, before they start using all that new power we just gave them. What if they decide they don't like us any more or they say they want more money because "the cost of hosting went up" -- and if these people are largely paying that money to themselves they can set the "cost" to whatever they want, whenever they want -- and then they suddenly leave us without any hosting or infrastructure or (in a "managed" world) systems at all unless we buckle under and do whatever they say or give them whatever they want to extort from us. Don't tell me hosting providers with *actual governance positions* and no other connections to the things they "govern" don't do that sort of thing, because they do, there are lots of examples starting with what happened to ICANN over the years. Overseers would never do that both because they literally can't because we never gave them the whip hand like this and because they're *us*.)
I wish I could stop thinking this way. It feels awful. I wish I could convince myself I was wrong.
Posted Sep 30, 2022 17:13 UTC (Fri) by donbarry (guest, #10485)
Yes. I think this will wake up many people whose salaries are not tied to the silent actors behind this.
Posted Oct 3, 2022 9:13 UTC (Mon) by paulj (subscriber, #341)
Yes.
Not in any organised conspiracy way, but simply as an emergent property of the fact that corporations (i.e., the managers who allocate resources) want some level of control in return for the resources they allocate. And they can be _very_ ruthless about how they go about it. They will hire programmers to work on an open-source project, then work to get control - in back-room dealing kinds of ways (see my other comment on how corporate politics can work).
Just speaking as someone who was at the sharp end of this on another project. And - I'm sorry Jon - but LWN completely uncritically ran the LF press release on that one, without reference to the other side.
Posted Sep 22, 2022 11:40 UTC (Thu) by nix (subscriber, #2304)
I suspect the only, partial protection against this would be to have an augmented version of the rules about employer identity on the GCC steering committee: that far from being a committee of sponsors, it's a committee of individuals; that no one employer or set of employers with more than 50% control in common may control more than $smallnum seats (ideally, 1)... and even then just the fact that this is an official governance structure risks employers telling their minions on the governance committee what to do. Overseers is so unglamorous that that basically doesn't happen, so this alone is a risk.
It seems to me that this idea is only justified if the risk is extreme, perhaps if IBM had said that they were reassigning all RH employees working on the toolchain to something else unless this was done -- but in that case this is an internal corporate bunfight between IBM and its subsidiary RH and why on earth is anyone else getting involved? Also, since they own sourceware anyway... this is both a worst case because of course IBM runs a cloud and might well be one of the sponsors so we might well have been landed into the above extortion scenario... and a best-case because IBM *already* in effect controls sourceware. (But the fact that overseers@ could not manage what ran on it anymore would be an awful loss, and probably a good justification on its own for migrating as much of sourceware hosting as possible to somewhere else that is not subject to this, rendering the whole thing moot.)
But of course we don't know if this is true, because almost all the parties in this proposed setup are anonymous. Anonymous, but want almost complete control. Is there any *wonder* that people are coming up with worst-case scenarios? They're writing themselves!
Posted Sep 23, 2022 9:51 UTC (Fri) by paulj (subscriber, #341)
There is a tension in Free Software between the (typically) original motivation of some development - where a developer scratches some itch and believes in Freedom, and so does the initial community that builds around it - and the motivation of those who end up working on it later IF the project becomes successful and widely used.
Many in the latter set will be corporate programmers, working for a large corporate. They like corporate control. They see it as structured, ordered, and responsible. They want clear governance. They want a corporate structure in place that can override any messy disagreements in the community, sometimes even override community consensus. And of course, it pays for their house, their family, etc. - not unreasonable things for a programmer to want, per se. Some of those in the latter set may well have come from the original set.
Some people of course do not see corporate control - whether by one or a committee of them - as a good thing. Of course, people in this set are far less likely to receive resources from the corporates. So this is typically a resource-starved set, and they simply can't (reliably) achieve as much as those backed by the corporate, commercial interests.
And I guess such is life.
The one thing I have seen is that /some/ in the corporate set can be /very/ ruthless about getting their way. Some in this set are career players of the "smile to your face, while plotting to stab you in the back, and one day surprise you with the knife" kind of politics found (and encouraged) in certain corporates. And they will bring this misery into your community.
Tales of year-long behind the scenes, secret organising with other corporates + then disrupting a talk of others, to hijack a relatively technical talk for the purposes of discussing what you want, start to point a bit in that direction, at least for me.
Also, funny how Linux Foundation is often the preferred umbrella for such corporate governed projects / project reorgs.
Without casting any aspersions, it is worth noting LWN gets funding from LF - AFAIK. I doubt it has any direct influence, but we are all humans. And, even just subconsciously, we all do tend to be slightly nicer towards hands that feed us.
Posted Sep 23, 2022 9:54 UTC (Fri) by paulj (subscriber, #341)
Posted Sep 23, 2022 13:24 UTC (Fri) by corbet (editor, #1)
We might see if they are willing to renew the travel money at some point, but we have not even asked that question. The steady stream of "I got COVID" reports coming in from the events of the last two weeks has not increased our urgency on that point.
Posted Sep 30, 2022 19:01 UTC (Fri) by pebolle (guest, #35204)
My gut feeling is that some in the non-corporate set can be just as bad. Not restricted by corporate metrics - market share, profits, etc. - some people in non-profit roles, volunteers, etc. show very limited restraint. Many such cases documented on lwn.net.
Posted Sep 30, 2022 21:17 UTC (Fri) by Wol (subscriber, #4433)
The big problem I hit is that the professionals just don't "get" that many of us are elderly and disabled. Okay, that's not true of me but it is true of most of my fellow volunteers. And every now and then they have to be forcibly reminded that we just can't do what they want.
(Then throw into the mix what I see far too often on LWN and other views of America - the *assumption* of bad faith and conspiracy - and you have a toxic mix that sadly makes stories like this commonplace.)
What's that I heard (that I've mentioned here before)? If you assume other people are typically decent, well meaning, and rational - you know, just like you - then when you have disagreements the obvious conclusion is that one of you is misinformed. And what's the betting it's you!
Cheers,
Wol
Posted Sep 23, 2022 20:19 UTC (Fri) by jhhaller (guest, #56103)
I don't know what the actual cybersecurity concerns are, but this could be part of the concerns.
Posted Sep 23, 2022 20:40 UTC (Fri) by carlos.odonell (subscriber, #99737)
Posted Sep 22, 2022 13:37 UTC (Thu) by kpfleming (subscriber, #23250)
Posted Sep 22, 2022 14:04 UTC (Thu) by Wol (subscriber, #4433)
When things are screwed up that early in the proceedings, it's rather difficult to clean up the mess.
Thus giving fuel to the conspiracy theorists. It sounds like this discussion has been going on for a while, but I remember a similar situation not that long ago when the purists were baying "why didn't you tell us earlier", and when the protagonists said "we didn't tell you earlier because there was nothing to tell you" the purists' response was "that's no excuse!".
I don't know, but if this meeting was MEANT to be "we've been discussing and we'd like to present our ideas" I think they were on a hiding to nothing. Not only did they completely mess up the presentation, but the mob are usually only too keen to complain about "fait accompli" when the presenters really do want to discuss ...
Damned if you do, damned if you don't. Sounds a bit like it ...
Cheers,
Wol
Funding from the LF
Through the end of 2019, LWN received some travel sponsorship from the LF that enabled us to get to events and was much appreciated. For some strange reason we stopped travelling in 2020 and that sponsorship ended; we have received no funds from the LF since that time. So the claim in the above comment is not really true.
