IRC log for #sourcefu, 2016-12-08

http://sourcefu.com

All times shown according to UTC.

Time S Nick Message
13:12 pdurbin dotplus: "mission of advising software consumers through expert scientific inquiry into software safety" http://cyber-itl.org ... also related, mentioned at Susan Sons (Center for Applied Cybersecurity Research, Indiana University) - YouTube - https://www.youtube.com/watch?v=vjSzVAKJkqU&t=17m10s
13:12 pdurbin via http://boingboing.net/2016/11/29/ntp-the-rebirth-of-ailing-fa.html
13:13 pdurbin via https://twitter.com/ICEIorg/status/803790549199233024
15:39 HedgeMage joined #sourcefu
15:39 * HedgeMage peeks in.
15:41 HedgeMage Hi, all.  pdurbin invited me.  He mentioned a discussion about Cory's posting my talk on BoingBoing, and ICEI and LF's CII being in the same-ish space. :)
15:41 HedgeMage If anybody has any questions, I'll be around for a bit.
15:42 pdurbin dotplus: over in #openhatch HedgeMage mentioned that these organizations are run differently.
15:42 pdurbin HedgeMage: I'm curious about the differences and dotplus is quite good about catching up on logs. (This channel is logged, as the topic indicates.)
15:44 HedgeMage So, the most important difference, in my opinion, is that unlike CII, ICEI does not give donors any kind of veto power over what projects or developers we sponsor.  We sometimes agree to general forms of directed funding (the only example so far is that on one occasion we took money specifically for security-related projects), but that's as specific as we get.
15:45 HedgeMage This leads to more stability for the projects we help, because there's a lot less drama and politics, we can focus more on software engineering practice.
15:46 HedgeMage At CII, a committee of reps from their big donors vote on renewing or terminating projects, and that can get very political.  CII has to do what they say because that's the agreement upon which they took the money.
15:46 HedgeMage Other differences:
15:47 HedgeMage CII only funds developers, they don't maintain any developers of their own or provide specific help, training, or expertise to projects.
15:47 HedgeMage So, their funding might help if your project has all the people and expertise it needs, but you need the funds for equipment, or to let your personnel spend more time on the project (e.g. because they have flexible jobs and can shift hours from another job to open source work if funded).
15:48 HedgeMage The thing is, that is not all projects.  That is well-suited to help *some* projects.
15:48 HedgeMage ICEI takes a far more individualized approach.
15:48 HedgeMage In some cases, we fund specific development work using a project's existing developers.
15:49 HedgeMage In others, we do work that the project couldn't do for itself because it lacks the expertise, but that work is enough of a one-off that it would be silly for the project to spend resources building skill on that front.
15:49 HedgeMage An example of that is tricky something-to-git migrations.  We now have two reposurgeon experts on hand and one person learning it, who can reconstruct very big, complex, and broken-by-multiple-migrations repo histories into a clean git repo.
15:50 HedgeMage Sometimes a big-picture rescue or re-implementation is needed: those are all complicated and very individual, but I can provide some docs on my approach if anyone's interested.  The big picture is that project sustainability is #1...
15:51 HedgeMage Because of that (and because some of the other projects we need just simply need more manpower), we have a project called New Guard that is actively mentoring early- and mid-career hackers who want to work on infrastructure software.
15:51 HedgeMage All the money in the world won't help if there's no one with the right skills to hire.
15:53 HedgeMage We're working on programs that provide secure software development training to existing OSS developers, and that do a sort of review-help-and-move-on for projects that aren't in crisis but need to improve in one or two areas.  Those are both a bit experimental at this stage.
15:53 pdurbin It certainly does sound like https://icei.org and https://www.coreinfrastructure.org are quite different. Thanks.
15:54 pdurbin HedgeMage: it sounds like the main way we can help is by sending hackers your way :)
15:54 HedgeMage We also have the ability to step in and deal with some of the weird security needs that OSS projects sometimes run into but can't handle, like vulnerability report escrow and such (i.e. edge cases they were unprepared for).
15:55 HedgeMage pdurbin: Thanks!  Send hackers, and send donations.  The IRS is now reviewing our 501(c)3 again (long story) and the broader our donation base is, the more likely we are to succeed.  (i.e. the more individual donors that make up our donor pool, even if they are $5-$10 a pop, the safer we are)
15:57 pdurbin HedgeMage: so if I send a hacker your way, she'd look at https://icei.org/activities/projects/ and assume that she'd be helping with NTP. Is that right? Is there other software to fix? Is there a list on your website?
16:00 HedgeMage pdurbin: We've got a lot more planned for 2017, but we're in the holiday lull right now.  We have a general rule of not spinning up anything new between approx Dec 1 and Jan 15 (though existing projects continue) unless there's an emergency because people are too swamped with year-end stuff and family commitments.
16:01 HedgeMage pdurbin: early 2017 plans include a re-implementation of rsync, some more NTPSec work, a security review for gitolite, and trying to hash out a better way to approach evaluating/prioritizing rescue projects so we're more systematic about it.  Also, more new guard activities :D
16:04 pdurbin Ok, hearing about stuff like rsync and gitolite is interesting. I'm just looking for the names of software that might be worked on so the hackers can pick and choose.
16:06 pdurbin There are probably viable alternatives to Gitolite such as GitLab.
16:11 HedgeMage gitolite isn't in trouble, the author reached out to us to check out its security because he doesn't have a security background
16:11 pdurbin Ah, ok. That makes sense.
16:11 HedgeMage And no, gitolite doesn't have an alternative right now... gitlab, github, any of the "alternatives" lack gitolite's granular permissions scheme, which means that they are unsuitable for maintaining infrastructure software such as the Linux kernel
16:12 pdurbin The Linux kernel uses gitolite? Huh. I always assumed they used vanilla git.
16:12 HedgeMage gitolite is protecting a LOT of critical code right now, because it's the only thing that recognizes granular permissions to the level of per-branch workflows and separate "can write" vs "can destroy history" perms and so on.
16:12 HedgeMage Nope.
16:12 HedgeMage They use git hosted behind a gitolite instance.
16:13 pdurbin "We are using an access control system called gitolite" https://www.kernel.org/faq.html
16:13 pdurbin interesting
16:13 HedgeMage But, it's maintained by one guy with no security training, so we're doing a security review for him and looking to get him some help, not because he's not doing well but because if he gets hit by a bus we are all screwed.
16:14 HedgeMage That's the thing about infrastructure software...most people aren't very aware of it until something goes horribly wrong. :)
16:15 pdurbin Yeah. Have you ever considered trying to get interviewed for the RFC podcast? This one: Request For Commits with Nadia Eghbal and Mikeal Rogers | Changelog - https://changelog.com/rfc
16:16 HedgeMage Someone pointed them out recently.  I should consider dropping a note.  I'm not familiar with the podcast, but I used to be on Nadia's email list and have met her.
16:17 pdurbin Nice. I've been meaning to read her "Roads and Bridges" report at http://www.fordfoundation.org/library/reports-and-studies/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure . I've heard it's good.
16:22 pdurbin I wonder if she's on freenode.
16:25 pdurbin Or the co-host ( http://mikealrogers.com ).
16:33 pdurbin I just opened this issue: Susan Sons from ICEI as a guest on the Request For Commits (RFC) podcast · Issue #615 · thechangelog/ping - https://github.com/thechangelog/ping/issues/615
16:34 pdurbin After seeing "Submit an issue to our open inbox on GitHub. Share your projects, news, feedback, or tips." at https://changelog.com/contact
16:34 pdurbin my hot tip :)
16:48 pdurbin HedgeMage: oh, is https://snowdrift.coop on your radar?
16:51 sivoais huh, gitolite. Good piece of software. We used it at the lab I worked at after many years of SVN.
16:52 sivoais And reimp of rsync? I'd love to read about that. Didn't know it needed one since it seemed so stable.
16:57 HedgeMage sivoais: It's been suffering from developer inattention.  It *could* be rescued in-place, but we intend to use it as a test case for re-implementing a C tool in Rust to make it easier for junior and intermediate devs to work alongside senior systems devs and get a better mentorship pipeline going.
16:57 HedgeMage sivoais: The learning curve to become a junior committer on a systems project in C is pretty long.
17:01 sivoais ah, I can see that.
17:03 HedgeMage So, yeah, it could have been fixed in place rather than re-implemented.  But, it was the just-right size and scope to experiment on, so we decided to go for it.
17:06 sivoais I'm not sure if I have the time, but I do frequently code in Perl and C. It'd be nice to have some small tasks to hop on from time to time.
17:50 pdurbin HedgeMage: is there any URL to keep an eye on for the rewrite-rsync-in-rust project?
17:53 sivoais I signed up for the mailing list that pdurbin linked earlier in the chat
17:53 sivoais :-)
17:54 pdurbin It feels like only yesterday: http://irclog.greptilian.com/sourcefu/2016-12-07 :)
18:14 pdurbin prologic: it looks like you and sivoais chatted about systems programming languages back at http://irclog.greptilian.com/sourcefu/2015-03-09#i_101177