Time | S | Nick | Message |
13:12 | | pdurbin | dotplus: "mission of advising software consumers through expert scientific inquiry into software safety" http://cyber-itl.org ... also related, mentioned at Susan Sons (Center for Applied Cybersecurity Research, Indiana University) - YouTube - https://www.youtube.com/watch?v=vjSzVAKJkqU&t=17m10s |
13:12 | | pdurbin | via http://boingboing.net/2016/11/29/ntp-the-rebirth-of-ailing-fa.html |
13:13 | | pdurbin | via https://twitter.com/ICEIorg/status/803790549199233024 |
15:39 | | | HedgeMage joined #sourcefu |
15:39 | | * HedgeMage | peeks in. |
15:41 | | HedgeMage | Hi, all. pdurbin invited me. He mentioned a discussion about Cory's posting my talk on BoingBoing, and ICEI and LF's CII being in the same-ish space. :) |
15:41 | | HedgeMage | If anybody has any questions, I'll be around for a bit. |
15:42 | | pdurbin | dotplus: over in #openhatch HedgeMage mentioned that these organizations are run differently. |
15:42 | | pdurbin | HedgeMage: I'm curious about the differences and dotplus is quite good about catching up on logs. (This channel is logged, as the topic indicates.) |
15:44 | | HedgeMage | So, the most important difference, in my opinion, is that unlike CII, ICEI does not give donors any kind of veto power over what projects or developers we sponsor. We sometimes agree to general forms of directed funding (the only example so far is that on one occasion we took money specifically for security-related projects), but that's as specific as we get. |
15:45 | | HedgeMage | This leads to more stability for the projects we help, because there's a lot less drama and politics, we can focus more on software engineering practice. |
15:46 | | HedgeMage | At CII, a committee of reps from their big donors vote on renewing or terminating projects, and that can get very political. CII has to do what they say because that's the agreement upon which they took the money. |
15:46 | | HedgeMage | Other differences: |
15:47 | | HedgeMage | CII only funds developers, they don't maintain any developers of their own or provide specific help, training, or expertise to projects. |
15:47 | | HedgeMage | So, their funding might help if your project has all the people and expertise it needs, but you need the funds for equipment, or to let your personnel spend more time on the project (e.g. because they have flexible jobs and can shift hours from another job to open source work if funded). |
15:48 | | HedgeMage | The thing is, that is not all projects. That is well-suited to help *some* projects. |
15:48 | | HedgeMage | ICEI takes a far more individualized approach. |
15:48 | | HedgeMage | In some cases, we fund specific development work using a project's existing developers. |
15:49 | | HedgeMage | In others, we do work that the project couldn't do for itself because it lacks the expertise, but that work is enough of a one-off that it would be silly for the project to spend resources building skill on that front. |
15:49 | | HedgeMage | An example of that is tricky something-to-git migrations. We now have two reposurgeon experts on hand and one person learning it, who can reconstruct very big, complex, and broken-by-multiple-migrations repo histories into a clean git repo. |
15:50 | | HedgeMage | Sometimes a big-picture rescue or re-implementation is needed: those are all complicated and very individual, but I can provide some docs on my approach if anyone's interested. The big picture is that project sustainability is #1... |
15:51 | | HedgeMage | Because of that (and because some of the other projects just simply need more manpower), we have a project called New Guard that is actively mentoring early- and mid-career hackers who want to work on infrastructure software. |
15:51 | | HedgeMage | All the money in the world won't help if there's no one with the right skills to hire. |
15:53 | | HedgeMage | We're working on programs that provide secure software development training to existing OSS developers, and that do a sort of review-help-and-move-on for projects that aren't in crisis but need to improve in one or two areas. Those are both a bit experimental at this stage. |
15:53 | | pdurbin | It certainly does sound like https://icei.org and https://www.coreinfrastructure.org are quite different. Thanks. |
15:54 | | pdurbin | HedgeMage: it sounds like the main way we can help is by sending hackers your way :) |
15:54 | | HedgeMage | We also have the ability to step in and deal with some of the weird security needs that OSS projects sometimes run into but can't handle, like vulnerability report escrow and such (i.e. edge cases they were unprepared for). |
15:55 | | HedgeMage | pdurbin: Thanks! Send hackers, and send donations. The IRS is now reviewing our 501(c)3 again (long story) and the broader our donation base is, the more likely we are to succeed. (i.e. the more individual donors that make up our donor pool, even if they are $5-$10 a pop, the safer we are) |
15:57 | | pdurbin | HedgeMage: so if I send a hacker your way, she'd look at https://icei.org/activities/projects/ and assume that she'd be helping with NTP. Is that right? Is there other software to fix? Is there a list on your website? |
16:00 | | HedgeMage | pdurbin: We've got a lot more planned for 2017, but we're in the holiday lull right now. We have a general rule of not spinning up anything new between approx Dec 1 and Jan 15 (though existing projects continue) unless there's an emergency because people are too swamped with year-end stuff and family commitments. |
16:01 | | HedgeMage | pdurbin: early 2017 plans include a re-implementation of rsync, some more NTPSec work, a security review for gitolite, and trying to hash out a better way to approach evaluating/prioritizing rescue projects so we're more systematic about it. Also, more new guard activities :D |
16:04 | | pdurbin | Ok, hearing about stuff like rsync and gitolite is interesting. I'm just looking for the names of software that might be worked on so the hackers can pick and choose. |
16:06 | | pdurbin | There are probably viable alternatives to Gitolite such as GitLab. |
16:11 | | HedgeMage | gitolite isn't in trouble, the author reached out to us to check out its security because he doesn't have a security background |
16:11 | | pdurbin | Ah, ok. That makes sense. |
16:11 | | HedgeMage | And no, gitolite doesn't have an alternative right now... gitlab, github, any of the "alternatives" lack gitolite's granular permissions scheme, which means that they are unsuitable for maintaining infrastructure software such as the Linux kernel |
16:12 | | pdurbin | The Linux kernel uses gitolite? Huh. I always assumed they used vanilla git. |
16:12 | | HedgeMage | gitolite is protecting a LOT of critical code right now, because it's the only thing that recognizes granular permissions to the level of per-branch workflows and separate "can write" vs "can destroy history" perms and so on. |
16:12 | | HedgeMage | Nope. |
16:12 | | HedgeMage | They use git hosted behind a gitolite instance. |
16:13 | | pdurbin | "We are using an access control system called gitolite" https://www.kernel.org/faq.html |
16:13 | | pdurbin | interesting |
16:13 | | HedgeMage | But, it's maintained by one guy with no security training, so we're doing a security review for him and looking to get him some help, not because he's not doing well but because if he gets hit by a bus we are all screwed. |
16:14 | | HedgeMage | That's the thing about infrastructure software...most people aren't very aware of it until something goes horribly wrong. :) |
16:15 | | pdurbin | Yeah. Have you ever considered trying to get interviewed for the RFC podcast? This one: Request For Commits with Nadia Eghbal and Mikeal Rogers | Changelog - https://changelog.com/rfc |
16:16 | | HedgeMage | Someone pointed them out recently. I should consider dropping a note. I'm not familiar with the podcast, but I used to be on Nadia's email list and have met her. |
16:17 | | pdurbin | Nice. I've been meaning to read her "Roads and Bridges" report at http://www.fordfoundation.org/library/reports-and-studies/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure . I've heard it's good. |
16:22 | | pdurbin | I wonder if she's on freenode. |
16:25 | | pdurbin | Or the co-host ( http://mikealrogers.com ). |
16:33 | | pdurbin | I just opened this issue: Susan Sons from ICEI as a guest on the Request For Commits (RFC) podcast · Issue #615 · thechangelog/ping - https://github.com/thechangelog/ping/issues/615 |
16:34 | | pdurbin | After seeing "Submit an issue to our open inbox on GitHub. Share your projects, news, feedback, or tips." at https://changelog.com/contact |
16:34 | | pdurbin | my hot tip :) |
16:48 | | pdurbin | HedgeMage: oh, is https://snowdrift.coop on your radar? |
16:51 | | sivoais | huh, gitolite. Good piece of software. We used it at the lab I worked at after many years of SVN. |
16:52 | | sivoais | And reimp of rsync? I'd love to read about that. Didn't know it needed one since it seemed so stable. |
16:57 | | HedgeMage | sivoais: It's been suffering from developer inattention. It *could* be rescued in-place, but we intend to use it as a test case for re-implementing a C tool in Rust to make it easier for junior and intermediate devs to work alongside senior systems devs and get a better mentorship pipeline going. |
16:57 | | HedgeMage | sivoais: The learning curve to become a junior committer on a systems project in C is pretty long. |
17:01 | | sivoais | ah, I can see that. |
17:03 | | HedgeMage | So, yeah, it could have been fixed in place rather than re-implemented. But, it was the just-right size and scope to experiment on, so we decided to go for it. |
17:06 | | sivoais | I'm not sure if I have the time, but I do frequently code in Perl and C. It'd be nice to have some small tasks to hop on from time to time. |
17:50 | | pdurbin | HedgeMage: is there any URL to keep an eye on for the rewrite-rsync-in-rust project? |
17:53 | | sivoais | I signed up for the mailing list that pdurbin linked earlier in the chat |
17:53 | | sivoais | :-) |
17:54 | | pdurbin | It feels like only yesterday: http://irclog.greptilian.com/sourcefu/2016-12-07 :) |
18:14 | | pdurbin | prologic: it looks like you and sivoais chatted about systems programming languages back at http://irclog.greptilian.com/sourcefu/2015-03-09#i_101177 |