
Re: Status of Debian accounts and legal agreements with cloud providers



Hi Bastian,

On Sat, Feb 02, 2019 at 12:29:14PM +0100, Bastian Blank wrote:
> On Thu, Jan 31, 2019 at 04:30:25PM -0500, Jimmy Kaplowitz wrote:
> > One slightly good thing is that the transition freeze is less of an
> > important deadline for this legal task than the later freeze deadlines,
> > so we can still get this done in time for buster if someone has the
> > necessary time.
> 
> It was just the deadline we set for ourselves to have enough time for the
> actual transition.

OK.

> > If nobody has more time to pursue this than I currently do, I will do my
> > best to initiate the necessary conversations by the end of next week and
> > pursue them as required. If someone does have spare time to pursue this
> > (with a CC to me as SPI President), that'd be great.
> 
> I think the largest problem is to define what exactly needs to be done.
> You wanted to get input from an attorney on the agreements.  And that
> sounded like a long process.  If it's just the technical doing, then
> it's rather easy.

The attorney advice was specifically targeted at reviewing the terms of
service and getting some indemnification for some of the provisions of
the marketplace agreements, if I remember right.

I've just synced on IRC with the person who recommended this approach,
and I'll be getting the necessary context from them in a call this week.

My guess is it wouldn't be horrible for us to sign up with the standard
terms, but these things do get negotiated for cases like us where the
terms don't have quite the intended effect. They're more written to
target commercial proprietary software than our case.

My plan: (1) get context about what the recommendation was, so that I
can present it correctly to our lawyer; (2) get our lawyer to advise
based on the standard terms and the context from step 1; (3) do whatever
we can do between now and end of the buster cycle.

> The technical todo list AFAIK is:
> - Create an owner e-mail alias somewhere in spi-inc.org or debian.org,
>   which can be used as account owner for multiple AWS accounts and
>   Azure (so the alias needs to support address extension somehow).

Can the owner email alias be changed later in unlikely hypothetical situations
like where Debian stops working with SPI? If yes, I think it should be
under @spi-inc.org since certain notices tied to the contractual
relationship would likely get sent there.

For an account that is only used by Debian and not other SPI
projects, a @debian.org address would be okay too, but SPI people would
need to be on it as well.

Either way, SPI needs to (non-exclusively) receive all emails about legal,
contractual, and billing/payment topics.

My tentative thought is that you should get a @debian.org created for
the Debian humans/lists that need to receive cloud provider account
notices, and that I'll then get that alias plus some SPI people added to
a new @spi-inc.org for use as the owner email address. Does that work?

> - Create AWS accounts and accept
>   - https://aws.amazon.com/agreement/
>   - https://aws.amazon.com/service-terms/

This will happen as soon as we figure out the indemnification / attorney
advice, but I'm going to proceed on those prerequisites and look forward
to creating the accounts.

>   This step needs a billing method assigned temporarily.  After that
>   David can somehow move the projects into the Amazon OEM organization.

If it's a brief temporary need with no charges expected, we can probably
use the SPI debit card. We should still get lamby to confirm as DPL that
any charges during the temporary period can be paid from Debian's funds,
but this should be no more of a problem than it was for the Debian Salsa
arrangement on GCP.

> - Create debian.org (or SPI with debian.org[1]) Azure Active Directory for
>   authentication.

Hm. I don't know Azure AD enough to have an opinion right now about
which way this should happen. My ideal is that SPI would retain ultimate
control of the root of the hierarchy, that DSA would share control of
the Debian portion, and that Debian and SPI each have a way to
separately sync account/group info from (e.g.) Debian LDAP and from
anything SPI chooses to use.

I see your note here:

> [1]: If the AAD is debian or spi+debian+others depends on how we want to
> automatically manage users in the future.  Permissions for user
> management are global, so an automatic process can't be restricted to
> debian.org.

How would this line up with my preferences above? I realize not
everything always is possible or easy.

- Jimmy Kaplowitz
president@spi-inc.org

