
Re: Debian Cloud Team delegation updates



On Wed, Jun 03, 2020 at 03:54:18PM -0700, Noah Meyerhans wrote:
> On Thu, Jun 04, 2020 at 12:42:47AM +0200, Thomas Goirand wrote:
> > > IMHO, this requirement makes more difficult to find as someone from the
> > > people, as AFAIK many of us are working in a way for a cloud provider,
> > > or a partner.
> > > 
> > > What are we actually afraid of here ? As far as the build process of the
> > > images is in the open.
> > 
> > We're afraid of conflict of interest. There's been multiple times where
> > we saw it could happen, and by having the delegates not involved with a
> > provider, we're hoping to reduce that risk.
> 
> Can you cite a specific example?  I cannot think of one.

A major cloud provider contracted a consultancy* to prepare official
Debian cloud images for that platform. These were published under an
account owned by that consultancy rather than by Debian. I had to repeat
myself a few times at that Seattle sprint when explaining how that
situation was not appropriate, to the blank stares of some sprint
participants**.

> If *all* delegates were affiliated with a single cloud provider or other
> similar entity, then I'd be more inclined to share your concern.  As it
> is, I think calling out that our restrictions on the delegations are
> unusual in the broader context of DPL delegations is an interesting
> point, and we should consider the possibility that we're excluding
> people who might otherwise be well suited to this role.

I remain of the opinion that the delegate should be independent. The DPL
is free to think through whether to remove these restrictions (which
isn't the same as removing a delegated authority, to be clear).

> Practically speaking, the cloud team delegates have little real power
> and very few actual responsibilities.  The possibility of abuse is
> minimal.  Transparency in our decision making processes should be more
> than sufficient to address any potential concerns.

See above example, now thankfully corrected + a few similar examples. My
opinion is that the delegate has the responsibility to ensure that these
accounts are held by Debian (via TO), at the very least. I would like
there never to be a situation where one person or consultancy controls
Debian's presence on a platform, even if that person is employed by the
owner of said platform.

I have spoken. (Meaning, I'm unlikely to repeat myself again. :) )

Ciao,

Luca

* I really like that consultancy. They do good work and have good
people. They contribute a lot to the community. That's not the point.

** Not necessarily from that consultancy.

-- 
Luca Filipozzi

