
Re: Debian Cloud Team delegation updates



On Wed, Jun 03, 2020 at 11:22:26PM +0000, Luca Filipozzi wrote:
> > > We're afraid of conflict of interest. There's been multiple times where
> > > we saw it could happen, and by having the delegates not involved with a
> > > provider, we're hoping to reduce that risk.
> > 
> > Can you cite a specific example?  I cannot think of one.
> 
> A major cloud provider contracted a consultancy* to prepare official
> Debian cloud images for that platform. These were published under an
> account owned by that consultancy rather than by Debian. I had to repeat
> myself a few times at that Seattle sprint when explaining how that
> situation was not appropriate, to the blank stares of some sprint
> participants**.

Keep in mind that that consultancy's work predated the existence of the
cloud team and of the DPL delegation.  Also keep in mind that you had
not yet been delegated (or even officially nominated) as a DPL delegate
for the cloud team.  My point is that it does not take a formal
delegation to recognize a problem and work to fix it.

> See above example, now thankfully corrected + a few similar examples. My
> opinion is that the delegate has the responsibility to ensure that these
> accounts are held by Debian (via TO), at the very least. I would like
> there never to be a situation where one person or consultancy controls
> Debian's presence on a platform, even if that person is employed by the
> owner of said platform.

I completely agree that Debian must control what goes into official
images for any cloud provider.  However, I can also envision a future in
which the cloud provider acts similarly to a traditional CD vendor.  The
cloud team is responsible for the content, but the physical media (or in
this case the image in the provider's infrastructure) is "published" by
the provider.  I can see plenty of ways for things to change over time,
if everybody is acting in good faith and being transparent about their
relationships with Debian and with cloud providers.

The point that Emmanuel made earlier is worth repeating: "this
requirement makes more difficult to find as someone from the
people, as AFAIK many of us are working in a way for a cloud provider,
or a partner."

It doesn't seem particularly far-fetched to imagine that the very people
who are most enthusiastic about running Debian in "the cloud" are going
to end up doing something to that end on behalf of a cloud service
provider or related entity.  Excluding those people seems
counterproductive.  Acknowledging and compensating for conflicts of interest
seems both worthwhile and feasible.

noah

