
Re: Proposed GR: Repeal the 2005 vote for declassification of the debian-private mailing list



On Fri, Sep 09, 2016 at 05:53:23PM +0100, Ian Jackson wrote:
> Something like that, yes.  It might even be possible to, for example,
> infer what the topic of an activity spike was likely to be, and then
> infer from timing who was giving input into sensitive discussions;
> [...]

> Detailed traffic data is surprisingly revealing.  IMO -private's
> should remain private.

This seems ridiculous to me -- "-private" isn't secret: it's sent over
cleartext to hundreds of people, and in any event anyone interested in
what's going on can fairly easily join the project as a non-uploading
contributor to gain access. [0] Okay, the handful of people who've been
kicked out of the project might not be able to join directly, but that's
not much of a safeguard. Pretending that -private is actually meaningfully
private (to the point of trying to defend it from traffic analysis?)
is really just security theatre. [1]

I proposed the original declassification GR a decade ago so maybe
it's worth trying to explain my thinking behind it. My view of Debian
was that it was a way of doing software right -- usable by everyone,
for everything, where everything would be done to super high standards,
where anyone could contribute, and everyone who contributed got a say in
how things worked. As a result my view of Debian was as a shining beacon
for how unrelated projects should work too; here's a really good way of
doing things, if you can manage to copy it, you'll be way better off.

Personally, I think having communications happen in public (or at least
get declassified eventually) is a good way of holding powerful people
to account. Debian almost entirely does that already, and IMO, doesn't
get any benefit whatsoever from the little bits where it doesn't do
it. Further, the change would only mean bringing Debian up to the same
transparency processes that groups like the CIA already do for their
secrets, which surely doesn't seem like a big ask. Meanwhile, at least
historically, it has been difficult to hold some people within Debian
accountable. So, two birds right?

But I'm not sure Debian today even wants to be that sort of shining beacon
of how to do things right, so much as just wanting to keep putting out a
decent free distribution with minimal hassle. If you just want the latter,
then it's certainly easiest to just not publish archives of -private,
but leave it open for whatever. There's no need for a GR to achieve
that, it's what we've already been doing. 

In that sense, my reading of the original version of the GR that just
failed was pretty much "eh, we don't care that much about transparency
when it comes to ourselves and it's time we admit that". Which is fine,
I suppose -- almost every other company and organisation would say the
same if they were honest. People always want transparency from other
people and privacy for themselves.

If I were going to propose something that would be more on the "right
way to do things" with 10 years of hindsight, I think it would be more
along the lines of:

 - after 2017/01/01 00:00:00 UTC, every post to -private will be published
   publicly 3.14159 years after receipt
    * no exceptions. 
    * posting to -private on any topic is okay if there's some reason
      for it to be private rather than immediately public.
    * if you can't deal with what you post being public relatively soon,
      don't post it to a list of hundreds of people most of whom you don't
      actually know.
    * (possibly:) require mails to -private be signed by a DD/DC key,
      and bounce any mails with anyone else in the To: or Cc: headers
      to reduce non-DDs getting cc'ed on the entire thread without being
      able to participate

 - make and publish a cryptographic commitment for all prior months of
   -private archives (ie, from 1996/01 onward) [2]

 - write some code to build a database of the historical messages to
   -private, that validates against the merkle root to ensure completeness,
   and for each message track:
      a) whether the DPL/DPL's delegates think the message is spam
         or uninteresting
      b) which previous emails the message quotes
      c) whether the sender seems to be a current DD/DC with a key in the
         keyring, and if they've supplied a gpg signed publish/keep-secret
         request
      d) whether the sender has been contacted, their reply, and if
         the DPL/DPL's delegates interpreted the reply as "okay to publish"
         or a "don't reveal" request

 - write some code that allows a DD to scroll through any emails in said
   database that they sent and easily supply gpg signed publish/keep-secret
   responses

 - publish things that have been acked, verifiably against the
   cryptographic commitment (taking into account quoted messages and
   their acks)

 - review interesting historical topics that haven't been acked and
   attempt to contact authors to get acks and publish them

 - provide some way for DDs and DCs to review things that have been
   NAKed and see if there's anything interesting to know, or if the
   reasons for keeping whatever it was private at one time are really
   still important

It's been about 19 years since the threads on -private that resulted
in Debian's Social Contract and Free Software Guidelines; it'd be kind
of nice if there was a rough consensus on some process to reveal that
discussion for its 20th anniversary [3].

There have been plenty of emails with "never declassify me!" footers
since the original GR in 2005; and I suspect some of the authors of
those messages would automatically sign (machine parsable) NAKs for all
their mails now, up to 10 years later, as well. I think there's enough
interesting threads prior to then to work on publishing that it'd be a
few years work before anyone working on declassifying -private would even
get up to any of those threads so arguing whether those things should
stay private forever or should get published anyway can be deferred for
a fair while.

Cheers,
aj

[0] Why isn't "you want to read -private, just join!" good enough? For
    the same reason "you want to download the source? just signup to our
    free affiliate programme!" isn't. "But -private isn't source code"
    -- no, but it's either an important facet of how Debian works and
    therefore how our software gets to the end user, or it's not actually
    important to how Debian works, and can and should be shuttered.

[1] There's a "security through obscurity" argument to be made, of course
    -- not giving out your vacation information to everyone might be a
    helpful addition to locks on your doors at stopping you from getting
    robbed, but traffic analysis isn't going to make much difference
    there, and I don't think it works as an argument against publication
    years after the fact either... (if you reveal on -private you go
    on vacation every year at the same time, that might be still valid
    information in a few years, but a thief who's local enough to rob
    you could figure that pattern out directly pretty easily too)

[2] ie a sha256 checksum serving as a merkle root. To be really clever,
    calculate the merkle tree so that emails can be partially revealed
    without necessarily revealing text quoted from other emails [4]

[3] June 1997, "social contract" in the subject

[4] There's not really any actual benefit to a cryptographic commitment,
    but it's kind of neat, and working with neat technology is half the
    fun in Debian anyway. I'm sure the publicity team could get some
    bites with "declassifying debian-private via blockchain technology"
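An added worked example (not code from this mail or from Debian) of the commitment scheme sketched in footnotes [2] and [4] and the "validates against the merkle root" step above: each mail is its own small Merkle tree over segments tagged as the author's own text or as text quoted from another mail, and the archive root is a sha256 Merkle root over the per-mail roots, so one mail can be published with quoted segments reduced to leaf hashes and still be verified against the published root. The three sample mails are constructed, and the tree layout (lone nodes promoted unchanged, prefix-based domain separation) is an assumption of this example.

```python
import hashlib

# Constructed sample: three mails, each split into "own" text and "quote"d text.
MESSAGES = [[("own", "Proposal: publish the archive.")],
            [("quote", "Proposal: publish the archive."), ("own", "I object.")],
            [("quote", "I object."), ("own", "Fine, let's vote on it.")]]

def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def segment_leaf(kind, text):
    # Domain-separated leaf hash; kind is "own" or "quote". Caveat: a guessable
    # quoted text is confirmable from its hash, so real use needs a per-leaf salt.
    return _h(b"leaf:", kind.encode(), b":", text.encode())

def merkle(hashes, index=0):
    # Returns (root, path): path is the sibling list from leaf `index` up to the
    # root, with None where a lone node was promoted unchanged to the next level.
    path, level = [], list(hashes)
    while len(level) > 1:
        sib = index ^ 1
        path.append((level[sib], index % 2 == 1) if sib < len(level) else None)
        level = [_h(b"node:", level[i], level[i + 1]) if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

def verify_proof(leaf, path, root):
    for step in path:
        if step is not None:
            sib, leaf_is_right = step
            leaf = _h(b"node:", sib, leaf) if leaf_is_right else _h(b"node:", leaf, sib)
    return leaf == root

def commit_message(segments):
    return merkle([segment_leaf(k, t) for k, t in segments])[0]

def commit_archive(messages):
    # The published sha256 commitment: one root over every message's own root.
    return merkle([commit_message(m) for m in messages])[0]

def reveal(messages, idx):
    # Disclose one mail: own segments in clear, quoted segments as leaf hashes only,
    # plus the inclusion path that ties the mail to the published archive root.
    segs = [(k, t) if k == "own" else (k, segment_leaf(k, t).hex()) for k, t in messages[idx]]
    return {"segments": segs, "path": merkle([commit_message(m) for m in messages], idx)[1]}

def verify_reveal(archive_root, disc):
    leaves = [segment_leaf(k, t) if k == "own" else bytes.fromhex(t) for k, t in disc["segments"]]
    return verify_proof(merkle(leaves)[0], disc["path"], archive_root)
```

A disclosure that alters any own segment, or quotes a different mail than was committed, fails `verify_reveal`, which is what lets readers check completeness of a partially published archive against the one published root.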