Re: Proposed GR: Repeal the 2005 vote for declassification of the debian-private mailing list

[Anthony Towns <aj@erisian.com.au>]

On Mon, Sep 12, 2016 at 09:36:24AM -0700, Russ Allbery wrote:
> Didier 'OdyX' Raboud <odyx@debian.org> writes:
> > I now also tend to think that we, as a collection of individuals, also
> > need some sort of "safe space" to discuss certain things, [...]
> Furthermore, I think it's unrealistic that such a space won't exist.  If
> we remove debian-private on the grounds that it's contrary to project
> goals, that email will just move into private email threads cc'd to
> leader@ or DAM, and become even less transparent.

If we improved the transparency of project-wide discussions by removing
or (eventually) disclosing -private; then it'd make sense to improve
the transparency of leader@ and DAM mails as well (and DSA, ftpmaster,
keyring, security, etc). All those roles should be accountable to project
members and our users and the free software community.

Also compared to how things were ten or so years ago, all those things
have improved: eg, keyring has a git history of all their work, and uses
rt to field requests; leader@ has a /srv/ directory that tracks things
going on. The release team seems a good example too -- they use the BTS,
public IRC, public meetbot logs, and public mailing lists, and (from
what I've seen) tend to post summaries of in person discussions to lists.

> This is a human thing, not a technical thing.

Keeping things secret is definitely a human tendency, but it's not
generally a good one. Sometime it's the best of bad options -- giving
developers time to release fixes to security problems vs immediate
disclosure, is a trivial example; but I honestly can't think of anything
related to Debian that warrants more than a few years of temporary
secrecy.

> Likewise, that's why the correct points about how non-private
> debian-private is in practice aren't really on point.  Often the concern
> isn't full-blown confidentiality, but casual searchability or just the
> desire to not have to immediately deal with reactions (including via
> private email) from the general Internet.

Both those problems ("casual searchability" and "not having to immediately
deal with reactions") seem solved by delayed publication. Just mentioning
someone's name on a Debian list isn't enough to have whatever you say
on the first page of google anymore.

I really do appreciate the desire to avoid overwrought criticism, a la
the systemd nonsense, or just regular modern day social media dogpiles,
but ultimately, as a project Debian's meant to be accountable to our
users and the free softare community, and for that to happen we can't
hide our discussions from them, even if that does mean having to develop
thick enough skins to cope with nonsense.

I don't think "just develop a thick skin" is the only answer though. In
particular, private/internal discussion with delayed but automatic
publication seems to me like an easy and good compromise on that front;
in both reducing the nonsense, while still being accountable to our
users and the free software community.

Cheers,
aj

(I don't think "if you don't like Debian you can just use/contribute to
 Red Hat or Ubuntu or whatever" is sufficient accountability or engagement
 with our users or the free software community, but if you do, then my
 argument probably isn't terribly persuasive)