TL;DR: I think Debian probably wants a foundation for legal protection. I think doing this as a DPL platform is all sorts of wrong. I'm speaking as an individual, although my thoughts are influenced by my time as DPL. Hi. I've generally been coming to the conclusion that we probably need to have a foundation, but my reasoning is different than Brian's. I'd first like to address our relationship with SPI. Martin asks why DPLs haven't been attending the SPI meetings. For myself two reasons. First, I never thought of doing so. If it makes it way into the DPL hand-off notes as something to consider, then I probably would have at least shown up and introduced myself. Honestly, though, from the DPL standpoint I am not at all sure the DPL really needs to get involved. Presumably Chris did attend the SPI board meetings at least once he was elected to the board:-) When I look at http://spi-inc.org/corporate/board/ I see a lot of familiar names. Three of the five board members are clearly heavily involved in Debian. And I think I've seen a couple of those officers around too in my Debian work:-) So if Debian has some concerns to work through--and we do have a couple--we can and should bring them up with the SPI board. My interactions with the SPI board fall into one of two categories: 1) When I've asked for achievable things or given feedback, I've gotten reasonably prompt answers. 2) balls got dropped. As an example we'd like to understand the implications of a SPI project working with/taking money from Huawei. That's complex and the board dropped my question with no answer. I believe a couple of others also asked this question. I'll write to -project separately about the handling of DebConf donations. ---------------------------------------- My big concern is legal liability for people contributing to Debian. I understand that to some extent I'm bringing up an issue that has been making the rounds on certain blogs. I'd like to think that I and we can discuss it more constructively here. What we tell ourselves is that Debian has no legal existence. We're part of SPI, and so we hope that we'd have the same protections as volunteers working for any non-profit. When representing Debian and SPI, the Software Freedom Law Center is very careful to advance this argument as much as possible. But there are alternative ways to look at things. At Libreplanet 2018, I was talking to a lawyer (not receiving legal advice--just a hallway conversation) who I respect. He said that if he wanted to go after Debian, he'd argue that we are a non-incorporated association. That might well mean that all our leaders are liable for all the actions of Debian. I'm not a lawyer. But if someone wanted to make that argument we'd have a fight in court as each individually named defendant tried to argue that they were just acting as a volunteer on a SPI project and tried to get the case dismissed against them. That sounds kind of unfun. There have certainly been things I've done as DPL where I really wish I had better confidence that I am a volunteer for an organized non-profit. I'll certainly note that Debian as an unincorporated association is a lot easier to understand than some more complex story. Perhaps if Debian were just a SPI project it would be easy to explain. Except what about Debian France? Are we a SPI project that happens to have assets held by Debian France? Why would we do that if we're a SPI project? Or are we somehow a SPI project *and* a Debian France project? But wait, how can that work. Recently, SPI introduced Debian to another lawyer. Now even SPI is advancing the idea that Debian has enough independent existence: the vice president recommended that I sign an agreement on behalf of Debian while SPI signed an agreement on their behalf managing any potential conflict of interest that might come up. I think I'm going to be able to avoid that situation and leave it entirely to the next DPL. I'll say that if Debian is legally just part of SPI, it doesn't make sense for Debian to be signing agreements with itself. If Debian is more than just part of SPI, I want that more to be a kind of legal entity that has protection for its officers and volunteers. I don't want the separation between SPI and Debian to be a way for counter-parties to attack us as individuals. And while we're at it, some insurance would be really nice. While working in the IETF, I had insurance. If I made a mistake as a working group chair or IANA expert--let's say related to a patent matter or some antitrust matter--there was insurance to help defend my actions. As DPL, there's no insurance at all. There's no insurance if ftpmaster members make an error around copyright, or if DAM or other parties make an error. Yeah, insurance costs money. It's not clear that Debian's recurring income supports getting the insurance I wish we had. But yet, if we went to our community and demonstrated we would spend that money to protect our community, we might find we had the funding we need. ---------------------------------------- I also think there's something to be said for the idea that Debian is big enough that we want to customize our administrative services. We want better trademark services that SPI currently provides. We want better relationships with lawyers than SPI provides by default to its projects. These things aren't going to be cheap. We probably spend more money if we set up a foundation. But we get more flexibility. That only works if we are willing to pay for the administrative services we need. Some of these things are not things that are working as volunteers. I think it would be a big risk and a big change. But I think it might be the right answer. ---------------------------------------- That said, I think attaching this question to the DPL campaign is harmful to the project. The question of forming a foundation requires planning and effort for the project to make an informed decision. That's more effort than we can make in a two-week campaign period. If we choose to make that effort it will distract from everything else. I do not think that is a responsible way to give the foundation concept the time and energy it deserves while allowing the project to make an informed decision. --Sam
Attachment:
signature.asc
Description: PGP signature