Interesting how the US govt Executive Order on “cybersecurity” (May 2021) is clear and precise when it comes to software supply chain security: “using administratively separate build environments”, “employing automated tools […] to maintain trusted source code supply chains”, etc. (Ring a bell?)
@civodul I think it’s worth looking at how Google responded to that order (with an apparent commitment of $10B): less because I think their approach is better or even valid, but because that position is what we will be swimming in for the next few years https://blog.google/technology/safety-security/why-were-committing-10-billion-to-advance-cybersecurity/
@civodul for instance, I find it fascinating that just as enterprises are finally understanding that perimeter security is a band-aid and are trying to move to “zero-trust”, infra companies like Google are redefining that as “zero (except for us) trust”.
I went to Michiel about a code of conduct complaint about a grant I was on, and explained that because of it, I was terminating my involvement in the grant, which in itself should have terminated the grant.
Instead of terminating it, he modified the grant to allow it to continue with the other party.
When I found out about that, I went to him about it and he told me a number of things, which I'll outline in the next post.
...
First, he said there's no CoC for NLNet. He said they don't need one. He said that they only consider public things and not things said/done in private.
He also said that it wasn't possible to terminate a grant, which is obviously false.
The way that he and NLNet reacted tells me that they don't take these issues seriously and that, while they are certainly doing good things, they have a serious issue with ethics that they should address.
@emacsen @mala @civodul I can understand that they do not consider things done in private: It would make it easy to take down anyone's project by making false claims — either by making up claims or by misrepresenting context. If it’s something police cannot do anything about, a funding body has no chance to ascertain truth.
They should have a public process for what to do in case of conflict within a group, though.
> If it’s something police cannot do anything about, a funding body has no chance to ascertain truth.
If we set our standards to be "Only as much as a court would handle" then we set the bar *extremely low*.
We don't need to have the standards of a court because we don't have the stakes of a court either.
@emacsen @mala @civodul The stakes are effectively „you lose your job“, right? To me these are side-projects, but to some these are their whole income. In Germany if you have a permanent position such things are handled in court (there are courts specialized in employment law). If it’s a project and you wrongly throw someone out, I’m not sure about the legal implications.
This is a difference between the US and European countries.
There are only a few exceptions to that within the bounds of the US.
Even in Canada, which differs from the US, an employer can terminate an employee as long as there is "just cause", and violation of company policies around things like harassment, racism, etc. would certainly qualify as just cause, especially since in most companies you sign a contract to abide by company policy.
@be @ArneBab @mala Sure that’d be great. :-)
A lot has already happened, partly through volunteer work and partly thanks to @NGIZero grants and the tireless work of @janneke (with #Mes for the C toolchain), @roptat (Java, OCaml), and others (for Rust, Racket, ARM support in Mes, etc.):
https://guix.gnu.org/en/blog/tags/bootstrapping/
#Bootstrapping work is a huge endeavor though and it’s never “finished”—at least not until “bootstrappable” software is the norm!