
Interesting how the US govt Executive Order on “cybersecurity” (May 2021) is clear and precise when it comes to software supply chain security: “using administratively separate build environments”, “employing automated tools […] to maintain trusted source code supply chains”, etc. (Ring a bell?)

whitehouse.gov/briefing-room/p

The White House · Executive Order on Improving the Nation's Cybersecurity: “By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows: Section 1.”
Danny O'B

@civodul I think it’s worth looking at how Google responded to that order (with an apparent commitment of $10B): less because I think their approach is better or even valid, but because that position is what we will be swimming in for the next few years blog.google/technology/safety-

blog.google · Why we’re committing $10 billion to advance cybersecurity: “Today, we are announcing that we will invest $10 billion over the next five years to strengthen cybersecurity.”

@civodul for instance, I find it fascinating that just as enterprises are finally understanding that perimeter security is a bandaid and try to move to “zero-trust”, infra companies like Google are redefining that as “zero (except for us) trust”.

@mala @civodul If they want to spend that the most efficient way, they should donate much of it to #nlnet. Those folks know what they are doing and have a proven track record of improving the status quo.

@ArneBab @civodul I would love to see what would do with $10 billion

@mala @ArneBab @civodul

Maybe they could use the money to finally make a Code of Conduct and not claim they don't need one, or that they only consider public activities and not private ones in their decision making!

@ArneBab @mala @civodul

I went to Michiel about a code of conduct complaint about a grant I was on, and explained that because of it, I was terminating my involvement in the grant, which in itself should have terminated the grant.

Instead of terminating it, he modified the grant to allow it to continue with the other party.

When I found out about that, I went to him about it and he told me a number of things, which I'll outline in the next post.

...

@ArneBab @mala @civodul

First, he said there's no CoC for NLNet. He said they don't need one. He said that they only consider public things and not things said/done in private.

He also said that it wasn't possible to terminate a grant, which is obviously false.

The way that he and NLNet reacted tells me that they don't take these issues seriously and that while they are certainly doing good things, they have a serious issue with ethics that they should address.

@emacsen @mala @civodul I can understand that they do not consider things done in private: It would make it easy to take down anyone's project by making false claims — either by making up claims or by misrepresenting context. If it’s something police cannot do anything about, a funding body has no chance to ascertain truth.

They should have a public process what to do in case of conflict within a group, though.

@emacsen @mala @civodul I’m sure that’s annoying (and I’m sorry for that), but dealing with misbehavior in a way that does not enable people to turn your process into a weapon against those who comply is pretty hard.

@ArneBab @mala @civodul

> If it’s something police cannot do anything about, a funding body has no chance to ascertain truth.

If we set our standards to be "Only as much as a court would handle" then we set the bar *extremely low*.

We don't need to have the standards of a court because we don't have the stakes of a court either.

@emacsen @mala @civodul The stakes are effectively „you lose your job“, right? To me these are side-projects, but to some these are their whole income. In Germany if you have a permanent position such things are handled in court (there are courts specialized in employment law). If it’s a project and you wrongly throw someone out, I’m not sure about the legal implications.

@ArneBab @mala @civodul

This is a difference between the US and European countries.

There are only a few exceptions to that within the bounds of the US.

Even in Canada, which differs from the US, an employer can terminate an employee as long as there is "just cause", and violation of company policies around things like harassment, racism, etc. would certainly qualify as just cause, especially since in most companies you sign a contract to abide by company policy.

@emacsen @mala @civodul In Germany (and I guess in the Netherlands, too, whose laws apply to nlnet), you have to prove wrongdoing to fire someone. This can get ugly for both sides if the employee feels that the firing was unjust and goes to court.

@ArneBab @mala @civodul

A grant isn't an employment contract AFAIK, but this also gets into specifics whereby the grant had to be modified when I left, which Michiel said was impossible to do. NLNet never brought up the issue of employment contracts or employment law.

@emacsen @mala @civodul I didn’t expect them to bring that up, but that’s the constraints they might be operating in.

But anyway: I might be wrong about this. There might just be something to fix that can be fixed.

@mala @ArneBab @civodul Hire a bunch of people to work on bootstrapping Guix? That would be great.

@mala @ArneBab @civodul @vagrantc has a point. There's an opportunity here to get government funding for work like that.

@be @ArneBab @mala Sure that’d be great. :-)

A lot has already happened, partly through volunteer work and partly thanks to @NGIZero grants and the tireless work of @janneke (with #Mes for the C toolchain), @roptat (Java, OCaml), and others (for Rust, Racket, ARM support in Mes, etc.):

guix.gnu.org/en/blog/tags/boot

#Bootstrapping work is a huge endeavor though and it’s never “finished”—at least not until “bootstrappable” software is the norm!

guix.gnu.org · Page 1 — Bootstrapping — Blog — GNU Guix: “Blog posts about Bootstrapping on GNU Guix.”

@mala @civodul
> Extending the zero-trust security model

Wow that's awesome, great job big G, now how about notarizing your chromebook update packages so I know I'm not getting a special signed update Just For Me...