Dear Mr Bohm,
Some answers in the text:

On 30/05/2014 23:52, Jakob Bohm wrote:
Dear Mr. Delaage,

You are getting things massively wrong, details inline.

On 5/30/2014 11:03 PM, Pierre DELAAGE wrote:
Dear Gentlemen,
I am taking this conversation not from the beginning, as it seems to be
now quite long.

Of course I understand various moral aspects of the discussion, no doubt
about that.


This particular discussion is not about morals as much as it is about
maintaining the OpenSSL project's and the OpenSSL Foundation's
reputation as providing a high quality crypto library not crippled or
sabotaged by or for the benefit of Governments or spies of any kind.
Yes, of course, but to protect its reputation, the OpenSSL team presently feels it has to pass judgement on the morality of its financial contributors.
This is where the discussion is now.

But I really think that OpenSSL acts as a kind of apolitical foundation,
and NOT as an association.


Indeed the donations in question go into an actual apolitical
foundation.
Ok, good, perfect.

The difference is important:
in an association, the OpenSSL organization WOULD REQUIRE some
constraints on its MEMBERS.


We are discussing self-imposed constraints on the Foundation's
acceptance of funds from various sources, not constraints on
any persons.
OK, but "who" will decide and "how"?
How will you make this process objective and transparent and NOT time consuming... and, I would say, "politically" time consuming (in various talks, meetings and so on)?

But acting as a foundation, this discussion is OUT OF SCOPE.

An example from real life:

Do you think that UNESCO or the RED CROSS or RED CRESCENT refuse money
from this or that country depending on its political orientation?

The different organizations named Red Cross/Crescent DO impose
limitations on who they accept money from.  Some sections accept only
from Governments, some never from Governments, some impose limits on
the proportions of either.  This is clearly stated on their respective
web pages.

This is not exactly the contrary of what I said:
those criteria you list ARE NOT at all related to the "political orientation" of the financial contributors, but JUST THEIR INSTITUTIONAL STATUS.

"Some sections accept from Governments... others not at all"...
Well, OK, but you will not find any sections ONLY accepting from CERTAIN GOVERNMENTS and NOT OTHERS.

And I suggest we do something like that, but with accounting transparency and NO contractual link between the TEAM and DONORS.

This is the hard point, related or not to the present discussion around "bad" countries: how can the OPENSSL team guarantee it is REALLY independent from governments and/or big organizations?

Just by publishing the names and CVs of its members.

Or just by respecting the GPL? But it seems that has not prevented some organizations from injecting weaknesses into the code...


On the contrary, as any non-profit POLITICALLY NEUTRAL international
institution, OpenSSL MAY ACT as a meeting point between parties and
contributors that are basically far from each other... And somehow, it
is a GOOD thing if it helps people from different cultures to cooperate
and lower their level of distrust...

Reducing levels of mutual distrust is NOT the business of OpenSSL.
This is anyway the spirit of open source and the GPL:
Let me re-word it like this: "increase the level of trust" in private communications between people from everywhere...


On the contrary it is to provide means of protection in the presence of
maximum distrust amongst people.  Therefore OpenSSL needs to be seen as
doing no favors to the people most distrusted.
I am talking about contributors, by money or code; you are talking about users.
We are not contradicting each other.

Will you perform morality inquiries into your code contributors? No, I don't think so.
Should you? Unless you are a government agency, you have no means to do that...


On the forums, I can see many people from various countries...

On the other hand, I can often see some obvious hackers from POLITICALLY
CORRECT countries who are just trying to find out how to create backdoors in
systems:

So, what will "we" do: refuse some good people (and/or their money)
from not politically correct countries,
and accept bad people (and/or money) from politically correct countries?

Absurd.


Which is why my suggestion was to refuse money from ANY Government, regardless of political sympathies.
OK, this is an option.
But what about big companies?
Or small "fake" companies?
Or "suspect" individuals who are very rich people coming from nowhere?

How will you make serious and deep inquiries into all of these "sources"?
You can't.

Because it is the *legitimate* and accepted job of Governments to spy on their enemies, domestic as well as foreign, subject only to their
own self-imposed limitations.  Even the Vatican Government has at
least one investigative branch.
Of course, "the world is stone"...


Absurd, in fact, in the sense that in THE SAME way we CANNOT judge the
morality of INDIVIDUALS participating on the forums,
we cannot, or at least we should not, judge the morality of States or of
people from some States...



Specifically to address this, I was careful to choose examples from
multiple countries, and none from the country that sparked the debate.


I also deliberately listed some much trusted (in FOSS circles)
Government entities as NO examples and some frequently distrusted
non-Government entities as YES examples.

I see...


I can hear some of you being hurt by this... but let me finish.

Then, if we accept money from everywhere AS WE ALREADY accept forum or
code contributions from EVERYWHERE,
there remains the problem of "publicity"...

Well, this is simple: we SHOULD NOT MAKE ANY PUBLICITY for the donations.
I was thinking about an exception for individuals or some enterprises,
but forget it: at one time or another some individual or enterprise will
make us uncomfortable.


That would be even worse in terms of protecting the project's and
foundation's reputation as not being bribed by anyone with sinister
motives.
Not worse than the RED CROSS/CRESCENT.

That way, we will see if there are donors interested in the "open source
movement and code/knowledge sharing" for the progress of humankind,
or just in publicity...

BUT: you will FAIL if you think you CAN judge the morality or
honesty of this person/state or that one:


It is not about morality of the donors at all.  It is about the morality
and reputation of OpenSSL itself, and avoiding any suspicion of
corruption.
Only transparency about OpenSSL's accounting and active members (and their links to governments/industry) will ensure that,
as in ANY other organization on this planet.

Will you one day try to investigate whether that individual has paid
all his taxes in his country?

No, you will not.

So:
Take the money without any publicity.

But... the first question is in fact: do you need money?
If yes... take it and say nothing, as UNESCO or the RED CROSS/CRESCENT do.



Look again at what I wrote about that example.

And it is not about taking a drop of money in a collection box and
anonymous donations from complete unknowns (as many Red Cross/Crescent
organizations do),
we should...

but about accepting significant portions of the
budget from any single entity which can be reasonably accused (even if
wrongly) of giving it as a bribe on behalf of itself or its masters.
Everything would be simple if the OpenSSL team were NOT relying on donations for strategic activities,
but JUST accepting donations as "nice to have".



If 200 unrelated entities donate a million each into the pool, it
doesn't matter if one or two might be suspected of wanting to bribe
OpenSSL because we can openly say that it would matter little if we
got that particular million or not.


But if just 2 unrelated entities each provide $10,000 and those are
the largest ever donations to the foundation, it matters a lot if
either of those is financially associated with an entity known to
openly want OpenSSL to be less secure (such as any Government capable
of deploying safer crypto for its own purposes while having at
least one wiretapping or spying department).
Like some "good" governments we know...
I understand what you mean... but "HOW" will you determine this in the real world:
is the OpenSSL team going to inquire into every donor?
You will need your own intelligence agency!

Really bad people/governments will come under cover, not brutally, to influence OpenSSL...

The only protection is openness of the code and frequent reviews of new code by independent people (I mean at least two separate teams of reviewers),
and independent testing also...


Another question anyway, from a basic contributor like me (involved in
the WCE port of OpenSSL):

How do I know that the foundation is really independent from States or
"BIG companies" (which are sometimes not really politically correct)...?
Maybe the list of contributors and amounts should be published annually
on some webpage in a "neutral" form,
WITHOUT any "gold" or "platinum" award...

A good compromise I think...

Yours sincerely,
Pierre Delaage






On 30/05/2014 22:22, Jakob Bohm wrote:
On 5/30/2014 12:24 AM, Geoffrey Thorpe wrote:
...

The only way to avoid any political overtones in such a situation (if that really is your intention, because "doing the right thing" is not an apolitical notion) is to blindly accept all comers or refuse all comers.
(Subject to the obvious outliers, ie. nothing criminal/illegal, no
conflict of interest, etc.) By erecting criteria beyond "no strings
attached" (which *is* a very explicit necessary condition), you are in
fact condemning yourself to the problem you are chastising us for.


I believe the additional criteria suggested would be "donor is not an
aspect of any government, military or intelligence organization,
anywhere".  So for example DARPA, the USPS, the city of Munich and (a
few years ago) Northern Rock Bank would all be out of the question,
while IBM, Google, Samsung and Goldman Sachs would be OK.
Wow...

The above paragraph is my non-political list of examples of government
versus non-government examples.


Any intermediary organization would need to do more than just launder
the money.  They would need to pool it with many other donations,
distribute to many other projects and give the donors no influence on
which projects benefit from their donations, thus obviously and
provably denying the donors even the appearance of a potential ability
to threaten to reward or punish a project via the purse strings.



Enjoy

Jakob

Coming back to basics:
Does the OpenSSL team NEED money? And how is it (or does it wish to be) financed?

Regards,
Pierre


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
