Hi Bastian, On Sat, Feb 02, 2019 at 12:29:14PM +0100, Bastian Blank wrote: > On Thu, Jan 31, 2019 at 04:30:25PM -0500, Jimmy Kaplowitz wrote: > > One slightly good thing is that the transition freeze is less of an > > important deadline for this legal task than the later freeze deadlines, > > so we can still get this done in time for buster if someone has the > > necessary time. > > It was just the deadline we set to ourselves to have enough time for the > actual transition.
OK. > > If nobody has more time to pursue this than I currently do, I will do my > > best to initiate the necessary conversations by the end of next week and > > pursue them as required. If someone does have spare time to pursue this > > (with a CC to me as SPI President), that'd be great. > > I think the largest problem is to define what exactly needs to be done. > You wanted to get input from an attorney on the agreements. And that > sounded like a long process. If it's just the technical doing, then > it's rather easy. The attorney advice was specifically targeted at reviewing the terms of service and getting some indemnification for some of the provisions of the marketplace agreements, if I remember right. I've just synced on IRC with the person who recommended this approach, and I'll be getting the necessary context from them in a call this week. My guess is it wouldn't be horrible for us to sign up with the standard terms, but these things do get negotiated for cases like us where the terms don't have quite the intended effect. They're more written to target commercial proprietary software than our case. My plan: (1) get context about what the recommendation was, so that I can present it correctly to our lawyer; (2) get our lawyer to advise based on the standard terms and the context from step 1; (3) do whatever we can do between now and end of the buster cycle. > The technical todo list AFAIK is: > - Create an owner e-mail alias somewhere in spi-inc.org or debian.org, > which can be used as account owner for multiple AWS accounts and > Azure (so the alias needs to support address extension somehow). Can the owner email alias be changed later in unlikely hypothetical situations like where Debian stops working with SPI? If yes, I think it should be under @spi-inc.org since certain notices tied to the contractual relationship would likely get sent there. For an account that is only used by Debian and not other SPI projects, a @debian.org address would be okay too, but SPI people would need to be on it as well. Either way, SPI needs to (non-exclusively) receive all emails about legal, contractual, and billing/payment topics. My tentative thought is that you should get a @debian.org created for the Debian humans/lists that need to receive cloud provider account notices, and that I'll then get that alias plus some SPI people added to an new @spi-inc.org for use as the owner email address. Does that work? > - Create AWS accounts and accept > - https://aws.amazon.com/agreement/ > - https://aws.amazon.com/service-terms/ This will happen as soon as we figure out the indemnification / attorney advice, but I'm going to proceed on those prerequisites and look forward to creating the accounts. > This step needs a billing method assigned temporariliy. After that > David can somehow move the projects into the Amazon OEM organization. If it's a brief temporary need with no charges expected, we can probably use the SPI debit card. We should still get lamby to confirm as DPL that any charges during the temporary period can be paid from Debian's funds, but this should be no more of a problem than it was for the Debian Salsa arrangement on GCP. > - Create debian.org (or SPI with debian.org[1]) Azure Active Directory for > authentication. Hm. I don't know Azure AD enough to have an opinion right now about which way this should happen. My ideal is that SPI would retain ultimate control of the root of the hierarchy, that DSA would share control of the Debian portion, and that Debian and SPI each have a way to separately sync account/group info from (e.g.) Debian LDAP and from anything SPI chooses to use. I see your note here: > [1]: If the AAD is debian or spi+debian+others depends on how we want to > automatically manage users in the future. Permissions for user > management are global, so an automatic process can't be restricted to > debian.org. How would this line up with my preferences above? I realize not everything always is possible or easy. - Jimmy Kaplowitz [email protected]
