On Wed, Jun 03, 2020 at 03:54:18PM -0700, Noah Meyerhans wrote:
> On Thu, Jun 04, 2020 at 12:42:47AM +0200, Thomas Goirand wrote:
> > > IMHO, this requirement makes more difficult to find as someone from the
> > > people, as AFAIK many of us are working in a way for a cloud provider,
> > > or a partner.
> > >
> > > What are we actually afraid of here ? As far as the build process of the
> > > images is in the open.
> >
> > We're afraid of conflict of interest. There's been multiple times where
> > we saw it could happen, and by having the delegates not involved with a
> > provider, we're hoping to reduce that risk.
>
> Can you cite a specific example? I cannot think of one.

A major cloud provider contracted a consultancy* to prepare official Debian cloud images for that platform. These were published under an account owned by that consultancy rather than by Debian. I had to repeat myself a few times at that Seattle sprint when explaining how that situation was not appropriate, to the blank stares of some sprint participants**.

> If *all* delegates were affiliated with a single cloud provider or other
> similar entity, then I'd be more inclined to share your concern. As it
> is, I think calling out that our restrictions on the delegations are
> unusual in the broader context of DPL delegations is an interesting
> point, and we should consider the possibility that we're excluding
> people who might otherwise be well suited to this role.

I remain of the opinion that the delegate should be independent. The DPL is free to think through whether to remove these restrictions (which isn't the same as removing a delegated authority, to be clear).

> Practically speaking, the cloud team delegates have little real power
> and very few actual responsibilities. The possibility of abuse is
> minimal. Transparency in our decision making processes should be more
> than sufficient to address any potential concerns.

See above example, now thankfully corrected + a few similar examples. My opinion is that the delegate has the responsibility to ensure that these accounts are held by Debian (via TO), at the very least. I would like there never to be a situation where one person or consultancy controls Debian's presence on a platform, even if that person is employed by the owner of said platform.

I have spoken. (Meaning, I'm unlikely to repeat myself again. :) )

Ciao,

Luca

* I really like that consultancy. They do good work and have good people. They contribute a lot to the community. That's not the point.
** Not necessarily from that consultancy.

-- 
Luca Filipozzi
