On Wed, Jun 03, 2020 at 11:22:26PM +0000, Luca Filipozzi wrote:
> > > We're afraid of conflict of interest. There's been multiple times where
> > > we saw it could happen, and by having the delegates not involved with a
> > > provider, we're hoping to reduce that risk.
> >
> > Can you cite a specific example? I cannot think of one.
>
> A major cloud provider contracted a consultancy* to prepare official
> Debian cloud images for that platform. These were published under an
> account owned by that consultancy rather than by Debian. I had to repeat
> myself a few times at that Seattle sprint when explaining how that
> situation was not appropriate, to the blank stares of some sprint
> participants**.

Keep in mind that that consultancy's work predated the existence of the
cloud team and of the DPL delegation. Also keep in mind that you had not
yet been delegated (or even officially nominated) as a DPL delegate for
the cloud team. My point is that it does not take a formal delegation to
recognize a problem and work to fix it.

> See above example, now thankfully corrected + a few similar examples. My
> opinion is that the delegate has the responsibility to ensure that these
> accounts are held by Debian (via TO), at the very least. I would like
> there never to be a situation where one person or consultancy controls
> Debian's presence on a platform, even if that person is employed by the
> owner of said platform.

I completely agree that Debian must control what goes into official
images for any cloud provider. However, I can also envision a future in
which the cloud provider acts similarly to a traditional CD vendor. The
cloud team is responsible for the content, but the physical media (or in
this case the image in the provider's infrastructure) is "published" by
the provider.

I can see plenty of ways for things to change over time, if everybody is
acting in good faith and being transparent about their relationships
with Debian and with cloud providers.

The point that Emmanuel made earlier is worth repeating: "this
requirement makes more difficult to find as someone from the people, as
AFAIK many of us are working in a way for a cloud provider, or a
partner."

It doesn't seem particularly far-fetched to imagine that the very people
who are most enthusiastic about running Debian in "the cloud" are going
to end up doing something to that end on behalf of a cloud service
provider or related entity. Excluding those people seems
counterproductive. Acknowledging and compensating for conflicts of
interest seems both worthwhile and feasible.

noah