I floated an idea in today's meeting that I am bringing to the email list
for discussion.
We continue to have security vulnerabilities reported (several came in this
week) as is to be expected for a successful project.
So far the companies reporting security issues show no sign of being
willing to pay to have these issues addressed. In a sense they have already
contributed by hiring a security firm to review the code and report these
failures to us.
The vast majority of fixes have been addressed by service providers on
behalf of their customers, Boundless on behalf of its product, or community
volunteers (often trying to get a release out).
This approach is not able to sustain the high quality we have all come to
expect from the GeoServer project.
From a sustainability point of view it does not matter who fixes these
issues so long as they are fixed. I would like feedback on the following
proposal to ensure it does not step on anyone's business model or
livelihood.
We have used OSGeo to run funding for code sprints. We can also add an
OSGeo PayPal donate button to our page. Both of these approaches treat
GeoServer as a charity and undervalue what GeoServer offers (see
references). I would like to find a middle ground between charity and
accidentally competing with service providers.
Idea:
1) Set up a "security fund" to put towards security fixes
   - operate halfway between "code sprint sponsorship" and the SAC small
     contract model
2) Participants buy in and receive
   - Need to set the price high enough to be useful, say $5000 annually
   - Offers access to the geoserver security email list, which collects and
     discusses vulnerability reports as they are reported.
   - We are "selling" visibility into security issues, not specific fixes
   - Based on the issues (which participants can now see), options are
     available:
       - Volunteer their own staff and resources to address the security
         concern
       - Fast lane: engage one of our commercial support providers
       - Slow lane: wait for the issue to be collected by a small contract
   - security email list offers a chance to coordinate testing with those
     working on the fix.
   - open to any incidental perks ("secure geoserver" logo, t-shirt,
     souvenir handcuffs ...)
3) GeoServer Team
   - Contributors interested in security issues have already signed up to
     geoserver security. Currently work is divided up across contributors /
     organizations based on availability.
   - For issues of interest to your employer, you personally, or your
     customers, you may have the availability or budget to respond
   - Set up a small contract each time there are enough issues (and enough
     budget) to address outstanding vulnerabilities.
4) Small security focused contracts
   - Looking at a T&M contract, as security issues are hard to predict and
     we are not looking to short-change developers
   - Willing to set up a contract "paying full price" for short-term high
     priority turnaround in the event of an active exploit. Budget
     permitting, of course.
   - Majority of contracts expected at a "sweetheart rate", to be handled as
     a background activity to fit in between normal "customer" work.
The above is based on security being a "roads and bridges" concern. We do
not want to compete with contributors on new feature development or general
bug fixes.
Sustainability references:
- Please Sell Something (Piero Toffanin)
  <https://drive.google.com/open?id=1K1LzA3n6wZHDdP2C_LAGxnQpg9e-5EtBVjN-Ndyd7zM>
- the middle passage (Paul Ramsey)
  <https://docs.google.com/presentation/d/1-PAgIk9--nedCdfMGEwhcnqxqy1fGYUXwWhxzMfqJZg/edit?usp=sharing>
- Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure
  (Ford Foundation)
  <https://www.fordfoundation.org/media/2976/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure.pdf>
- Sustaining Membership Program (qgis.org)
  <https://www.qgis.org/en/site/getinvolved/governance/sustaining_members/sustaining_members.html#qgis-sustaining-memberships>
- Budget and Money Guidance for projects, committees, initiatives and events
  (OSGeo)
  <https://github.com/OSGeo/osgeo/blob/master/board/documents/osgeo_financial_guidence.pdf>
--
Jody Garnett
_______________________________________________
Geoserver-devel mailing list
https://lists.sourceforge.net/lists/listinfo/geoserver-devel