Re: [openstack-dev] The root-cause for IRC private channels (was Re: [all][tc] Lets keep our community open, lets fight for it)
-Original Message- From: Clark Boylan [mailto:cboy...@sapwetik.org] Sent: Tuesday, February 17, 2015 6:06 PM To: openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] The root-cause for IRC private channels (was Re: [all][tc] Lets keep our community open, lets fight for it) On Tue, Feb 17, 2015, at 09:32 AM, Stefano Maffulli wrote: Changing the subject since Flavio's call for openness was broader than just private IRC channels. On Tue, 2015-02-17 at 10:37 +, Daniel P. Berrange wrote: If cases of bad community behaviour, such as use of passwd protected IRC channels, are always primarily dealt with via further private communications, then we are denying the voters the information they need to hold people to account. I can understand the desire to avoid publically shaming people right away, because the accusations may be false, or may be arising from a simple mis-understanding, but at some point genuine issues like this need to be public. Without this we make it difficult for contributors to make an informed decision at future elections. You got my intention right: I wanted to understand better what lead some people to create a private channel, what were their needs. For that objective, having an accusatory tone won't go anywhere and instead I needed to provide them a safe place to discuss and then I would report back in the open. So far, I've only received comments in private from only one person, concerned about public logging of channels without notification. I wished the people hanging out on at least one of such private channels would provide more insights on their choice but so far they have not. Regarding the why at least one person told me they prefer not to use official openstack IRC channels because there is no notification if a channel is being publicly logged. Together with freenode not obfuscating host names, and eavesdrop logs available to any spammer, one person at least is concerned that private information may leak. There may also be legal implications in Europe, under the Data Protection Directive, since IP addresses and hostnames can be considered sensitive data. Not to mention the casual dropping of emails or phone numbers in public+logged channels. I think these points are worth discussing. One easy fix this person suggests is to make it default that all channels are logged and write a warning on wiki/IRC page. Another is to make the channel bot announce whether the channel is logged. Cleaning up the hostname details on join/parts from eavesdrop and put the logs behind a login (to hide them from spam harvesters). Thoughts? It is worth noting that just about everything else is logged too. Git repos track changes individuals have made, this mailing list post will be publicly available, and so on. At the very least I think the assumption should be that any openstack IRC channel is logged and since assumptions are bad we should be explicit about this. I don't think this means we require all channels actually be logged, just advertise than many are and any can be (because really any individual with freenode access can set up public logging). I don't think we should need to explicitly cleanup our logs. Mostly because any individual can set up public logs that are not sanitized. Instead IRC users should use tools like cloaks or Tor to get the level of obfuscation and security that they desire. Freenode has docs for both, see https://freenode.net/faq.shtml#cloaks and https://freenode.net/irc_servers.shtml#tor Hope this helps, Clark Hi Clark, Sorry to say, but the above is totally irrelevant regarding the current legislation. The legal system does not care individual assumptions like everybody should know we are breaking law here. What comes to individuals setting up such services, the responsibility of those records are on that individual and that individual could potentially get off the hook quite easy by claiming not knowing. What comes to OpenStack Foundation doing such activity, one could argue how far that but we did not know-attitude carries in court. [1] The Directive is based on the 1980 OECD Recommendations of the Council Concerning guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data. These recommendations are founded on seven principles, since enshrined in EU Directive 94/46/EC: Notice: subjects whose data is being collected should be given notice of such collection. Purpose: data collected should be used only for stated purpose(s) and for no other purposes. Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s). Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss. Disclosure: subjects whose personal data is being collected should be informed as to the
Re: [openstack-dev] The root-cause for IRC private channels (was Re: [all][tc] Lets keep our community open, lets fight for it)
On 17/02/15 09:32 -0800, Stefano Maffulli wrote: Changing the subject since Flavio's call for openness was broader than just private IRC channels. On Tue, 2015-02-17 at 10:37 +, Daniel P. Berrange wrote: If cases of bad community behaviour, such as use of passwd protected IRC channels, are always primarily dealt with via further private communications, then we are denying the voters the information they need to hold people to account. I can understand the desire to avoid publically shaming people right away, because the accusations may be false, or may be arising from a simple mis-understanding, but at some point genuine issues like this need to be public. Without this we make it difficult for contributors to make an informed decision at future elections. You got my intention right: I wanted to understand better what lead some people to create a private channel, what were their needs. For that objective, having an accusatory tone won't go anywhere and instead I needed to provide them a safe place to discuss and then I would report back in the open. So far, I've only received comments in private from only one person, concerned about public logging of channels without notification. I wished the people hanging out on at least one of such private channels would provide more insights on their choice but so far they have not. Right, but that isn't a valid point for a private, *password protected*, IRC channel. Regarding the why at least one person told me they prefer not to use official openstack IRC channels because there is no notification if a channel is being publicly logged. Together with freenode not obfuscating host names, and eavesdrop logs available to any spammer, one person at least is concerned that private information may leak. There may also be legal implications in Europe, under the Data Protection Directive, since IP addresses and hostnames can be considered sensitive data. Not to mention the casual dropping of emails or phone numbers in public+logged channels. With regards to logging, there are ways to hide hostnames and FWIW, I believe logging IRC channels is part of our open principles. It allows for historical research - it certainly helpped building a good point for this thread ;)- that are useful for our community and reference for future development. I don't think anyone reads IRC logs everyday but I've seen them linked and used as a reference enough times to consider them a valuable resource for our community. That said, I believe people working in a open community like OpenStack's should stop worrying about IRC logged channels - which I honestly believe are the least of their openness problems - and focus on more important things. This is an open community and in order to make it work we need to keep it as such. Honestly, this is like joining a mailing list and worrying about possible leacks in logged emails. I think these points are worth discussing. One easy fix this person suggests is to make it default that all channels are logged and write a warning on wiki/IRC page. Another is to make the channel bot announce whether the channel is logged. Cleaning up the hostname details on join/parts from eavesdrop and put the logs behind a login (to hide them from spam harvesters). Thoughts? I've proposed this several times already and I still think some consistency here is worth it. I'd vote to enable logging on all channels. Fla. P.S: Join the open side of the force #badumps -- @flaper87 Flavio Percoco pgp6m7o2MC6PB.pgp Description: PGP signature __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] The root-cause for IRC private channels (was Re: [all][tc] Lets keep our community open, lets fight for it)
On Tue, Feb 17, 2015 at 09:32:53AM -0800, Stefano Maffulli wrote: Changing the subject since Flavio's call for openness was broader than just private IRC channels. On Tue, 2015-02-17 at 10:37 +, Daniel P. Berrange wrote: If cases of bad community behaviour, such as use of passwd protected IRC channels, are always primarily dealt with via further private communications, then we are denying the voters the information they need to hold people to account. I can understand the desire to avoid publically shaming people right away, because the accusations may be false, or may be arising from a simple mis-understanding, but at some point genuine issues like this need to be public. Without this we make it difficult for contributors to make an informed decision at future elections. You got my intention right: I wanted to understand better what lead some people to create a private channel, what were their needs. For that objective, having an accusatory tone won't go anywhere and instead I needed to provide them a safe place to discuss and then I would report back in the open. Reporting back on the explanations is great, but what I'm trying to understand is at what point would you consider saying *who* was running the private IRC channels ? Would you intend for that be private forever, or would you make a judgement call on whether explanations provided are acceptable, or something else ? If it is kept private, then I think we are unable to meaningfully participate in project elections, because the information that is directly relevant to the people we are potentially voting for in future elections, is withheld from us. I'm sure you would make a decision that you considered to be in the best interests of the project, but ultimately it will always be a subjective decision. So far, I've only received comments in private from only one person, concerned about public logging of channels without notification. I wished the people hanging out on at least one of such private channels would provide more insights on their choice but so far they have not. Regarding the why at least one person told me they prefer not to use official openstack IRC channels because there is no notification if a channel is being publicly logged. Together with freenode not obfuscating host names, and eavesdrop logs available to any spammer, one person at least is concerned that private information may leak. There may also be legal implications in Europe, under the Data Protection Directive, since IP addresses and hostnames can be considered sensitive data. Not to mention the casual dropping of emails or phone numbers in public+logged channels. To me this all just feels like an attempt to come up with justification of action after the fact. Further, everything said there applies just as much to participation over email than via IRC. The spammer problem and information leakage is arguably far worse over email. Ultimately this is supposed to be an open collaborative project, so by its very nature you have to accept that information discussions in the open and so subject to viewing by anyone and at any, whether they are other contributors, users, or spammers. Ultimately though, this is just my personal POV on the matter, and other contributors in the community may feel this justification that was provided is acceptable to them. Everyone is entitled to make up their own mind on the matter. This is why I feel that if the issue reported is confirmed to be true, then the explanations offered should be made in public to allow each person to make their own subjective decision. I think these points are worth discussing. One easy fix this person suggests is to make it default that all channels are logged and write a warning on wiki/IRC page. Another is to make the channel bot announce whether the channel is logged. Cleaning up the hostname details on join/parts from eavesdrop and put the logs behind a login (to hide them from spam harvesters). Personally I think all our IRC channels should be logged. There is really no expectation of privacy when using IRC in an open collaborative project. Scrubbing hostnames/ip addresses from logs is pretty reasonable. As a comparison with email, mailman archives will typically have email addresses either scrubbed or obfuscated. I would object to them being put behind a login of any kind, because that turns the logs into an information blackhole as it prevents google, etc from indexing them. There are plenty of times when search results end up taking you to IRC logs and this is too valuable to loose just because people want some security through obscurity for their hostnames. It sucks that there are spammers on the internet, but the basis of an open project is that of openness to anyone and sadly that includes spammers that we'd all really rather went away. As soon as you start trying to close it off to certain people, you cause harm to the community as a whole,
Re: [openstack-dev] The root-cause for IRC private channels (was Re: [all][tc] Lets keep our community open, lets fight for it)
Daniel P. Berrange berra...@redhat.com writes: Personally I think all our IRC channels should be logged. There is really no expectation of privacy when using IRC in an open collaborative project. Agreed with Daniel. I am not sure how a publicly available forum/channel can be assumed that there is not going to be any records available publicly. Chmouel __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] The root-cause for IRC private channels (was Re: [all][tc] Lets keep our community open, lets fight for it)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/18/2015 05:07 PM, Michael Krotscheck wrote: You got my intention right: I wanted to understand better what lead some people to create a private channel, what were their needs. I'm in a passworded channel, where the majority of members work on OpenStack, but whose common denominator is We're in the same organizational unit in HP. We talk about openstack, we talk about HP, we talk about burning man, we talk about movies, good places to drink - it's a nice little backchannel of idle chatter. There have been a few times when things related to OpenStack came up, and in that case we've booted the topic to a public channel (There was an example just yesterday). Either way, in this case a private channel was created because we could potentially be discussing corporate things, it's more analogous to your Teams' internal Hipchat or IRC server (in fact, it started in HipChat, and then we were all 'why do we have to use another chat client' and that ended that). So there's one use case. Michael I think the use case is very valid. I think most (all?) companies have internal channels. That said, those should be concerned about downstream only work and burning men. If an upstream topic arises, people should have discipline to move discussion to upstream channels. AFAIK that's what we try to do in Red Hat, and I guess it's a valid approach that helps both a company in question to get attention to issues downstream teams are interested in, and the community. Cheers, /Ihar -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJU5Lp+AAoJEC5aWaUY1u57xDAIAJisbHHDsm1CAAWpi+eb+Bsg /QeVotuBDj1dNsSeIHU42/eI7S36Rlwfv8700YQcomwQPNTgXhiQU0y6F3anC62c rg1nXGpmSY0JFg9VaKzwZGfhN0tAMLK/IdgqSooyJwBGGGnasZCYcVQrcNyPgCjY q7vHd+1d1QEaYeJbO/CQNN9cjjVtjkclXg8DBU+yL6M1i+z60aPExEVE/b9VnrTB VfttbOi1WH6tm5bkBR4tmsGGy8UsVZ/VEEgcLOCryIy0kuJYAJ6i61Fs+AcSySyr lEPJCNTjn4t73DkGBD5NIM78wxorJ9nvNTxGyb3VdDYwnkWMpjloBTv9/DBSSCU= =fxQR -END PGP SIGNATURE- __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] The root-cause for IRC private channels (was Re: [all][tc] Lets keep our community open, lets fight for it)
You got my intention right: I wanted to understand better what lead some people to create a private channel, what were their needs. I'm in a passworded channel, where the majority of members work on OpenStack, but whose common denominator is We're in the same organizational unit in HP. We talk about openstack, we talk about HP, we talk about burning man, we talk about movies, good places to drink - it's a nice little backchannel of idle chatter. There have been a few times when things related to OpenStack came up, and in that case we've booted the topic to a public channel (There was an example just yesterday). Either way, in this case a private channel was created because we could potentially be discussing corporate things, it's more analogous to your Teams' internal Hipchat or IRC server (in fact, it started in HipChat, and then we were all 'why do we have to use another chat client' and that ended that). So there's one use case. Michael __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] The root-cause for IRC private channels (was Re: [all][tc] Lets keep our community open, lets fight for it)
Story time. (For the record, the -swift channel is logged and I don't know of any private Swift IRC channels. I fully support logging every OpenStack IRC channel.) I can understand why people might be hesitant to have a publicly logged channel. About a year ago, one of the Swift core devs said something offhand out of frustration in our channel. His employer, a prominent OpenStack contributing company, did not like what was said, and he was confronted about his comment in person at the office.[1] Now, that might have been a one-time thing. And I think it was horrible and terrible to think that our contributors cannot be open and must self-censor in case something is said that can be misinterpreted or negatively used against them or their project. I know I personally self-sensor what I say in OpenStack IRC channels. Text-based mediums lose a lot for communication, even more when it's historical logs, and I don't want to say something that is easily taken out of context or used against me or Swift. My point is that while I support logging every OpenStack channel, please realize that it does come with a cost. Think back to the conversations that happen over drinks late at night at OpenStack Summits. I've had many of those with many of you. What's said there is private and wouldn't be said in a public IRC channel. And that's ok. People need a way to brainstorm ideas and express frustration, and a public place isn't generally where that happens. --John [1] I leave it at that for now, since it was a long time ago and the details aren't important for the point of this email. Actually I'm glad that it happened briefly before our channel was logged, so you can't go back and find it. I've not heard of any other incidents like this happening before or since. On Feb 18, 2015, at 3:16 AM, Chmouel Boudjnah chmo...@enovance.com wrote: Daniel P. Berrange berra...@redhat.com writes: Personally I think all our IRC channels should be logged. There is really no expectation of privacy when using IRC in an open collaborative project. Agreed with Daniel. I am not sure how a publicly available forum/channel can be assumed that there is not going to be any records available publicly. Chmouel __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev signature.asc Description: Message signed with OpenPGP using GPGMail __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] The root-cause for IRC private channels (was Re: [all][tc] Lets keep our community open, lets fight for it)
On 02/18/2015 09:58 AM, John Dickinson wrote: My point is that while I support logging every OpenStack channel, please realize that it does come with a cost. Think back to the conversations that happen over drinks late at night at OpenStack Summits. I've had many of those with many of you. What's said there is private and wouldn't be said in a public IRC channel. And that's ok. People need a way to brainstorm ideas and express frustration, and a public place isn't generally where that happens. Good point. I agree that it comes at a cost. I originally resisted logging #openstack-nova because of that cost. The channel used to be much smaller and originally felt like a much more casual environment like bonding with the team over some beers. That's not the reality anymore. It's a very public forum (as it should be) and useful discussions happen there. I support logging all of our OpenStack channels and have re-proposed doing so for -nova. https://review.openstack.org/#/c/156979/ -- Russell Bryant __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] The root-cause for IRC private channels (was Re: [all][tc] Lets keep our community open, lets fight for it)
On 18/02/15 16:07 +, Michael Krotscheck wrote: You got my intention right: I wanted to understand better what lead some people to create a private channel, what were their needs. I'm in a passworded channel, where the majority of members work on OpenStack, but whose common denominator is We're in the same organizational unit in HP. We talk about openstack, we talk about HP, we talk about burning man, we talk about movies, good places to drink - it's a nice little backchannel of idle chatter. There have been a few times when things related to OpenStack came up, and in that case we've booted the topic to a public channel (There was an example just yesterday). Either way, in this case a private channel was created because we could potentially be discussing corporate things, it's more analogous to your Teams' internal Hipchat or IRC server (in fact, it started in HipChat, and then we were all 'why do we have to use another chat client' and that ended that). So there's one use case. I think the above is perfectly fine and it has nothing to do with OpenStack. What Stefano (and all of us) is trying to understand is why part of our community needed a private IRC channel for core reviewers to hangout together. For the later, I don't think there's a use case. I'm not arguing on the general use case for a private IRC channel, I'm arguing on the need of such channels for a specific set of core reviewers. Fla. -- @flaper87 Flavio Percoco pgpnqFoZzBFvF.pgp Description: PGP signature __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] The root-cause for IRC private channels (was Re: [all][tc] Lets keep our community open, lets fight for it)
On Tue, Feb 17, 2015, at 09:32 AM, Stefano Maffulli wrote: Changing the subject since Flavio's call for openness was broader than just private IRC channels. On Tue, 2015-02-17 at 10:37 +, Daniel P. Berrange wrote: If cases of bad community behaviour, such as use of passwd protected IRC channels, are always primarily dealt with via further private communications, then we are denying the voters the information they need to hold people to account. I can understand the desire to avoid publically shaming people right away, because the accusations may be false, or may be arising from a simple mis-understanding, but at some point genuine issues like this need to be public. Without this we make it difficult for contributors to make an informed decision at future elections. You got my intention right: I wanted to understand better what lead some people to create a private channel, what were their needs. For that objective, having an accusatory tone won't go anywhere and instead I needed to provide them a safe place to discuss and then I would report back in the open. So far, I've only received comments in private from only one person, concerned about public logging of channels without notification. I wished the people hanging out on at least one of such private channels would provide more insights on their choice but so far they have not. Regarding the why at least one person told me they prefer not to use official openstack IRC channels because there is no notification if a channel is being publicly logged. Together with freenode not obfuscating host names, and eavesdrop logs available to any spammer, one person at least is concerned that private information may leak. There may also be legal implications in Europe, under the Data Protection Directive, since IP addresses and hostnames can be considered sensitive data. Not to mention the casual dropping of emails or phone numbers in public+logged channels. I think these points are worth discussing. One easy fix this person suggests is to make it default that all channels are logged and write a warning on wiki/IRC page. Another is to make the channel bot announce whether the channel is logged. Cleaning up the hostname details on join/parts from eavesdrop and put the logs behind a login (to hide them from spam harvesters). Thoughts? It is worth noting that just about everything else is logged too. Git repos track changes individuals have made, this mailing list post will be publicly available, and so on. At the very least I think the assumption should be that any openstack IRC channel is logged and since assumptions are bad we should be explicit about this. I don't think this means we require all channels actually be logged, just advertise than many are and any can be (because really any individual with freenode access can set up public logging). I don't think we should need to explicitly cleanup our logs. Mostly because any individual can set up public logs that are not sanitized. Instead IRC users should use tools like cloaks or Tor to get the level of obfuscation and security that they desire. Freenode has docs for both, see https://freenode.net/faq.shtml#cloaks and https://freenode.net/irc_servers.shtml#tor Hope this helps, Clark __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] The root-cause for IRC private channels (was Re: [all][tc] Lets keep our community open, lets fight for it)
Changing the subject since Flavio's call for openness was broader than just private IRC channels. On Tue, 2015-02-17 at 10:37 +, Daniel P. Berrange wrote: If cases of bad community behaviour, such as use of passwd protected IRC channels, are always primarily dealt with via further private communications, then we are denying the voters the information they need to hold people to account. I can understand the desire to avoid publically shaming people right away, because the accusations may be false, or may be arising from a simple mis-understanding, but at some point genuine issues like this need to be public. Without this we make it difficult for contributors to make an informed decision at future elections. You got my intention right: I wanted to understand better what lead some people to create a private channel, what were their needs. For that objective, having an accusatory tone won't go anywhere and instead I needed to provide them a safe place to discuss and then I would report back in the open. So far, I've only received comments in private from only one person, concerned about public logging of channels without notification. I wished the people hanging out on at least one of such private channels would provide more insights on their choice but so far they have not. Regarding the why at least one person told me they prefer not to use official openstack IRC channels because there is no notification if a channel is being publicly logged. Together with freenode not obfuscating host names, and eavesdrop logs available to any spammer, one person at least is concerned that private information may leak. There may also be legal implications in Europe, under the Data Protection Directive, since IP addresses and hostnames can be considered sensitive data. Not to mention the casual dropping of emails or phone numbers in public+logged channels. I think these points are worth discussing. One easy fix this person suggests is to make it default that all channels are logged and write a warning on wiki/IRC page. Another is to make the channel bot announce whether the channel is logged. Cleaning up the hostname details on join/parts from eavesdrop and put the logs behind a login (to hide them from spam harvesters). Thoughts? /stef __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
