Re: DDG Tasks Bug Bounty Proposal

2017-05-09 Thread Arne Babenhauserheide

Steve Dougherty writes:

> I don't think anyone is proposing that new developers get push access
> or bypass review by existing developers. We're all in agreement that
> it would not be acceptable. Matthew's question of how to avoid long
> review delays doesn't have a great answer; I can't think of anything
> beyond keeping the tasks much smaller than purge-db4o was.

We can request that the pull request be designed to be easy to
review. If it takes more than an hour for review, that’s too
long.

Best wishes,
Arne
--
Being apolitical
means being political
without noticing it


Re: DDG Tasks Bug Bounty Proposal

2017-05-09 Thread Steve Dougherty
I don't think anyone is proposing that new developers get push access or bypass 
review by existing developers. We're all in agreement that it would not be 
acceptable. Matthew's question of how to avoid long review delays doesn't have 
a great answer; I can't think of anything beyond keeping the tasks much smaller 
than purge-db4o was.

Sent from ProtonMail mobile

-------- Original Message --------
On May 9, 2017, 3:21 AM, wrote:
On Tuesday, May 09, 2017 09:12:21 AM x...@freenetproject.org wrote:
> On Monday, May 08, 2017 04:57:10 PM Ian wrote:
> > There is also a trust issue, since we would probably need to give them
> > access to source repos and other things - and it would be irresponsible to
> > do that with someone we know nothing about.
>
> For security reasons I don't think any of the core contributors will accept
> giving direct push and/or release privileges to someone who hasn't been on
> the project for years, me included.
>
> If we hire a stranger they will have to commit to their own repository and
> send pull requests just like any other unknown new contributor.
>
> Further, for code quality reasons, payment should only be sent once their
> code has been reviewed and accepted by the core team.
> Freenet is a complex project, we cannot blindly merge code from someone who
> hasn't proven to be familiar with the codebase yet. Proving this takes
> years.

I'm sorry, I wasn't clear enough:

You seemed to say that hiring a non-anonymous person would solve this problem.

I meant to reply that knowing their real name does *not* solve it:
Any new contributor will have to prove their skill by sending PRs for a long
time, anonymous or non-anonymous. Direct push/release access and payment is
not an option IMHO.

Re: DDG Tasks Bug Bounty Proposal

2017-05-09 Thread xor
On Tuesday, May 09, 2017 09:12:21 AM x...@freenetproject.org wrote:
> On Monday, May 08, 2017 04:57:10 PM Ian wrote:
> > There is also a trust issue, since we would probably need to give them
> > access to source repos and other things - and it would be irresponsible to
> > do that with someone we know nothing about.
> 
> For security reasons I don't think any of the core contributors will accept
> giving direct push and/or release privileges to someone who hasn't been on
> the project for years, me included.
> 
> If we hire a stranger they will have to commit to their own repository and
> send pull requests just like any other unknown new contributor.
> 
> Further, for code quality reasons, payment should only be sent once their
> code has been reviewed and accepted by the core team.
> Freenet is a complex project, we cannot blindly merge code from someone who
> hasn't proven to be familiar with the codebase yet. Proving this takes
> years.

I'm sorry, I wasn't clear enough:

You seemed to say that hiring a non-anonymous person would solve this problem.

I meant to reply that knowing their real name does *not* solve it:
Any new contributor will have to prove their skill by sending PRs for a long 
time, anonymous or non-anonymous. Direct push/release access and payment is 
not an option IMHO.



Re: DDG Tasks Bug Bounty Proposal

2017-05-09 Thread xor
On Monday, May 08, 2017 08:29:45 PM Matthew Toseland wrote:
> Having said that, review capacity has been a problem in the past. My
> purge-db4o work was delayed for an entire year, for example. How can we
> minimise this?

Just because our existing core contributors with review privileges aren't up 
for hire to implement the planned new features perhaps doesn't necessarily 
mean that they wouldn't accept at least being paid to review them once a new 
external developer has done the larger work of writing the code?

I feel like their primary problem is that they already have a job and thus 
lack the time for being hired for Freenet full-time development, but reviewing 
code takes less time than writing it.

Arne? Florent? Steve? You?


signature.asc
Description: This is a digitally signed message part.


Re: DDG Tasks Bug Bounty Proposal

2017-05-09 Thread xor
If the USA would consider paying anonymous people money laundering then I'd 
agree that we shouldn't risk this.

Nevertheless you raised an interesting issue which will also be relevant to 
non-anonymous employees, I'd like to say something about it:

On Monday, May 08, 2017 04:57:10 PM Ian wrote:
> There is also a trust issue, since we would probably need to give them
> access to source repos and other things - and it would be irresponsible to
> do that with someone we know nothing about.

For security reasons I don't think any of the core contributors will accept 
giving direct push and/or release privileges to someone who hasn't been on the 
project for years, me included.

If we hire a stranger they will have to commit to their own repository and 
send pull requests just like any other unknown new contributor.

Further, for code quality reasons, payment should only be sent once their code 
has been reviewed and accepted by the core team.
Freenet is a complex project, we cannot blindly merge code from someone who 
hasn't proven to be familiar with the codebase yet. Proving this takes years.



Re: DDG Tasks Bug Bounty Proposal

2017-05-08 Thread Matthew Toseland
On 08/05/17 18:21, Steve Dougherty wrote:
> -------- Original Message --------
> Subject: Re: DDG Tasks Bug Bounty Proposal
> Local Time: May 8, 2017 1:09 PM
> UTC Time: May 8, 2017 5:09 PM
> From: free...@nullvoid.me
> To: devl@freenetproject.org
>
> Can you provide the minimum identification requirements to be able to
> get a bug bounty from FPI? If you have to report to the IRS does that
> mean only citizens of the United States are eligible to work on Freenet
> for pay?

No, FPI can pay foreign developers, and has done in the past.
> As for access to the source code, is it not open source? If you mean
> push access to the repo, I thought most of the bug bounties are to fix
> bugs and submit code, not review and merge code. There is no security
> concern regarding anonymous vs known developers submitting code. At the
> end of the day the code should be reviewed line for line, whether it's
> by a "trusted" name or not.
>
> Right - I propose paying someone to write code which is then reviewed and 
> merged by existing community members with push access.

This is the correct approach - if somebody goes to the lengths to craft
some subtle vulnerability (Heartbleed!) they are not going to be
deterred by needing a name and address.

Having said that, review capacity has been a problem in the past. My
purge-db4o work was delayed for an entire year, for example. How can we
minimise this?


Re: DDG Tasks Bug Bounty Proposal

2017-05-08 Thread Steve Dougherty
-------- Original Message --------
Subject: Re: DDG Tasks Bug Bounty Proposal
Local Time: May 8, 2017 1:09 PM
UTC Time: May 8, 2017 5:09 PM
From: free...@nullvoid.me
To: devl@freenetproject.org

Can you provide the minimum identification requirements to be able to
get a bug bounty from FPI? If you have to report to the IRS does that
mean only citizens of the United States are eligible to work on Freenet
for pay?

As for access to the source code, is it not open source? If you mean
push access to the repo, I thought most of the bug bounties are to fix
bugs and submit code, not review and merge code. There is no security
concern regarding anonymous vs known developers submitting code. At the
end of the day the code should be reviewed line for line, whether it's
by a "trusted" name or not.

Right - I propose paying someone to write code which is then reviewed and 
merged by existing community members with push access.

Re: DDG Tasks Bug Bounty Proposal

2017-05-08 Thread Freenet
Can you provide the minimum identification requirements to be able to
get a bug bounty from FPI? If you have to report to the IRS does that
mean only citizens of the United States are eligible to work on Freenet
for pay?

As for access to the source code, is it not open source? If you mean
push access to the repo, I thought most of the bug bounties are to fix
bugs and submit code, not review and merge code. There is no security
concern regarding anonymous vs known developers submitting code. At the
end of the day the code should be reviewed line for line, whether it's
by a "trusted" name or not.

Ian:
> I think Matthew is right, it might cause legal issues if we're paying someone
> anonymously, we have to report all expenditures to the IRS and they might not
> react too well to us paying significant amounts of money to anonymous bitcoin
> addresses.  It could be considered money-laundering, for example.
> There is also a trust issue, since we would probably need to give them access to
> source repos and other things - and it would be irresponsible to do that with
> someone we know nothing about.
> Ian.
> 
> 
> 
> 
> 
> On Sun, May 7, 2017 6:26 PM, Steve Dougherty st...@asksteved.com  wrote:
> Is your understanding consistent with Matthew's that FPI cannot pay a developer
> who remains anonymous to FPI?
> 
> Are you willing to have FPI offer bug bounties? If so, I can put out the call.
> Would you rather that we engage individual non-proven developers one at a time
> and offer them lump sums for merged code instead? That would make setting a
> deadline reasonable, at least, which would be nice.
> 
> 
> 
> -------- Original Message --------
> Subject: Re: DDG Tasks Bug Bounty Proposal
> Local Time: May 6, 2017 3:46 PM
> UTC Time: May 6, 2017 7:46 PM
> From: i...@locut.us
> To: devl@freenetproject.org
> 
> Interesting idea, but isn't there a danger of duplicated effort with this
> approach?
> 
> It would be annoying to put a bunch of work into something only to be beaten to
> the finish line by someone else. From a developer's perspective that would add
> to the risk and may be a disincentive to try.
> 
> On Sat, May 6, 2017, 4:53 AM Steve Dougherty <st...@asksteved.com> wrote:
> Hi everyone,
> 
> To my understanding, at least currently xor does not want FPI to pay him for his
> work. Some developers on FMS have proposed bug bounties - say, $1000 - for
> completing a task like "fix Windows tray / installer to work with 64-bit Java."
> This would be in a "first to get reviewed and merged gets paid" fashion, the
> idea being we can pay people not yet familiar with the project to familiarize
> themselves and not have to commit to paying an unknown developer hourly. At
> least one developer has asked that payment be available in crypto currency; this
> seems reasonable to me.
> 
> Thoughts?
> 
> - Steve
> 


Re: DDG Tasks Bug Bounty Proposal

2017-05-08 Thread Ian
I think Matthew is right, it might cause legal issues if we're paying someone
anonymously, we have to report all expenditures to the IRS and they might not
react too well to us paying significant amounts of money to anonymous bitcoin
addresses.  It could be considered money-laundering, for example.
There is also a trust issue, since we would probably need to give them access to
source repos and other things - and it would be irresponsible to do that with
someone we know nothing about.
Ian.

On Sun, May 7, 2017 6:26 PM, Steve Dougherty st...@asksteved.com wrote:
Is your understanding consistent with Matthew's that FPI cannot pay a developer
who remains anonymous to FPI?

Are you willing to have FPI offer bug bounties? If so, I can put out the call.
Would you rather that we engage individual non-proven developers one at a time
and offer them lump sums for merged code instead? That would make setting a
deadline reasonable, at least, which would be nice.



-------- Original Message --------
Subject: Re: DDG Tasks Bug Bounty Proposal
Local Time: May 6, 2017 3:46 PM
UTC Time: May 6, 2017 7:46 PM
From: i...@locut.us
To: devl@freenetproject.org

Interesting idea, but isn't there a danger of duplicated effort with this
approach?

It would be annoying to put a bunch of work into something only to be beaten to
the finish line by someone else.   From a developer's perspective that would add
to the risk and may be a disincentive to try.

On Sat, May 6, 2017, 4:53 AM Steve Dougherty <st...@asksteved.com> wrote:
Hi everyone,

To my understanding, at least currently xor does not want FPI to pay him for his
work. Some developers on FMS have proposed bug bounties - say, $1000 - for
completing a task like "fix Windows tray / installer to work with 64-bit Java."
This would be in a "first to get reviewed and merged gets paid" fashion, the
idea being we can pay people not yet familiar with the project to familiarize
themselves and not have to commit to paying an unknown developer hourly. At
least one developer has asked that payment be available in crypto currency; this
seems reasonable to me.

Thoughts?

- Steve
-- 
Stacks
http://trystacks.com/  - Our AI will save you money

Re: DDG Tasks Bug Bounty Proposal

2017-05-08 Thread xor
On Saturday, May 06, 2017 05:53:31 AM Steve Dougherty wrote:
> To my understanding, at least currently xor does not want FPI to pay him for
> his work. 

Yes, I'm only temporarily not available for hire as I've decided to instead 
work for free for some months, see [1].
Once this is finished I will possibly be available for hire again if our work 
atmosphere continues to improve as it already has :)

I've been pushing code for my chosen task almost every day for some months and 
the more complex half of it is close to being finished.
I'd say it may take ~2 more months for the rest - though please be aware that 
I'm bad at time estimates.

So if FPI doesn't hire someone with a permanent contract but instead merely 
offers temporary bounty-like tasks the advantage may be that after I'm 
finished with my volunteering FPI could hire me again to reap the benefit of 
my lengthy experience with Freenet.

If I'm not hired again I will nevertheless continue to volunteer, just with 
less hours than as an employee, so feel as free as possible in your decision 
:)

Greetings,
xor

[1]
During the poll I had decided to revoke my votes for the WoT task I had 
considered the most important and to instead implement it for free as a 
volunteer.
I did this to disprove suspicions about whether my primary interest with my 
votes and suggestion to cancel the poll was money.

The chosen piece of work is:

> Web of Trust: Finish first iteration of most critical speed fixes (1
> bugtracker entry: https://bugs.freenetproject.org/view.php?id=3816). Was
> subject of previous 2 years of paid work. Ensures this work is not left
> unfinished. Needed for Sone / Freetalk / filesharing / ...



Re: DDG Tasks Bug Bounty Proposal

2017-05-07 Thread Steve Dougherty
Is your understanding consistent with Matthew's that FPI cannot pay a developer 
who remains anonymous to FPI?

Are you willing to have FPI offer bug bounties? If so, I can put out the call. 
Would you rather that we engage individual non-proven developers one at a time 
and offer them lump sums for merged code instead? That would make setting a 
deadline reasonable, at least, which would be nice.

-------- Original Message --------
Subject: Re: DDG Tasks Bug Bounty Proposal
Local Time: May 6, 2017 3:46 PM
UTC Time: May 6, 2017 7:46 PM
From: i...@locut.us
To: devl@freenetproject.org

Interesting idea, but isn't there a danger of duplicated effort with this 
approach?

It would be annoying to put a bunch of work into something only to be beaten to 
the finish line by someone else. From a developer's perspective that would add 
to the risk and may be a disincentive to try.

On Sat, May 6, 2017, 4:53 AM Steve Dougherty <st...@asksteved.com> wrote:
Hi everyone,

To my understanding, at least currently xor does not want FPI to pay him for 
his work. Some developers on FMS have proposed bug bounties - say, $1000 - for 
completing a task like "fix Windows tray / installer to work with 64-bit Java." 
This would be in a "first to get reviewed and merged gets paid" fashion, the 
idea being we can pay people not yet familiar with the project to familiarize 
themselves and not have to commit to paying an unknown developer hourly. At 
least one developer has asked that payment be available in crypto currency; 
this seems reasonable to me.

Thoughts?

- Steve
--

Stacks
http://trystacks.com/ - Our AI will save you money

Re: DDG Tasks Bug Bounty Proposal

2017-05-06 Thread Steve Dougherty
That is a general disadvantage to bounties, yes, but we are not in a situation 
where there are known-qualified developers with time available to be paid 
hourly for these things.

-------- Original Message --------
Subject: Re: DDG Tasks Bug Bounty Proposal
Local Time: May 6, 2017 3:46 PM
UTC Time: May 6, 2017 7:46 PM
From: i...@locut.us
To: devl@freenetproject.org

Interesting idea, but isn't there a danger of duplicated effort with this 
approach?

It would be annoying to put a bunch of work into something only to be beaten to 
the finish line by someone else. From a developer's perspective that would add 
to the risk and may be a disincentive to try.

On Sat, May 6, 2017, 4:53 AM Steve Dougherty <st...@asksteved.com> wrote:
Hi everyone,

To my understanding, at least currently xor does not want FPI to pay him for 
his work. Some developers on FMS have proposed bug bounties - say, $1000 - for 
completing a task like "fix Windows tray / installer to work with 64-bit Java." 
This would be in a "first to get reviewed and merged gets paid" fashion, the 
idea being we can pay people not yet familiar with the project to familiarize 
themselves and not have to commit to paying an unknown developer hourly. At 
least one developer has asked that payment be available in crypto currency; 
this seems reasonable to me.

Thoughts?

- Steve
--

Stacks
http://trystacks.com/ - Our AI will save you money

Re: DDG Tasks Bug Bounty Proposal

2017-05-06 Thread Ian
Interesting idea, but isn't there a danger of duplicated effort with this
approach?

It would be annoying to put a bunch of work into something only to be
beaten to the finish line by someone else.   From a developer's perspective
that would add to the risk and may be a disincentive to try.

On Sat, May 6, 2017, 4:53 AM Steve Dougherty wrote:

> Hi everyone,
>
> To my understanding, at least currently xor does not want FPI to pay him
> for his work. Some developers on FMS have proposed bug bounties - say,
> $1000 - for completing a task like "fix Windows tray / installer to work
> with 64-bit Java." This would be in a "first to get reviewed and merged
> gets paid" fashion, the idea being we can pay people not yet familiar with
> the project to familiarize themselves and not have to commit to paying an
> unknown developer hourly. At least one developer has asked that payment be
> available in crypto currency; this seems reasonable to me.
>
> Thoughts?
>
> - Steve
>
-- 
Stacks
http://trystacks.com/ - Our AI will save you money


Re: DDG Tasks Bug Bounty Proposal

2017-05-06 Thread Matthew Toseland
On 06/05/17 14:11, Freenet wrote:
> Could this be solved by paying a known third party? Such as bountysource
> or something?
>
> And from there the developer who creates the patch could still remain
> anonymous and gain the funds?

Bountysource FAQ:

> As part of the cash out process we require a full name, address, and
> email address. We may also require that you fill out a W-8/W-9 form for
> tax obligations (see "Do I have to pay taxes on bounties I collect?") below.


If you want to avoid this, you need to raise the funds anonymously, and
build an infrastructure for managing them anonymously. This is quite
feasible and people have tried; the catch is people will use it for
other things too. But it doesn't apply to money given publicly to FPI, a
registered non-profit. The basic concept of money laundering is using
"black" money to pay for "white" services. Doing the opposite is still a
bad idea if you're a charity. If you want to spend it anonymously, you
need to raise it anonymously.


Re: DDG Tasks Bug Bounty Proposal

2017-05-06 Thread Freenet
Could this be solved by paying a known third party? Such as bountysource
or something?

And from there the developer who creates the patch could still remain
anonymous and gain the funds?

Matthew Toseland:
> On 06/05/17 10:53, Steve Dougherty wrote:
>> Hi everyone,
>>
>> To my understanding, at least currently xor does not want FPI to pay him for 
>> his work. Some developers on FMS have proposed bug bounties - say, $1000 - 
>> for completing a task like "fix Windows tray / installer to work with 64-bit 
>> Java." This would be in a "first to get reviewed and merged gets paid" 
>> fashion, the idea being we can pay people not yet familiar with the project 
>> to familiarize themselves and not have to commit to paying an unknown 
>> developer hourly. At least one developer has asked that payment be available 
>> in crypto currency; this seems reasonable to me.
> 
> Legally you have to be able to identify them for tax purposes (since
> you're doing this as FPI, not building some anonymous infrastructure for
> it). Or you end up liable for their taxes.
> 
> Apart from that, bounties sound like a good idea. But IANAFD.
> 


Re: DDG Tasks Bug Bounty Proposal

2017-05-06 Thread Matthew Toseland
On 06/05/17 12:36, Matthew Toseland wrote:
> On 06/05/17 10:53, Steve Dougherty wrote:
>> Hi everyone,
>>
>> To my understanding, at least currently xor does not want FPI to pay him for 
>> his work. Some developers on FMS have proposed bug bounties - say, $1000 - 
>> for completing a task like "fix Windows tray / installer to work with 64-bit 
>> Java." This would be in a "first to get reviewed and merged gets paid" 
>> fashion, the idea being we can pay people not yet familiar with the project 
>> to familiarize themselves and not have to commit to paying an unknown 
>> developer hourly. At least one developer has asked that payment be available 
>> in crypto currency; this seems reasonable to me.
> Legally you have to be able to identify them for tax purposes (since
> you're doing this as FPI, not building some anonymous infrastructure for
> it). Or you end up liable for their taxes.
>
> Apart from that, bounties sound like a good idea. But IANAFD.

IANAL too :)


Re: DDG Tasks Bug Bounty Proposal

2017-05-06 Thread Matthew Toseland
On 06/05/17 10:53, Steve Dougherty wrote:
> Hi everyone,
>
> To my understanding, at least currently xor does not want FPI to pay him for 
> his work. Some developers on FMS have proposed bug bounties - say, $1000 - 
> for completing a task like "fix Windows tray / installer to work with 64-bit 
> Java." This would be in a "first to get reviewed and merged gets paid" 
> fashion, the idea being we can pay people not yet familiar with the project 
> to familiarize themselves and not have to commit to paying an unknown 
> developer hourly. At least one developer has asked that payment be available 
> in crypto currency; this seems reasonable to me.

Legally you have to be able to identify them for tax purposes (since
you're doing this as FPI, not building some anonymous infrastructure for
it). Or you end up liable for their taxes.

Apart from that, bounties sound like a good idea. But IANAFD.