Re: About possible participation in Rest the Net campaign
I have now asked the board to take a decision in this matter.

On Tue, May 20, 2014 at 12:39 PM, Oliver Propst oliver.pro...@gmail.com wrote:

> Hi, it's great to see all the activities around the upcoming Board election, I hope we still are able to focus on day-to-day things.
>
> There is right now a campaign, Reset the Net [1], about reminding people about government surveillance and the importance of privacy on June 5 [2], one year after the NSA/Snowden revelations. Some participants include: Demand progress, Freepress.net, Free Software Foundation, Open Technology Institute, Reddit and Duck Duck Go.
>
> With our commitment to privacy and recently improved tools in this area (the new privacy setting panel and new privacy features in Web for example) [3] I think it makes sense for GNOME to participate. This would include:
>
> * Display a banner on GNOME.org, 5 June with link to https://www.resetthenet.org/
> * Promote our participation on the campaign website
> * Promote our participation and our work in this area in our own channels (gnome.org and Twitter).
>
> On the last Engagement Team Meeting [4] we agreed that this is something interesting. What do you foundation members think? If there are no serious concerns I plan to ask the Board for approval.
>
> [1] https://www.resetthenet.org/
> [2] http://resetthenet.tumblr.com/?t=dXNlcmlkPTU0MzA3MDcxLGVtYWlsaWQ9NzU1MQ==
> [3] https://www.resetthenet.org/#add-yourself
> [4] https://etherpad.gnome.org/p/etm-2014-05-08

--
Best regards
Oliver Propst

___
foundation-list mailing list
foundation-list@gnome.org
https://mail.gnome.org/mailman/listinfo/foundation-list
Re: About possible participation in Rest the Net campaign
On Tue, 2014-05-20 at 20:24 -0500, Michael Catanzaro wrote:

> I'm basically satisfied as long as our Bugzilla uses SSL

Our Bugzilla has many other flaws as we run an unsupported version.

andre

--
Andre Klapper | ak...@gmx.net
http://blogs.gnome.org/aklapper/
Re: About possible participation in Rest the Net campaign
On Tue, 2014-05-20 at 20:24 -0500, Michael Catanzaro wrote:

> On Wed, 2014-05-21 at 00:33 +0200, Andrea Veri wrote:
>
> > [snip]
>
> (It'd also be a bit silly to run a $2 privacy campaign and then not participate in this, but I guess there are real disadvantages to abusing SSL: increased power costs, correct?)

We don't pay the power costs (even if they would exist with SSL). I imagine that the problem is rather the cost of administration.
Re: About possible participation in Rest the Net campaign
I agree wholeheartedly that this is a valuable and good use of GNOME time and resources. As a free software project ostensibly committed to freedom, privacy and security, it behooves us to participate.

Emily Gonyer

On Tue, May 20, 2014 at 6:39 AM, Oliver Propst oliver.pro...@gmail.com wrote:

> Hi, it's great to see all the activities around the upcoming Board election, I hope we still are able to focus on day-to-day things.
>
> There is right now a campaign, Reset the Net [1], about reminding people about government surveillance and the importance of privacy on June 5 [2], one year after the NSA/Snowden revelations. Some participants include: Demand progress, Freepress.net, Free Software Foundation, Open Technology Institute, Reddit and Duck Duck Go.
>
> With our commitment to privacy and recently improved tools in this area (the new privacy setting panel and new privacy features in Web for example) [3] I think it makes sense for GNOME to participate. This would include:
>
> * Display a banner on GNOME.org, 5 June with link to https://www.resetthenet.org/
> * Promote our participation on the campaign website
> * Promote our participation and our work in this area in our own channels (gnome.org and Twitter).
>
> On the last Engagement Team Meeting [4] we agreed that this is something interesting. What do you foundation members think? If there are no serious concerns I plan to ask the Board for approval.
>
> [1] https://www.resetthenet.org/
> [2] http://resetthenet.tumblr.com/?t=dXNlcmlkPTU0MzA3MDcxLGVtYWlsaWQ9NzU1MQ==
> [3] https://www.resetthenet.org/#add-yourself
> [4] https://etherpad.gnome.org/p/etm-2014-05-08

--
Whatever you can do, or dream you can, begin it. Boldness has genius, power and magic in it. - Goethe
Be who you are and say what you feel because those who mind don't matter and those who matter don't mind. - Dr. Seuss
Not everything that can be counted counts, and not everything that counts can be counted. - Albert Einstein
Re: About possible participation in Rest the Net campaign
On Tue, 2014-05-20 at 12:39 +0200, Oliver Propst wrote:

> This would include:
>
> * Display a banner on GNOME.org, 5 June with link to https://www.resetthenet.org/
> * Promote our participation on the campaign website
> * Promote our participation and our work in this area in our own channels (gnome.org and Twitter).
>
> On the last Engagement Team Meeting [4] we agreed that this is something interesting. What do you foundation members think? If there are no serious concerns I plan to ask the Board for approval.

I support joining this campaign, but their website says:

"Pledge to add SSL, HSTS & PFS protection this year; it matters! Then, on June 5th, run the splash screen to promote free software for end-to-end encryption. Already rocking SSL & HSTS? Consider approaches to end-to-end crypto."

Currently gnome.org does not even use HTTPS by default, let alone HSTS or PFS. If we are planning to endorse this campaign, I think we should also implement their recommendations.
Re: About possible participation in Rest the Net campaign
2014-05-20 21:47 GMT+02:00 Michael Catanzaro mcatanz...@gnome.org:

> Currently gnome.org does not even use HTTPS by default, let alone HSTS or PFS. If we are planning to endorse this campaign, I think we should also implement their recommendations.

Assuming gnome.org stands for www.gnome.org, I'm asking you whether it makes sense to abuse the use of SSL even when not really needed? The main GNOME website hosts news, articles, Foundation and Foundation Membership information; no sensitive information is being sent over the wire unencrypted and eavesdropping such information would be harmless.

That said, except the whole website being covered with SSL on demand if the user really wants every single byte encrypted, the relevant areas (being wp-login and wp-admin) are automatically redirected to HTTPS for secure logins to happen.

It has to be said a few other websites (like help.gnome.org and planet.gnome.org) are currently being served through HTTPS by default (even if they are serving static pages with no sensitive information or login form exposed to the public) but the reason behind it is merely related to the fact we have a permanent redirect rule on our proxies that forwards all the requests being sent to the unencrypted wires to an SSL-enabled vhost which then reverse proxies the requests to the internal network.

Honestly I don't think SSL should be abused when it's not really needed and most of all I still think the GNOME Infrastructure would care deeply about the privacy and security of its users even without serving the planet, the documentation website and the main GNOME website with HTTPS by default.

--
Cheers,
Andrea

Debian Developer, Fedora / EPEL packager, GNOME Sysadmin, GNOME Foundation Membership Elections Committee Chairman
Homepage: http://www.gnome.org/~av
Re: About possible participation in Rest the Net campaign
On Wed, 2014-05-21 at 00:33 +0200, Andrea Veri wrote:

> Assuming gnome.org stands for www.gnome.org I'm asking you whether it makes sense to abuse the use of SSL even when not really needed?

From your response, I can see that you're concerned primarily with protecting users' personal information. From that perspective, I'm basically satisfied as long as our Bugzilla uses SSL, and it does, so great!

In contrast, Reset the Net is interested in countering pervasive surveillance, which really does require HTTPS/HSTS to be used on all pages. Their goal is not to protect users' passwords, it's to prevent the NSA from determining whether our users are visiting http://www.gnome.org/gnome-3 or http://www.gnome.org/news/. It's an encrypt the web campaign, and it'd be silly for GNOME to sign up if we don't really mean it.

(It'd also be a bit silly to run a $2 privacy campaign and then not participate in this, but I guess there are real disadvantages to abusing SSL: increased power costs, correct?)
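
The three pledge items quoted in this thread (HTTPS by default, HSTS, PFS) can be checked per URL. The following is an added example, not part of any message in the thread and not GNOME infrastructure code: it audits constructed observations for a login-only redirect setup of the kind discussed in the thread and for a full deployment. The host www.example.org, the paths, the header values and the TLS 1.2-style cipher names are assumptions.

```python
# Added illustration; hosts, paths and observation values below are constructed.
REDIRECTS = (301, 302, 307, 308)
PFS_KEX = ("ECDHE-", "DHE-")  # OpenSSL names of ephemeral key exchanges, TLS <= 1.2

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            max_age = int(arg.strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(obs):
    """List the pledge items that one observed URL fails."""
    gaps = []
    # HTTPS by default: the plain-HTTP request must be redirected to https://.
    if not (obs["http_status"] in REDIRECTS
            and obs.get("http_location", "").lower().startswith("https://")):
        gaps.append("no-https-redirect")
    # HSTS: header must arrive on the HTTPS response; max-age=0 switches it off.
    headers = {k.lower(): v for k, v in obs.get("https_headers", {}).items()}
    max_age, _ = parse_hsts(headers.get("strict-transport-security", ""))
    if not max_age:
        gaps.append("no-hsts")
    # PFS: the negotiated suite must use an ephemeral (EC)DHE key exchange.
    if not obs.get("cipher", "").startswith(PFS_KEX):
        gaps.append("no-pfs")
    return gaps

# Constructed observations: a login-only redirect setup versus a full deployment.
LOGIN_ONLY = {
    "/news/": {"http_status": 200, "https_headers": {}, "cipher": "AES256-SHA"},
    "/wp-login.php": {"http_status": 301,
                      "http_location": "https://www.example.org/wp-login.php",
                      "https_headers": {}, "cipher": "AES256-SHA"},
}
FULL = {
    "/news/": {"http_status": 301, "http_location": "https://www.example.org/news/",
               "https_headers": {"Strict-Transport-Security": "max-age=31536000"},
               "cipher": "ECDHE-RSA-AES128-GCM-SHA256"},
}

def report(site):
    """Map each observed path to the pledge items it fails."""
    return {path: audit(obs) for path, obs in site.items()}

print(report(LOGIN_ONLY), report(FULL))
```

In the login-only case the news page fails all three items, while the login page passes only the redirect check, which is the gap between protecting credentials and protecting which pages a visitor reads.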