Re: No two reviewers from same company

2019-05-24 Thread Salz, Rich
> In that example the potential conflict of interest comes from the
> individual's employment with the third party organisation, not because they
> are fellows.
  
Do you disagree with my contention that the OMC represents the project, and not 
the fellows?

Regardless of where the conflict of interest comes from, the end result is the 
same, and I encourage the OMC to make the same policy for *its* employees that 
it does for other companies' employees.  Or perhaps this is a matter for the 
foundation to make for its employees.




Re: No two reviewers from same company

2019-05-23 Thread Tim Hudson
We have discussed this at numerous OMC meetings in terms of how to manage
potential *perceived* conflicts of interest that might arise if people
outside of the fellows come from the same company and hence can effectively
turn the OMC review control mechanism into a single control rather than a
dual control.

We discussed tooling changes to make checking this possible given that in
each instance we have had the individuals involved make a commitment to
avoid that situation (through their own actions).
Occasionally that didn't happen and the person "corrected" it when pointed
out.

We haven't formally voted to make such a change - however it is something
that I think we should have in place and I do support.
Making a formal policy change of course will go through our usual decision
making process.

What I was expecting tooling-wise is that the scripts would detect this
situation and advise - at the very least warn - and potentially block
things.

The OpenSSL fellows are in a completely different context - the company
they work for is directed by the OMC - so there isn't a separate external
third party source of influence so there is no reasonable mechanism to
*perceive* a potential conflict of interest.

Note - this is all about *perceptions* of a *potential* situation - not
about something we are actually concerned about for the individuals
involved.
However it is prudent to address even the perception of a path for
potential conflicts of interest in my view.

Tim.




On Fri, May 24, 2019 at 8:16 AM Paul Dale wrote:

> There hasn't been a vote about this, however both Shane and I have
> committed to not approve each other's PRs.
>
> I also asked Richard if this could be mechanically enforced, which I
> expect will happen eventually.
>
>
> Pauli
> --
> Oracle
> Dr Paul Dale | Cryptographer | Network Security & Encryption
> Phone +61 7 3031 7217
> Oracle Australia
>
>
> -Original Message-
> From: Salz, Rich [mailto:rs...@akamai.com]
> Sent: Friday, 24 May 2019 1:01 AM
> To: openssl-project@openssl.org
> Subject: Re: No two reviewers from same company
>
> > I understand that OpenSSL is changing things so that, by mechanism
> > (and maybe by policy although it’s not published yet), two members of the
> > same company cannot approve the same PR.  That’s great.  (I never approved
> > Akamai requests unless it was trivial back when I was on the OMC.)
>
> No such decision has been made as far as I know although it has been
> discussed
> at various times.
>
> In private email, and
> https://github.com/openssl/openssl/pull/8886#issuecomment-494624313 the
> implication is that this was a policy.
>
> > Should this policy be extended to OpenSSL’s fellows?
>
> IMO, no.
>
> Why not?  I understand build process is always handled by Matt and Richard
> (despite many attempts in the past to expand this), but I think if Oracle
> or Akamai can't "force a change" then it seems to me that the OMC shouldn't
> either.
>
>
>
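
The advise/warn/block check that Tim describes above, as an added example that is not part of this thread and not OpenSSL's own scripts: it takes the approvals on a PR plus a reviewer-to-employer table (the handles, employers and PR records below are constructed sample data) and reports whether the approvals form a dual control (at least two independent employers) or a single control (all from one employer), at warning or blocking level. It checks only the approvers' employers, as discussed in the thread; whether the PR author's employer or the fellows' contract with the OMC should count is a policy choice the thread leaves open, and would be expressed in that table rather than in the check itself.

```python
"""Dual-control check on pull-request approvals.

Added example, not OpenSSL's tooling: decide whether the approvals on a PR
come from at least two independent employers (dual control) or all from one
(single control), and report at "warn" or "block" level.  The reviewer to
employer table and the PR records below are constructed sample data.
"""
from dataclasses import dataclass

REQUIRED_APPROVALS = 2

# Constructed sample affiliation table: reviewer handle -> employer.
# The handles and employers are hypothetical.
AFFILIATION = {
    "alice": "ExampleCorp",
    "bob": "ExampleCorp",
    "carol": "OtherCo",
    "dave": "Independent",
}

# Constructed sample PRs: PR number -> handles that approved it.
SAMPLE_PRS = {
    101: ["alice", "carol"],        # two employers: dual control
    102: ["alice", "bob"],          # one employer: single control
    103: ["alice"],                 # not enough approvals yet
    104: ["alice", "bob", "dave"],  # a third, independent approval restores dual control
}


@dataclass(frozen=True)
class CheckResult:
    level: str      # "ok", "warn" or "block"
    message: str

    @property
    def merge_allowed(self) -> bool:
        # A warning only advises; "block" is the one level that stops the merge.
        return self.level != "block"


def check_dual_control(approvers, affiliation=AFFILIATION, mode="warn"):
    """Check one PR's approvals.

    mode="warn" reports a single-employer approval set as advice only;
    mode="block" makes it a merge blocker.  Too few approvals and reviewers
    with no known affiliation always block, because an unknown employer
    cannot be assumed to be independent.
    """
    approvers = list(dict.fromkeys(approvers))  # drop duplicate approvals, keep order
    if len(approvers) < REQUIRED_APPROVALS:
        return CheckResult("block",
                           f"need {REQUIRED_APPROVALS} approvals, have {len(approvers)}")
    unknown = [a for a in approvers if a not in affiliation]
    if unknown:
        return CheckResult("block", f"no affiliation on record for {unknown}")
    employers = {affiliation[a] for a in approvers}
    if len(employers) >= 2:
        return CheckResult("ok", "approvals span independent employers: "
                           + ", ".join(sorted(employers)))
    (employer,) = employers
    return CheckResult("block" if mode == "block" else "warn",
                       f"all approvals come from {employer}: single control, not dual control")


def scan(prs, affiliation=AFFILIATION, mode="warn"):
    """Run the check over a set of PRs; returns {pr_number: CheckResult}."""
    return {num: check_dual_control(appr, affiliation, mode) for num, appr in prs.items()}


if __name__ == "__main__":
    for num, result in scan(SAMPLE_PRS).items():
        print(f"PR {num}: {result.level.upper():5} {result.message}")
```

Running the module as a script prints one line per sample PR. The "corrected" path Tim mentions (someone withdraws an approval and an independent reviewer re-approves) is just a re-run of `check_dual_control` on the updated approver list, as PR 104 in the sample data shows.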


RE: No two reviewers from same company

2019-05-23 Thread Paul Dale
There hasn't been a vote about this, however both Shane and I have committed to 
not approve each other's PRs.

I also asked Richard if this could be mechanically enforced, which I expect 
will happen eventually.


Pauli
-- 
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption 
Phone +61 7 3031 7217
Oracle Australia


-Original Message-
From: Salz, Rich [mailto:rs...@akamai.com] 
Sent: Friday, 24 May 2019 1:01 AM
To: openssl-project@openssl.org
Subject: Re: No two reviewers from same company

> I understand that OpenSSL is changing things so that, by mechanism (and
> maybe by policy although it’s not published yet), two members of the same
> company cannot approve the same PR.  That’s great.  (I never approved Akamai
> requests unless it was trivial back when I was on the OMC.)

No such decision has been made as far as I know although it has been 
discussed
at various times.

In private email, and 
https://github.com/openssl/openssl/pull/8886#issuecomment-494624313 the 
implication is that this was a policy.

> Should this policy be extended to OpenSSL’s fellows?

IMO, no.

Why not?  I understand build process is always handled by Matt and Richard 
(despite many attempts in the past to expand this), but I think if Oracle or 
Akamai can't "force a change" then it seems to me that the OMC shouldn't either.




AW: No two reviewers from same company

2019-05-23 Thread Dr. Matthias St. Pierre
> No such decision has been made as far as I know although it has been discussed
> at various times.
> 
> > Should this policy be extended to OpenSSL’s fellows?
> 
> IMO, no.

I agree with Matt: While this policy makes sense for employees of third party
companies, because these companies might have conflicting interests in theory,
it's a different case for OpenSSL fellows. In my opinion, such a rule would only
block Matt's and Richard's daily work unnecessarily. Also, I see no danger of
misuse, because the OMC members still have the possibility to block a merge
with their veto.

Matthias



Re: No two reviewers from same company

2019-05-23 Thread Viktor Dukhovni
On Thu, May 23, 2019 at 03:45:48PM +0100, Matt Caswell wrote:

> IMO, no.

I also don't see a need for this at present, and it is not clear
that there are enough active part-time reviewers in place to keep
up with commits from the fellows in a timely manner.

-- 
Viktor.


Re: No two reviewers from same company

2019-05-23 Thread Richard Levitte
On Thu, 23 May 2019 17:42:46 +0200,
Matt Caswell wrote:
> 
> On 23/05/2019 16:31, Salz, Rich wrote:
> > > In private email, and 
> > > https://github.com/openssl/openssl/pull/8886#issuecomment-494624313 the 
> > > implication is that this was a policy.
> > 
> > AFAIK this is not the case.
> > 
> > Is the comment wrong, either factually or because it is implementing 
> > something that isn't an official policy?
> 
> There have been no votes on changing official policy. I'm not aware of any
> planned changes to the tooling, but maybe there are conversations I am 
> unaware of.

I have been asked privately if it's possible to adjust the tooling to
allow that level of control.  It certainly is possible to do!  That
is, however, as far as it has come from my perspective.


-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/


Re: No two reviewers from same company

2019-05-23 Thread Matt Caswell



On 23/05/2019 18:14, Tomas Mraz wrote:
> On Thu, 2019-05-23 at 17:17 +0200, Richard Levitte wrote:
>> On Thu, 23 May 2019 16:25:07 +0200,
>> Salz, Rich wrote:
>>> I understand that OpenSSL is changing things so that, by mechanism
>>> (and maybe by policy although
>>> it’s not published yet), two members of the same company cannot
>>> approve the same PR.  That’s
>>> great.  (I never approved Akamai requests unless it was trivial
>>> back when I was on the OMC.)
>>
>> We mostly seem to agree that it's morally dubious to approve stuff
>> from people of the same company, and as far as I've heard so far,
>> it's
>> to ensure that the project's interests are over-ridden by company
>> interests (including involuntary bias, which no one is really free
>> from).
> 
> Does this also apply to non-committers submitting a PR being the same
> company as one of the two required reviewers?

IMO: no it should not apply.

Matt


Re: No two reviewers from same company

2019-05-23 Thread Tomas Mraz
On Thu, 2019-05-23 at 17:17 +0200, Richard Levitte wrote:
> On Thu, 23 May 2019 16:25:07 +0200,
> Salz, Rich wrote:
> > I understand that OpenSSL is changing things so that, by mechanism
> > (and maybe by policy although
> > it’s not published yet), two members of the same company cannot
> > approve the same PR.  That’s
> > great.  (I never approved Akamai requests unless it was trivial
> > back when I was on the OMC.)
> 
> We mostly seem to agree that it's morally dubious to approve stuff
> from people of the same company, and as far as I've heard so far,
> it's
> to ensure that the project's interests are over-ridden by company
> interests (including involuntary bias, which no one is really free
> from).

Does this also apply to non-committers submitting a PR being the same
company as one of the two required reviewers? I would have a problem if
there was only a single review required for non-committers but given
there are two reviews required one of them being from OMC member I
would not see much conflict of interest.

> > Should this policy be extended to OpenSSL’s fellows?
> 
> I believe it's assumed that fellows have the project's interests in
> mind before any other work, so no conflicting bias there, i.e. not
> quite the same.  If this is a possible point of dispute, we should
> discuss it, of course.

+1 - I also don't see the reasons for conflict of interest applying to
fellows.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]




Re: No two reviewers from same company

2019-05-23 Thread Matt Caswell



On 23/05/2019 16:54, Salz, Rich wrote:
>> In that example the potential conflict of interest comes from the
>> individual's employment with the third party organisation, not because they
>> are fellows.
> 
> Do you disagree with my contention that the OMC represents the project, and
> not the fellows?

The OMC represents the official voice of the project. The OMC contracts the
fellows to work on the project and in the interests of the project. Any
interests that the fellows have by virtue of the fact that they are fellows
*are* the interests of the project.

They may have other interests external to that (e.g. personal interests). This
is true of any committer, except most committers also have an additional set of
interests they inherit from their employer. This is not the case for the 
fellows.

What is important is that there should be no conflict between the interests of
the project and any other interests an individual may have.

If a fellow has a conflict of interest then it will not be *because* they are a
fellow. It will be because of some external factor. Therefore making a policy
that requires the fellows to not review each others code just because they are
fellows is pointless and counter productive. A broader policy about conflicts of
interests in general that could apply to any committer (that might include
fellows in certain circumstances such as your hypothetical example), may be
appropriate.

Matt


Re: No two reviewers from same company

2019-05-23 Thread Matt Caswell



On 23/05/2019 16:31, Salz, Rich wrote:
> > In private email, and 
> > https://github.com/openssl/openssl/pull/8886#issuecomment-494624313 the 
> > implication is that this was a policy.
> 
> AFAIK this is not the case.
> 
> Is the comment wrong, either factually or because it is implementing 
> something that isn't an official policy?

There have been no votes on changing official policy. I'm not aware of any
planned changes to the tooling, but maybe there are conversations I am unaware 
of.

> 
>> In the case of the fellows, they
>> represent the project directly so there can be no conflict.
>   
> The OMC represents the project not individual fellows.  Fellows are employees 
> of the OMC.  Therefore there can be conflicts. A hypothetical example: someone 
> hires a fellow or two to port OpenSSL to a new unique platform, not currently 
> supported. The OMC doesn't want to support this platform, but it ends up in 
> the source.

In that example the potential conflict of interest comes from the individual's
employment with the third party organisation, not because they are fellows.

Matt


Re: No two reviewers from same company

2019-05-23 Thread Salz, Rich
> In private email, and 
> https://github.com/openssl/openssl/pull/8886#issuecomment-494624313 the 
> implication is that this was a policy.

AFAIK this is not the case.

Is the comment wrong, either factually or because it is implementing something 
that isn't an official policy?

> In the case of the fellows, they
> represent the project directly so there can be no conflict.
  
The OMC represents the project not individual fellows.  Fellows are employees 
of the OMC.  Therefore there can be conflicts. A hypothetical example: someone 
hires a fellow or two to port OpenSSL to a new unique platform, not currently 
supported. The OMC doesn't want to support this platform, but it ends up in the 
source.

I encourage the OMC to consider this question carefully.




Re: No two reviewers from same company

2019-05-23 Thread Matt Caswell



On 23/05/2019 16:01, Salz, Rich wrote:
> > I understand that OpenSSL is changing things so that, by mechanism (and 
> > maybe by policy although it’s not published yet), two members of the same 
> > company cannot approve the same PR.  That’s great.  (I never approved Akamai 
> > requests unless it was trivial back when I was on the OMC.)
> 
> No such decision has been made as far as I know although it has been 
> discussed
> at various times.
> 
> In private email, and 
> https://github.com/openssl/openssl/pull/8886#issuecomment-494624313 the 
> implication is that this was a policy.

AFAIK this is not the case.

> 
> > Should this policy be extended to OpenSSL’s fellows?
> 
> IMO, no.
> 
> Why not?  I understand build process is always handled by Matt and Richard 
> (despite many attempts in the past to expand this), but I think if Oracle or 
> Akamai can't "force a change" then it seems to me that the OMC shouldn't 
> either.

The only reason to have the "no two reviewers from the same company" policy is
to avoid a potential conflict of interest, i.e. where the interests of said
company conflict with the interests of openssl, two people from the same company
could collude to push a change through. In the case of the fellows, they
represent the project directly so there can be no conflict.

Matt



Re: No two reviewers from same company

2019-05-23 Thread Salz, Rich
> I understand that OpenSSL is changing things so that, by mechanism (and 
> maybe by policy although it’s not published yet), two members of the same 
> company cannot approve the same PR.  That’s great.  (I never approved Akamai 
> requests unless it was trivial back when I was on the OMC.)

No such decision has been made as far as I know although it has been 
discussed
at various times.

In private email, and 
https://github.com/openssl/openssl/pull/8886#issuecomment-494624313 the 
implication is that this was a policy.

> Should this policy be extended to OpenSSL’s fellows?

IMO, no.

Why not?  I understand build process is always handled by Matt and Richard 
(despite many attempts in the past to expand this), but I think if Oracle or 
Akamai can't "force a change" then it seems to me that the OMC shouldn't either.




Re: No two reviewers from same company

2019-05-23 Thread Richard Levitte
On Thu, 23 May 2019 16:25:07 +0200,
Salz, Rich wrote:
> I understand that OpenSSL is changing things so that, by mechanism (and maybe 
> by policy although
> it’s not published yet), two members of the same company cannot approve the 
> same PR.  That’s
> great.  (I never approved Akamai requests unless it was trivial back when I 
> was on the OMC.)

We mostly seem to agree that it's morally dubious to approve stuff
from people of the same company, and as far as I've heard so far, it's
to ensure that the project's interests are over-ridden by company
interests (including involuntary bias, which no one is really free
from).

> Should this policy be extended to OpenSSL’s fellows?

I believe it's assumed that fellows have the project's interests in
mind before any other work, so no conflicting bias there, i.e. not
quite the same.  If this is a possible point of dispute, we should
discuss it, of course.

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/


Re: No two reviewers from same company

2019-05-23 Thread Matt Caswell



On 23/05/2019 15:25, Salz, Rich wrote:
> I understand that OpenSSL is changing things so that, by mechanism (and maybe 
> by
> policy although it’s not published yet), two members of the same company 
> cannot
> approve the same PR.  That’s great.  (I never approved Akamai requests unless 
> it
> was trivial back when I was on the OMC.)

No such decision has been made as far as I know although it has been discussed
at various times.

> Should this policy be extended to OpenSSL’s fellows?

IMO, no.

Matt


No two reviewers from same company

2019-05-23 Thread Salz, Rich
I understand that OpenSSL is changing things so that, by mechanism (and maybe 
by policy although it’s not published yet), two members of the same company 
cannot approve the same PR.  That’s great.  (I never approved Akamai requests 
unless it was trivial back when I was on the OMC.)

Should this policy be extended to OpenSSL’s fellows?