----- Forwarded message from Rick Moen rick@linuxmafia.com -----
Date: Fri, 22 Jun 2018 14:18:56 -0700 From: Rick Moen rick@linuxmafia.com To: conspire@linuxmafia.com Subject: [conspire] (forw) Re: [License-review] Fwd: [Non-DoD Source] Resolution on NOSA 2.0 Organization: If you lived here, you'd be $HOME already.
OSI had been pondering moving discussion of licence-approval discussion to the 'issue'-handling software on GitHub. I mildly responded on OSI's license-review mailing list that this might cost them some participants, and why. The following e-mail side-discussion then ensued, which might be of interest here and also bears on topics discussed during this past week's BALUG meeting.
----- Forwarded message from Rick Moen rick@linuxmafia.com -----
Date: Fri, 22 Jun 2018 14:14:34 -0700 From: Rick Moen rick@linuxmafia.com To: [a valued friend on OSI's mailing lists] Subject: Re: [License-review] Fwd: [Non-DoD Source] Resolution on NOSA 2.0 Organization: If you lived here, you'd be $HOME already.
Quoting [my friend]:
On Thu, Jun 21, 2018 at 8:20 PM, Rick Moen rick@linuxmafia.com wrote:
[1] More at http://linuxmafia.com/faq/Essays/meetup.html
I duly read this essay and am moved to protest mildly and off-list.
Without particular objection, and with (as always) interest in what you have to say, you're at some risk of arguing with positions I didn't actually take in that essay. But let's get to particulars:
While it's true that Meetup leaches (or leeches) data from its users and resells it, we make very similar agreements with "for-profit companies in New York" (where I also have the privilege of residing) as a condition of getting paid. The days of "The cash is under the MicroVAX" (which had wheels, as you may recall) are regrettably over. The ship of not-interacting-with-bastards has definitively sailed.
Life is always a series of thorny problems with grey areas, but I can spot some sharp-ish lines among some that are not so.
Let us say that BayLISA had chosen to move its membership-facing Internet operations to a VPS host. Technically, it would not _absolutely_ control its production infrastructure at that point, though it would have had root, but from my perspective as a meeting attendee and Board member, the difference in hosting would not affect me and I might not even notice. BayLISA's contractual and business-operations dealings with the VPS firm would be a back-end deal not adversely affecting me to the best of my ability to tell. (At least, otherwise would require a pretty far-fetched scenario.) So, the disgust I accumulated against BayLISA's management policies around 2013 onwards would not have applied.
Shifting the hypothetical, suppose instead that BayLISA had opted to move its membership-facing Internet operations to a shared ISP host where it had a few canned services (some virtual domain Web content, Mailman mailing lists administerable only via CPanel, SMTP aliases and webmail ditto, MTA services for the baylisa.org domain totally inaccessible for administration except by ISP NOC people who don't give a rat's ass about BayLISA specifically, and zero access to logs or ability to configure Internet-facing software other than the few things that can be tweaked to a limited degree using CPanel and the Mailman admin webUI.
I have personal experience of this exact arrangement as the listadmin of a local SF convention that made the horrific decision to move to shared hosting at Bluehost, a Utah specialty WordPress-hosting vendor that does an absolutely abysmal job at everything _but_ WordPress, and (among other problems) is on about 80% of the SMTP industry's RBLs because of a well-deserved reputation as a spamhaus (I gather, because they do little or nothing to avoid scummy customers). In this case, I would as a BayLISA member and Board member become moderately disenchanted with BayLISA's hapless inability to run consistently run competent Internet operations, with them continually falling back on 'Sorry, but our vendor doesn't support that' as an excuse. Can't tell me why GMail appears to be refusing all mail from the Bluehost MTA IP address? Sorry, we don't have access to Bluehost's logs, and can't tell you what's happening to the mail from our end. And why is it that BayLISA is forced to abandon and delete the entire cumulative archives of Mailman mailing lists if they need to be renamed or otherwise migrated? Sorry, our vendor doesn't give us access to the underlying mboxes and we don't have shell access on the shared server.
But, as bad as that situation would be, especially for a guild of sysadmins to have to act that haplessly all the time, _at least_ members and other users of BayLISA Internet services would not be required to enter into contractual business relationships with Bluehost, consent to one-sided terms of service with that firm they've never heard of, and give away a big bundle of legal rights -- just in order to deal with BayLISA. From the member / outsider perspective, BayLISA's hosting may be lame and incompetent, but at least the outsourced hosting would, like the VPS example, be a back-end deal, not one where the member is expected to be a literal legal party on a take-it-or-leave-it basis.
In this regard, a shared-hosting ISP like Bluehost has a _small_ sampling of the ills I detailed in my essay -- 'inflexible', 'is some other guy), but not the rest ('nudzh', 'has the AOL nature', 'nosy', 'expensive'). As noted, the 'is some other guy' nature is merely the normal 'back-end deal' variety where _you_ as a BayLISA member aren't required to sign a contract with Bluehost, and the suckiness of Bluehost's business services is ultimately BayLISA's problem and not directly yours.
So grey areas, but in the shared-hosting case only a light shade of grey. Add the rest of the ills, by making the outsourcing entity be specifically a Web 2.0 network-effect-obsessed, pushy, nosy, manipulative social-networking vendor like Meetup, Inc., and I maintain that it's a really dark shade of grey for the external Internet user -- however convenient it might be to BayLISA as the (actual) customer.
The point of my hypotheticals is that my objection is specifically _not_ to outsourcing of Internet infrastructure to for-profit companies. It's an objection to such outsourcing to a particularly obnoxious subcategory typified by Meetup, Inc., for the reasons cited, and expecting external people like me to put up with such firms, ones _we_ never decided we wished to deal with, being manipulated and treated like product by them. My point to us external users is that we should (and I do) stop putting up with that bullshit, and just say no. My point to institutions like my former non-profit corporation, BayLISA, Inc., is that, when you do that, the smarter and more-competent audience you hppe to reach is rather likely at some point to get fed up and say 'Bite me'.
But, actually, as I said in the essay, that is not directly the main thrust of the essay, fundamentally. The essay is merely a declaration of policy about what sort of meetup.com-listed events I'm willing to cover on the BALE calendar, which ones I'm not, and why.
(I make no apologies for taking a swing at BayLISA, along the way. They deserve it.)
In addition, whereas you can trust a corporation to be as evil as it says it will be, it is often the case that you cannot trust your fellow human beings not to be *negligently* evil.
So, let's talk for just a moment about contractual relations and the implied covenant of good faith and fair dealing, and similar matters. There's a fine point I continue to be curious about, and am unlikely to get fully answered without the ability to abuse a Lexis account for a long weekend -- but I'll mention it anyway.
I'm curious about how strong, how far reaching, how enforceable the obligations of a Web 2.0 social networking company are to protect the interest of users, given that the users are not paying for service.
On a practical level if not one of ultimate enforceability, I have reasonable but not limitless confidence in the willingness and competence of the ADSL provider, Raw Bandwidth Communications, Inc. (that issues the upstream link and static IPs for my linuxmafia.com server and my residence) to look after my interests as a customer, provided that my interests and the company's do not excessively clash. My money buys some (conditional) loyalty, _and_ I know that established caselaw means that the firm's principal, Mike Durkin, knows that if he acts in provable bad faith, I have strong remedies and not just the ability to complain about him. (Mike has a sterling reputation for customer good faith and also competence, part of the reason I've remained a customer for decades.)
I do know that I'm somewhat at risk if Mike's company _were_ hostile, or if Mike were served with a National Security Letter requiring him to log and hand over all IP information transiting between his DSLAM and my ADSL bridge device. (SSL and SSH mitigate the information leakage potential, but No Such Agency would certainly get traffic analysis data, plus anything sensitive I was stupid enough to put into plaintext traffic.
What I'm wondering is whether my strong legal enforcement rights arising from my paid-customer relationship with Mike's firm differ much from, say, the rights of a non-paying GMail user against Google, Inc.
Yes, of course they do to the extent they are derived from contractual details, where my contract with Mike is not one-sided, and a GMail user's in laughably so. But beyond that? Taking as given that a GMail user has a contractual relationship where he gives up something qualifying as consideration (his/her privacy, if nothing else), is a judge going to nonetheless side-eye a GMail user's complaints of Google violating the covenant of good faith and fair dealing (and similar protections) more than the judge would me if I sought recourse against Mike's company?
I cannot say this for certain, and cannot point to any relevant caselaw at all, but I rather suspect non-paying customers are likely to get disregarded in court, in any such action, because they simply don't come across as 'real' customers. My intuition tells me that the more one's business relationship is structured as traditional fee-for-service, the more one is likely to be able to successfully assert one's right to equitable treatment.
Negligence among one's technical community is of course a dreadful problem, but it is also a separate one that has its own obvious remedies. The error or trusting everything to just one guy, and then being surprised and disappointed when that guy breaks, is avoidable.
It is actually substantially _more_ and more easily avoidable in the _technical_ community than it is in others. Failure to take those steps in advance is a management/oversight failure, and IMO is the real problem. I speak on this point in my capacity as a senior sysadmin, where one of the difference between a junior SA and a senior one is that the senior tends to know in his/her bones that 90% of professional problems are rooted in people/planning failures.
The Scheme community is missing a big chunk of its history because the mailserver during a critical period has gone offlline seemingly permanently, and the person who ran it is ghosting us, probably because he is ashamed to admit there are no backups.
The Scheme community failed to take basic steps to ensure that there was functional, periodically tested failover to independent machine resources, and also tested offsite backups.
Life is imperfect, so I know these things usually amount to 'We didn't have time and energy to do more than a half-assed job, so that's what we did', but, seriously, consider what the low-hanging fruit would have been, just an afternoon's work on the failover problem:
1. Separate person sets up a *ix machine on static IP in his/her (separate) premises. Today, this could be on a junk P4 or PIII.
2. That person coordinates with the first guy to do daily rsyncs of all important data to the failover box.
3. In the ideal case, the failover box would also be fully configured as a hot spare, but this is a fine point. It would probably suffice for a few qualified experts to agree that all essential data are being captured daily. If production host fails or the guy in charge goes crazy, parties able to control DNS flip it, and if necessary there's a mad scramble to make the failover host fully functional. The main thing that cannot be done without is the data.
4. Some ongoing monitoring is required, to make sure failover replication doesn't silently break.
For extra credit, once every six months, _deliberately_ flip the failover switch. Nothing is quite as good at proving ability to failover as doing failover.
When I hear a group of volunteers say 'We entrusted everything important to one guy, never checked in any way, never arranged redundancy or failover, and one day that one guy disappointed us', what I see is a fundamental process failure. Didn't anyone else read Conrad's _Nostromo_?
Since then, we are hosted on Google Groups, Github, and Bitbucket. Is that a risk? It certainly is, but in my judgment a lesser risk.
Google Groups doesn't have most of the list of ills I listed in my essay. You can even subscribe a non-GMail, non-Googlemail e-mail address to one, although Google, Inc. obnoxiously makes the information about how to do that obscure and difficult to use.
As a result, if you look at the membership roster of a Google Group, you typically find that either all or almost all members are using GMail/Googlemail subscription addresses. There are a couple of these operated by LUGs in the S.F. Bay Area where rick@linuxmafia.com (me) is _literally_ the only subscriber not sucking off the teat of Auntie Google for personal mail services.
I'm curious, did your Scheme community lose most of its non-GMail, non-Googlemail users when it moved to Google Groups?
But, aside from that common... membership skew in Google Groups, the passive-aggressive hostility to non-Google mail systems built into the infrastructure, it's not a horrible choice for those not willing to just put up a spare machine on a static IP and run Exim/Postfix and Mailman. (_Plus failover_, if you have any common sense.) And on a quick glance, exactly zero of my essay's list of Meetup's ills apply to it.
I wish to also make a point in passing about the _ease_ of arranging backup and failover of relatively simple, commodity Internet services like SMTP & mailing lists based on the GNU Mailman MLM: Here in the Bay Area, I for many years hosted (and still host) on linuxmafia.com a Mailman list for a San Francisco LUG called SF-LUG. During those many years, I repeatedly pleaded with the leadership of that group to work with me to set up periodic, automated backups of the membership roster and cumulative mbox -- with no result except avoidance and excuses. A few years ago, I had a couple of months of downtime because of an improbable motherboard failure right in the middle of a major system upgrade. This happened right immediately following my losing my job, so I was a bit demoralised, and was then barraged by rather clueless complaints from SF-LUG insiders, e.g., suddenly demanding copies of my backup data but being unwilling to travel 30 miles to my house to get it. (Apparently, I was supposed to drive to _them_, or something.) The more the SF-LUG people barraged me with complaints and totally useless suggestions, the more I put off rebuilding my server, which actually wasn't that much work. I figure I delayed about two months longer before bothering to fix the situation because of the annoying commmunication than I otherwise would have, as suddenly I was rather enjoying the vacation from running an Internet server giving free-of-charge services to ingrates.
Tellingly, the reason I offered hosting to SF-LUG's mailing list in the first place is that the main guy _had_ created a Mailman list, ran it for a brief while, and had some sort of hardware failure that caused the total loss of everything. Nobody had even so much as bothered to occasionally copy the cumulative mbox off to a USB flash drive, which would have been dead-simple and was totally flippin' obvious. The guy was devastated and demoralised by the experience -- but, as became apparent later, learned nothing. I wished the group well and so gladly offered it a mailing list home to replace the lost one -- and immediately got ignored, for years and years, as I repeatedly implored them not to make _again_ the mistake that had destroyed them the first time. Which rather tells you something, nei?
When I _did_ get my linuxmafia.com server back online after about four months, a technical person _not_ among the somewhat useless people heretofore running SF-LUG stepped forward and worked out _really simple_ means to make the membershop rosters periodically sent offsite. (He also gave key help in recovering my server from its failed software upgrade, which helped motivate me to bother.) For the rosters, it's a simple weekly cron job that e-mails the rosters to a list of people. For the mbox, it's (IIRC) an rsync cron job. Very simple, highly reliable, _and_ provably that is totally sufficient to rehost the SF-LUG mailing list if a meteor lands on my server.
Low-hanging fruit, you will note. Not clever, not even totally comprehensive (e.g., subscriber-specific state data are not backed up). But sufficient. As the late Adam Osborne of Osborne Computer used to say, 'Adequacy is sufficient.'
As to GitHub and Bitbucket, my vague recollection is that public access to the hosted repos is possible without a signup and login. The latter entail, as mentioned in my essay, a new business relationship with a company you never planned specifically to deal with at all, agreeing to a one-sided service agreement, and being subjected to a bunch of rules dictated to you by a bunch of strangers (who, again, you never heard of otherwise or particularly wanted to deal with). If I were a member of the Scheme community, and wanted, say, to share code, I'd have a problem with that, and might very well say 'no, thanks'. I might then treat the organised Scheme community as damage and route around it (RIP, Mr. Barlow), e.g., share my code with other individuals via direct exchange between their git repos and mine, and they would of course be free to share that further with GitHub and Bitbucket if they're willing to put up with corporate B&D, but that'd be not my problem.
I have an analogy from my own experience in the community: I'm a longtime HOWTO maintainer with the Linux Documentation Project. About five years ago, a new guy at LDP said that he'd decided LDP wasn't going to process HOWTO updates via incoming SMTP submissions of SGML any more, and we should all please just check them into GitHub.
I said, I don't have a GitHub account and have no intention of entering a business relationship with GitHub, Inc. to have one. If LDP is interested in my further HOWTO updates, I'm open to any other reasonable arrangement, and perhaps someone on LDP staff who _does_ have a GitHub account will be kind enough to check in my updates when I send them, as always, to submit@en.tldp.org .
I've continued to do just that, and the mail gets delivered, but LDP has not in the last five years bothered to check my SGML into its repo. So, basically _now_ the more-recent versions of my HOWTOs and the SGML source for them are available on linuxmafia.com and from anywhere that chooses to mirror them (licensing encourages that), but LDP is ignoring them. I figure it's their loss, and the community's, but that their imposing of a sudden demand for external business relations was not reasonable, and that the resulting damage to LDP from their poor decisions was regrettable but ultimately self-inflicted.
----- End forwarded message -----
_______________________________________________ conspire mailing list conspire@linuxmafia.com http://linuxmafia.com/mailman/listinfo/conspire
----- End forwarded message -----