Message-Id: <20180920231823.46d282ce40c91f39988bd34e@christoph-conrads.name>
Date:   Thu, 20 Sep 2018 23:18:23 +0200
From:   Christoph Conrads <contact@...istoph-conrads.name>
To:     linux-kernel@...r.kernel.org
Subject: Re: Code of Conduct: Let's revamp it.

The CoC is extremely ambiguously written for an enforceable document, any
behavior disliked by the maintainers can be punished, and the level of
naivete of the maintainers defending it is surprising for such a far-reaching
document.

> In the interest of fostering an open and welcoming environment, we as
> contributors and maintainers pledge to making participation in our project
> and our community a harassment-free experience for everyone, [snip].

The CoC is an enforceable document but harassment is not defined. In the state
of New York, harassment used to be defined as written communication "in a
manner likely to cause annoyance or alarm" before the state's highest court
struck down this clause [1]. Rejecting a submitted patch is clearly annoying,
especially if it comes with a negative review attached to it.

> Examples of unacceptable behavior by participants include:
> [snip]
> * Other conduct which could reasonably be considered inappropriate in a
>   professional setting

There are already two major problems in this statement. The first problem is
that behavior is deemed unacceptable if it "could" be considered inappropriate.
In Singapore, littering the street with cigarette butts is punished with a $300
fine or prison whereas it is legal and socially accepted in most Western
countries. Again, this is sloppy wording in an enforceable document. The second
major problem is the term "Other conduct" which includes anything done in private.
That is, by contributing to the Linux kernel, you are submitting to a sloppily
written set of rules that apply in a professional setting somewhere on earth
and that cover all activities of your life. This is intolerable.

You may argue now that private life is out of scope based on the following
sentence in the Section "Scope":

> This Code of Conduct applies both within project spaces and in public spaces
> when an individual is representing the project or its community.

Who qualifies as an individual who can represent the Linux kernel developers?
Is this every person who has ever contributed code to Linux? Is this only
the maintainers? Do you "represent" if you mention in an online profile that
you are a contributor to Linux kernel development? If so, then you opened the
door for another OpalGate [6]. (The founder of the Contributor Covenant CoC
filed a GitHub issue because of a Twitter statement by someone advertising
himself as Opal developer.)

Finally, let us review the responsibilities of the project maintainers.

> Project maintainers have the right and responsibility to remove, edit, or
> reject comments, commits, code, wiki edits, issues, and other contributions
> that are not aligned to this Code of Conduct, or to ban temporarily or
> permanently any contributor for other behaviors that they deem
> inappropriate, threatening, offensive, or harmful.

Notice the "or". With this CoC the project maintainers have the
*responsibility* to remove content that does not meet the CoC criteria
AND they can ban anyone for ANY OTHER BEHAVIOR THEY DEEM INAPPROPRIATE.
Right there the CoC kicks any pretense of due process out of the window.
With this CoC it does not matter if you actually harassed someone or
not, only the perception of the maintainers is important. Harassment is just a
pretext.

This goes on in the next section where "unacceptable" behavior can be
reported to the Linux Foundation Technical Advisory Board (TAB). Again,
what is deemed unacceptable is never defined in the CoC.

> Instances of abusive, harassing, or otherwise unacceptable behavior
> may be reported by contacting the Technical Advisory Board (TAB) at
> <tab@...ts.linux-foundation.org>. All complaints will be reviewed and
> investigated and will result in a response that is deemed necessary
> and appropriate to the circumstances.

How is the TAB supposed to "investigate"? Call hotels for the videos of
their surveillance cameras? Ask telephone companies for phone protocols?

> The project team is obligated to maintain confidentiality with regard
> to the reporter of an incident.

This confidentiality is not compatible with many legal systems and can
be viewed as obstruction of punishment. The TAB is neither a law
enforcement agency nor a law office nor are the TAB members acting as
journalists.

In addition, in many countries an accuser has to reveal themselves and we
can already see at US universities how anonymous accusations followed by
investigations and rulings within universities lead to wrong decisions
and make them liable to lawsuits. The Linux Foundation (LF) is based in
the US. I wonder if the LF with its more than thousand corporate members
can be held accountable for decisions made by the TAB.


Some TAB members already stated they only want the best for kernel
development but this kind of thinking is naivete bordering on
negligence. Every supporter of every idea ever only wanted the best,
just ask the fans of Donald Trump and Hillary Clinton.

One TAB member writes [5]:
> I personally find it unlikely that relevant pressure could be applied
> on TAB members; I don't find it a prestigious role such that it is worth
> holding on to against my own values or best judgement.

The TAB gets to decide who participates in the development of operating
system software with an estimated worth of US$500 million, it has
a 40% market share in the server market, and it forms the basis of Android
with an 88% market share in mobile devices. Add to that political interests
and you have an uncountable number of reasons to subvert the TAB.


Now if you still think the CoC is just a set of rules, let me correct you by
quoting the founder of the Contributor Covenant [2]:
> Some people are saying that the Contributor Covenant is a political
> document, and they’re right.

In another tweet, the founder writes [4]:
> Breakfast conversation with my daughter about the impossibility of
> “reverse racism” and why “all lives matter” is problematic

You may argue now that I judge the CoC by its author but I do not
believe that a person with these views wrote this document without
embedding some of these ideas in it.


Finally, Edward Cree wrote [7]
> I absolutely cannot sign up to this 'Pledge' nor accept the
> 'Responsibilities' to police the speech of others that it makes a duty
> of maintainership

Will Edward Cree face repercussions for his non-enforcement of the CoC?

> Maintainers who do not follow or enforce the Code of Conduct in good
> faith may face temporary or permanent repercussions as determined by
> other members of the project’s leadership.


[1] https://www.nytimes.com/2014/05/14/nyregion/top-court-champions-freedom-to-annoy.html
[2] https://archive.is/xZOZ3
[3] https://lkml.org/lkml/2018/9/19/602
[4] https://archive.fo/oV4Tu
[5] https://lkml.org/lkml/2018/9/20/93
[6] https://archive.is/o/XRnb9/https://github.com/opal/opal/issues/941
[7] https://lkml.org/lkml/2018/9/19/234
