Message-ID: <5490402b-8b9f-f52d-3896-41090e639e51@linux-m68k.org>
Date:   Wed, 21 Jun 2023 11:51:19 +1000 (AEST)
From:   Finn Thain <fthain@...ux-m68k.org>
To:     Theodore Ts'o <tytso@....edu>
cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Jonathan Corbet <corbet@....net>,
        tech-board-discuss@...ts.linux-foundation.org,
        Kees Cook <keescook@...omium.org>,
        Dan Williams <dan.j.williams@...el.com>,
        linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Documentation: Linux Contribution Maturity Model and
 the wider community

On Tue, 20 Jun 2023, Theodore Ts'o wrote:

> On Tue, Jun 20, 2023 at 01:54:23PM +1000, Finn Thain wrote:
> > 
> > I suspect that counting commits may be the wrong metric (I can think 
> > of better ones).
> 
> As far as whether counting commits is the wrong metric, it doesn't 
> matter if you look at lines of code changes, attendance at conferences 
> such as the Linux Plumbers Conference, or participation on weekly 
> subsystem calls or video conferences, it's fair to say that the 
> vast majority of those current developers work for companies.
> 

The metric I'd use would be one that considers the benefit to the wider 
community. The proportion of developers who are on a payroll is relevant 
to that -- inasmuch as users are customers.

In general, FLOSS users are not customers because if they could buy what 
they wanted, they would not have to build, modify, integrate or support 
it.

> > But if that's what we have, the lack of commits from non-profit 
> > organizations is a situation that might actually be improved by 
> > changes like the ones I'm advocating.
> 
> Not only have you not provided any evidence for your thesis (which to be 
> fair is hard since what you are positing is a hypothetical), but you 
> haven't even provided a theory why you believe that to be true!
> 

Well, evidence is good. The literature has evidence to support the 
effectiveness of other maturity models when put into practice in an open 
source setting.

Is there evidence to support the notion that your Linux Contributor 
Maturity Model (in its present, unpatched form) will bring the anticipated 
benefits, should companies choose to embrace it (and perhaps replace 
whatever methodologies they presently use)?

The technical projects under the purview of FINOS require a contributor 
license agreement. This has historically been a difficult pill for some 
contributors to swallow, so it's hard to imagine widespread adoption of 
the entire FINOS methodology (absent some kind of leverage).

AFAICT, non-profit organizations are not considered by the FINOS 
formulation of an open source maturity model, whereas the other open 
source maturity models I came across when skimming the literature do 
indeed consider those organizations.

The FINOS OSMM is designed to "ensure maximum profitability" while 
minimizing risk. 
https://github.com/finos-labs/osmm/blob/main/docs/user/OSMM-Explanations.md

> I *do* have a theory for what we've observed, which is that developers 
> like to have food with their meals, and the amount of time and effort to 
> do serious kernel work is significant.  And so companies are the ones 
> who can fund the engineers which are spending a good proportion of their 
> time working on Linux kernel development.  This is why we see a huge 
> amount of work from people who work for Linaro, Intel, Red Hat, Google, 
> IBM, Nvidia, Facebook, Oracle, etc. both in terms of code contributed to 
> the kernel, code reviews of other people's code submission, design 
> discussions on LKML and in various "hallway track conversations" at the 
> various Linux conferences/workshops, etc.
> 
> As far as non-profit organizations are concerned, most of them have a very 
> tightly defined mission.  That mission might be mostly unrelated to the 
> kernel, except as a customer of the kernel --- for example, the Mozilla 
> and Eclipse Foundation --- or it might be Linux adjacent, such as "make 
> a good distribution a la Debian, Arch, Fedora, etc."  The people at 
> these non-profits might be volunteers (this is mostly the case for 
> Debian), or they might be paid engineers based on the corporate 
> sponsors of the non-profits (for example) or engineers who are paid by 
> a company, but who are "on loan" to the non-profit organization (for 
> example, in the Apache Software Foundation this is a common pattern).  
> Either way, though, those non-profits tend to have a very tightly 
> focused mission, and it tends not to be one which requires a large 
> amount of kernel development.
> 
> You appear to have a very different model of how non-profits might 
> approach the Linux kernel --- could you go into more detail about why 
> they might want to contribute to the Linux kernel, and how we might 
> encourage them to contribute more engineering effort?
> 

Sure. Here's a recent example, in which a not-for-profit volunteer might 
have been granted an opportunity to work upstream: 
https://lore.kernel.org/all/129c9d5e-213a-80c9-092e-dc1dcf38ae3e@linux-m68k.org/

The driver in question may not be commercially viable, but that 
doesn't matter, if the intention is to foster new maintainers and increase 
the talent pool. And the problem ostensibly being addressed in the Linux 
Contributor Maturity Model is a shortage of maintainers.

I don't have a magic bullet to solve that problem (which is not just a 
Linux problem) but I'll make a few observations.

- Maintainers should be "automating themselves out of a job" to whatever 
  extent this is possible.  git is a good example of this, as is all of 
  the tooling and workflow automation that grew out of that (e.g. gitlab).

  Because the Linux project is structured as a hierarchy, I think Linus 
  and senior maintainers have a crucial role here. I don't think it's a 
  coincidence that git was the brainchild of the top maintainer.

  Making the maintainer role more lucrative will provide a disincentive 
  for more automation (with or without level 5 performance reviews) unless 
  remuneration is tied to metrics that reflect maintainer effectiveness.

- The roles of maintainer and reviewer should be taught in universities at 
  a post-graduate level to increase the talent pool.

- On the whole, I don't think remuneration or training can solve the 
  problem. I do think automation and tooling can do it.

  To develop that technology, subsystem maintainers must collaborate on 
  process, automation and tooling. That means they must remedy the 
  balkanization that presently exists across subsystems.

  I realize that experimentation and risk-taking are part of the reason 
  why Linux is the success that it is. However, at some point, senior 
  maintainers have to decide, for example, "the model used by subsystem A 
  is _measurably_ better than the process used by subsystem B, so the 
  former technique will become mandatory and then collaboratively improved 
  upon."

  So, we come back to metrics again. (As you would know, "you can't 
  improve what you can't measure.")

> > > I'm not sure how this document would "hinder collaboration" with 
> > > non-profit organizations and individuals.  Could you say more about 
> > > your concern regarding how this undesirable outcome would happen in 
> > > practice?
> > 
> > I believe that I've now addressed this in my message to Greg.
> 
> Well, no, you haven't.  More below....
> 
> On Tue, Jun 20, 2023 at 01:48:59PM +1000, Finn Thain wrote: (in reply to 
> Greg)
> > 
> > Bonuses and salaries are tied to performance reviews so the hazards 
> > here are clear. Level 5 compels companies to seek feedback and 
> > naturally they will seek it from companies who share their goals. You 
> > ask too much of employees if you expect them to put aside the 
> > corporate agendas and pursue the interests of the wider community.
> 
> I was a hobbyist from 1991 to 1999 (I was the first North American linux 
> kernel developer, and at the time my day job was tech lead for the MIT 
> Kerberos Team and I also served on the IETF Security Area Directorate 
> and was one of the IPSEC working group chairs), and then from 1999 until 
> present, I've worked for companies (first VA Linux Systems, then the IBM 
> Linux Technology Center, and now at Google).  So I think I know 
> something about how employees balance the needs of the Linux Kernel 
> community and the needs of their employer.
> 

I don't mean to lecture you, Ted. I have great admiration for your 
considerable contributions and insight. Also, I benefit from extfs every 
day and for that I'm grateful.

> > Countless lawsuits over the last few decades made it abundantly clear 
> > that the goals of companies often diverge from those of the wider 
> > FLOSS community.
> > 
> > Consider all of the open source code thrown over the wall, the binary 
> > blobs, the binary modules, the built-in obsolescence, the devices 
> > shipped with vulnerabilities now reduced to e-waste because they 
> > cannot be fixed, the vendor lock-in strategies, the walled gardens, 
> > the surveillance etc.
> 
> There haven't been *that* many lawsuits, and while there have been some 
> bad actors, there have also been many, MANY examples of companies that 
> have contributed in highly positive ways.  For example, well over a 
> decade ago, IBM started requiring that their peripheral card suppliers 
> (e.g., network cards, SCSI host bus adapters, etc.) MUST have 
> upstream Linux device drivers as a condition of the procurement 
> contract.
> 
> And the more enlightened companies *do* understand that out-of-tree 
> patches are technical debt, and that getting drivers, patches, etc., upstream 
> in the long run would save them huge amounts of effort.  So there are 
> plenty of ways in which meeting the goals of the FLOSS community is 
> ultimately good towards achieving the goals of for-profit companies.
> 

Indeed.

> > To my jaded mind, it is obvious that such reprehensible strategies can 
> > be advanced by co-operative employees given inducements from colluding 
> > companies. My patch won't prevent this sort of behaviour but it does 
> > remove a directive that would help facilitate it.
> > 
> > Greg, if you want to see more performance reviews, the maturity model 
> > could compel companies to provide unsolicited feedback, instead of 
> > seek it from an arbitrary source. Would you be amenable to a revised 
> > patch along those lines?
> 
> It was never about *companies* providing unsolicited feedback, but 
> rather the upstream Linux kernel development community:
> 
> Level 4
> =======
> 
> * Organizations will consider community member feedback in official 
>   performance reviews.
> 
> Level 5
> =======
> 
> * Organizations will actively seek out community member feedback as a 
>   factor in official performance reviews.
> 
> I could see making this be more explicit by spelling out "upstream 
> development community" and "regarding their upstream contributions". But 
> I'm not sure where you thought it was about "getting *from* companies".
> 

I know that was not the intention, but I think that the incentives work 
against the intention, and it need not be so.

> The reality is that many, if not most of the key Linux kernel developer 
> leaders are employed by companies.  And so we are quite well practiced 
> at being able to put on our "open source leader hat" --- and explicitly 
> telling people that this is what we are doing --- as well as being able 
> to explain when we are relaying the requirements from a particular 
> company, usually when we are explaining what motivated a particular 
> code contribution.
> 
> So if I were asked to give a recommendation for an employee working at 
> Company I, and I'm working at Company G, I'm perfectly capable of 
> saying, this is what this person has done as an upstream developer, and 
> based on her upstream contributions, you should definitely promote her.  
> And this has actually happened, BTW.  If we could encourage more 
> companies to seek out or accept more feedback from community members, 
> that would certainly be a good thing.
> 
> Cheers,
> 
> 						- Ted
> 
> 
