XSF Discussion - 2012-05-05

00:24:32 Jef has joined
01:35:59 waqas has joined
02:47:55 Neustradamus has joined
03:20:45 Neustradamus has left
04:01:15 Neustradamus has left
04:01:42 Neustradamus has joined
04:22:41 waqas has joined
04:27:45 Neustradamus has left
04:29:55 Neustradamus has joined
04:43:43 Jef has left
05:42:52 Dan Siemon has joined
05:44:44 Dan Siemon has left
05:50:43 Jef has joined
06:21:24 Jef has left
06:21:37 Jef has joined
06:32:12 Jef has left
12:06:13 akuckartz@jabber.org has joined
12:06:52 akuckartz has joined
13:24:10 Zash has joined
13:47:36 winfried has joined
14:31:19 waqas has joined
14:46:41 waqas has left
14:58:42 Florian has joined
14:59:11 Florian BrowserID talks in 4 minutes :)
14:59:32 Zash \o/
15:02:07 dwd Florian, You called the meeting, so you get to chair it. :-)
15:02:16 Florian heh, ok
15:02:23 Florian let me pull up the Wiki page at the same time
15:03:35 Florian let's give it another 5 mins ... Ashley wanted to be here
15:04:17 Florian and Matt
15:04:33 Ashley has joined
15:04:40 dwd Hey Ashley.
15:04:44 Ashley hey there
15:04:47 Florian hey
15:05:12 Ashley how do we want to proceed?
15:05:37 Florian I was thinking of splitting up the RFP into a few parts
15:05:53 Ashley makes sense
15:05:55 Florian 1. Technology
15:05:58 Florian 2. Goals
15:06:03 Link Mauve has joined
15:06:13 Ashley should we have a background section?
15:06:20 Florian 3. What the XSF offers
15:06:24 Kev Just a question ... have we ascertained that no-one has interest in doing this without the XSF paying for it?
15:06:39 Tobias has joined
15:06:51 Florian Kev: we haven't, no.
15:06:59 Kev (I won't, so there's not an ulterior motive)
15:07:15 Florian http://piratepad.net/CMPIY1IvOm
15:08:06 Florian I think the thing is, we basically mention in the RFP that the XSF is willing to pay
15:08:13 Florian at the XSF's discretion
15:08:41 Florian so people who apply can mention that they want X amount for it
15:08:56 Kev K.
15:09:05 Florian and then we can decide if that's worth it, or see if we can find another amount that's mutually beneficial
15:09:51 waqas has joined
15:10:24 Florian do those 4 sections sound alright?
15:10:51 dwd Kev, I do think we'll need to offer cash in some cases to get things done. In some cases, though, we might not need to - that's good too, of course.
15:10:58 waqas FWIW, I for one was thinking of working on this before payment entered the discussion.
15:11:08 Jef has joined
15:11:21 Florian waqas: glad to hear :)
15:11:21 Kev dwd: Right - I'm just raising the issue in case someone is already motivated and the introduction of cash loses us motivation.
15:11:48 Florian Kev: I don't think offering cash would lose motivation
15:12:23 Florian but yeah, should we go through the 4 sections?
15:12:32 Florian starting with Background
15:12:39 Kev Oh, I think there are plenty of cases where it would, but that's OK.
15:12:44 Kev Yes.
15:12:48 dwd Florian, SO the four are background, tech, goals, and what the XSF is offering?
15:13:14 Florian yup, I think that makes sense
15:13:18 Florian maybe time-frame?
15:13:35 Florian however, I think that would fit into goals
15:13:41 dwd Probably.
15:13:52 dwd Does anyone have a clear sense of what the time-frame needs to be?
15:14:18 dwd That is, any existing constraints? (Like, if Mozilla have a clear deadline for getting BrowserID implemented and deployed, say).
15:14:20 akuckartz has left
15:14:24 Ashley i would assume this would line up with mozilla
15:15:11 Florian I don't see a deadline on the page linked on piratepad
15:15:29 Ashley https://wiki.mozilla.org/Identity/Features/Sign_into_the_browser
15:15:33 Ashley this says FF 15
15:15:55 Kev So presumably we need something working far ahead of that.
15:16:12 waqas Two points I'd like to raise: 1. BrowserID is browser neutral. If Mozilla ends up not integrating our work in Firefox, it would be useful to have it work regardless. A signon solution for XMPP would be valuable for the XMPP community in any case. 2. BroswerID allows a lot of freedom to the authenticating party. Captchas, oauth/facebook/twitter login could be tunneled over it without changing XMPP web apps (which happens to be a much requested feature).
15:17:32 Florian right
15:17:53 waqas (this was in response to Winfried Tilanus's email about risk to the XSF)
15:18:08 dwd Right - it occured to me you also probably need an HTTP based API somewhere for the sites to hit.
15:18:21 Florian dwd: BOSH?
15:18:59 dwd Florian, No, I mean something the sites hit, not something the browser hits direct.
15:19:00 Florian but let's stick with the background part for now
15:19:34 Ashley Florian: i was just thinking we could take your board writeup as a background
15:19:47 Florian the blogpost? sure
15:20:04 Ashley yeah
15:20:23 Florian alright
15:20:29 Florian anything else for Background?
15:20:45 Florian else let's move on to Technology :)
15:20:51 Medics has joined
15:21:55 dwd Florian, So the technology is pretty unconstrained from our poitn of view - we just want XMPP.
15:22:02 Florian right
15:22:46 Ashley this may be a goal, but should be internet scale
15:22:52 Florian I think that we should mention that authentication should happen in the "XMPP way"
15:22:56 Kev Well, we want the identity bit of XMPP, while opening the door to using it for other mechanisms later.
15:23:16 Florian as well as federation would be required for this to work
15:23:44 Florian i.e. you can't log in on facebook.com with your Google ID if Facebook doesn't do S2S to google
15:24:01 Florian does that make sense?
15:24:29 Zash But the current BrowserID is based on signing tokens with a private key you hold (which in turn is signed by your provider)
15:24:37 koski has joined
15:25:39 Florian maybe let's skip to Goals first
15:25:42 Florian and come back to technology
15:25:50 Florian that way we know what we want to achieve :)
15:26:18 Florian one goal is obviously authentication
15:26:51 Ashley would being able to leverage the XMPP channel for other uses post-authentication be a goal?
15:26:52 Zash The SignIntoBrowser mentions bookmarks and contacts
15:27:04 Florian Ashley: I think so
15:27:10 dwd Ashley, Yes, I think so too.
15:27:16 Florian I think contacts
15:27:20 Florian as well as push
15:27:34 Florian i.e. notifications
15:27:47 Ashley yes, notifications would be great
15:28:15 Florian for bookmarks, that's data storage
15:28:21 Florian can we do that somehow with PEP?
15:28:36 Florian i.e. do we want to offer a data storage option?
15:28:42 dwd Florian, We've *got* a bookmarks spec. :-)
15:29:04 Zash and it mentions how to store it in PEP
15:29:04 Florian oh, right ... yeah :D
15:29:24 Florian ok, so let me rephrase that ...
15:29:28 waqas This does increase the scope of the project beyond BrowserID. Would Mozilla buy into that initially?
15:29:41 Florian do we want a data storage option, or "just" bookmark storage?
15:30:08 Kev Florian: Do we need to constrain it? Why not be open-ended and see what response the RFP gets?
15:30:18 Florian sure
15:30:19 Ashley well, i think we're just talking about examples of post-auth capabilities over this channel
15:30:34 Kev Ashley: Very probably.
15:30:35 dwd waqas, I don't think we want to paint ourselves into a corner that doesn't include post-auth stuff.
15:30:41 Kev To my mind what we want is:
15:30:43 waqas Also: bookmarks storage. Readable by server admins. I'm not sure how well that would be received, as the existing Firefox bookmark sync stuff makes a point of advertising that it's always encrypted, and they can't see your data.
15:31:16 Kev 1) Primary goal: Auth/identity 2) Secondary goals: taking advantage of other data stuff. Examples would include ...
15:31:19 Ashley fwiw, i need to head out to schlep kids to soccer
15:31:23 Kev And see what comes back to us.
15:31:36 dwd Kev, Seems reasonable.
15:31:40 Florian Ashley: ok ... thanks for dropping by
15:31:49 Florian Kev: makes sense
15:31:58 Ashley sure, let me know what i can do to help after the fact
15:32:09 Kev waqas: Yes. Although I don't think encrypting it is hard, assuming user-held keys of some description.
15:32:20 Ashley has left
15:32:36 waqas Yep
15:32:45 Florian ok, does that look alright for the goals?
15:32:54 Kev So it's a good point to include, but not a hard one to address.
15:33:07 Kev Florian: Happy for me to poke at the pp?
15:33:15 bear is late -sorry
15:33:16 Florian sure
15:33:23 Florian that's what it's there for :)
15:33:43 MattJ has joined
15:33:45 bear browserID is a quarterly goal for mozilla to be used by all our public facing, needs login web sites
15:33:59 bear so that means by end of summer it will be all over moz products
15:34:28 Florian bear: thanks for the info :)
15:34:30 bear tbird has beta code already for "chat" and that includes xmpp
15:34:46 bear and that beta is going to be releases this quarter also
15:35:09 Florian so I think we should have the RFP deadline for end of May
15:35:16 Florian and then get cracking
15:35:30 Kev Florian: OK, I've poked the pp.
15:35:37 Florian Kev: great :)
15:35:43 Kev Agree/disagree/abort/fail.
15:35:57 dwd Florian, Note that winfried said that if we want to get any funding off NLNet, that's also a June thing.
15:36:20 Florian right
15:37:10 Kev I'll ask this just for the sake of it...are we now scrabbling to join a party we're too late to arrive at?
15:37:31 Kev i.e. is it feasible for us to have anything worthwhile in a timeframe that would influence the outcomes we care about?
15:37:39 bear do we want to be clear if this is a browserid client part or also the service part?
15:37:41 Florian Kev: I don't think it's too late, as we've got most of the technology already
15:38:01 Florian but we need to get some fancy demos ready relatively quickly to gain attention / traction
15:38:03 bear browserid itself just became viable the last couple of months
15:38:22 bear the code was baking internally at moz most of the winter
15:38:41 Kev Well, if Moz want to ship this by end June, and we have an RFP process that ends end May, that gives a month to evaluate RFPs, hire someone, get delivery and influence Moz.
15:38:43 dwd bear, I think we need both parts, don't we?
15:38:59 bear moz *internally* is pushing for this
15:39:11 Kev s/Moz to ship this/ship this to Moz/
15:39:16 bear but publicly it's now part of the privacy/persona push that they haven't (or are starting) to push
15:39:24 bear so we are just a bit ahead of the wave
15:39:33 bear dwd - I agree
15:39:44 Florian yeah, we need both
15:39:50 Florian but I think the service side exists
15:40:06 Florian as we're just using XMPP, people have Google Accounts
15:40:06 Kev Florian: Probably does, but saying we need both in the RFP makes it clear.
15:40:16 Florian ah, right
15:40:20 dwd bear, We also need to ensure that either the browserid site-side verification can "pass through" to a XMPP based system, or else that a site could hit a browserid verifier specific to that domain.
15:40:22 MattJ bear, but are we - as in, do we have time to develop proof-of-concepts, etc.?
15:40:25 Kev If the RFPs come back saying "We just use XMPP server as-is".
15:40:39 Kev +then that's great.
15:40:59 dwd bear, I have to say I prefer the latter. Otherwise the browserid.org service can monitor all the sign-ins...
15:41:05 bear yes - my hope/goal in this is that xmpp can be used as a site-side verifier
15:41:57 Florian ah, dwd, you added Compatibility with BrowserID ...
15:42:00 bear mattj - I personally think we are. knowing how moz internals work, they are rarely on time with delivery goals
15:42:13 Florian do we want that, or do we want to define a "new" BrowserID?
15:42:13 Kev bear: Which is useful, thnks.
15:42:28 MattJ bear, shocking :P
15:42:42 bear I would hate if this ends up being a NIH clone of BrowserID
15:42:45 dwd Florian, We want a verifier that's compatible. I don't preclude *other* verifiers...
15:42:58 bear likes how dwd said it
15:43:19 Florian :)
15:43:44 koski +1 what dwd said
15:44:23 dwd Florian, That is, we want a verifier that works - potentially - exactly how the existing POST to https://browserid.org/ works, but if there's an "XMPP way", that's also cool. An option here is to encode additional magicks into the Assertion that tell the site about verifier services to use.
15:44:28 bear I will admit that my bias is that xmpp implements browserid - it would help by adding another open source product that supports the tech which will help Mozilla push it
15:44:49 Kev "XMPP implements browserid" - what does that mean?
15:44:56 dwd bear, You want browserid for signing to XMPP as well? A browserid SASL mech?
15:45:02 Kev In language we can put into the RFP :)
15:45:26 Florian :)
15:45:31 bear yes, but i'm trying not to influence the current enthusiasm or derail it
15:46:28 Kev This is a completely opposite problem I think, isn't it?
15:47:08 bear having never even tried to implement one, I don't know
15:47:15 Kev I'm completely outside my comfort zone with webish stuff.
15:47:18 bear but yes, I suspect it is
15:47:32 bear smacks his own hand for even bringing it up
15:47:43 dwd would note that a browserid SASL mech is pretty simple.
15:47:51 dwd But yeah, different (opposite) problem.
15:48:27 Kev Although has fun recursive effects.
15:49:01 Kev I assert, signing into kev@... that I'm me using browserid, for which I assert I'm me using kevin@...
15:49:01 bear laughs
15:49:26 Florian lol
15:49:54 Kev (Completely pointless as we could do this without browserid, but still ...:)
15:51:34 Florian ok, do we have all the information we want in the PP?
15:52:49 dwd Not quite, hang on.
15:54:05 dwd bear, Is there anyone at Mozilla that would be able to publically work with the XSF (and the guys actually doing this coding)?
15:54:32 bear anyone on the browserid team - they are very open
15:54:47 waqas That would be very useful
15:55:06 bear #identity channel on irc.mozilla.org
15:55:19 dwd Can't they use XMPP?!
15:55:57 bear irc is very much part of mozilla's dna
15:56:16 dwd would like to design a retrovirus to recode that.
15:56:25 bear agree
15:56:39 Florian heh
15:56:42 bear new ways of doing group communication have come and gone, but irc always remains
15:56:44 waqas Good thing no-one suggested IRC for BrowserID. Or did they?
15:56:59 dwd waqas, Authenticate yourself using an unauthenticated network!
15:57:08 bear hell, if we could give them a browserid auth'd xmpp - irc gateway ...
15:57:15 Kev BrowserID by nickserv. Sounds good to me.
15:57:16 waqas dwd, I'm sure it has been tried
15:58:41 dwd OK. FInal question...
15:58:58 dwd How is the XSF going to decide who gets paid?
15:59:23 Florian I think that's something the board should do
15:59:55 dwd I don't think the Board is qualified to do more than ratify decisions made by more technical people, to be honest.
16:00:06 Florian maybe Board + Council?
16:00:07 bear we should get the tech council to rank any contenders and if we have the enjoyable problem of having too many to pick...
16:01:03 Kev I'm trying to think of better ways than relying on Council for this, but am struggling to think of something fair.
16:01:03 dwd The Council could. Or the Board could pick a set of bodies to do the selection.
16:01:39 Kev Some faux-Council chosen by Board is more contentious but probably also more reasonable.
16:01:45 bear each bounty item should have a clear spec - so that it's a simple checklist to see if they met the requirements
16:02:00 Florian dwd: that might be a possibility too ... as that would allow us to maybe get input from Mozilla people as well
16:02:01 dwd Kev, I don't think we can reasonably achieve actual fairness.
16:02:40 Florian i.e. we can have someone from the Mozilla BrowserID team give his input on the projects
16:02:50 dwd Florian, Good point, I'd not thought of that.
16:03:20 bear once we get the rfp in place, I can definitely ask if one of them would like to help be a tech reviewer
16:03:34 Florian so, I'd say the Board should go out and find a group of maybe 5 people, comprising of Council / Board and "industry experts" :)
16:03:59 MattJ and they need to not be people who might submit a proposal themselves (obviously)
16:04:14 Florian I think it's important to have at least 1 board and 1 council member on it though, as the aim is to push forward XMPP
16:04:29 Florian MattJ: correct
16:05:01 dwd MattJ, I'm not sure that's needed. They can't be asking for cash, though they could be offering to do the work gratis.
16:05:22 Florian dwd: fair point
16:05:31 Kev Sure it is.
16:05:38 Kev You can't preclude someone else getting paid.
16:07:06 Florian Kev: huh?
16:07:47 Kev Matt suggested people judging the proposals shouldn't be people themselves submitting proposals. Dave said that was ok if the proposals weren't paid. I said it wasn't.
16:08:04 Florian I think it is
16:08:15 Kev (As choosing your own project precludes someone else getting paid for theirs)
16:08:25 Florian right
16:08:31 Florian hence what Dave said makes sense
16:08:53 Florian they can be on the judging panel if their project idea is not being compensated by the XSF
16:09:07 bear I think Kev is worried that a judge might pick their own gratis work to avoid the XSF from having to pay the bounty
16:09:14 bear or the appearance that is happening
16:09:29 Florian well, the XSF will accept all gratis work
16:09:32 Kev bear: Not that, actually, but a) the appearance is horrid and b) There's more benefit to the winner here than just getting paid.
16:09:36 Florian or at least I think it should
16:10:02 dwd Kev, Right, I suppose it's worth avoiding if possible.
16:10:04 Florian we don't have a limited amount of slots for projects
16:10:10 Kev If a consultant got selected by the XSF to do this, the work went into Mozilla off the back of that, etc., that's a hell of an advert for that consultant. Worth more than the amount we would have paid, I suspect.
16:10:31 bear yes, moz tends to hire folks who are good contributors
16:10:43 bear (as contractors or staff)
16:10:43 Florian hmm, ok
16:11:14 Florian so should we not allow that, or just prefer not to have that
16:11:32 Kev Florian: A bit like if it was left up to the Council Chair to select an official XMPP library - Swiften's available free, so it's fine for me to choose that :)
16:11:57 Florian Kev: right
16:12:06 Kev I think we should avoid it.
16:12:12 Florian ok
16:12:20 Kev I don't think we have so many people on Board/Council who'll be putting their names down for this.
16:12:41 bear yes, when money is involved, we should be 110% clear of those kind of implications
16:13:07 Florian "Jury member can't submit a project."
16:15:07 bear do we want to even begin to say what OS licenses should be used?
16:15:17 Florian hmm
16:15:34 Kev bear: License of the XSF's choice, to be decided later.
16:15:48 bear then we need to be clear that they are giving the XSF all rights to the code
16:15:57 Kev We're going to want something entirely permissive.
16:16:10 Florian right
16:16:23 Florian anyone want to add that to the Legal Mumbo Jumbo section?
16:16:28 Kev I'd suggest two-clause BSD or MIT, although three-clause BSD is probably OK.
16:16:43 bear is a fan of MPLv2
16:16:55 bear but I can how others may not be ;)
16:17:53 Kev I'd like something more permissive than that if we're looking at stumping up money for this.
16:18:07 bear nods
16:18:17 Florian I think that the way bear put it is fine
16:18:27 Florian the XSF gets ownership as this can be seen as contract work
16:18:41 Florian i.e. we're paying people
16:19:01 Florian and the free work can be seen as donations
16:19:21 Florian so I think that makes sense and gives us freedom
16:19:46 bear we may need to get peter to run this by whatever lawyer the xsf uses
16:19:53 Florian right
16:19:57 Kev Right.
16:20:00 dwd I have to admit I don't care - in many respects I'd like to avoid assignment if at all possible.
16:20:11 Florian ok, I think we have a good start though
16:20:18 dwd I think requiring a very liberal license is adequate.
16:20:33 bear dwd - true, just avoiding some messy downstream issues if we say "xsf owns all" and then we assign it a BSD license
16:20:50 Florian bear: right
16:21:17 Florian ok, I think we have a good start here
16:21:21 bear hmm, but I will defer to the lawyer because I can see a scenario where doing that opens us up to more grief
16:21:42 Florian I'd say the next step is to write this up properly ...
16:21:47 Florian on the wiki
16:21:58 Florian any volunteers?
16:22:12 Kev I'd prefer liberal license to assignment, FWIW, but hills, etc.
16:22:15 Florian I'm happy to write the background / what xsf can offer and legal part
16:22:58 bear flips and joins dwd and kev
16:24:04 bear do we need to do more than just cut-n-paste this into a concept/outline page?
16:24:21 Florian I think we should write this up
16:24:40 dwd bear, My problem with assignment is that in the UK, for example, it requires a formal Statutory Instrument, whereas in Canada, you cannot enforce an assignment clause before the fact - it's just legally a bit of a minefield.
16:25:11 bear dwd - understood, I changed my mind about it as I thought about it more than a few seconds
16:25:51 bear florian - i'll start transfering it to the wiki
16:25:59 Florian alright
16:26:07 bear most of it will be brought over the same, just will fill in some words
16:26:33 Florian as I said, I'm more than happy doing the texts for Background, what xsf offers and legal stuff
16:26:40 bear cool
16:26:50 Florian would be great if some people could sit down and write up the 2 other parts
16:27:08 dwd Any volunteers?
16:27:08 bear let me get this first draft on the wiki
16:27:21 Florian http://wiki.xmpp.org/web/BID-RFP
16:28:41 Florian anyone willing to write Technology / Goals?
16:29:10 Kev I'm not offering to do anything for fear that I won't complete it.
16:29:47 bear both of those are part of the etherpad - they just need filling out with more detail
16:30:15 dwd Right, I'll do some work over it.
16:30:25 Florian dwd: awesome, thanks :)
16:30:36 Florian so one last thing ... time?
16:30:45 Florian should we say, all written up by wednesday?
16:30:53 Florian and then another meeting here?
16:31:26 dwd We can do that, I think.
16:31:47 Florian alright ....
16:31:48 Florian AOB?
16:31:48 dwd But maybe arrange the meeting time on a list, to ensure we get everyone who wants to come here.
16:31:59 Florian dwd: sure
16:32:47 Florian alright, I think with 1h30m ... it's time to end :)
16:33:11 dwd Florian, Thanks!
16:33:15 Florian thanks all!
16:33:20 Florian I'll send a mail to the list later
16:33:35 Florian members, jdev, standards, jadmin
16:33:43 bear ok, wiki now has the etherpad contents
16:33:51 Florian great!
16:33:52 Florian thanks bear
16:34:34 Florian thanks all !
16:34:41 Florian Next meeting wednesday ... tbc
16:34:51 bear thanks
16:34:56 Kev Ta.
16:36:10 Florian has left
16:54:01 koski has left
17:22:17 Jef has left
17:22:19 Jef has joined
17:27:58 Jef has left
17:28:03 Jef has joined
17:32:33 Jef has left
17:32:35 Jef has joined
17:35:08 winfried has left
18:15:42 waqas has joined
18:18:09 Medics has left
18:26:35 Tobias has joined
19:30:33 Jef Young man, there's a place you can go
19:30:39 Jef Young man, there's a place you can go
19:30:45 Jef You can stay there and I'm sure you will find Many ways to have a good time
19:30:58 Jef It's fun to stay at the X.S.F
19:31:00 Jef It's fun to stay at the X.S.F
19:31:08 Jef They have everything for young men to enjoy
19:31:18 Jef They have everything for young men to enjoy
21:08:25 dwd Jef, I think you'll find that XMPP is a better acronym for YMCA parodies.
21:08:46 dwd Or IETF, or indeed any four letter acronym.
21:12:41 Jef lol
21:13:22 MiGri ;)
21:23:58 Kev Eeee Tee Ell Aaay
21:38:11 bear in some ways I am glad I had no idea what he was referencing
22:17:06 Tobias has joined
23:11:28 waqas has joined
23:21:48 Zash has left