access to public openssf chat channels
Some collaboration is exclusively done on Slack (e.g. the meeting notes say this about SLSA 1.0). But Slack has no feature to make history accessible without an account and creating an account requires making a contract with obligations that I neither want to offer nor can I legally offer. (AFAIK LF is not buying enough for Slack to consider offering other contract terms.)
Please offer a Slack-Matrix bridge. Or do you have any other suggestion how to solve this?
(Perhaps plan ahead for also offering this for the Slack workspaces for other LF projects, if these are somehow procured together. I assume there is quite a bit of interest.)
Example of a vendor for such a bridge: https://element.io/enterprise/matrix-bridging-services
I know a free option that archives Slack messages online: https://www.linen.dev/landing Would that solve this problem?
We also have meeting notes in google docs and are working on archiving them on GitHub.
I haven't actually tested that, but it looks like it might work somewhat. (There are unsolved bugs, but it might still offer sufficient functionality to be better than not having anything. Development seems to be fully asleep, so no idea how future-proof this would be. Slack costs a lot of money, so if saving money is important, migrating away to an alternative that is more in line with the mission of OpenSSF would also save money and have longer-term viability.)
It reads like an administrator of the OpenSSF Slack needs to set it up. Who would that be?
I was not envisioning it as a Slack alternative. For example, scroll down to the Kotlin example. They use Slack pretty much exclusively and then this Linen shell as a more cost-effective backup of messages. So from a user perspective there is no change. The issue is there is a privacy concern. People might be expecting their messages to disappear after 90 days, or they might not want messages discoverable via SEO.
OpenSSF Slack would in no way change aside from having an integration managed by the admin and a new channel.
I think capturing history in the notes for each of the TIs is the best approach.
Closing - Slack is managed by the staff, and they follow guidelines for adds/changes/deletes. Slack is not recommended for long-term history of notes & conversations; those are better done through mailing lists, meeting minutes, and GH discussions. TAC is working on communications excellence guidelines and will publish in Q3.
@SecurityCRob, your reason for closing this seems not to be related to this ticket (but another you closed before); can you please reopen? But thank you for making me aware of staff.
People in @ossf/staff, can you offer a pragmatic solution around the problem that Slack is illegal in the EU? (One way with the least friction is a matrix bridge, but others may help.) (Sorry, trying again with corrected mention.)
How is Slack illegal in the EU?
Under the GDPR, an EU law, for it to be legal to have you "consent to give your data to third parties" of EU citizens (and visitors in the past x years, those employed there, etc.), it may not be bundled with other services. Interestingly, Slack costs a lot more per user than services who do not do this. Facebook/Meta was convicted of this at the highest court, with a lot of court cases having decided every argument various companies could come up with. Just recently Slack was in the news for using private messages to train LLMs without opt-in, which is similarly not allowed under GDPR.
The law they violate is an implementation of a part of the international bill on human rights, so some companies want to not do business with Slack even in jurisdictions where it would be legal, and have policies against it that require this of their employees. E.g. it is not compatible with https://www.redhat.com/en/about/policies/procurement/supplier-code-of-conduct (has nothing to do with me, just selected it as it is a policy that is public).
Notably, in their non-public contracts (one of which Linux Foundation probably signed), Slack also tries to have the paying customer take on the liability of GDPR non-compliance, so the OSSF and thus the Linux Foundation might be liable for any fine against Slack, which seems to be up to around 1.4 billion US$ (4% of the annual worldwide turnover of Salesforce, the owner of Slack).
The items described are hypotheticals. Factually, we operate a free version of Slack. Users opt in as they join freely and leave freely, with complete control over their data. Slack messages are deleted after 90 days, no data is retained. This issue can be closed.
It is not relevant whether or not it is offered for 0 direct monetary cost. See the decision of the CJEU in court case C-252/21, specifically search for the second instance of "free of charge". But these legal details take this far off topic.
My question was if you are willing to allow a pragmatic solution that makes it easier for more people to access the public discussions on the OSSF Slack? As that needs administrator permission.
It’s not illegal just because you’ve personally interpreted the law this way. If Slack actually achieves that status, then I’m sure organizations will reconsider it.
Pragmatism would be you just using Slack. Idealism asking for pragmatism doesn’t make sense to me.
It is not important whether or not we agree on the legal details, because my question wasn't about that.
Are you saying that adding a permission, so more people are technically allowed to view these discussions that are organizationally already considered public, will not be considered? Because "my way or the highway" and collaboration where different people contribute to something from which each derives a benefit, so that making slight tweaks that do not cost much so more can benefit, so more can contribute, is an anti-goal of OSSF?
To be clear, I'm not affiliated with the OpenSSF at the moment, so it's not my decision - but https://github.com/ossf/tac/issues/110#issuecomment-2135179120 and your comments seem to suggest to me that adding that permission would actually bypass the data retention policy, which would increase privacy concerns.
@JanZerebecki, to answer your original query, there are no current plans to operate a Matrix instance for the OpenSSF. Meeting notes are persisted in Google docs.
If you'd prefer not to use Slack, you may use our mailing lists instead.
Closing as the original question has now been answered.