* ACK on moving away from SourceForge mailing lists - though only once a community-welcomed replacement is up and running

* ACK on using LF as a mailing infrastructure provider

* Research secure mailing list models, for bitcoin-security.  The list is not ultra high security - we all use PGP for that - but it would perhaps be nice to find some spiffy cryptosystem where mailing list participants individually hold keys & therefore access.


On Sun, Jun 14, 2015 at 6:12 AM, Warren Togami Jr. <wtogami@gmail.com> wrote:

Discomfort with Sourceforge

For a while now people have been expressing concern about Sourceforge's continued hosting of the bitcoin-dev mailing list.  Downloads were moved completely to bitcoin.org after the Sept 2014 hacking incident of the SF project account.  The company's behavior and perceived stability have been growing to be increasingly questionable.


http://www.theregister.co.uk/2013/11/08/gimp_dumps_sourceforge_over_dodgy_ads_and_installer

November 2013: GIMP flees SourceForge over dodgy ads and installer

https://lwn.net/Articles/646118/

May 28th, 2015: SourceForge replacing GIMP Windows downloads

http://seclists.org/nmap-dev/2015/q2/194

June 3rd, 2015: Sourceforge hijacked nmap's old site and downloads.


When this topic came up over the past two years, it seemed that most people agreed it would be a good idea to move.  Someone always suggests Google Groups as the replacement host.  Google is quickly shot down as too controversial in this community, and it becomes an even more difficult question as to who else should host it.  Realizing this is not so simple, discussion then dies off until the next time somebody brings it up.


http://sourceforge.net/p/bitcoin/mailman/bitcoin-development/thread/1943127.DBnVxmfOIh%401337h4x0r/#msg34192607

Somebody brought it up again this past week.


It seems logical that an open discussion list is not a big deal to continue to be hosted on Sourceforge, as there isn’t much they could do to screw it up.  I personally think moving it away now would be seen as a gesture that we do not consider their behavior to be acceptable.  There are also some benefits in being hosted elsewhere, at an entity able to professionally maintain their infrastructure while also being neutral to the content.


Proposal: Move Bitcoin Dev List to a Neutral Competent Entity


Bitcoin is a global infrastructure development project where it would be politically awkward for any of the existing Bitcoin companies or orgs to host due to questions it would raise about perceived political control.  For example, consider a bizarro parallel universe where MtGox was the inventor of Bitcoin, where they hosted its development infrastructure and dev list under their own name.  Even if what they published was 100% technically and ideologically equivalent to the Bitcoin we know in our dimension, most people wouldn't have trusted it merely due to appearances and it would have easily gone nowhere.


I had a similar thought process last week when sidechains code was approaching release. Sidechains, like Bitcoin itself, are intended to be a generic piece of infrastructure (like ethernet?) that anyone can build upon and use.  We thought about Google Groups or existing orgs that already host various open source infrastructure discussion lists like the IETF or the Linux Foundation.  Google is too controversial in this community, and the IETF is seen as possibly too politically fractured.  The Linux Foundation hosts a bunch of infrastructure lists and it seems that nobody in the Open Source industry considers them to be particularly objectionable.  I talked with LF about the idea of hosting generic Bitcoin-related infrastructure development lists.  They agreed as OSS infrastructure dev is already within their charter, so early this week sidechains-dev list began hosting there.


From the perspective of our community, for bitcoin-dev it seems like a great fit.  Why?  While they are interested in supporting general open source development, the LF has literally zero stake in this.  In addition to neutrality, they seem to be suitable as a competent host.  They have full-time sysadmins maintaining their infrastructure including the Mailman server. They are soon upgrading to Mailman 3, which means mailing lists would benefit from the improved archive browser.  I am not personally familiar with HyperKitty, but the point here is they are a stable non-profit entity who will competently maintain and improve things like their Mailman deployment (a huge improvement over the stagnant Sourceforge).  It seems that LF would be competent, neutral place to host dev lists for the long-term.


To be clear, this proposal is only about hosting the discussion list.  The LF would have no control over the Bitcoin Project, as no single entity should.


Proposed Action Plan


  • Discuss this openly within this community.  Above is one example of a great neutral and competent host.  If the technical leaders here can agree to move to a particular neutral host then we do it.

  • Migration: The current list admins become the new list admins.  We import the entire list archive into the new host's archives for user convenience.

  • http://sourceforge.net/p/bitcoin/mailman/  Kill bitcoin-list and bitcoin-test.  Very few people actually use it.  Actually, let's delete the entire Bitcoin Sourceforge project as its continued existence serves no purpose and it only confuses people who find it.  By deletion, nobody has to monitor it for a repeat of the Sept 2014 hacking incident or GIMP-type hijacking?

  • The toughest question would be the appropriateness of auto-importing the subscriber list to another list server, as mass imports have a tendency to upset people.


Thoughts?


Warren Togami

------------------------------------------------------------------------------

_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development




--
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc.      https://bitpay.com/