Okay, so I talked with Pono a bit on and off about this and it is easier if they purchase it and we give them a list of names. We should just then assign someone to be the "list master" kinda how Tav is with the book program. We can authorize a maximum amount and they don't have to be all at once. But, we do need to specify "which key" to some level or a set of requirements for deciding which one.

So, in that vein, I vote D (and I'm proposing something here but not deadset on any of the values, but hoping this works for folks as I just went down the center) which I'm stealing from the book program (https://alpha.inkscape.org/board/referendums/resolutions/developer_education_book_campaign_2020.html) My goals here are that we need to publicly identify who is eligible, who will make that designation whether they're eligible and what they're eligible for. (basically, no secret programs) I didn't pull over the requirement that people have contributed for a specific amount of time as I didn't feel it was needed, but discuss 😄

1. Create a program to increase the security of Inkscape accounts and

infrastructure by providing authorized users of the accounts with

hardware based 2FA devices. It will be open to any contributor that

regularly needs access to the Inkscape keyrings or has access to

Inkscape repositories on Gitlab. This is including potentially members

of the Inkscape PLC.

2. In total, the Inkscape PLC intends to spend up to $1500 for purchase

of security keys including shipping and handling costs. We anticipate

10-30 people will be eligible at roughly $50 per key.

3. The campaign manager (Marc Jeanmougin, or their designee) will be

empowered to determine eligibility of potential recipients and will

be tasked with building a list of recipients and their appropriate

contact information.

4. A list of eligible keys will be posted by and updated by the campaign

manager in a public location. Each key should have the features to work

with Inkscape infrastructure and tools, and have a preference for keys

that are Open Source. A variety of keys should be chosen for various form

factors (USB-A vs. USB-C, etc.) as determined by the campaign manager.

5. The list of eligible keys, recipient requirements and any deadlines for

application will be posted to the mailing lists and in the appropriate

project chat rooms to ensure all eligible contributors are aware of

6. Recipients must provide a valid name, shipping address, and desired

key to the campaign manager (or their designee), who will then

provide the information to the SFC for purchasing and shipment of

7. Appeal of any of the above should be made to the Inkscape PLC.

So I've asked Pono two procedural questions I'm not sure on here. Just tired of redoing things 😢

Since this authorizes a reimbursement (not just a budget item, but actual monies) I don't know if it needs to be more specific on what it is reimbursing. For instance, which of the two keys or a specific model of key.

When we did the last thing like this with the book program, the SFC strongly preferred us giving them a list of people and them ordering it for us. Not sure if that's the case anymore. Asking.

Anyway, I'm for getting security keys for folks, just want to make sure we get the details correct and didn't want anyone to think I'm ignoring this thread.

Dear leadership committee,

Your attention is required to vote on the following matters:

Background:

Some contributors have, or need to have, access to social media accounts

to post on the behalf of the project, or to infrastructure accounts,

most importantly gitlab. For computer security, we would like to protect

those accesses with a safe 2FA method, and the safest method to avoid

impersonation and phishing attacks is a 2FA hardware token with FIDO2 or

U2F. Then we would be able to set a policy to enforce 2fa when

contributors need access to passwords that would be shared on nextcloud,

or to contributors with "owner" access to gitlab projects.

The most common such token is the Yubikey (45€/$ a piece+10

tax+5shipping) but there are equivalents with open hardware component

and open source software (e.g. solokeys at 35€/$ incl. tax +5€ shipping,

or nitrokey ). As for the amount of people, the vectors team has around

10-15 people with some level of access to passwords of the project, 4

people do not have 2FA and have "owner" access to the whole gitlab

project, + 2 "maintainer" access to inkscape/inkscape (and more in other

sub-projects). We also have the possibility to offer it to all regular

contributors for whom it would be useful.

It is yet to be seen whether we could have a discount by asking, or if

there is a way to pay for the whole order and get a single reimbursement

instead of reimbursing individual contributors

Ballot:

a. Reimburse up to 2000 USD for password and project protection, and

also offering it to contributors who have been in the project for more

than a year and ask for it (implies support for option b)

b. Reimburse up to 1000 USD to protect the project's passwords on

nextcloud and gitlab project access (only contributors who have access

to nextcloud, and gitlab maintainer or owner access)

c. Do not do it

d. Other (please specify)

Thanks!

Marc

_______________________________________________

Inkscape Board of Directors mailing list -- inkscape-board@lists.inkscape.org

To unsubscribe send an email to inkscape-board-leave@lists.inkscape.org

_______________________________________________

Inkscape Board of Directors mailing list -- inkscape-board@lists.inkscape.org

To unsubscribe send an email to inkscape-board-leave@lists.inkscape.org