Hi Sorry for the long Email below, but the topic is triggering something in me that I can not hold any longer. Before you proceed reading, please note that I am speaking here as openSUSE member, not more, not less. I also don't want to attack anyone personally, just want to make clear where I see problems from my personal point of view. On Thu, 21 Feb 2019 09:39:11 +0100 Richard Brown wrote:
On Thu, 21 Feb 2019 at 09:35, Maurizio Galli (MauG)
wrote: AFAIK Connect was declared soon to be dead some time ago.
Perhaps the way to deal with the spam is to pull the plug ASAP?
Pull the plug without a replacement for the Membership and the Membership application process and we'll be on course for not electing a new Board and having a constitutional crisis in the future
https://en.opensuse.org/openSUSE:Membership_officials#Process describes the current process and the requirements for such a replacement.
Getting a replacement should not be that hard. I could imagine anything from a Next-/Owncloud instance (with nice, additional features) over to something designed especially for membership management tasks like https://www.admidio.org/ for example. But I see another, real problem: the amount of people willing to administrate and maintain all the infrastructure behind openSUSE is meanwhile down to less than a handful of people - and those need to be real super heroes as meanwhile they do not only need to administrate the "backend stuff" (means: operating systems, storage & network stuff) but ALSO all the running applications. I don't know how they manage all this in their spare time, but they have my deepest respect and I wish there would be more volunteers. If you want to get an idea about the current status, just take the systems listed at https://status.opensuse.org/ (and keep in mind that there are many more systems in the backend that are not listed there): * download.o.o -> maintained by one person, if I'm right * planet.o.o -> more or less unmaintained - old, outdated software * etherpad.o.o -> running outdated version, unmaintained * icc.o.o -> down since weeks now, and nobody cares * lizards.o.o -> 4.7.5 vs. 5.0.3 including security problems (please correct me here, if I'm wrong) * news.o.o -> at least the current version, but updates are happening only on special request * features.o.o -> luckily to be shut down soon * progress.o.o -> old, outdated * connect.o.o -> old, outdated - topic of this thread ... To me it looks like more or less everything which is currently not in scope for SUSE employees is unmaintained. Please note: this should not be an attack to anyone - especially not to the openSUSE heroes, who do their best to keep the systems up and running - but the openSUSE community should IMHO decide sooner than later IF and HOW these systems should be handled in the future. Most of the web-applications listed above started because of enthusiastic community members who invested a lot of their spare time into this. They learned a lot and others found their work useful - everybody had a lot of fun during these days. But live goes on, and people start having other interests and went away. Others still find the systems useful and want to use them - they became legacy. From my point of view, openSUSE as community is very bad in managing those legacy systems. While for some of them (like crashdb.o.o) the right approach was taken and the systems were shut down, others are still there and need someone who takes care. We have an infrastructure policy [1] that says: "All running servers will be evaluated every 6 month to determined continued need for the services provided. If a service is deemed outdated or the server hosts content that may no longer be needed the maintainer on record will be contacted to provide additional details. If no response is received within a 2 week period the server will be shut down." So either we - as community - decide to delete this sentence completely (as we do not want to follow the policy), or we allow our openSUSE heroes to follow the policy and shut down the services listed above. Sounds simple and consequent, right? If there is a need, requested from whomever (and from my personal history I know the board resp. the membership committee is asking again and again to keep connect.o.o alive), this person/group either has to invest the time and resources to keep the service in question up-to date, secure and alive or had to agree that they need to search for something else and find someone who takes over the administration. I personally left the openSUSE heroes for many reasons. But one reason clearly was that I did not want to take over the responsibility for services that I did not set up/developed or have any interest in. Many users seem to anticipate that "keeping a service up and running" is very easy. I say: no, it isn't. Keeping a service not only available but secure and adjusted to changes (like PHP5 -> PHP7 or Ruby 2.3 -> 2.5 as example) needs time and knowledge. Of course, you could re-install it or re-deploying your docker image every time it has been hacked, but my personal demands are way higher than that. So: saying that we need to keep old, outdated, already spammed services up and running "because our users - or better, a small group of users - want or need them" -- fully inheriting the risk of security and data breaches (how many people have their personal data stored in connect?) is not the way I can support. Not the way I can accept. Not the way I want to see openSUSE running and handling the personal data of the own community. I already took the consequences and stepped back from the openSUSE heroes. Looks like I need to step back as openSUSE member as well, as this is really nothing I want to be involved with. openSUSE membership can be managed via paper. Setting up Email aliases and IRC cloaks can be stopped until there is a new tool established. Lost trust and data because of security breaches is way harder to restore and will result in much more work for everyone. Just my 2 cents, Lars -- [1]: https://en.opensuse.org/openSUSE:Infrastructure_policy -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org