Nethesis wants to govern NethServer

Dude, what is your issue … Nethesis is a team of developers creating NethServer’s core, and selling it as appliances under the name Nethesis. You get fully working, maintenance-free appliances.

If you want to build them yourself, grab NethServer and save a few bucks on the sale, but you need to invest that as time to get things running smoothly.

It is a trade-off, and a very honest one at that. You do not need Nethesis, but for those who cannot spare a sysadmin to be a dedicated server admin, this is brilliant.

I am not sure why you see a problem with this.

No, I’m sure he works for free and they give away hardware.

The current process, and the reasons for it, are discussed pretty extensively here. There are, of course, pros and cons to everything; those are addressed pretty well here as well. So what do you propose, and why do you think it’s better than the current process? And why should Neth do something different than literally everyone else, both Free Software and closed-source?

I sense that this discussion is getting hijacked and going very much off-topic.

May I suggest that it gets spun off into a different thread/topic?

The fact that everyone does something doesn’t mean it’s the correct thing to do…

What I (and the rest of the clear-thinking devs of OSS) fail to see is the sense (purpose) of creating a company behind open source. It’s obvious that once you create a company, you are out of OSS, as you develop not what the community wants, but what the CEO (being an ass or not) wants, because if you don’t, you will be fired for disobeying orders… Many so-called CEOs of OSS will claim they listen to what the community thinks… bullshit. They could not care less. In fact, what they do care about is money…

What does creating a company have to do with the vulnerability disclosure process?

Extensively explained here.

Honestly I don’t understand which topic we’re discussing :)

If you have a large userbase, they come to depend on you. If you cannot service them, they will leave. Continuity is the reason if it’s done right. Profit when done wrong. There is a risk of projects going south after they formed a business. There are also examples where this went right.

Agreed. I tend to think Nethserver is different.

Nethesis (NethServer sponsor) still has a lot of control on NethServer, (…)

I knew it…
If that’s the case, then it (NethServer) cannot be called OSS. The last word belongs to Nethesis’ CEO, as they are the sponsor and they think they can demand it in return for their sponsorship. You know what I say to this kind of CEO? “You are fired on the spot. Bye”

Puzzle solved now…

I’d like to split this discussion to another thread. Could you suggest a title for it?

Do we really need to split it? It’s all about governance… Nethesis wants to govern NethServer…

So I guess you’ll be leaving now? So long.

Me leaving? What am I supposed to leave? My company? Not yet,…

Seriously though… what stops you (=NethServer devs/community) from splitting from Nethesis and becoming truly independent?

A project this size and with this scope should have serious programming power behind it. Usually, you hire people at that point.

Are you going to argue that RedHat is not OSS? That would be silly, wouldn’t it?

OSS programmers can also be serious about their work…
And do you have any mechanism to stop the CEO (and other ill-wishers) from taking over the project (NethServer)?

RedHat has nothing to do with this…

Yeah, it’s called a fork, and nothing prevents you…

RedHat only sells software to businesses that the community gets later … not sure how it is different.


I’m not going to fork NethServer as I work on something else…

You asked a question, I answered it.

Even when many things can be related to each other, the topic was diverting from the original subject.

Regarding vulnerabilities, I think you advocate for a full disclosure model from day 0. Not the first nor the last time different disclosure procedures are discussed. That will bring full transparency and force the developers behind the project to fix the vulnerability as soon as possible, rather than keeping it to themselves or ignoring it, but it will also expose lots of servers to attacks based on the disclosed information. On the other hand, responsible disclosure gives time to understand the vulnerability’s implications and prepare a fix, while full disclosure is delayed.

There are three parties, at least, involved in the disclosure process:

  • The discoverer: the one who discovers the vulnerability (i.e. security researchers)
  • The developers responsible for fixing it
  • The users

On the other topic, developers asked a group of community members for advice on how to handle the disclosure of a vulnerability a security research firm had informed them of.

If I understood correctly, the developers/community/company behind the project is giving some guidelines for security researchers. Security researchers are encouraged to follow them but are free to disclose as they wish.

Both models have their pros and cons, so if you want to contribute you can expose your thoughts for the community and developers to take into consideration.


About Nethesis and NethServer, it’s important to know the order of facts.
I’m not the best one to tell the history behind NethServer, but the community was created after Nethesis and the project existed.
Nethesis had a model of selling appliances and giving support to customers (and keeping some additional features for the paying customers). I think it was first using SME and later on decided to create the NethServer project.

So it makes sense that the company behind the project has some say about the project itself. You might prefer some other organisational structure, like a foundation run by the community.

Neither the OSS nor the Free Software concept is opposed to business or to making money off of it. Although when money is involved a conflict of interest can arise, so I get your point.

There’s another topic on Governance that tries to address those issues (decision making, &c.). I think @medworthy can help us here, and you’re welcome to have your say.

If you read other posts from the community manager and Nethesis developers you can judge for yourself whether they work with an OSS mindset: whether they ask the community about the decisions, how transparent the process is, and so on. Granted, the way it is isn’t perfect, and that’s why it is open to discussion.


So it makes sense that the company behind the project has some say about the project itself.

We have a conflict here. A company can create project(s), that’s all OK, but what I disagree with is that when a company creates a project, the CEO thinks that s/he is king and can have the last word; WRONG. Upon starting a project they (the company) should decide which way they want it to go; either

a) an open project: give its governance to an elected community member (community leader), let him elect other members to be devs; simply let the community decide (for good and/or bad),
b) develop it as closed source, making employees the devs.

Each way individually can be; you cannot mix these ways…