Created attachment 399230 [details]
NTF NDA Gentoo

The foundation was contacted by Susan Graves, Director Client Experience, NTF foundation [1] about becoming members.
At the March trustee meeting of the Gentoo foundation the board voted to look into joining [2] if the terms were acceptable.

I am opening this bug because I received this response from Sue and need help to proceed; that's why I added the security team to this bug.

[snip]
Hi David,

Great, yes the terms are the same. What I'd like right now is to get the names and emails of whom within the Gentoo team needs to be on our Advanced Security List. (There's a timely reason for this.)

Also, please sign the attached NDA. I can either send you the standard agreement and you can modify it to your liking, we can review and accept or edit, after that, OR I can draft one, if you want to tell me what kinds of things you know Gentoo will not agree to?

Looking forward to working with you!

Best,
Sue
[snip]

[1] http://nwtime.org/membership/
[2] http://nwtime.org/membership/benefits/
I don't think anyone should join ANY (even for a good cause...) company/structure/foundation... that uses NDAs.

NDAs are unfair: if companyA puts an NDA on companyB it is to make sure companyB can be trusted, and it changes their relationship from:
companyA 0% trust companyB -> companyA 100% trust companyB
companyB 0% trust companyA -> unchanged

It is a bad relation because companyB still has 0% trust in companyA itself! In reality, companyB is just agreeing to be the slave of companyA (for whatever reason/purpose).

1/ Don't use a general NDA: it's a poisoned relationship where you get enslaved for the only benefit of the other.

2/ At least if companyA puts an NDA over companyB, then make sure companyA must also agree to get an NDA BY companyB: I sign so you can trust me -> then sign so I can trust you too. Forcing companyA to show its good faith to companyB too.

3/ The NDA doesn't give any time limit. It's perfectly logical to wish to "hide" a security issue... But it is against Gentoo to not have any deadline (and a reasonable one; don't enslave yourself to hide anything for years): http://www.gentoo.org/main/en/contract.xml
"Exceptions are made when we receive security-related or developer relations information with the request not to publicize before a certain deadline."

Because you cannot know the nature of the request to not disclose information (the NDA is not only for security, but anything NTF wishes to remain hidden from the public). So if you cannot know the "nature" of the information to keep hidden, you cannot know what NTF will ask you to hide: and this could be damaging to you (Gentoo). And our social contract states only security information could be kept hidden AND only with a deadline.

If NTF doesn't trust Gentoo, I don't see why Gentoo must blindly trust NTF to prove its good faith. NTF must prove it too: a 50/50 deal.

It is like making a pact: "we agree that YOU will jump from this roof".
LOL, what a good contract: you agree to obey and jump from the roof while the other party agrees to NOTHING!

You may think enslaving yourself to another foundation and not a commercial company is "not a problem" because it is a foundation... Well, if it's not a problem to enslave yourself to a foundation, I don't see why this foundation has any problem working with Gentoo, a foundation too, and must put an NDA on it.

What you could do if you really want to work with them is only agree to sign an NDA based on security only (the information of the problem itself; no code or anything) and only an NDA for this problem and only with a deadline. So signing an NDA for each security problem NTF submits and wishes to remain closed to the public.

Look at the part # in the NDA:
1. It defines what is "confidential information"; by the definition it means "anything".
2. You agree to hide what is defined as .1
3. You have no rights on anything: so if you sign the NDA for the only benefit of getting NTF information, it means you have no rights... if NTF denies you the information it has. Making even the "omg we gonna benefit from sharing info" void.
4. is out of interest from my understanding.
Ya, I agree about the NDA. It seems bad and generally unneeded. Why should we join in the first place though? If it is only for security updates and they don't want to send to oss-sec then a very limited NDA might be alright, but not this generic one :P
(In reply to David Abbott from comment #0)
> Created attachment 399230 [details]
> NTF NDA Gentoo
>
> The foundation was contacted by Susan Graves, Director Client Experience, NTF
> foundation [1] about becoming members.
> At the March trustee meeting of the Gentoo foundation the board voted to
> look into joining [2] if the terms were acceptable.
>
> I am opening this bug because I received this response from Sue and need
> help to proceed, that's why I added the security team to this bug.

We're not entirely sure what to expect from this list as there is no information available about it. Is it relevant for package maintainers or NTP server/client admins? We would much prefer to receive information as part of the distros list maintained by openwall with limited disclosure windows.

I agree with the sentiment that this NDA is in conflict with the social contract in the current form and would like to note that no written NDA is required for *any* other privileged information we're currently subscribed to.
The NDA in effect means that we may be told things we cannot use. That's not really compatible with open source, nor is it very useful to Gentoo.

Gentoo the distro does not have the corporate structure, nor the controls in place to enforce an NDA on our contributors. If an NDA needs to be signed, it needs to be the individuals who will see the restricted information who sign. That's not something I would ask of any Gentoo dev.

I recommend that Gentoo stays away from anything that requires an NDA.
Closing, NDA is a no-go.