Does Debian need a Conflict of Interest register?
People have asked for it several times. Cabal members have always refused.
Over the last few years, I've had various questions from people about how much they can really trust certain people in Debian.
Vigilantes claim to have a Code of Conduct for Debian. But a Code of Conduct is worthless without any process for managing Conflict of Interest. Last weekend the DebConf8 room allocation data was published somewhere on the internet and this gives some scary insights into Conflict of Interest.
Most people would assume that a data set like this is somewhat private and an organization like Debian would be competent in keeping it private.
Maintaining the privacy of the data requires both technical and social best practice. As we saw in the evidence about Debian harassment culture being a factor in suicides, it isn't the best social environment. A poor social environment is going to struggle to maintain effective privacy.
In relation to the privacy of DebConf personal data, one of the most glaring lapses came with the Albanian scandal. The former Debian Project Leader, Chris Lamb, first visited Albania in 2017. One of the women spent two years visiting events with Lamb. She was seated next to Lamb at the DebConf19 dinner in Brazil. Eight weeks later, she was selected for a $6,000 Outreachy internship.
When you look at the photos and travel itineraries, there is no evidence that the woman did anything wrong. There is a strong hint that Chris Lamb was smitten with this girl. All the rules on funding were relaxed.
When they gave the woman the Outreachy placement, she writes that she had to begin learning Git and at the same time, they simply gave her access to the DebConf Git repository. The repository contains a lot of private information about participants throughout the whole history of DebConf.
I do not believe this woman is any less trustworthy than any other volunteer. On the other hand, the ease with which Lamb gave a smiling newcomer access to this data and the manner in which funding rules were violated suggests that Debian security has some soft spots.
A few weeks ago, I wrote about the manner in which two volunteers, Moray Allan and Holger Levsen, allegedly assaulted and physically expelled Ted Walther from DebConf6.
The summary of the incident includes the following text:
At this point Holger and Moray, as mentioned above, manhandled Ted across the dining hall to the door, where they were intercepted by John.
In my subsequent blog about the topic, I published an email from Amaya Rodrigo Sastre where she appears to be justifying violence towards Mr Walther, the victim:
I explained to her that what was going on had nothing to do with her, that it was a problem with Ted and that I believed Ted was a dangerous person and that she should be careful.
Amaya's defamatory emails have been made available to over 1,000 Debian Developers who have had access to the debian-private archives. 16 years have passed. Many people will not know or remember that Amaya had a conflict of interest.
In fact, Amaya had a relationship with Holger, one of the aggressors. She was writing these emails to disparage Mr Walther and take the pressure off her unstable boyfriend.
The relationship appears to be confirmed in the DebConf8 room list, here we see Amaya and Holger sharing a room:
Amaya could have added a disclaimer to her emails to declare a conflict of interest but she didn't do so. How can we ensure that people who see her emails in future will be aware of this vital fact?
Another thing to notice in the room list is that Margarita Manterola and Maximiliano Curia were able to share a room. Marga is the Google employee who sent me a hideous email telling me that Carla was not welcome to share the food at DebConf. Looking at the DebConf8 room list, we can see that these people behave like the pigs in Animal Farm. George Orwell has simplified the Code of Conduct down to just one sentence:
All animals are equal but some animals are more equal than others
This is significant for all users and contributors to Debian. This type of toxic social phenomena creates friction against innovation, it undermines privacy and it undermines security of the final software product.