Software in the Public Interest (SPI) & Debian obfuscated structure fooled suicide victim's family: the ultimate example of bad faith


There have been a lot of accusations of bad faith thrown around recently. Has anybody stopped to check what bad faith actually means? What is the difference between bad faith and fraud? Fraud is often quite unambiguous, like the FSFE using the name of FSF to raise millions of euros in donations. Bad faith seems to be a gray area that can mean whatever you want it to mean.

In 2017, the community elected me as a representative. This created an obligation for me to give volunteers and donors accurate reports about the unhealthy state of the FSFE.

One of the responsibilities of a representative is giving the volunteers and donors accurate information about their rights. It is only logical that after the suicide of Frans Pop, the Debian Day Volunteer Suicide, the right to be informed would be inherited by his family.

The most difficult task I have had to do as representative was to track down the family of Frans Pop and give them two key pieces of information. That there was significant evidence in the debian-private gossip network, including Frans' earlier resignation. That they may have a right to compensation, as I explored in my blog about the Amnesty International suicides.

In one of the hysterical legal filings constructed by Software in the Public Interest, they claim that informing the victim's family about their rights is tantamount to harassment. They even admit that the family has no desire to make a complaint, but the snivelling SPI lawyers claim it is harassment anyway simply because it is inconvenient for Mark Shuttleworth. Ubuntu is the African word for sharing but Shuttleworth appears to be more willing to share his money with lawyers than volunteers who died.

Frans Pop, Debian Day Volunteer Suicide, Walder Wyss, Axel Beckert, ETH Zurich

With such an absurd accusation, they are forcing me to publish the messages I exchanged with Pop's brother. As the elected representative, I had both the right and obligation to contact Pop's brother and give him the truth about these matters. A task like that is incredibly difficult, if Debian is really a "community", why doesn't anybody else thank me for taking on this responsibility?

What we see in the messages is that the cabal members came to the funeral, they looked Pop's family in the eye, they gathered sensitive information about the manner of his death, they may have seen the suicide note to his family, they extracted equipment from his home and yet they never told the family about debian-private. They never offered any compensation.

Looking at the replies from Pop's brother, it is clear that he hasn't been given any compensation at all. If he had, he probably would have been under some confidentiality agreement and he may not have replied to me at all. The fact that all this took him by surprise shows that compensation was never paid.

DP: Hi [redacted], are you the brother of Frans? I am sorry for your loss. Debian has hidden thousands of emails about this.

Pop: Hi. Yes. Who is this?

DP: https://danielpocock.com/debian-open-source-volunteer-suicides-compensation/

Pop: This is quite shocking to me. I did not know anything about this.

Pop: Are you Daniel?

DP: Yes, they attacked my family too. I can bring all the documents to Netherlands if you want to file a police complaint or meet a lawyer.

Pop: Can you break down the issues for me? I didn't know any of this. Nor does my mother.
In what way is Debian or Google responsible?
Is there documentation that shows a relation to pressure on Frans, his resignation and the moment of his suicide?

Pop: Thank you for contacting me.

(Pop quotes a line from my blog)Due to the way so much of Debian activity is conducted through electronic channels that are not visible to employers and families, his family may be completely unaware how much unrelenting pressure Frans Pop experienced.
Pop: This is true. But also, a lot of Debian people were at the funeral. And nobody said anything about this.

DP: They hide it very well using debian-private and a Code of Conduct (silence / obedience)

Interrupting the conversation for a moment, there are over 70,000 emails on the debian-private gossip network. Some have already been published on various websites. Here are some where Frans was in the headers, although he used various aliases too so there are probably a lot more.

Frans Pop, debian-private

debian-private messages are all accessible to thousands of developers in companies like Google, IBM Red Hat, Canonical / Ubuntu and ARM Ltd. Thousands of debian-private messages have already been published on IPFS. Pop's family are the only ones who didn't see them. Being the bearer of bad news is not harassment.

DP: We could arrange a call later today. I recommend you keep any documents and photographs, these may be useful for police in Netherlands and other countries

Pop: I do not have documents or photographs.

Pop: But yeah. We can call anytime today

DP: Please also read about the France Telecom suicides and police investigation. The law is on the side of your family.

Pop: I don't know what to say. And Debian being what it is, a project and not really a company, who or what is liable in a court of law?

Pop: I am shocked. It's been 10 years.

Pop: All of Frans computers are gone too. There was hardly any paper documentation in his home.

Pop: And I do not have access to any of his private accounts, email or anything from that time.
There was no reason for us to assume that his work for Debian was a cause of his suicide.
But after reading your blog and the timing of his choices coinciding with Debian.day and as I understand a very debated release of a major update, I see that there is a major connection

Bad faith exposed: how SPI & Debian planned from the outset to shirk their responsibilities and avoid liability

In previous blogs, I've taken the liberty of comparing the culture of hiding pedophiles in the Catholic Church with the culture of secret bullying in Debian and other open source communities. One of the key features of the Catholic abuse scandal in Australia has been the mechanism the church used to avoid liability. It has become known as the Ellis Defence. The Ellis case set a precedent and the government had to create new legislation to override this legal trickery and guarantee the rights of families to receive compensation.

The so-called "Ellis defence", which prevented abuse survivors from suing unincorporated organisations including churches and other institutions, is today abolished after the NSW Government removed a legal road block.

The move came after recommendations from the Royal Commission into Institutional Child Sex Abuse.

Notice that the Debian Project constitution establishes an unincorporated association. As Pop's brother comments above, that structure had left his family unsure who to blame.

Pop: I don't know what to say. And Debian being what it is, a project and not really a company, who or what is liable in a court of law?

From the constitution:

The Debian Project is an association of individuals

Therefore, each individual and their employer appears to be liable. A serious organization publishes details of a registered office. The Debian cabal members refuse to publish their addresses and names of their employers.

Lets look at how this culture of avoiding liability has evolved. Here I publish a sample of messages from debian-private demonstrating that people were aware of liability risks and wanted to make it hard for victims to seek compensation.

SPI volunteers knew they could be personally liable for anything really bad

Subject: SPI and the liability issue
Date: 19 Mar 1998 22:06:21 -0000
From: bruce@va.debian.org
To: dark@xs4all.nl, hamish@rising.com.au
CC: debian-private@lists.debian.org

> > I think Bruce was referring to acts of civil disobedience, such as
> > facing down the US government on free speech issues.
> 
> But without a precedent I feel that the comment was totally uncalled for.

There are precedents. Extrapolate from the obscentity issue we dealt
with a while back. This is a really nasty problem in that I would like
to stand up for these issues, but I don't really want Debian to volunteer
me to be the test case so that I can rot in jail while my child grows up.

I can see why you might have found that original statement offensive.
Let me rephrase it:

	SPI is willing to provide Debian developers with a liability
	shield and financial management. We are wary though, given the
	observed tendency of Debian developers to do anything they
	please. There has to be some sort of give-and-take in which we
	provide you with these services in exchange for your promising
	to behave responsibly about issues that could expose SPI to
	financial liability or SPI's officers to criminal prosecution.

As Tim mentioned, SPI officers can go to jail for stuff that you guys do.
As treasurer and president, he and I are the most likely ones to get
indicted. That is acceptable when we have some control over what is going
on, but it's clear we don't have any control. This doesn't really work for
us.

	Thanks

	Bruce


--
To UNSUBSCRIBE, email to debian-private-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On the relationship between SPI & Debian

Subject: Re: Future of SPI
Date: 11 Aug 1998 13:18:55 -0700
From: Jim Pick <jim@jimpick.com>
To: Dale Scheetz <dwarf@polaris.net>
CC: Michael Alan Dorman <mdorman@law.miami.edu>, debian-private@lists.debian.org


Dale Scheetz <dwarf@polaris.net> writes:

> On 11 Aug 1998, Jim Pick wrote:
> 
> > 
> > Dale Scheetz <dwarf@polaris.net> writes:
> > 
> > > Let us get one thing strait: SPI is a corporation, Debian is a separate
> > > and distinct organization. SPI was created to act as a financial shelter
> > > for Debian as well as other projects, so it is perfectly appropriate for
> > > SPI to hold trademarks for the Free Software Community.
> > 
> > But do we want that?  If SPI stayed out of politics, and stuck to
> > Debian, it would be so much simpler.
> 
> The point is that SPI is not Debain. Debian can focus on Debian and leave
> SPI to deal with other things

Then why are we discussing what SPI is going to do on a Debian list
then?  If what you say is true, SPI business should be off-topic for
debian-private.
 > > I don't see how getting drawn into a battle over the "Open Source"
> > trademark, which Debian rarely even uses, is of any benefit to myself,
> > or any of the other developers or users.
> 
> Then Debian need have no involvement with those efforts. That doesn't mean
> that SPI shouldn't be involved. One more time: These are two separate and
> distinct organizations. The fact that they have a relationship doesn't
> mean that they become identical.

From a legal standpoint - they are.  Since SPI is purely a legal
concoction, you shouldn't go around claiming they are separate
entities.

> > Debian is large enough that it doesn't need to mix it's interests with
> > the interests of other projects.
> 
> How does a relationship with SPI, which does support other projects, mix
> Debian's interests with the interests of other projects?
> 
> Are you suggesting that SPI should abandon the Berlin project and distance
> ourselves from GNOME, and never help another Free Software project again?

Yes, that is basically what I was suggesting.

I'm not sure if I'm the only one uncomfortable with the way the Berlin
project is portraying themselves as if Debian is officially
sanctioning them when we had nothing to do with SPI bringing them in.

As for Gnome - SPI has very little to do with it.  Miguel and Red Hat
are mostly running the show.

> That goes counter to the purpose of SPI. Yes, Debian expects SPI to act as
> a "shelter" for the financial and practical needs of Debian but SPI
> expects to shelter any valuable Free Software project that may need the
> same "little bit of help" that Debian needs from SPI.

I brought the topic up because there was a lot of policital non-Debian
bickering sucking up all the bandwidth on debian-private, Slashdot,
and some other forums.  This is all getting associated with Debian.  I
daresay, we are getting a bad reputation from this.

By creating our own FUD, we could do damage to those people (such as
myself) who expect to make a living providing services to the Debian
community.

> If you don't think this is a good thing for SPI to be doing, then I
> suggest that the only alternative would be for each of those projects to
> create a corporate structure for themselves. Then how many "free software"
> corporate foundations would we have?

Perhaps an umbrella organization is needed for smaller projects.

I just want people to consider whether or not Debian is so small that
it can't afford it's own organization - or if it needs to pool
resources, liability and interests with other projects.

Cheers,

 - Jim


--  Please respect the privacy of this mailing list.

To UNSUBSCRIBE, email to debian-private-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Debian wants unpaid volunteers but doesn't want to be responsible for anything those people do

Subject: Re: The Shaya issue
Date: Wed, 4 Nov 1998 16:58:04 -0600
From: m* <mark@mail.novare.net>
To: debian-private@lists.debian.org

On Wed, Nov 04, 1998 at 11:20:53AM -0700, Jason Gunthorpe wrote:
.
.>   Here's what I'd like to see done.
.> - don't give him back his access to master
.> - don't boot him from the project
.> - let him continue to maintain packages
.> - let him have a 'mentor' who checks them and uploads them (volunteers?)
.> - keep this 'parole' status for one year (or something in that .> neighborhood)... if things work out, consider reinstating him then
.> - if it (or anything similar) happens again, he's gone for good

i find this outline both reasonable and acceptable!

.I don't feel comfortable baby sitting people - we are not the Boy Scouts
.or Girl Guides.. Besides, we already gave him the stern warning and
.probation period when he did this the first time. How are you going to
.judge if someone has changed their life over the internet? It is very hard
.to get any real information of that sort.

i have to agree with Jason on this point regarding "baby sitting".

at the end of the day, that is not our jobs. furthermore as benevolent
and altruistic as we would like to be, such a responsibility is neither
pragmatic nor IMHO in the best interest of Debian.

are we to be liable for the social or moral inadequacies of our members
and contributors?  i should think not.

some may argue that we need stricter controls and a re-examination of
current policy and process regarding such incidents and their impact on Debian is certainly in order, but i think at a higher level, an expectation of maturity and integrity must be outlined in policy that each developer
and maintainer should be required to understand and adhere to. at least
to the best of each developer/maintainer's human ability :) ( non-human
developers and maintainers should be scrutnized to an even greater
degree :P )

i feel this is extremely important due the "volunteer-only" nature of Debian
and the diversity of the individuals it attracts so as not to exclude
those whose lack of life experience is obviously offset by their technical
or analytical abilities.

perhaps an informal "contract" should be required that a developer / maintainer
must sign that outlines policies and regulations and their responsibilities
and potential liabilities. does such a document already exist?

.
.> - any illegal activity on any system that is administered by Debian or used .> Debian developers will result in expulsion from the project.
.> - if the offense is considered serious enough, proper authorities may be .> involved in the issue
.> - at the discretion of the project, in some circumstances the expulsion may .> be reviewed and reduced
.> - Debian does not allow any illegal activities on project equipment or in .> the name of the project, violators will be punished
.
.All this is very sensible and alot less fanatical that some proposals I
.have heard :>

he he. once again we are enlightened by Debian's Deity of Rationalism :P

did i say diety?

m*

-- 

Horseman of the Digital Apocolypse

People knew they should organize a public liability insurance. Could the Pop family claim against this insurance?

Subject: FWD: argh
Resent-To: debian-private@lists.debian.org
Date: Fri, 12 Feb 1999 18:14:15 -0800
From: Joey Hess <joey@kitenet.net>
To: board@spi-inc.org
CC: debian-private@kitenet.net

Since I notice Wichert is gone for the weekend I'm passing this directly on
to the the SPI board to see if someone can help. The background is that
Debian has a booth at Linuxworld expo which I have been organizing - but
this insurance nonsense is blocking my way. I'd apprciate any help or advise
you can give.

----- Forwarded message from Joey Hess <joey> -----

Date: Fri, 12 Feb 1999 18:01:06 -0800
From: Joey Hess <joey>
To: leader@debian.org
Subject: argh
X-Mailer: Mutt 0.94.12i

I just got some more exibitors info for LinuxWorld. It seems that

".. Show Management requires that all exhibitors present a Certificate of
Insurance by February 19. 1999. ...

This is a proof of insurance that holds extraterritorial coverage and your
own theft, public liability and property damamge insurance. The limits
should cover at least $1,000,000 combined single limits including both
bodily injury and property damage and workman's compensation coverage over
its employees.

The certificate will list:
* The name of the Insured (your company name, complete address, primary
contact)
* Description of Operations/Locations/Vehicles/Special Items (Re: Linuxworld
Conference and expo, March 1-4, 1999. San Jose Convention Center, San Jose,
CA)
* Certificate Holder (LinuxWorld Conference and Expo)
"

Ugh. I don't know what on earth to do about this. And in just 7 days too.. I
think maybe I should talk to somebody at SPI about it..


-- 
see shy jo

----- End forwarded message -----
-- 
see shy jo

SPI, Debian and individual volunteers all going in different directions

Subject: Re: Some thoughts on SPI
Date: Fri, 26 Feb 1999 15:44:38 -0500 (EST)
From: Dale Scheetz <dwarf@polaris.net>
To: Ean R . Schuessler <ean@novare.net>
CC: Nils Lohner <lohner@typhoon.icd.teradyne.com>, debian-private@lists.debian.org

On Fri, 26 Feb 1999, Ean R . Schuessler wrote:

> On Fri, Feb 26, 1999 at 08:36:38AM -0500, Nils Lohner wrote:
> > Yes, to the first two, no to the third.  LDP is NOT an SPI project (let me repeat the _NOT_!)  Their lists are simply being hosted on the
> > debian servers.  Since SPI has made no decisions whether or not to take on LDP as an affiliated project, Joey was acting in his capacity as
> > a listmaster.  This has happened before with other lists, and noone's complained then.
> 
> Well, then I'm somewhat confused. I donate equipment for the use of Debian
> and SPI. How would you characterize the hosting of the LDP list? Also, in
> your opinion, what does Joey mean when he says "SPI now actively supports
> the Linux Documentation Project" in his recent email to both the SPI board
> and Debian-Admin? In your mind, what is the difference between SPI
> "supporting" a project and "sponsoring" a project?
> 
> I think that you are taking this too personally. Admittedly, my last message
> was something of a personal attack on Dale and that is mostly due to the
> fact that he was ducking the core issue, which is lack of clear policy on
> what does and doesn't constitute SPI "sponsorship".

I have ducked nothing, and it is your insistance that I have, which is
nothing more than a personal attack. It brings no information to the
argument and paints a picture of distrust on your part for me. 
I have been as clear as I can. SPI (the board of directors) have made no
decission to sponsor the LDP. If we had, we would have publically
announced that fact, as we have with other activities that the board has
been involved in. The fact that Joey set up the lists is, I admit, a bit
confusing considering the two hats he wears, but I decided that he must
have been working as listmaster, because I knew that no decission about
sponsorship had been made. You, on the other hand, have insisted on
weaving an image of dishonest behavior on the part of the SPI board, and I
am here to tell you that it is pure FUD.

You have insisted from the very beginning that this decission was, indeed
made, and done so secretly, without consultation of the "membership". I
still strongly object to this charcterization, because the facts, as I
know them, contradict this interpretation. You have, in the course of this
discussion foisted other falsehoods into the discussion that you and I
have had personal discussions about, and you still insist on spreading
FUD.

When I finally understand what it is that you actually desire it is neither unreasonable nor difficult to impliment. Your method of
scattershot attack, makes it very difficult to determine just exactly what
those items really are.

> 
> > Again, yes and no.  They are hosted, but it's not an SPI project.  And if you're going to accuse us of deliberately lying to you and
> > misleading the entire Debian project (perhaps with our own top secret political agendas for world domination and our ever important goal of
> > M$ domination) then I'd like to see some facts, not just FUD.  Also, if accusations of this sort are going to fly, then you should not be
> > trusting me with the SPI bank accounts, press releases, and all other SPI corporate issues.  Please _sincerely_ reconsider this paragraph.
> > I have many other things to do and work on (both projects and real life) that I really don't need to deal with this.  I work with these
> > projects because I enjoy it and like to contribute, and being accused of deliberately misleading people and 'spreading false information'
> > will quickly take the enjoyment out of it.
> 
> Since SPI "sponsorship" mostly consists of SPI donating resources to a
> project, I have a hard time swallowing this "they are hosted but not
> 'sponsored'" arguement. The notion of separating the two concepts seems
> like an effort to avoid admitting that the LDP has recieved SPI sponsorship
> without following any sort of protocol. Why not simply admit that this is
> something we need to work on?
> 
I have no problem admitting that, how SPI sponsors projects could use some
work, but I also submit that there are other problems that must be fixed
first, and from your recent posting on my proposal (Thank you, BTW), it
appears that you agree with me, but you still insist that we should solve
the problem of projects, before we deal with functional matters like
membership. 
> > SPI is as open as can be.  Just about all of the traffic I saw (except for one or two technical issues for hosting) were on the lists.
> > Quit accusing until you can back it up, please.
> 
> No, frankly its not. I don't think there is a single issue that more
> people in our community are confused about than the SPI/Debian relationship. 

Which has nothing to do with any lack of openness on the part of the
current board. This confusion is historic, and the board has been trying
its best to resolve the tangle of illogical misunderstanding about what
Debian is, and what SPI's roll is in the Debian Project. We can't resolve
that in an environment where pot shots are being taken constantly during
important discussions. If I am not considered trustworthy in my position
as a board member, and if I can't be taken at my word when I say
something, then I should not continue as a board member, because I have
lost any hope of being effective. You still sound like you are reserving
judgement when it comes to the issue of trust. I find this unacceptable.

> This isn't a reflection on you or Ian or Dale or Joey or anyone else. 

It has sounded like nothing else for much of the conversation.

> You have a difficult job and I support, endorse and basically trust you. 
> This doesn't mean that I am just going to ignore what I consider to be a
> problem situation. If I had a computer that seemed to be functioning
> fine even though it was sitting in six inches of water I would still
> be interested in getting the computer moved to a more stable operating
> environment.
> 
If we are actually sitting in six inches of water, and you really want to
help, bailing is a better option than peeing in the boat. (Sorry but you
started the analogy ;-)

> Here is what I am asking for:
> 
> - A more regular flow of information from the SPI board to its
>   constituency especially on important matters such as the Open
>   Source trademark.

First, I submit that we must first clean up our definition of just who our
constituency is, or will be. Currently we supply all the information that
has been resolved by the "new" board on a publicly accessible web page. If
you are disapointed that there is not more information there, I can agree
with you, but my understanding of why that is, has to do with the limited
resources of time currently available for SPI board work. Your
contributions of late have done more to get in the way of that effort than
to come to its aid.

> 
> - A recognition of the SPI membership (for example, Debian members)
>   and an effort to include them in important pieces of SPI business.
>   The Debian voting mechanism seems a quick and efficient way to make
>   some of this happen.
> 
The Debian voting mechanism is for the Debian Project. Members of SPI will
have their own voting mechanisms. I _do_ wish you would stop trying to
make SPI and Debian a "single" organization, this was not the purpose
behind the founding of SPI.

> - An effort on the board's part to seek assistance in the development
>   of SPI policy from its membership and an effort to give them a
>   voice in its adoption (again perhaps using the voting
>   infrastructure).

Again, we cannot ask our membership anything until we have a membership
policy that is clear to everyone (including, but not only, Debian), and
have more "real" members. We have endeavored to ask Debian, where
appropriate, and the wider community (as in the "Consultation") where
necessary, for input on the various issues being considered. I don't know
why you fail to admit that these "open" proceedures even exist, and have
come about due to the dilligence of the board.

> 
> - An effort to develop policy, with the existing membership's
>   assistance, that defines what SPI "sponsorship" is and what
>   channels other than "sponsorship" SPI may use to provide assistance
>   to free software projects. (This is an issue I am particularly
>   confused about)
> 
I still submit that your confusion comes form the fact that Debian (in the
form of Joey as ListMaster) chose to share its resources with the LDP, and
you choose to interpret that as SPI action. How we treat our sponsored
projects has already been worked out. Once the membership is in order, we
can begin to build a concensus on these other issues. I don't want to try
to decide them, even with outside consultation, until it is clear just who
are members and what their responsibilities are. Otherwise such
decissions will only be seen as dictatorial imposition by the board.

> - An effort to develop policy, with the existing membership's
>   assistance, that governs the adoption of new SPI projects and the
>   addition of their members to the meta SPI membership.
>
I believe that membership should span more than the pool of "sponsored"
projects. Being able to allow anyone with "free software credentials" to
become a member, broadens the base of support to the "true" community,
rather than restricting it to only associated projects, or only Debian
developers.

> I think that if this does not start to happen and soon that we may
> see a final breakdown in the SPI/Debian relationship and see Debian
> becoming a separate corporate entity. This would be retarded for a
> number of reasons. Cheifly, it would demonstrate that the concept of
> SPI is fundamentally flawed and that free software projects cannot
> reliably use it as an umbrella. It would also defeat the basic
> purpose that caused Debian to create SPI in the first place.

While I understand your position, the reality is that Debian didn't create
SPI, Tim Sailor, at Bruce's direction, created the corproration. If Debian
had created it, we would still be deciding things, and SPI would not
exist. I was on the first aborted board, and, although I believe that we
would have eventually come to terms, it was taking way to long. Your major
complaint is about time, as well. I'm pretty sure that, even if you paid
me to do this job, it might not happen any faster than it has. The top
TODO item on the SPI board's list has been the membership issue. It has
been scheduled for work since the first of the year, and, because we are
all volunteers, and have a "real" life has not been resolved yet.

Your supposition that Debian can incorporate itself, and get out from
under the problems created by the poorly created SPI, is a bit short
sighted. More to the point, unless the temperment of the Debian group has
changed in the last several years, that idea would be greeted with more
than a little resistance.

> 
> These are difficult issue and I again apologize for the obvious
> strain that addressing them puts on both the board and the
> membership. Ignoring these issues, however, doesn't seem like a good
> idea for anyone.
> 
No one has been ignoring them. There is, however, a limit to what I, or
any of the other board members, can do to speed things up, other than to
keep on plugging and hope that progress comes eventually. Your appology is
appreciated, considering the circumstances.

Waiting is,

Dwarf
--
_-_-_-_-_-   Author of "The Debian Linux User's Guide"  _-_-_-_-_-_-

aka   Dale Scheetz                   Phone:   1 (850) 656-9769
      Flexible Software              11000 McCrackin Road
      e-mail:  dwarf@polaris.net     Tallahassee, FL  32308

_-_-_-_-_-_- If you don't see what you want, just ask _-_-_-_-_-_-_-

People are aware that liability issues could arise from their conduct

They talk about the benefits of covering things up to avoid liability.

This is the same culture that kept the family of Frans Pop in the dark.

Subject: Re: Disclosure.
Date: Fri, 30 Apr 2004 09:11:09 -0500
From: John Goerzen <jgoerzen@complete.org>
To: Julien BLACHE <jblache@debian.org>
CC: Debian Private <debian-private@lists.debian.org>

On Fri, Apr 30, 2004 at 01:10:35PM +0200, Julien BLACHE wrote:
>  > I should mention for the benefit of those not on the board list who read
>  > this that I and other board members have serious reservations about
>  > this due to privacy and confidentiality concerns. This is by no means
>  > definitely going to happen (unless Ean acts without coordination with
>  > the rest of the Board), and Ean is speaking as an individual director
>  > and not for the Board when he proposes this.
> 
> Could you all people please stop getting in the way of those who're
> trying to get things done to sort out this mess ?

Could you please stop criticizing people that are trying to do the best
for you?

I am firmly behind Jimmy on this one.  Ean's actions would violate SPI's
stated privacy policy.  This opens us up to huge legal liability and is
fundamentally a far worse solution than it taking an extra couple of
days to send out apology letters.

Do you really suggest that SPI should jeopardize Debian's assets by
exposing itself to legal liability by violating its stated privacy
policy?  If so, I will say that I would never vote for you to have a
seat on SPI's board.

> For this particular case, can't you trust Ean and Adam to recruit
> trustworthy people for this job ? For SPI in general, could Board

Please, PLEASE!  Look into the issues before passing judgment.

> How long did the SPI board intend to wait before notifying SPI
> members and Debian developers of the situation ? Maybe we should
> instate something similar to the Social Contract for SPI, not
> forgetting the "WE WON'T HIDE PROBLEMS" part.

Uhm, the situation was public in early 2003.  There was an uncontested
election for treasurer this year.  The problem was discussed at SPI's
public annual meeting in July.  A resolution was passed later that
month.  I believe that the DPL is a member of the SPI board list and
thus would be fully aware of all of this.

Speaking solely for myself, my understanding is that we were still
trying to get ahold of the nature of things, but in hindsight, we should
have released more information sooner.  Waiting this long was a mistake,
and I should have advocated that release earlier.

That does not mean that Debian's hands are blood-free.  There are a lot
of people casting stones, you included, that did not care to attend the
public meetings or participate in public discussions.  There are a lot
of things that SPI is doing wrong.  Let us please focus on fixing those
rather than on complaining about things SPI actually did right.

> > Whether that is a re-imagined SPI, or we secede from the SPI, and
> > request the return of all our property isn't really important.
> 
> I fully agree with this too. Debian should have more control over its
> legal entity. If this isn't possible with SPI, then let's drop it and
> found a new organisation that will serve the Debian Project and its
> developers.

Debian can have as much control over SPI as it wants.  To me, it seems
Debian has been largely uninterested in that.  Debian could easily
control every officer and seat on the board -- and, for practical
purposes, actually does.  (Only one Board member is not a Debian
developer.)  The SPI president (Ean), vice president (me), secretary
(Wichert), treasurer (Jimmy Kaplowitz), and former treasurer (Branden)
are all Debian developers.

> Thanks to Adam for initiating the disclosure.

Adam did not initiate the disclosure.  He just brought it to the
attention of people that weren't interested a year ago.  (Which is still
a good thing.)

-- John

Discussion about how different legal bodies are created for each DebConf

This means that if something bad happens at DebConf, they can wind up the local organization that was responsible and frustrate any demands for compensation and unpaid bills.

Subject: Re: Legal discussion, Iranian developers
Date: Sat, 31 Oct 2009 16:13:07 -0400
From: Jimmy Kaplowitz <jimmy@debian.org>
To: debian-private@lists.debian.org

On Sat, Oct 31, 2009 at 07:02:36PM +0100, Stefano Zacchiroli wrote:
> The Debian Project as a legal entity does not exist, only SPI and
> DebConf do (AFAIR, DebConf is an organization of its own, even though I
> do not know in which country it is registered). So Debian should not
> have any problem in accepting an Iranian as a contributor due to US
> laws.

DebConf is not a legal entity, but it uses a variety of legal entities all
around the world. For 2010 we will be using SPI since the conference will be in
the US, but other years we've used things such as FFIS as well as specially
created ones (e.g. DebConf7 Ltd in the UK).

Also, Debian is certainly not a legal entity, but that doesn't mean that the
law doesn't recognize the fact that we are acting as an organization (the term
is "unincorporated association"), and certain people in relevant positions of
responsibility could still be held responsible for violations of Debian as an
organization. Corporations actually reduce liability, not increase it, though
to have a full discussion of this would drag us way off-topic, so let's not do
so as (an on-list) part of this thread please!

> The first problem (sponsoring) can be a completely bogus problem if the
> reimbursement comes from DebConf as long as DebConf is not registered in
> the US. The fact that SPI gives Debian money to DebConf is, I believe,
> irrelevant as there will be no clear mapping between the two actions,
> and we can always claim that reimbursement for the Iranian guy came from
> DebConf leftover since previous years. Even if that were a problem we
> can have other Debian related organizations outside US reimburse the
> guy, e.g. Debian UK or CH.  Or we can even establish one for that
> purpose!, it would totally be worth.

Many donations specifically for DebConf also flow through SPI, and US people
are involved in soliciting sponsors and planning and organizing the conference
just like many other nationalities of DDs are. Believe me I think that if we
can find a way to involve Iranians without causing legal problems for SPI, US
DDs, SPI's US-based non-Debian board of directors then we should do so, and I
say that both as a US DD myself and a current member of SPI's board.

> The second problem is access to Debian machines in the US. First of all
> I have no idea who would be legally responsible for that, probably who
> is hosting the machines over US soil, but the SPI lawyer should know
> [1]. If this is the case, we can ask DSA (which has the knowledge about
> which-machine-is-where anyhow) to implement specific access control
> meant to protect hosters from dumb laws, that block access to those
> machines for specific accounts. Of course, if the hosters are willing to
> take responsibility the limitation can be lifted.

ftp-master is currently hosted in the US, though I guess that could be changed
as part of a solution to this. So are various other core machines. Even if the
hosters take responsibility, there's no way they can do more than agree in a
binding document to pay legal expenses and fines/damages of SPI and US DDs who
are affected. I doubt any of them would want to do that, and it wouldn't
protect against other kinds of penalties the law might impose.

Rather more problematic is that some individual ftpteam members are US citizens
in the US, and they should no more be excluded from Debian activities due to
this stupid US law than Iranians should be due to their government's stupid
political stances.

I'm all for working out a solution with SPI's lawyers (or other ones) to allow
the Iranians to participate as fully as possible, but we should proceed
carefully instead of assuming we can just use common sense to figure out the
right details.

> [1] I duly notice that we are still waiting for a lawyer answer on who
>     is legally responsible for the content of our archive. I would
>     personally welcome payed access to SPI's lawyer non-pro-bono time,
>     as on that answer we're depending for a possible lift of some
>     annoying procedures related to debian/copyright

This has been waiting for quite a while, but for a large chunk of that time
(including currently) the delay is on the Debian/ftpmaster end, such as in
responding to questions from the lawyer, not the lawyer's end. Debian can
certainly pay for legal help, up to available funds, though I don't think SFLC
does any paid work so we'd mainly be talking about SPI's other lawyer or
engaging separate counsel for this purpose. Still, that won't help if Debian is
as slow to respond to queries from paid lawyers as SPI's pro bono lawyers can
occasionally be in the other direction.

- Jimmy Kaplowitz
jimmy@debian.org

Have your cake and eat it too

Here they want to have the benefits of having SPI in the United States and at the same time, in the closely related unincorporated association, have volunteers from countries that are subject to sanctions (Iran) and embargo (Cuba).

Subject: Re: Forthcoming acceptance of a Cuban DD
Date: Thu, 10 Jun 2010 17:37:37 +1000
From: Anthony Towns <aj@erisian.com.au>
To: Christoph Berg <myon@debian.org>, debian-private@lists.debian.org

On Sun, Jun 6, 2010 at 07:47, Christoph Berg <myon@debian.org> wrote:
> If you really want Debian to get a license here, it is a bit late to
> jump on the train, I'm afraid. We had actually tried to ask the more
> vocal (American) participants in the "Iran" thread if they would help
> with communicating with the SPI lawyer. This was around
> December/January - Enrico never heard back from you.
>
> That said, I wouldn't oppose us going in that direction - if it
> doesn't further delay Adrian getting an account RSN, and doesn't risk
> SPI or Debian getting on any blacklists.

So, aside from all the beer and geopolitical nomenclature discussion,
I'm still a bit worried about this. From Stefano's mail:

  - risks involve both criminal liability and fines of up to tens of
thousands of dollars

  - "if we screw it up for Debian it will trivially affect other [SPI]
projects" and their money
    (and possibly hardware) resources held by SPI will be subject to
confiscation

  - "With Adrian (the Cuban guy) being a DM, we're already risking
basically all we can risk"

  - "The only formal way to get out of the risks, would be to ask for
a license." which "will
     take months-or-years to have"

Obviously I'm not a lawyer and haven't talked to a Cuban embargo
expert or even looked up random pages on the web, but I'm still at a
loss why the above doesn't mean "we should not allow Cuban DMs or DDs"
if, like Stefano writes, "we should avoid any risk for SPI".

From Stefano's mail, I can't see anything that actually backs up the
claim that "no money dealing between SPI and Iran/Cuba people" would
be enough to remove that risk -- the parts from the conversation with
the lawyer rather than Stefano's "personal view" seem to be more along
the lines of "lots of risk, DM status already hits it, getting a
license is the only way to avoid it". Am I missing something?

In any event, have SPI and SPI's other projects been informed that
Debian's planning on doing this (or, I guess by now possibly already
done it), and has there been any response? (I haven't seen anything on
spi-private or spi-general)

Will Stefano's summary of the legal advice received (or anything else)
be made public if/when Adrian's accepted?

Cheers,
aj

-- 
Anthony Towns <aj@erisian.com.au>

DebConf evasion of liability is an ongoing topic

This topic comes up regularly. It has been a theme in debian-private over more than twenty years.

These were not random comments, these emails, over two decades, show us a culture of avoiding responsibility and hiding problems.

Subject: Re: Debian funding model
Date: Thu, 3 Dec 2015 21:32:50 -0500
From: Brian Gupta <brian.gupta@brandorr.com>
To: debian-private <debian-private@lists.debian.org>

On Sat, Nov 28, 2015 at 8:24 PM, martin f krafft <madduck@debian.org> wrote:
> also sprach Ben Hutchings <ben@decadent.org.uk> [2015-11-29 09:05 +1300]:
>> So far as I know, each DebConf is usually run by a new corporation
>> set up in the host country specifically for that purpose.  This
>> should shield Debian's permanent Trusted Organisations from
>> financial liabilities.
>
> The situation is of course more complex. It is true that the orga
> team set up legal entities for DC13 and DC15, but DC14 and DC16 are
> being run by SPI. While we are of course very careful with the
> things we commit to, in the end SPI could be held liable, and I am
> not sure they could keep Debian clear of any problems.
>
> also sprach Michael Stone <mstone@debian.org> [2015-11-29 03:12 +1300]:
>> Honestly, I'd rather see the debconfs have a different umbrella
>> organization, and raise funds just for that purpose.
>
> It probably won't surprise you to hear that opinions on this differ,
> and it's a real shame that we're failing to just settle the debate
> once and for all. A lot of energy is being wasted (and I am
> certainly involved here, so don't read me as trying to point
> fingers…)
>
> DebConf orga is limited by time frames and real-world interfaces,
> such as contracts and larger money flows. As such, it's very
> different from Debian and while some of us tolerate endless
> discussions in Debian (not many do anymore, and even in Debian,
> we've learned to move forward more often than in the past), we
> simply don't have the time for that while preparing for the next
> conference.
>
> I've recently brought these topics up on the DebConf-team mailing
> list:
>
>   "Protecting Debian from DebConf issues?"
>   http://lists.debconf.org/lurker/message/20151021.174812.c428973f.en.html
>
> and
>
>   "Why a new delegation won't help"
>   http://lists.debconf.org/lurker/message/20151111.190359.bf37d37c.en.html.
>
> debian-private is not the right forum for this, but neither is
> debconf-team. All the meta-discussions have worn the team down quite
> a bit. I'd be happy to join a discussion on debian-project about the
> role of DebConf and how it might best fit in with (or exist
> alongside) Debian governance.

Madduck, it's interesting that you realize how demoralizing these conversations
have been on the team, but yet you have been driving/agitating most of them.
(Both in public and behind the scenes, and for quite a long time now.)

Today I was close to tendering my resignation, like many others have already
done (publicly and privately), but I discovered today that I'm not alone, and
that many others were hurt by your actions, and that if I resign others will get
hurt, and DebConf/Debian will further suffer. I"m going to try to
stick it out, but
will not be as quiet about this situation anymore.

To be clear, I don't think you are fixing DebConf. I think you are doing a VERY
good job of destroying the team that tries to organize it. There is
hardly anyone
left. People will come back if you make a commitment to stop. (And leader@
appoints new chairs.)

-Brian

> --
>  .''`.   martin f. krafft <madduck@d.o> @martinkrafft
> : :'  :  proud Debian developer
> `. `'`   http://people.debian.org/~madduck
>   `-  Debian - when you have better things to do than fixing systems
>
> Unless otherwise noted, you may disclose anything I say on this list.

People knew it was Debian Day and they had already forgotten about Frans Pop and his resignation the night before

Subject: Re: Today's "Thank you" messages
Date: Mon, 16 Aug 2010 23:45:40 -0700
From: Russ Allbery <rra@debian.org>
Organization: The Eyrie
To: ML Debian-private <debian-private@lists.debian.org>

(I was personally quite happy to see the messages and they put a smile on
my face all day, so I'm going to change the subject header to reflect how
I personally felt.  Hopefully that won't cause too many problems for
people's threading.)

"Felipe Augusto van de Wiel (faw)" <faw@funlabs.org> writes:

> 	I'm not sure how long the "Thank you" notes will be sent
> to the various mailing lists, but I really appreciate that was
> made possible for our users at least during our anniversary.  It
> may certainly break out some work flows in the long term (like
> the unblock/unfreeze requests at -release), that's why I think
> after a while it could become something weekly/monthly or queried
> from the web page.

I believe there was a general consensus on IRC somewhere in the rough
vicinity of about six hours ago that it was time for the special event of
the e-mail to end, and the approval of sending mail messages in addition
to adding comments to the web site stopped at that point.

(I'd wait for someone more directly involved comment, but I think they're
mostly asleep at the moment.)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Read more about the Debian Day Volunteer Suicide.