opencontrol / discuss

a place to have conversations about OpenControl projects
https://github.com/opencontrol/discuss/issues

update opencontrol org permissions #44

Open shawndwells opened 6 years ago

shawndwells commented 6 years ago

The OpenControl project is no longer only 18F and hasn't been for some time (which is great!!). To reflect this, suggesting the OpenControl org permissions be restructured.

Currently there are four organizational teams (https://github.com/orgs/opencontrol/teams):

Suggest the following: 1) Creation of net-new community-members team. Members would be able to own tickets, be tagged in PRs, etc. Need a vehicle to recognize community participants and communicate with them.

2) Creation of repository maintainer teams, such as certification-maintainers, compliance-masonry-maintainers, etc. Members would have write-access to those repos. Currently it's too hard to track permissions and no clear way to give them out either. Also means interested parties could @repo-maintainers when asking for help, a quick PR review, etc.

joshuamckenty commented 6 years ago

OpenControl wasn't started by 18F, and has never been only 18F staffers - what problem are you trying to solve?

I'm violently allergic to the RH trend towards pseudo-meritocracy, so phrases like "Need a vehicle to recognize community participants" coming from someone who clearly doesn't even know the OpenControl history make me deeply uncomfortable.

joshuamckenty commented 6 years ago

I'm also unclear why RH content should have a repo within opencontrol at all - that's a commercial entity with its own GitHub repos.

shawndwells commented 6 years ago

On 6/4/18 1:22 PM, Joshua McKenty wrote:

OpenControl wasn't started by 18F, and has never been only 18F staffers

During your talk at All Things Open, you attributed project origination to 18F during the Pivotal on AWS rollout for cloud.gov. There's also the OpenControl FAQ which references the creation at 18F. Perhaps these should be amended?

Not trying to take anything from Pivotal involvement in the creation here.

These days OpenControl isn't being used only by 18F/cloud.gov. For example, Docker transforms their content into really great docs, Red Hat and Microsoft partnered to create an OpenShift on Azure FedRAMP template, and there are other US Gov agencies using OpenControl internally for their ATO efforts. Red Hat also is starting to ship corporately maintained content.

what problem are you trying to solve?

It's not clear who to ask for help. Multiple subprojects, like compliance-masonry and fedramp-templater, are not the most active. Certainly one could dig through git histories, but @maintainers would be a much easier way to ask for help. Let's make the community approachable for newcomers.

I'm violently allergic to the RH trend towards pseudo-meritocracy, so phrases like "Need a vehicle to recognize community participants" coming from someone who clearly doesn't even know the OpenControl history make me deeply uncomfortable.

Meritocracy revolves around elevating individuals based on their talent, their aptitude, their quality of contributions, their level of involvement. Many of the original OpenControl contributors are no longer here -- James Scott has moved on from 18F, Diego left 18F and is currently at Microsoft. Many are lurking but their focus is on new initiatives. And all of that is OK.

The ask here is to allow the next wave of community to build on their shoulders. Restructure org permissions to better enable communications. Allow for some reorganizing to generally be more welcoming and approachable for those who would like to collaborate. Insert new blood to keep things moving forward.

And perhaps more importantly -- expand admin rights, grant those who are actively maintaining repos and content the ability to do so. Power and control based on inheritance, of being part of the project's historical lineage, is much more closely aligned to an aristocracy than meritocracy.

You made some interesting assumptions regarding my involvement in security automation and more specifically OpenControl. Even if I was new, even if I couldn't recount the origin story by biblical verse, even if my story had gaps or mistakes, there's no reason to give an attitude. Welcome those who want to help.

openprivacy commented 6 years ago

I learned about 18F and OpenControl at the same time - via Noah Kunin's Handling FISMA Faster and Better https://www.youtube.com/watch?v=T1S52B1-NT4. It wasn't important to me who created it, but rather that it was FOSS and how it might be able to transform compliance automation. Since that time (about two years ago) I have not seen a lot of progress (and I am partly at fault as I have not contributed much). But it remains an exciting project and (for me) the next step is a library of components that slot into FedRAMP, 800-171, NIST CSF, etc. to more easily inherit from when working with different compliance frameworks.

Shawn may work for the commercial Red Hat (that produces the most secure out-of-the-box OS I know of) but he also has been freely and copiously helpful technically and personally as I work to navigate the world of OpenControl (and OpenSCAP scanning).

Now: how does one feed OpenSCAP scan results into OpenControl?

joshuamckenty commented 6 years ago

So-called "Meritocracy" is a boundary-policing approach to maintaining systemic privilege. The term itself was invented as satire[1], and the concept underneath it has been put to bed repeatedly by the academic community[2] as well as the broader developer community.

I'm happy to address the needs to a) make it easier for new contributors to get involved, and b) make it easier for active contributors to get admin privileges. To start with, why don't we just give admin bits to anyone who wants them? I'd much rather bias towards an inclusive model (ala C4.1) than assume some hierarchy of governance is required.

[1] https://kottke.org/17/03/the-satirical-origins-of-the-meritocracy
[2] http://journals.sagepub.com/doi/abs/10.2189/asqu.2010.55.4.543
[3] https://modelviewculture.com/pieces/the-dehumanizing-myth-of-the-meritocracy