NixCon Governance Workshop

fricklerhandwerk · September 9, 2023, 11:35pm

2023-09-09 NixCon Governance Workshop Session #2

Lead: @zimbatm @RaitoBezarius
Participants: Chair circle, ca. 40 people
Notes: @fricklerhandwerk

Introduction

@ron introduces the problem statement from the discussion draft

Questions and considerations

@peterhoeg: before we start talking about where money goes, define what we’re trying to achieve in the first place
- @ron: should abstract it away as that will take a lot of time
  - assume we already know what’s important
- @peterhoeg: disagree, have to say what the goal is
@RaitoBezarius: reminder of ground rules:
- make short, down-to-earth claims
- 2-3 min max.
- use hand signals for approval and requsting direct reactions
@ctheune: would caution against clear explicit goals
- the community is diverse
- rather make statments like “we want more of that kind” and a few “we definitely don’t want that”
@ron: propose to have pilot programs to test out the things we find
@qyliss: in some juristdictions you have a lot of bureaucracy to be able to accept even smallish amounts of money
@kirelagin: Can/do sponsors place restrictions on how their funds are spent (e.g. “funding should only go to a European entity”)?
- @ron: we’re talking about money flowing through the foundation. anyone is free to raise their own funds, we can’t and don’t want to control this
@janik: how do we determine who can run “official” projects?
@ctheune: made good experience with other associations, that to have continuous operations negotiate with companies to hire people and reimburse them with foundation money
- there are some bureaucratic hoops, but in general it’s an option
- @ron: is there precedent with foundations working with consultancies? (paying people full time)
- @fricklerhandwerk: the Haskell Foundation pays consultants to implement things from their budget
- @ctheune: there are companies that can e.g. share a few hours of accountant time per week
(anon): if the NixOS foundation gets a charitable branch in the US, we’ll have to figure out how the influx of money and the spending is handled
- @ron: clarifications
  - the NixOS Foundation is a non-profit in the Netherlands, not charitable
  - there are tax considerations, etc.
  - one could have bylaws that the US foundations’ board must be the exact same as the original one
  - it’s possible to transfer funds between those with no or low tax implications as long as they have the same cause
@asymmetric: how is it decided which rates we pay for implementors?
@zimbatm: if we inject money into the community, which side effects will it have?
- @ron: yes, that’s a key concern
- (anon): we could put that on the website to be very clear about it
@ctheune: currently these aspects are not cared about. from a commercial perspective, we’d love to know who to pay to accept our contributions
(anon): do we already classify whether grants are continuos or one-off? do we have any insights into this?
- @ron: almost all the recurrent funding flows into the foundation, everything else is one-off
  - other continuous things are in-kind donations such as hosting, cache
    - but this is not a contractural agreement
  - everything else is pretty young still
@ron: another topic: fundraising
- what do we consider okay in terms of fundraising?
- what about sponsoring at the foundation level?
- we want to make sure we’re not relying on a single entity
- @tomberek: who does the fundraising?
  - it’s one of the things you can’t let just anyone do
  - is someone assigned?
  - who is putting in the work?
  - @ron: yes, it should be someone associated with the foundation
- @edef: are we tracking the replacement price of in-kind donations?
  - @ron: we only recently started getting an overview of that
  - @raitobezarius: because funding is intermittent, it’s easier to rely on immediate in-kind support than to think about how to maintain e.g. infrastructure for the next 10 years
- @janik: is the foundation publishing how much money is in the bank and how much goes in and out?
  - @ron: we published the results for next year a while ago, prepared 2023Q1/Q2 for NixCon
- @qyliss: can use Open Collective to publish transactions
  - @ron: Open Collective charges fees to be a fiscal host, we’d probably want to avoid that where possible
    - @domenkozar: that may be worth the price, since automating that task ourselves is impractical
    - @qyliss: we don’t need them to be a fiscal host to use them as a convenient place to publish transactions
- @qyliss: we could use OC as sole fiscal host for simplicity
@raitobezarius: sometimes we have an excess of sponsorship money after NixCon. that usually goes to the foundation. what do we do about funds that pile up?
- @ctheune: are there restrictions about how much money the foundation can accumulate?
  - @edolstra: there is a restriction concerning corporate tax
  - @domenkozar: there are also limitations on the size of a donation
    - @edolstra: you can donate as much as you want, but that will have tax implications
  - @zimbatm: could we create a culture where companies can donate to the foundation directly?
    - what would that mean, what are the implications?
  - Tom: is this charitable issue resolved?
    - @ron: we have put some effort into it, it’s currently on pause, will pick it up again
- @ron: distinction donation vs. sponsorship
  - donation does not expect anything in return
  - @zimbatm: propose some pre-determined structure that makes donations easier
  - @ron: example: Google using IDX could impact our running costs, should we ask them to compensate?
    - if we had a good relationship they don’t have to pay money but would instead collaborate
    - @tomberek: this is not a hypothetical problem. it’s not critical but we’re seeing a traffic increase
- @domenkozar: if we have a culture where we have “strategical” sprints (e.g. one for stabilising flakes), that would give a very strong signal to companies and a point of contact where they can support the project
  - it may be expensive to donate 10kEUR to the foundation, but this is something that would produce a tangible result
  - Tom: agreed. also companies have Nix issues and would benefit from supporting hackathons to address them
    - that would also not be a direct donation to the foundation, sidestepping the tax issue
    - @ron: we talked to a few foundations that do bounty programs. there are concerns with who controls the money
  - @domenkozar: the foundation could step in to resolve conflicts
    - the point is not to make strategic decisions but to facilitate them
  - @ron: we could make clear that we’re open to doing such a thing and ask people to get in touch
- (???): bounty programs are good, they provide some gamification and give some structure to the problems.
  - doesn’t have to be money, could be tokens
- @adisbladis: using excess sponsorship money could actually incentivise companies to give a lot more

Proposals

@raitobezarius: a NixOS cooperative where people can work on Nix for money, a one-stop shop to get paid services
- @ron: that could be the foundation
  - @qyliss: the foundation decided not to make technical decisions
  - @ron: but we could still employ people
- @flokli: companies could also do the employment part
- @asymmetric: a cooperative is employee-owned, would be interested to explore this
- @qyliss: commercial employers are usually not equipped legally to employ open source workers (IP issues, etc.)
- @domenkozar: it’s a great initiative but would fall into the commercial realm. anyone can just do that
@domenkozar: let the foundation introduce the concept of strategic sprints
- sponsors could propose things but not decide on agendas. it would still be an agenda
- the foundation wouldn’t organise directly, but approve budgets to provide the environment
- @raitobezarius: to expand: there are a lot of Nixpkgs issues that can be taken on by individuals, but some things are only possible in a sprint setup
  - would be interesting to see how we could make those topics evident to everyone
  - selecting a topic for a focused group would be easier
@ctheune: we’re looking for ways to get into the community with things that are quite boring, such as merging hotfixes that resolve production show-stoppers
- it would be interesting to have a somewhat neutral person to accept such contributions even if they are not perfect yet, and resolve discussions more quickly or follow up on long-term solutions
- the two important parts are
  1. continuity, we’ll have to figure out the funding for that
  2. an avenue for commercial users to get certain kinds of reliable support
- @zimbatm: security is an important topic for companies. propose to fund a person 50-100% to run the security team
  - have to gauge how much effort is actually required to do this in the long run
- @qyliss: a lot of commercial users would like to have a security tracker
  - (???): the company I work for would love to give money to get commerial support
  - @peterhoeg: not having a security framework is a show-stopper for many potential commercial users
  - @ctheune: we did the Vulnix thing back then; the problem is it’s a huge chunk of work to see results
    - someone working at 30% didn’t see any reasonable progress, it’s overwhelming
  - @janik: the main concern for customers of RedHad or OpenSuse is whether older releases get security updates
    - @ctheune: had that with NixOS, were doing a huge amounts of backports to old releases, it was untenable
      - we should really focus on smooth upgrades; we have data on how fast rollouts can go
      - @qyliss: we effectively have a policy of discouraging backports because it would create the impression we’re supporting releases that we actually don’t
    - @hexa: this is work that has to be paid for
- @fricklerhandwerk: there seems to be broad consensus that we just need someone getting paid to work on security
(???): very concerned with paying people to work on Nixpkgs, as that would make an impression of having authority on particular topics just because they’re paid by the foundation
- @ctheune: that could actually improve the volunteer experience as such paid maintainers would take on chores volunteers wouldn’t like to do
  - it also needs some authority in certain situations
  - we shouldn’t create strict rules that prevent us from exploring that space
- @qyliss: most volunteers just don’t do stuff they don’t like to do
  - sometimes people do things out of a sense of responsibility, but this is self-regulating as they tend to burn out
- (???): it’s much better to pay people for things they were already doing and have experience with
  - there are some examples of this happening
  - it makes a better atmosphere than paying people who just arrived
- (???): propose the foundation hires a resident developer to facilitate contributions
  - that role wouldn’t be to implement anything but make sure things can run smoothly
@fricklerhandwerk: (presents the proposal from the discussion draft)

Meta discussion

@asymmetric: maintainers employed at companies are not doing it as their job description, this is not “a role”
(???): we have to install a good policy on transparency
- should be clear who is working for whom and where the money comes from
- ideally in a central place
- @zimbatm: simple fix: make sure all teams on GitHub are mapped to actual teams and linked to their teams page
- (???): in this room we may know who are stakeholders in the community, but newcomers have no chance. would be great to have that public somehow
(???): don’t think that people paid by their employer actually count, as they will usually put in much more hours that they’re paid for
@qyliss: the line between volunteer and paid work is hard to draw
- I do things in Nixpkgs to do things I care about, have many small-time supporters that don’t set my agenda
- @ctheune: people have fractured identities, they act with different hats on in different situations, sometimes even at the same time
  - GitHub profiles cannot reflect that
- (???): donations can be considered volunteer work, because you’re not paid per project but support you as a person for doing meaningful work
- @janik: many people contribute packages, but that has to be reviewed by someone
  - reviewers are volunteers, but that capacity is very limited
  - but sometimes multiple people working at the same company may push things much faster because they have financial incentives
    - @qyliss: agreed, from first-hand experience it’s hard to balance those interests
    - @embr: as former manager, if you’re in that situation the company has a strong incentive to get changes through no matter what
      - it’s not their job to think about what that does to the community
    - @ctheune: companies may have more urgent and immediate needs, even if they’re committed to making a better thing tomorrow and not run away
      - this can also be valuable input for the community as well
      - there is a tension between a “generative” aspect of making new things and a “moderating” aspect to prevent things from getting out of hand
  - @piegames: another view is personal relationships; one just has to know who to talk to to get things merged
    - beginners struggle with this a lot
    - we already started actively working against this by marking first-time-contributor’s PRs
- (???) on the flip side, having two engineers from a company maintain a component is valuable, as it’s maintained
  - even better would be having people from different companies do that