Difference between revisions of "Regulatory Compliance/Meeting Notes for 2016-11-14"

From SOBAC Wiki
(Draft page for Meeting Notes: Regulatory Compliance)
October 2016: Promoting Open Source
===================================

FLOSS: Free/Liberated Open Source Software

- What FLOSS does your organization use? How did it get approved? Implemented?

- What kinds of FLOSS are amenable to use by nonprofit organizations? Why?

- What kinds of FLOSS are less amenable? Why?

- What are some of the selling points you use?

- What have been some of the advantages?

- What have been some of the challenges and disadvantages?

Announcements
-------------

- Tue Oct 18, 7pm: Ruby FLOSS Contributions, Sweet Tooth

+ Boltmade was bought by Shopify!

+ Bring a laptop and a Ruby install

+ Goal: encourage FLOSS contributions and bring visibility to FLOSS projects in the area

- Sat Oct 22, 4-8pm: Laptop Rescue Mission, Computer Recycling

How do you sell it?
-------------------

- End users don't care much about open source

+ They think you need to contribute code

+ Contributing might mean contributing financially or reporting bugs
 
 
 
- Lots of people using the code might make it better
 
+ But this did not work so well for OpenSSL
 
+ How do you make people aware of the code that they use?
 
+ How do you pick the projects to support?
 
* Apache
 
* Linux Foundation (they have a Core Infrastructure initiative)
 
* SPI: Software in the Public Interest
 
 
 
- Do endorsements from famous people matter?
 
+ Can you get the word out?
 
+ http://trustmeimlying...
 
+ Getting grassroots word of mouth matters a lot
 
+ Ask for reviews from reviewers
 
 
 
- Maybe it makes sense to throw money at infrastructure projects?
 
+ Pay somebody to maintain/develop the software instead of paying a proprietary software company
 
+ Again, SaaS has changed this landscape
 
* Would it even be feasible for SaaS providers to release their software as FLOSS?
 
* Maybe this is their "community editions"?
 
* Most community editions take out features
 
 
 
Arguments for Open Source
 
-------------------------
 
 
 
- Cheap to acquire the software (and nonprofits are cheapskates)
 
- FLOSS tends to be easier to debug and troubleshoot
 
+ e.g. looking through the source of Samba to troubleshoot a problem
 
+ You can get consultants to fix your software for you
 
* e.g. Zikula CMS has 2600 weblinks
 
* They did an upgrade and he paid somebody $50 to fix it
 
* e.g. OSCAR medical records system: we paid somebody to set it up and customize it for us (OSCAR/CAISI)
 
- Data migration can be easier: the code is the template for migration
 
- It is possible for people to develop code coverage and test suites after the fact
 
- What would the advantage be if our rollback software was open source?
 
+ You could debug the software easier
 
+ You could see what it is trying to do
 
 
 
Arguments Against Open Source
 
-----------------------------
 
 
 
- Software might be unfamiliar compared with what people are used to or what they use in school.
 
- Privacy is important sometimes and you need to trust the code
 
+ Sometimes privacy is a concern
 
- Other providers need to use the same application, which is not in use across the board
 
+ What about federation? This may not be the issue.
 
 
 
- Software as a Service has taken over the industry
 
+ Conceptually it is possible to make it FLOSS
 
+ In practice it usually is not
 
+ Failure to make SaaS FLOSSy is a failure of sales
 
* "If you can download the code then what are you selling?"
 
* Really you are paying people to take care of infrastructure for you
 
 
 
Considerations
 
--------------
 
 
 
- How quickly can people pick up the software?
 
- Are we using it to contribute back or just to use it?
 
 
 
- What is the code quality?
 
+ In proprietary software the code quality may be bad, but hidden
 
- Are there developers? Is the project being supported?
 
- How good are the development leads? This is important for stability.
 
+ e.g. LibreOffice has good quality according to Coverity
 
 
 
- Who gets paid to develop the code and how?
 
+ Consultants?
 
+ Sometimes big companies sponsor developers?
 
 
 
- How friendly is the community?
 
 
 
- People are used to paying for proprietary software but not FLOSS?
 
+ But people are also used to not paying for online software unless it is SaaS
 
+ Open source does not tend to nag people to pay for it
 
+ Patreon models are becoming more popular
 
+ Is it enough to fund only a few projects?
 
+ How do you crowdsource projects? How do you sell the software?
 
+ We pay for a pfSense gold membership for no reason
 
* But it is a kind of insurance so that pfSense continues to exist
 
* Maybe it is a sliding scale fee
 
 
 
 
 
- Trust is a huge factor
 
+ Can our organizations trust the product?
 
+ Does the website look nice?
 
 
 
- How much support can you get?
 
- What are your fellow companies using?
 
 
 
- Sometimes interoperability matters
 
+ TWC cannot use LibreOffice for resumes (but how does Google Docs play into this?)
 
 
 
 
 
Other things
 
------------
 
 
 
- Libreoffice Online is being developed and is running
 
+ Done with OwnCloud and Collabora
 
+ The goal is to sell to government and make sure that all the government templates are available
 
+ Canadian requirements for accessibility are more stringent than elsewhere
 
* And there are not that many developers working on it
 
 
 
- Is there any antivirus that is FLOSS?
 
+ There is ClamAV, which is good for email servers and terrible for desktops
 
 
 
- Are there antivirus products for other operating systems?
 
+ It exists for Mac and Linux but is not widely used
 
+ Android is the new Windows and has lots of viruses
 
+ You don't want to run everything as root
 
+ Software stores make this a little better
 
+ Android updates do not go out as quickly
 
+ Why is Android such a disaster?
 
* Too many users?
 
* Not enough quality control?
 
* Too many apps?
 
* Too much fragmentation?
 
+ Android good practices?
 
* Be careful about clicking links
 
* Look at how many people use the app
 
* There is antivirus software available for Android
 
+ If you root your phone do you run everything as root?
 
* No?
 
 
 
- How well has Drupal worked as a CMS?
 
+ We have been able to modify it.
 
+ The community is open and friendly
 
+ Developing core functionality has been hard
 
+ Major upgrades are difficult
 
+ Rails makes upgrades easier
 
* A bunch of modules were backported from Rails 4 to Rails 3
 
 
 
- Can you get university and college students to develop code as part of their coursework?
 
+ It is real code, not toy projects
 
+ Contributions that are accepted look good on resumes
 
+ If the project is organized properly this can still be valuable
 
+ A lot of student work looks rough
 
+ LibreOffice has a mentorship project for students
 
 
 
- In digital media programs they used FLOSS so the students could continue using the software on their own afterwards
 
+ In the marketplace this software is less popular
 
+ But the skills are transferable
 

Revision as of 04:28, 13 January 2017

Regulatory Compliance: Meeting Notes for 2016-11-14
===================================================

Thanks to Martin Edmonds for moderating this month.

Many non-profit organizations are involved in government-regulated services such as health care, employment acquisition and training. Other activities require adherence to other laws, such as building codes. How do you keep track of all the regulations that you need to follow?

Points raised:

• Must consider retention and retention periods of email and other documents (almost any document can be considered a legal document)
• In addition to government regulations, must consider industry practices and standards
• Following the Ontario Not-for-Profit Corporations Act (ONCA)
• Maintenance of email lists:
  o use double opt-in (the address owner must confirm from that mailbox before the address is added)
  o use email lists only for their stated purpose
  o offer a mechanism for requesting to be removed
• On the website of an incorporated organization (required in Europe, but not yet in North America):
  o need to specify whether cookies will be saved
  o need to specify a physical address (required in Europe)
• Who counts as a member of a non-profit (in some cases, even attending an event can make you a member)
• Adherence to copyright law when photocopying
• What responsibilities does an organization have when providing internet access to the public?
• Audits from organizations that grant non-profit status or organizations that provide grants
• Software audits (e.g. Microsoft ensuring license adherence)
• Need to be very careful about mailing lists and keeping them up to date to prevent mail going to the wrong person
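The three mailing-list points above (double opt-in, lists used only for their stated purpose, a removal mechanism) in working code, as an added example; this is not code from the meeting notes or from any SOBAC system. The list names, the server secret and the 48-hour confirmation window are assumptions. The security point it demonstrates is that a confirmation or removal link must carry a token that is unforgeable and bound to the action, the address and the list, so nobody can subscribe someone else's address, a token for one list cannot be replayed against another, and removal works from the mail itself without a login.

```python
"""Double opt-in and unsubscribe tokens for a non-profit mailing list.

Added example; not from the meeting notes or any SOBAC system.  The list
names, SECRET and the 48-hour confirmation window are assumptions.
A link token is '<payload>.<mac>' where the HMAC binds action, address,
list and expiry, so a token cannot be forged, moved between lists or
actions, or used after it expires.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumption: in a real deployment this is loaded from configuration, not source.
SECRET = b"hypothetical-server-secret-rotate-me"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(action, email, list_name, issued=None, ttl=48 * 3600):
    """Build a signed token for a confirm or unsubscribe link."""
    issued = int(time.time()) if issued is None else issued
    payload = json.dumps(
        {"a": action, "e": email.lower(), "l": list_name, "x": issued + ttl},
        separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(mac)


def verify_token(token, expected_action, now=None):
    """Return the payload dict if the token is authentic, unexpired and for
    expected_action, else None.  The MAC is checked (constant time) before
    any field of the payload is trusted."""
    try:
        p64, m64 = token.split(".", 1)
        payload, mac = _b64d(p64), _b64d(m64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(mac, hmac.new(SECRET, payload, hashlib.sha256).digest()):
        return None
    data = json.loads(payload)
    now = time.time() if now is None else now
    if data.get("a") != expected_action or data["x"] < now:
        return None
    return data


class MailingList:
    """One list, collected for one stated purpose."""

    def __init__(self, name, purpose):
        self.name = name
        self.purpose = purpose
        self.confirmed = {}  # email -> time the owner confirmed (consent record)

    def request_subscription(self, email):
        """Step 1 of double opt-in: store nothing; the caller mails this token to `email`."""
        return make_token("confirm", email, self.name)

    def confirm(self, token):
        """Step 2: only a valid confirm token for this list adds the address."""
        data = verify_token(token, "confirm")
        if data is None or data["l"] != self.name:
            return False
        self.confirmed[data["e"]] = int(time.time())
        return True

    def unsubscribe_token(self, email):
        """Embedded in every mail sent; long-lived so links in old mail still work."""
        return make_token("unsubscribe", email, self.name, ttl=365 * 24 * 3600)

    def unsubscribe(self, token):
        """Remove the address named in a valid unsubscribe token for this list."""
        data = verify_token(token, "unsubscribe")
        if data is None or data["l"] != self.name:
            return False
        self.confirmed.pop(data["e"], None)
        return True

    def recipients(self, purpose):
        """Refuse to hand out addresses for anything but the stated purpose."""
        if purpose != self.purpose:
            raise ValueError(
                f"list {self.name!r} was collected for {self.purpose!r}, not {purpose!r}")
        return sorted(self.confirmed)

    def record_bounce(self, email):
        """Hard bounce: drop the address so mail stops going to a dead or reassigned mailbox."""
        self.confirmed.pop(email.lower(), None)
```

The confirm token is idempotent within its window, so a user clicking the link twice is harmless; what matters is that a token for the "events" list, or a confirm token presented to the unsubscribe endpoint, is rejected before any address is touched.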


How do you store compliance documents such as sign-offs, NDAs, and contacts? What do you use for secure document storage and transmission?

• Lotus Notes used to route a document and get sign-offs along the way
• Blockchain systems (discuss further in a future meeting)
• Electronic forms on a secure file server or encrypted device
• Encrypted data at rest:
  o TrueCrypt (there are some known vulnerabilities in the Windows version; development ended in 2014, and VeraCrypt is a maintained fork)
  o LUKS container
  o Offsite copies (using the send command)
  o ZFS (a file system)
• Indicate at the top of an email who its intended audience is. Legal disclaimer in the footer telling you not to read an email if it does not pertain to you.
• Encrypted email systems, e.g. Enigmail (a Thunderbird plug-in)
• Online services for encrypted mail, e.g. ProtonMail and Tutanota
• Signal, Telegram, and WhatsApp for encrypting instant messages (note that Telegram encrypts end-to-end only in its Secret Chats)

Potential topics for future meetings

• Blockchain systems
  o Book: London Review of Books had two stories by the same author, Andrew O'Hagan
  o Ethereum (a programming environment built on top of a blockchain)
• Accessibility rules
• Document storage formats (ODS, etc.) could be combined with document management systems