Skip to Content.
Sympa Menu

cacert-policy - Re: improving p20100306 - minor changes (TRIAL POST)

Subject: Policy-Discussion

List archive

Re: improving p20100306 - minor changes (TRIAL POST)

Chronological Thread 
  • From: Ian G <iang AT>
  • To: cacert-policy AT
  • Subject: Re: improving p20100306 - minor changes (TRIAL POST)
  • Date: Fri, 22 Feb 2013 10:46:27 +0300

Some historical context might help here.

Back in the mid-2000s, when the governance project started up (a.k.a. audit), the effective power over the policies was simply board. Although policy group existed, the real 'power' was held by the board, which passed or failed. It did this in secret, so no real capability existed in policy group, and several complicated policy changes died in that committee with zero feedback.

And, as a practical matter, it was one person, not more, that controlled everything.

This also raised the problem that board could simply write whatever, and publish it and claim it was done. Indeed, many saw the policy task as board's job. Which would perhaps have been workable, except (a) they didn't do the job [0], (b) they were secretive, and (c) audit demanded some form of effective change control.

So it was judged imperative that policy move out of the hands of board.

Just to look at (c) change control: At the time, the only effective change control in place at that time was the way software changes were done. This was VERY controlled, and indeed it was under the sole control of the same person who controlled board.

So the solution that was crafted was to move all of policy's decision making out of the board, and into the hands of policy group. But, the publication of decided policies was left under the control of the same person who previously had total control. Split responsibility, leaving both the community and the person with an effective veto (you'll notice that later on, board's veto got made explicit).

This worked -- within the context of the *2006* constellation of powers-that-were. However, things have changed a lot. We're now in *2013*. The board is no longer singular, secretive, focussed to the point of obsession. And, policy group has advanced to be a mature, effective forum [1].

Also, Software Assessment has moved to the point of focussing on software and putting in place their 4-eyes oversight. So it's worth re-examining the context of 2006. We didn't choose Software Assessment as the form of change control because it was appropriate, but because it was the only one available. And it just happened to slice through the gordian knot of the one person lock, of those times. To re-iterate: audit required any effective form of change control, not that one.

And now, Software Assessment really do not want to be bothered with controlling policies, that kind of doesn't gel with the system they have set up.

Therefore, policy group have had a long standing project to get up and going a form of repository that is more easily controlled from within policy group, and relieves the load from SA. In brief, this consists (today, on paper) of having a website called with all the policies in it, and a local publication mechanism that is pushed from across to once our decision making process is done. This is for example pretty much essential if we want to move DRAFT decisions across in a timely fashion (c.f., a recent arbitration). As a matter of practical SA resources, the SA bottleneck means we cannot move DRAFT decisions across at a per-decision level, we have to batch it up into a 'finished total upgrade' level.

So, if you're a sysadm, have a look at that project and help us get that website sorted out :) Then things will be a lot slicker.


[0] They did it once - Privacy Policy. And they made one modification, again to add 3 clauses to PP. But every new policy disappeared into the black hole, including CCA, DRP, PoP, etc.

[1] The policy project's record is stellar. Although there have been some less optimal results such as inter alia the 2009 veto, there haven't been any decidedly wrong-headed decisions.

On 22/02/13 03:50 AM, 
ulrich AT
the next thing to consider
simple changes is still a pain, as main policies are located
within the critical system, and we're currently blocked since 2009
to update the main policies according to policy group decisions  :-P

The simple way goes through filing a bug report and
pass the changes via Software-Assessment
(at least 2 software-assessors who did undergo an ABC process
who checking the changes) and/or the critical admins
(critical admins also did undergo an ABC process, so trusted personal)

Since Oct 2012 we have an active Software-Assessment
update cycle process so updates to the production system
gets faster passed to the production.
All changes will be checked based on the defined
update cycle process by at least 10 eyes (!) principle
  2 software-assessors
  2 software-testers
  1 critical admin

  5 times 2 = 10 eyes ,-)

This counts as an advantage that prevents
going wild with unappropiate changes

At least Arbitrators have to reread policies from
time to time and will give notice that a policy
requires an update according to the "minor changes"
decision or rules, that a policy decision did not
find its way under the main policy directory

decision for RDL was given under p20100710

Two months later, we still discussed updates on CCA
assuming we can make progress in a short time
so the motion
Changes to CCA for RDL
have been rejected   :-P

Now, over 2 years later, we see, that our expectation
to make progress with an CCA update failed :-P
and the NRP-DaL definition is still in there
that still have been replaced by RDL back in July 2010  :(

p20100306 Policy Officer makes minor adjustments
this can be easily corrected, but here we are again
at the point where the cat bites its tail   :-P

regards, uli    ;-)

-----Original Message-----
From: Guillaume ROMAGNY 
[mailto:guillaume AT]
Sent: Friday, February 22, 2013 12:35 AM
cacert-policy AT
Subject: Re: improving p20100306 - minor changes (TRIAL POST)


Reading the thread including the Herod analogy, I really believe, in
case we don't have an appointed Policy Officer, *we* can be the

Not a physical officer but a moral body. At least, one of us (hoping not
always the same (*), considered as a temporary tasked oriented Policy
Officer) can do the minor changes, so we don't turn to *nobody* style. I
guess it is community oriented and "Ian style compliant"(tm). We avoid
to wait for the Board to nominate someone.

So, we become able to nominate a temporary PO.

(*) Hoping to avoid :

Go down, Moses,
Way down in Egypt's land,
Tell old Pharaoh,
Let my people go.


Best regards,


Le 21/02/2013 18:45, Megan C. Robertson a écrit :
Greetings, dear hearts

Once upon a time there were four people: Their names were Everybody,
Somebody, Nobody, and Anybody. Whenever there was an important job to
do Everybody was sure that Somebody would do it. Anybody could have
done it, but Nobody did it. When Nobody did it, Everybody got angry
because it was Everybody’s job. Everybody thought Somebody would do
it, but Nobody realized that Nobody would do it. So consequently
Everybody blamed Somebody when Nobody did what Anybody could have done
in the first place.

This rather sounds like the Policy Group J

Hence the need for someone, we’ll call them the Policy Officer for the
time being, being tasked with actually doing all this editing and
updating stuff that is chewed over here in the Policy Group… the
general tidying up, checking grammar and spelling, making the HTML go,
etc., is a useful background task, then when the Policy Group actually
decides on any change, that can then be entered in at the right place…
without anyone needing to worry about who was going to do it.

Hugs from Megan


*From:*Ian G 
[mailto:iang AT]
*Sent:* 21 February 2013 17:24
cacert-policy AT
*Subject:* Re: improving p20100306 - minor changes (TRIAL POST)

Having discussed, read responses, and thought about it for a few days,
I am thinking now that the answer lies in policy.

Because we have been challenged [0] on an issue of Policy, we should
get the Policy right.

Therefore, I'm thinking in terms of copying p20100306 straight into
the appropriate place in PoP:

======================ADD at end of PoP#2:
*2. Basic Model*:
2.n+1 Editors may make the following changes, where
it is clear that the change does not change the policy:

* fixes to errors in grammar and spelling,
* anchors, HTML errors, URLs & formatting,
* COD numbers and formatting, and
* other minutiae, as agreed under 2.3.

Such changes are to be notified to the policy group, and are to be
folded into effect, etc, without further ado.

========================END OF ADDITION.

With some improvement of course :) How do people feel about that?


[0] Cost-wise, it looks like we are going to spend around 2-4 weeks on
this regardless of how we deal with it. We have been told to spend
time writing down stuff we already know, we have consensus on, and is
established practice over many years. A.k.a. bureaucracy. Which will
hold up our policy work. Either way, we don't get out of the challenge
without *at least a vote* . Which is expensive, dammit! Which we
should make count... Therefore, let's turn this into an opportunity
and fix it in the policy. This way, we lead.

On 20/02/13 06:30 AM, Ian G wrote:

Software Assessment in its last telco meeting declined to take some
new policy changes with links modifications, according to p20100306:

Policy Officer may make the following changes,
where it is clear that the change does not
change the policy:

URLs to track any links that move,
grammatical errors,
anchors, HTML errors & formatting,
COD numbers and formatting
other minutiae,

They said that, as the Policy Officer position is not listed in the
Officer's page, they decline to recognise the effect of the motion.

Motion p20100306 has been very valuable because it has meant we can
do things without wasting everyone's time. Policy group attention is
our most valuable resource, we don't want to squander it. Following a
suitable notification, it's done and complete, and policy group can
concentrate more on real work.

Still, the message is clear, Software Assessment have decided to stop
after 3 years of success. I want to preserve the intent of the
motion, and I see three possibilities:

1. vote on a policy officer.

2. adjust the above words so they say Policy Team instead
of Officer, and add a caveat that the changes are
notified to policy group (our general practice anyway).

3. incorporate words into PoP to that effect.

What do people think? Prefer 1,2,3 or something else?

I apologise in advance, but it looks like we're in for another vote
on stuff we already have strong consensus on, and strong practice.


No virus found in this message.
Checked by AVG - <>
Version: 2013.0.2899 / Virus Database: 2639/6117 - Release Date:

Archive powered by MHonArc 2.6.16.

Top of Page