that way as well. So, good morning, everyone. How's the DebConf going? Good? Everybody's awake? I'm surprised. Thank you very much for taking time to come this morning. For those of you who haven't caught on already, I'm Bdale. Among other things, I've been serving for several years as President of Software in the Public Interest. It has become our habit each year at DebConf to have an SPI Birds of a Feather session. Mostly, it's an opportunity for us to report on the status of SPI and to answer any questions. We don't have any really significant new information to report except for some brief updates on financials and so forth. Out of curiosity, how many of you are not SPI members? You should fix that today. We'll explain how in a little bit. So, what I'll do is I'll just briefly run through who the current board members and officers are. We just had a Board of Directors election. It was pointed out since we arrived here at DebConf that we goofed and made a small mistake and forgot to have a re-election or election of officers at the first board meeting after the board election. We kind of lost track of this because while we did have an election of new board members this year, it did not involve an actual vote because the number of candidates and the number of available positions did not require one. We'll talk just a little bit about how SPI came to be and what the history is, what the current list, sort of the logo cloud, of associated projects looks like. Probably spending a little more time talking about financial status and then we can take whatever questions people would like to ask. This is the current composition of the Board of Directors and officers list. Those that are italicized are not present. As was already mentioned, Martin Zobel-Helas was here for much of the week but he had to leave after the conference center last night so he's not present today.
So, I guess here in the room today from the board, I'm here as president, or it's here as vice president and more than as our current secretary and I guess everyone else is not here. A couple of notes: as time goes on, the board is slowly becoming more diversified amongst the associated projects. It's not quite as purely Debian looking as it once was and I'm actually really pleased by that. I'm glad that representatives from some of our other associated projects are taking the step to take a more substantial role in SPI. So, what is SPI? Well, it stands for Software in the Public Interest. It's organized as a charitable nonprofit organization in the United States. It was originally created when the Debian Project became large enough that there was a need to have a place that could legally hold assets on behalf of the Debian Project in the U.S. And, fortunately, those who created Software in the Public Interest were forward thinking enough to realize that this was a service that other projects might need too, not just Debian, so instead of creating it as the Debian Foundation or something like this, it was created as a more generic Software in the Public Interest charity, and as you should see in a moment we now provide similar services to a broad range of projects in the free and open source software. This is the organization that holds Debian funds in the U.S. and other assets like trademarks, domain names, and among other things, the copyrights. SPI was founded as a nonprofit corporation in the state of New York in June of 1997. In 1999, the Internal Revenue Service recognized Software in the Public Interest as qualifying for charitable status under the 501(c)(3) part of the U.S. tax code. The important part of this is that donations coming from individuals and companies in the United States may be offered some average as tax benefits. That, of course, depends on individual financial considerations.
And then, as I already mentioned, while SPI was originally created to serve a Debian need, it does now serve many different significant free software projects. This is the first of a couple of slides I have with the logos of the various projects that are associated with SPI. And one of the things I think that differentiates SPI from other financial and legal hosting umbrellas for various free and open source software projects is that our projects associate themselves with SPI. They're not actually, they don't legally become part of SPI. One of the benefits of this is that it's okay for projects that are associated with SPI to also be associated with other similarly structured charitable organizations in other parts of the world. So in the Debian case, for example, Debian has other organizations in different countries in Europe and in Latin America and so forth that can also accept donations and hold assets on behalf of Debian projects in those places. So when you see the numbers representing the financial assets that SPI holds for Debian, that's not all of Debian's assets. That's just the assets that are being held on behalf of the Debian project in the U.S. Here's another big thing. A couple things you might notice in here. There's more than one Linux distribution. Arch Linux is also involved, as are some others. We have multiple database projects associated. So this really is a very broadly structured and very diversely connected organization. Any questions about the associated projects list or any of the other things that we've talked about so far? Well, financially, I pulled the numbers from the sort of annual report, treasurer's report, which is through the end of June. At that time, the total money being held by Software in the Public Interest was just over $840,000 U.S., of which more than $700,000 is being held in trust for our associated projects and approximately $128,000 was being held in SPI's general reserves.
Honestly, that's the highest the general reserves have ever been. It's half again as large as it was a year earlier. A year earlier, that was in the low $80,000 range. And this is the reason that I'm really quite convinced that we are at the point in time where it's okay for us to spend some of the money from the general reserves taking on more of SPI's routine tasks as things that we acquire some paid professional help to do. And we'll talk about that some more after the final part of the presentation. But as you can see, the vast majority of the funds that are being held by SPI are not really SPI's money. That's money that we're holding in trust on behalf of the associated projects. And this is what the balances for those look like. Intriguingly still, something like a third of all of that money is one way or another being held on behalf of Debian and DebConf. As you can see, the Debian earmark itself, which is right there, is still sitting at something about $224,000. This is at the end of June again. And there were funds still associated with the DebConf 14 earmark and quite a bit of funds for the DebConf 15 earmark. I'm sure that by the time we finish with this DebConf and close out the associated expense transactions and so forth, that those balances will be substantially different. But for DebConf, what we usually try to do for this further session is take the SPI annual numbers from the end of June so that we have a way to look at them year to year. And those numbers are slightly up from this time last year, but it's not really a very dramatic difference. And Debian's balance held by SPI has remained reasonably steady over the last couple of years. And I guess if we go ahead and look at some of the others, there's substantial balances being held on behalf of other organizations. LibreOffice is another good example.
As I think everyone knows, there's now this thing called the Document Foundation, which is the primary umbrella organization for the LibreOffice activities. But what we've discovered in the past is that moving funds back and forth across international borders just to aggregate sums in one place is secret because we end up paying international exchange fees and all of this. So this is another example of a place where we're happy to continue with holding those funds in trust for that project. And when they have things they need to spend money on in the U.S., they can ask SPI to disburse those funds, and we don't have quite as many international funds transfer fees. And in fact, the LibreOffice earmark is down from last year because we paid a couple of bills on their behalf for travel reimbursements from people from the U.S. or something like that. And this is the last of that list. As you can see, PostgreSQL continues to be one of the other projects that we're holding substantial assets on behalf of. And in fact, we have one of our board members who represents that project. And if you look at this list, there are a couple of projects that are essentially defunct. And one of the sort of legal challenges that we'll have to address at some point is that in our associated project agreements, we have historically not been good about including any language to cover what happens when a project ceases to be active or disappears. Under the IRS rules, we understand that we can't transfer funds out to anything other than another charity. So if a project, for example, back in the old days, we held funds on behalf of the GNOME Project. And the GNOME Foundation was formed in a similar IRS tax status. It was easy for us to take the balance we were holding and transfer it to the new charity to continue to use on behalf of GNOME, particularly since that was also an organization in the U.S.
But if we decide at some point that OSCNX really is dead and gone, what do we do with the $2.92? And because these funds that are being held in trust for their various projects were given to us by the donors with an explicit earmark saying they wanted the funds used for that project, the fact that we lack some explicit language in our associated project agreements from that era to say that if this project ever goes away that will revert to being SPI general funds or something like that, I think at some point there's a legal question to be resolved about what exactly do we need to do to clean up some of these little balances, and in a couple of cases not so little balances, from projects that are just not active anymore. So I asked at the beginning how many of you are not SPI members. I really do encourage everyone to go apply and become a member. Being a basic level member of SPI really requires nothing but an expression of interest. There is a separate category for contributing members and anyone who is here at a DebConf undoubtedly qualifies for contributing member status and should ask for it and probably be granted it. The only real difference is that contributing members have the right to vote and in the past that's primarily been the opportunity to vote each year for who will represent the membership on the board of directors. But one of the things I would personally like to drive forward in the next year is to finally get around to fixing the issues that exist in the organization's bylaws. And to do that we will at some point have to actually have a vote of the contributing membership to approve the new bylaws. So this year may actually afford an opportunity to vote more than once. And this is where you can go to, I believe that's still the right URL, so if that's still the right URL then somebody type fast and tell me. I didn't think to check that. It's close enough.
You can go to members.SKIinc.org Members.SKIinc.org Members.SKIinc.org I'll fix that later. I'll go and find out if I am a member because I might be. If you're not sure you can ask me and I can check. Otherwise if you know what email address it was I will look in and there's a positive reason. The usual things I guess. But since we're all here, yes. Just asking. In terms of getting involved, our board meetings are monthly. The schedule and agenda are announced in advance. The agenda is published on our website under the corporate agendas part of the website. And those meetings are held in the open on the #spi channel on irc.oftc.net. So feel free to come and observe our board meetings. We do actually offer the opportunity at the start of each board meeting, when the board members are identifying themselves and binding their real world identities to their IRC nicks for the purpose of our minutes. We offer the opportunity for anyone observing the board meeting to also identify themselves and be recorded in the minutes as having attended the meeting. So another opportunity to have your name reported for posterity on the website somewhere. Our discussions are held on several mailing lists. You can learn more about those on the website. There's our general access mailing list. One that's for contributing members only. There's a board of directors list that we use for those little businesses we can get away with because that one is relatively private. But I certainly encourage all of you to use the rest of this session and the rest of the time that we're here at DebConf to reach out to those of us who are present and ask any questions you'd like or bring up any interesting topics directly. With that, the sort of formal part of the presentation that I put together is over and we'll be happy to take any questions that you may want to ask. Yes, I have a question.
I'm on race 3 and I, well, with my KSK rollover team right now, and I sent a question at a race by ICANN, if SPI is a traditional authority, could cross-sign the new key-signing key for a user? We much appreciate it. We got the question and I told him that I'm not answering it alone and I need to discuss with people. I sent a mail about that to SPI Private? Yeah, got one or two answers and I'm not here at DebConf that I really want to talk to this parent but I didn't have yet. But the general response I got was that it's positive. We need to talk about a few handlings of the SPI CA and stuff but then we should be able to do it. Do you think that you'll get to the point where you have all the answers you need before the end of DebConf? Maybe possibly, yes. So did I understand correctly that SPI runs the same way? Yes, sure. The one is not in the browser by default because it's a bit above our handling currently, what you need to do for that. At least in the Debian instance, we use the ca-certificates package, otherwise you need to get it yourself. So it's not in the trust store because it's not signed by a public CA? It's complicated, but the short version is we run a CA and it's not recognized by everybody, but Debian and I think most Debian derivatives distribute us in their CA certificates back in school. I guess you were at the Let's Encrypt session. How do you engage in this, cross-signed by another certification authority? We really haven't even thought about that very hard yet. It certainly seems like that would make sense. I would think that somehow, I'm certainly personally very excited about Let's Encrypt and I would think that as they become ready to sort of deal with the rest of the world, that's conversations we certainly will look forward to. I don't think Let's Encrypt is really taking off and getting good because we want to run it completely on CA.
Right, because there are lots of constraints and problems coming up if you run it on CA. As you heard in the presentation of the day, and I ran this actually in a similar context related to the UEFI secure boot, and the issue there was who's going to be willing to run a CA, and in the end the CA that exists for UEFI secure boot is only operated by Microsoft and everyone uses them to obtain signatures and all of that, and as long as they continue to run that in a trustworthy sort of way and allow whoever needs it to have access to the service that's just fine, but the non-profit organization that was developing specifications realized that it was well beyond their capabilities to be able to run a CA or to afford to have somebody else do a dedicated one. The Let's Encrypt thing really excites me because a core group of organizations that are highly motivated to do it and do it well is doing that work. We've been running one because we needed one, not because we really wanted to run a CA, and so in the meantime let's do all of our things, but I would hope that we connect ourselves and what would be a perfect way to do the Let's Encrypt one. Peter might have some tips which CA would talk to which we would like to cross-sign the SPI CA. Well, as Harris says, once they're online the idea that they might cross-sign us themselves is, this is also the question of, I don't want them to cross-sign us just because we're a nice charity, and we're up to have a very serious conversation about what you mean to run a CA or an associated CA or a cross-sign SPI. If we think that's all reasonable, great, if it seems like too big a burden then I think we'll decide. If they're very successful maybe we don't have to take ours to the next level, maybe we can use theirs. I don't really follow that through. As Harris says, to be honest, there will be a CA because it's completely different from many CA standards that we are running it.
I think we are doing it in a secure way and stuff but in my opinion it's an optimum way you could actually do it. It's good for our project, it's good for the things we are having and it worked and we never had a big problem with it except that we are not in any main browser, and we can jump on and let them do something, you will do that. I would submit that there will just be more projects in the future that we've been able to see in this philosophically aligned project that the SPI represents. So, especially true with respect to crowd computing and pockets and crowd computing that are philosophically aligned with SPI. And then I think the question is, do we end up believing we're fully philosophically aligned with SPI, Let's Encrypt, is running their CA, or does there continue to be some delta, and that will have to be part of our decision process in the future. We've been paying lots of attention, looking forward to seeing them come online and I can't wait to start using their services for some of my own personal servers and so forth, and therefore I'm sure we'll all have the opportunity to learn how that works and think about how that should interact with SPI. Do you run a CA, unacquiredly, or associate projects, many of them are taking advantage of that? I don't know if they still have any because they've got some stands up but it can be in the past, isn't it? Or if you see it's using quite a lot for all of the servers? So just to finish up the comment, I mean I don't want to beat it today. I have a previous affiliation where they can link all GlobalSign which is in the ring trust store and they're all off all major operating systems which I could probably arrange for a co-signing, I could probably sign or something. Again, that would be great. And again the issue is just that we have to understand what their normal expectations for a cross-on project are and we have to consciously decide if we want to use more groups.
Because we're at a point now where the things we really needed to accomplish are well handled with current setup, and so with an activity like Let's Encrypt underway and making progress in what we think is the right direction, doing a lot of extra work to beef up our CA might or might not really be a great investment of time, but I think we'll get a chance to see that over the next three or four months as they come along. We're certainly not going to abandon our CA suddenly for another reason, but the reason it exists is because there wasn't anything like, but I think in particular being able to get certificate, wildcard certificates is one of the things that none of the free CAs would want to support in the past, and it's on Peter's presentation when I've got something they'll get to but isn't necessarily a part of the initial offering too, so I guess we'll just have to see how that works out. Other questions? Yes. In some countries it's easier to create local trust tokenization of the Indian but for example next year we need a lot of support of SPI. What can we get from SPI? SPI can sign SPI can sign contracts in a Bay of South African as long as it's okay for a U.S. nonprofit to be signing those contracts. I mean as long as the person on the other side of the contract thinks that's okay I don't have any problem with it. I don't think Michael would either. I think we can probably do the right things. We were talking before the session started today about handling funds. The use of SPI as a way to route funds to a conference that's happening in another country actually started at DebConf 6 when there was a huge problem trying to get a contribution from a major U.S.
corporation into a personal bank account in Mexico, and the resolution of that in the end was that I suggested as a last desperate measure, oh well, can you get it to SPI and we'll figure it out from there. The "we'll figure it out" was that SPI reimbursed my personal credit card for the way we handled the rest of the expenses in Mexico. All of that ancient history doesn't matter, but since then what we've done is, U.S. corporations, we've offered them the opportunity to make their donations through SPI, and then we've suggested that money coming from places outside of the U.S. probably should not route through the U.S. unless there's really some compelling reason to do that. And so for example when DebConf was being held in Portland it was easy for those funds to route through SPI. When it's being held in Switzerland, a little bit harder, but it wasn't difficult because they really had a local organizational local bank account, because we could do one or two large transfers and not have lots and lots of little international funds transfer fees. So the only thing I would ask is that we have a conversation about this with Michael, the treasurer, and make sure we understand what the best way to handle the actual financial transaction logistics are so that we don't end up paying a lot of international funds transfer fees. But in terms of providing a legal entity that can be contractually obligated on behalf of Debian and DebConf, I think it's okay for SPI to play that role. Again, you know, we have to look at the terms of any specific contract and make sure they don't violate our legal constraints, but I can't imagine that being true for from DebConf. Sure. Can SPI open a bank account in this target contract? Can SPI open a bank account in the target country?
Maybe. But I'm not sure it's a good idea. The problem is that if SPI does that then all of a sudden those are assets held by a US non-profit, and that means that the tax rules about it get conflated by the rules of separate countries, and I'm afraid our bookkeepers would, I'm afraid their heads would explode, and I would be afraid we would find ourselves in a situation that really wasn't good locally. I don't know. I almost would rather see somebody run and manage the primary accounting for some Debian activity happening outside of the US, I don't necessarily do it through a personal account with good record keeping, than trying to SPI open an account there. I'm not someone who should be giving legal or financial advice to countries outside of the US, maybe not even in the US. It's interesting that you talked about the need for SPI possibly to have some pay level. I think SPI is certainly getting to the size and the stage now that would be very useful. It's essentially, for such an important organization that's holding large amounts of assets for various projects, it's having to rely on volunteer effort and basically a group of people is something that may not be the most reliable way of doing it. To be useful with, if you could sort of give an overview of where we could go with that, what sort of things we could look at and how SPI as an organization can help bring us a professional paid help. Yeah, so there's been, we've gone back and forth on this over the years, and I guess three or four years ago we passed a resolution agreeing to spend some money acquiring specifically some assistance with bookkeeping and accounting services, and our treasurer did some investigation, found a firm he thought could provide services that were useful to make his life easier and began a relationship with them, and in all honesty that relationship I think from where I sit has seemed a little bit rocky. I don't think it got off really well and then I think the people that were actually doing the work
force were not completely meeting their expectations. My understanding is that our treasurer recently had a meeting with the leader slash ownership management team of that firm and they've agreed to change the way they're interacting with this and these stuff in a way that's better for them. I don't really know much of the detail of what that means or what the changes are. So in parallel with this I realized that, and this was largely due to inputs from people like Josh Berkus, who for a while was providing us volunteer assistant treasurer services, doing things like managing the documentation trail and logistics for our various associated projects involved in the Google Summer of Code, which actually for many of our associated projects the largest annual financial transactions are the reimbursements coming through for travel with the mentor summit and the funds that are actually going to the students that are involved working on their projects. Based on that I realized that we actually have grown to the point where we probably need some administrative hours or a time manpower above and beyond, quote unquote, just the bookkeeping that I thought we ought to try and address. So I thought about two things in my personal history that provided some advice and guidance on this. One is that I've been involved with another U.S.
501(c)(3) non-profit charitable organization for many years and that's the Radio Amateur Satellite Corporation, and in AMSAT there's a full-time paid office manager person that's the only real employee of the corporation, and they outsource some bookkeeping and accounting services so that the volunteer treasurer for the organization doesn't actually do anything in the sense of opening envelopes and depositing checks and managing financial transactions and reimbursements. That's all done either by the paid office manager or the contracted accounting firm that handles the books. What the treasurer is responsible for is getting the reports from the people doing the work and reviewing them and reporting on them in board meetings and being part of strategic discussions about what should happen with the funds that were available, and in fact sort of guiding the activities of the people being paid to do the work. So I have that as one model of how a successful large 501(c)(3) in the U.S. operates, and then I remembered that at one point I was on the board of directors of the Consumer Electronics Linux Forum, CELF, before it folded in and became the Consumer Electronics Working Group at the Linux Foundation, and in the early days of CELF, the companies that started that organization actually contracted with a third party management services firm to run the organization, and I believe if I remember correctly that was the company called VTM, and they're still around and they're in the business of basically providing a turnkey solution for running a non-profit organization, and they did things like arrange for the logistics of the physical twice a year board meetings, one in Japan, one in the U.S.
over here. They sent somebody to sit in the room and interact with the venue staff to make sure that the doors were unlocked and lights were turned on and the beverages were there for the break service at the right time, and they took minutes and wrote up the minutes and sort of acted as the person doing the work of the secretary and the treasurer of the organization, and they had in their organization the accounting resources to provide all of that as a service, allowing the board members, all of whom were there as representatives of different member companies, to focus again on sort of the strategic thinking and decision making associated with the project. And so with those two personal things in my experience with guidance I started thinking about where could we go to get some help, because the one thing I recognized is that I did not want to be as a volunteer to SPI responsible for the process of hiring and managing someone who just works for SPI. The overhead of being a people manager for an organization I'm a volunteer to was not a people but I didn't think anybody else on the board was really enthusiastic about this either. So what I tried to find was one or more places that we could go and have some kind of a contractual relationship with somebody else who would acquire the manpower to work and be responsible to us contractually, and the two places I've talked to recently about this are the Linux Foundation and the Software Freedom Conservancy. I reported briefly in the last board meeting and in the conversations on channel afterwards about the conversation of the Linux Foundation, but the Linux Foundation is not a 501(c)(3), they're a 501(c)(6), which in the US tax code means that they're not a charity, they're a trade association, and that means that unlike a charity where you sort of receive donations and then independent of any of those donations you have a board that decides what to do with those funds and what the strategic and the direction of the organization should be, in a
trade association you have members who pay to play and by paying to be there they help to guide the strategic direction, and so trade associations exist for companies to collaborate on activities that support common strategies and development of new markets and so forth. So it's a different kind of organization but I decided I do really care because what I have seen as a member of the board and as an observer of the Linux Foundation is that Jim Zemlin and his team are really good at hiring high quality people and motivating them to deliver outstanding performance in various tasks, and so the notion that I might be able to convince him to take some money from SPI to give us a third or half of a person's time to manage the activities at SPI, that I could trust that someone who has demonstrated ability to do good people management would be sort of watching those activities and worrying about human resources aspects of it, was pretty appealing. The more we talk though the more I realize that there is sort of a, this is something I think the LF would be happy to do, I think they would give us a good rate, I think that they would feel good about helping out a C3 charitable organization, but it is absolutely true that there is a bit of a philosophical disconnect. I'm pretty confident that if they helped us manage our books we would not be done using free software unless we made that an absolute requirement of a contract for example, because while we strongly support the Linux ecosystem, you know, they run around using Apple products and running proprietary software to run the business supporting free software activities around Linux, and that's perfectly okay, there's nothing wrong with that, but SPI has historically taken a much stronger philosophical stance on this. We've tried very very hard to not use anything that was proprietary in our activities, and so I had the opportunity at OSCON to have a conversation with Karen Sandler and Bradley Kuhn from the Conservancy and they pointed out
that in fact their needs have been quite similar to SPI. They now have I think three full-time paid staff and their transaction volume is really quite high because of some of the projects that are associated with the Conservancy, so they said if you're looking for a place to go contract with to provide just some manpower, why not come talk to us, because we are philosophically almost entirely aligned, we also care about using software for everything we do, and in fact you, SPI, were willing in the last year to vote to provide up to $10,000 in sponsorship for our work on financial software and related processes to support our kinds of organizations, and even though we didn't get enough of other sponsors to take your money and proceed with that work, you know, there's this huge convergence of interest here. Right now those are the conversations I've had. The next steps I think that need to occur are that we need to get Michael and others in it, Martin, others in SPI they're involved in some of these routine processes, together to discuss and plan what we really ought to do to take the way we operate through some transition to a new, better, capable of handling greater scale situation, and so in fact in conversation earlier this week Zobel proposed that maybe what we needed to do is have something like an SPI financial processes sprint, and you know maybe there's the opportunity for us to get the right group of people together in one place to spend a couple of days working through this, figuring out, doing a better job of documenting so that we all understand what our current processes are and how they work, what's the heavy lifting, what makes it hard for us to continue to scale in a purely volunteer way, and maybe be able to make some decisions based on that about what to do next. So we have no concrete plans about when that might happen, who will be involved in the thing, but that's my current thinking about how we move forward, and I feel good about this because after two or three or four
years of thrashing a little bit, spending more money, getting more help, it feels to me like maybe we are starting to at least have a plan for how to get to a plan. So we'll see. Anyone here that has any thoughts or inputs or suggestions, who wants to help with that, that would be great, but that's my current thinking. Other questions? We have a couple of minutes left, there's time for a little more. Neil, feel free if you have another one. I think the thing might be useful at some point for us guys to look at payment processes and how we can accept donations, and traditionally use Click & Pledge, I believe, and sort of see some issues around there, specifically with how well it manages to deal with donations and the financial security behind that, things like checks on credit cards to make sure things aren't being used to do, I think. Did SPI have a PayPal account set up, or was there anyone, or so? There has been some movement around there that would be useful to possibly look at. There's quite a bit of consternation about PayPal itself in one of the accounts of guys history. I personally, and others involved at SPI over time, have had reason to have PayPal accounts associated with other activities involved and take money over the Internet, and I at least personally have learned quite a bit about sort of the best way to set up commercial bank accounts attached to PayPal accounts and arrange for automatic sweep of funds to get them out of PayPal and into your bank account where you control it and all that sort of stuff. And I'm really quite impressed with some of the aspects of PayPal's chargeback handling mechanism. I think that's been one of the big concerns in the past. So I think as part of this whole idea of reviewing, maybe having a sprint around SPI's financial processes, it would be completely appropriate for us to review and consider whether the ways we currently allow folks to give us money are the right set.
Another question that's come up a couple of times is, do we accept it or not? And so far the answer is no. I don't have a problem with accepting Bitcoin philosophically, but from a practical standpoint there are a bunch of questions on how it would actually be rendered and as assets tracked. If someone really wants us to pursue that, that's a project we have to engage in to go through that. But with that, I'm told we're out of time. Thank you very much for your time and attention, and if you have other questions, please feel free to catch any of us in the halls the next day or so and we'll be happy to talk about other things. Thank you again.