 Hi, I'm Brian, this is the buff for Auditor and Trademark, right now I'm the only wealth, we have two Auditor members here, Martin is here and myself, is everyone familiar with Auditor team's role in Debian, so basically you can think of like the controllers for the project, keeping track of assets and both financial and non-tangible assets. I got involved because I'm also involved in the trademark team and was tracking down domain names and trademarks and they kind of fed in to join the Auditor team. You can read on the screen some of the tasks were responsible for. So one of the things, the delegation actually was from ZAK in 2010, one of the things that ZAK envisioned at this point was, it doesn't work, did it work? So one of the things that ZAK envisioned at the time was public reports and regular basis about Debian financial status, we are clearly not there yet, the delegation even said that the reporting frequency we are looking for is monthly. But yeah, that's basically the long-term goal would be to be able to have monthly reporting which means that most of the work should be mostly automated, that's clearly not what we have now. Sorry, from my point of view, I think that one thing that's where we have quite a lot of work to do is structuring communications with our trusted organizations. So we have four plus one trusted organizations currently, plus one is Debian CH which is not a trusted organization. By 29th of August, did you promise that progress should be made on that? Yes, I think there's a lot of work to do on improving the way we talk to TOs in terms of protocols. Okay, so we've put together a list of what we're currently working on. So currently the Debian donations page is a little convoluted to actually get to make a donation. It involves a number of clicks, there's an open bug on that. That's on my to-do list. If anybody wants to help, I'd welcome help. So this is a larger, the next one if you look on line 26, rationalized Debian's approach to donations, hardware donations, partners, sponsorship. Right now it's all kind of separate things and we recognize our partners and sponsors separately within contextually. There's no kind of umbrella of this organization is backing Debian no matter how they're doing it. So we don't have that yet and I think it would be long-term a good approach to working with third parties. And the next bullet kind of ties into that as well. It's kind of like coordinate how we talk with our sponsors, have a more coordinated fundraising efforts. So another action in this kind of ties in with making donations easier is working with SPI to enable donations via PayPal. There was a long discussion late last year with SPI members and it was kind of agreed that if we follow a certain set of conditions that they'd be okay if you know SPI could enable PayPal donations for member organizations. One of the things we wanted is a little more control over that process. So we would be having a separate bank account tied to a PayPal sub-account and things like that. But that's going to take some work doing. The royalty scheme, could you talk about that? Yeah, so that's an editor who published a Debian book and they're interested in setting up a royalty scheme. Actually what they asked for is a mention of the book on the Debian website which we already offer to all books about Debian. And based on, well, if we do that, which is easy to do, they agree to give a small percentage of revenue from the book. But that's really small percentage. So we have documents to fill about that. I don't think that's particularly urgent, but still if someone should do it at some point. The last point is actually linked. Well, you can talk about cryptocurrencies. You were the one doing it. Okay, so we were kind of, at some point we were wondering if it would be legal to accept cryptocurrency donations or if it is legal how to go about it. And we talked to SFLC who's our legal advisors through SPI. And originally they kind of didn't get back to us, but it looks like the laws have been clarified in the United States at least over the past year. And they're like, yeah, go for it. No big deal. So we're kind of, I don't prioritize it as highly as like say PayPal or other things, but it would be nice to be able to accept Bitcoin and perhaps other cryptocurrency donations. But we still have to sort out how logistically we want to do it. Do we want to work with third party payment processor? Do we want to accept the donations directly? Do we want to have a rule that as soon as they come in, they're converted into some sort of fiat, things like that. I don't want to get too caught up on this particular bullet because I think it is not going to make up a substantial amount of Debian revenue. So, but I think it's okay to look at it. So, I'll go on. So actually the to-do list was split into incoming is getting money in outgoing, improving our way to spend money and then status, I think. So, this is a, if you want to talk about these two bullets. Yeah, so Debian uses several trusted organizations to handle our funds. So we have different reimbursement procedures depending on the trusted organization. The goal of this item is to streamline all of it, document all people should proceed to request reimbursements because it tends to work quite well, but it's a bit ad hoc and sometimes there are reimbursement requests that just get lost and then, well, the person needs to ping again after some time to get reimbursed. And that's not really nice, especially when it's a high large amount of money involved. Great. So, the second item is about, we have a Debian Visa card provided by SPI. It was initially created because we needed to open an account on Amazon Web Services. The problem is the way the type of card it is apparently is not accepted by Amazon. I'm not sure of the details. I think it was a refillable card. I think that was the issue. That's something we don't have in Europe. So, we need to probably to speak with, we should talk to SPI people about it to see if it's possible to get another card because DSA, for example, is very interested in being able to spend money using a credit card because currently DSA members have to pay themselves and then get reimbursed. They do that all the time. So, yes, we need to find a solution either improve on the SPI Visa card or find another solution to get a credit card using possibly another trusted organization. If Debian CH is interested. Well, we already have the PayPal account. The actual PayPal account. Yeah, but you cannot really pay for hardware using PayPal. So, I just want to take a break. Does anybody have any questions about what we've gone over so far? Yeah, let's make this a discussion. Yeah, currently when looking at the donations page, www.debian.org, it says donation via a software and public interest and not donation via any of the trusted organizations. That's one of the issues. Yeah, but I think we should more streamline that website to show that it's not only possible to donate via SPI, but through all of the trusted organizations. That's one issue. And the other one I would like to... Currently, the donations are not shown on the webpage. Historically, there was some discussion about, well, if a student comes and buys two terabyte disks, that's probably quite much for a student to pay, but compared to that, it's nothing for a company to pay. I would like to establish some certain donation levels so that we can make it way more visible to the public who donated how much money, because that will probably also attract quite a lot of donors, big companies to donate money to the Debian project. Are you interested in working on that yourself? I mean, that's a big problem with everything auditor-related, that it's not something that is of interest to many Debian contributors. So clearly are under power. But if you're interested in working on that, yeah. Probably reason should just agree on some sponsorship levels and then just set it up, I think. For example, if you look at the Free Beals Defundation webpage, it has a quite nice, good overview, even down to five US dollar donations to who donated how much money. And once we agreed on those sponsorship levels, we should just make that page. Who would be making that page? Well, I would be willing to help with my web team. Then there's a problem of automatically getting informed of donations to update the page, and you don't want to do it manually for five dollars donation because it means doing it on a daily basis almost. Feel free to... Maybe we should write things down during the... Yeah, but I'm standing. Okay, I can put it in... Did you? You have a secret. Okay, so let me just add a section at the bottom right here. Updates from DC14. Donations page. Where did I miss that up now? Donations page. Add other TOs. Just to give an idea, there have been about 200 credit card donations since the beginning of 2014. So it's really about daily updates. So one of the things, when I talked about the streamlining earlier, it is unrelated to the SPI thing where it sends you to the page that has the big list of all the SPI projects. We went away where you just have a form, you select an amount or fill an amount and click donate, and it does it... SPI does work with a third-party payment processor that can support it, but it's another default one. And we also want to add a couple of options for payment processors. But that can come there. So where are we? Status? Yeah. So I can talk about that. So from my point of view, it's actually quite hard to make decisions about the use of Debian funds because we have no global overview of Debian finances, especially over time. I've been working on... I've not finished, but I have two days to finish it before my talk on Thursday, so I'm confident I will be able to present things. So I'm not really going to present results yet, but at least this is mostly done from my point of view. It's not really about strictly doing accounting of what went through, but at least I have an idea of what's going on taking a step back. The second item is we now have a list of criteria for trusted organizations. Four trusted organizations went through the process of answering the questions and were approved. Debian CH is missing. DDA is working on that. Yeah. It doesn't help. Yeah. Then the following action item... Well, related to... I mean, after the TO evaluation, the next thing to work on is actually making sure that we have all we need in terms of remote access to account. For example, for FIS, we have a really nice web page to list everything going on. For SPI, we don't have that. For Debian CH, we don't know if we will get that for Debian and France as well. So that's really something to clarify. Yeah. Also related to that, we need to document the list of trusted organizations. That's easy. It's just about website updates, but it seems to be done. It currently is documented in the Wiki, but he's talking about putting it in... Yeah, something similar to the Debian organization page, at least all delegation. Okay, sure. I guess the changes of me being a member of the auditor team is relatively new. The delegation is... Me and Philip are not part of the delegation yet. That's all that is about. Yeah, it's also about thinking about what's really the role of the auditor team, because it might have evolved a bit since the original delegation. It's not really auditors anymore. Yeah. It's not really auditors anymore. It's more money-managing, whatever. It's not an external point of view, just to verify that things are, which I think is what the auditor word means, but maybe I'm wrong. Bookkeeping. Bookkeeping, yeah. Treasure. The monitor. So who actually makes the policy decisions about what companies to accept money from, whether to use any particular PayPal, for example, as a conduit for the money, is that done by this group, or is it done by another group and you're simply acting as an auditing organism? So the DPL is in charge of making the policy decisions about how to spend and accept money together with... Well, I use the auditor as an advisory board. There are some constraints coming from trusted organizations. Status of the trusted organization. Not every TO can accept every kind of money, for example, but we need to be careful about that. So I've been caught a lot of discussions in the US, which I admit I haven't followed in deep detail about organizations like SPI risking losing their non-profit status. So, yeah. We need to be careful about these kinds of things. I'll just add a point about that. We've had quite heated discussions last year with StepCon sponsoring about from whom we can accept money. And there was one discussion about an evil tobacco company. And basically, I think the baseline we finally agreed upon is that money is money. With one caveat. If you're willing to work on it and accept the money, we probably won't. I think you've just answered my question. If the policy decision is money is money, then you're telling me what the rule of thumb is. That's of some concern to me, but maybe I'm in the wrong DOF. Well, also money can have no strings attached. Other than what we offer as sponsorship benefits for any other questions? How are we dealing with big money donations where the donator does not want to be listed? Currently, it's not a problem. I think that a donator should have the option of not being listed. We had quite... So digging through credit card donations history, we had some surprising donations from people that I didn't know them. Because the auditor and auditor's team and the DPL get notifications of credit card donations, so they are aware of who is donating. I can add there has been a history of anonymous donations in the past, but not very large ones. They typically are dealt with a case-by-case basis. So, trademark? Yeah, basically, there's two books in one. The first half is about auditor. So if I have no other questions, we can move to trademark or comments. Okay. So I'm also on the trademark team. The other two members of the trademark team are not here, unfortunately, but we'll just... The Debian wordmark is a registered trademark in the United States, and it's also extended to international coverage through the Madrid protocol in... I'm going to have to say this from memory, but the... Basically, the Europe... Can you build this in Japan? Sure. I think Japan, China, and the UK are the other three. EU... Yeah, EU, full coverage. Okay. Yeah. So currently, our job is basically... Any questions about the trademark? Debian itself? We field email questions. Typically, the questions are, hey, can I use your trademark to say Debian is cool? Anything like that. A lot of the trademarks are covered under existing trademark policy under what is allowed. There's a section of what is allowed, what isn't allowed. We have a fairly liberal trademark policy that allows people to make t-shirts, hats, whatever paraphernalia they want with Debian branded. You can use it in fair use. Debian is an operating system based on a Linux kernel, blah, blah, blah. However, I do not... And it's pretty much what isn't allowed. If I recall, the main thing that isn't allowed is you can't use Debian in your domain name. And we are formulating... One of our to-do lists is to define policies for handling these domain names. We kind of have some working on some informal rules of thumbs of how to handle... Basically, if it's not allowed, you have to ask. So that's what the policy says. But when people ask, we're still sorting out what the answers are. Like, if it's Debian dot whatever, do we even allow those to be held by anybody but a trusted organization of Debian? We have approved certain things like Debian fan... Not literally, but Debian fan club Europe.com or something like that. There's some conditions that go with it. You have to agree that this is a limited license and you have to display the SPI... That SPI owns the trademark and things like that. But if you're... If you have any... Currently, the... Oh, so in a recent achievement, we do have the logo under registration domestically in the United States. There's some further work that needs to be done there before we can go for Madrid protocol protection. But do you understand that because it is a somewhat well-known mark, we do have common law protection in most jurisdictions that recognize Madrid protocol. So... Right now, the trademark team is an informal team reporting to the DPL. It has not been delegated and that's one of our action items. And then this was... The inbound trademark policy involved how do we deal with third-party trademarks like Mozilla and Apache and other things like that. And so that has been on the trademark teams played, but it's recently been asked if we'd look at it. So... Any questions? So currently looking at the Vipo website, that's China, European Union, UK and Japan. But I think there are also other... Well, there are other countries especially in the Asian region which is currently quite evolving what free software is about. So... Would it make sense to extend the Madrid protocol to those countries as well, if possible? And... I don't know how many Asian countries are covered by the Madrid protocol. I mean, I know Japan and China, but I don't know how many others. So the answer is perhaps... I believe that you could come to the trademark team with a proposal for a particular country with a case that we should extend our trademark there and we would kind of make our recommendation to the Debian project leader whether or not we felt it made sense. So... I mean, there's cost benefits, things like that, yeah. The other thing about domain names let's go back to... There's also all the Debian.something domain names. Currently, we deal with them on a hard dog basis. We don't really have rules about what to do with them. Basically, what we do is when we get the chance to to get back Debian.tld domain for major tld which we make what's necessary to get it but then the definition of major is a bit blurry and we cannot clearly, I'm not interested in getting all of them. That would be a waste of money. We were quite aggressive about Debian.eu The fact was that the Debian.eu domain was pointing to a Microsoft hosting website from a domain grabber so DSA at one point I think talked to Stefano told him about and he informed the trademark team and the trademark team asked SPI to help handling that request together with the software freedom law center who then wrote several letters to the domain grabber and in the end we tried to get there for the EU domain there is some sort of council where you can bring up trademark issues but the fee for handling via this office was higher than just giving the amount of money the domain grabber wanted in the end. So I read that discussion and clearly we don't want to go through that process for every minor GLD just be crazy Also the other related question is what to do with those domains currently they point to the Debian website Do we want to use them for local groups? In some cases if the group is clearly recognized as a local Debian representative group for example Debian.ch is one example where the GLD domain is not owned by OTO yet I mean Debian.ch is going to become a trusted organization but it could be different What do we do about websites? It's becoming kind of the running joke but it's useful to mention that Debian.ch is de facto already a TO because it's doing reimbursements in the name of Debian for some people so we will do this procedure but share it all I'm one voice of many but I personally believe that all Debian.star domains that we care about should be owned by TOs or held by TOs Descending opinions welcome And if you are owner of a Debian.ch whatever TLD domain and want the TO to hold speak up to the DPL or to the trademark team and we encourage you to move your Debian.ch whatever domain under SPI or FFIS or Debian France Any other questions? I think we can wrap Oh I just want to add my wife Marianne has agreed to attend this buff and she's been practicing US trademark for 25 years so if you have any actual trademark questions that are beyond Debian and they're just generic law questions she'd be happy to answer them Okay Thank you for attending