Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Making community decisions in the absence of consensus George Dunlap XenProject Committer
[thinking ahead]
The Issue
XenProject Security Process • A well-known place to report vulnerabilities • A structured way of announcing vulnerabilitie...
Pre-disclosure
XSA-7: Intel SYSRET
Discussion goals • Find the best solution • Do it in a way which everyone felt their voice was heard
ONE Make sure you have a fall-back in case consensus can’t be reached
Process isn’t necessary — until it is
ONE Make sure you have a fall-back in case consensus can’t be reached
TWO Have an online discussion but don’t stop there.
Online discussions are great for… • Identifying important factors • Clarifying thinking • Exploring possible solutions • U...
Online discussion: Weaknesses • Favor people who… • Like to argue • Are articulate, have a high command of English, or typ...
Social factors and silent argument : Debian systemd discussion
TWO Have an online discussion but don’t stop there.
THREE Summarize the major positions and hold a five-point survey
Four options • No pre-disclosure • Pre disclosure to software providers only • Pre disclosure to software providers and a ...
Five-point survey • Based on “Identify the Champion” • For each option, ask people to rate it: • This is a great idea, and...
Further details • “Other options / comments” box • Anonymous or named? • Allow anonymous votes but say votes with a name a...
Outcome • 33 survey responses • Only 4 anonymous votes • Other 29 were a good mix: • Developers • Distributions • Both lar...
FOUR Look for the “center of gravity”
Things to look for • Good: Total approval vs total opposition • Bad: Polarized options, particularly divided by sub-group ...
No pre-disclosure This is a great idea Happy with this idea Not happy with this idea This is a terrible idea No opinion 0 ...
Software providers only This is a great idea Happy with this idea Not happy with this idea This is a terrible idea No opin...
Software and large cloud providers This is a great idea Happy with this idea Not happy with this idea This is a terrible i...
Software and all cloud providers This is a great idea Happy with this idea Not happy with this idea This is a terrible ide...
FIVE Write up a concrete proposal
Recap • Make sure you have a fall-back if consensus fails • Have on online discussion, but don’t stop there • Summarize th...
Questions Comments / criticism: George Dunlap <george.dunlap@citrix.com> References: XenProject Security Policy (including...
OSSEU18: Making Decisions without Consensus - George Dunlap, Citrix
OSSEU18: Making Decisions without Consensus - George Dunlap, Citrix
OSSEU18: Making Decisions without Consensus - George Dunlap, Citrix
OSSEU18: Making Decisions without Consensus - George Dunlap, Citrix
Upcoming SlideShare
Loading in …5
×

OSSEU18: Making Decisions without Consensus - George Dunlap, Citrix

57 views

Published on

Healthy open-source communities usually include a wide range of people with very different ideologies, goals, values, and points of view; from anarchists to CEOs of major corporations. The normal approach for making decisions that affect the entire community should be an attempt to reach consensus through discussion. But what if you're attempting to make a decision which is critically important, but for which you know there are irreconcilable differences in the community?

The XenProject community had such a decision to make in the wake of the XSA-7 security issue. This talk will cover the approach we took which (we think) allowed us to find a "center of gravity" for the community, and allowed everyone to feel that their viewpoint was considered, in the spite of the lack of any option with clear consensus. We hope this will help other communities navigate similarly difficult waters.

Published in: Technology
no profile picture user

  • Be the first to comment

  • Be the first to like this

OSSEU18: Making Decisions without Consensus - George Dunlap, Citrix

  1. 1. Making community decisions in the absence of consensus George Dunlap XenProject Committer
  2. 2. [thinking ahead]
  3. 3. The Issue
  4. 4. XenProject Security Process • A well-known place to report vulnerabilities • A structured way of announcing vulnerabilities to users • A pre-disclosure list
  5. 5. Pre-disclosure
  6. 6. XSA-7: Intel SYSRET
  7. 7. Discussion goals • Find the best solution • Do it in a way which everyone felt their voice was heard
  8. 8. ONE Make sure you have a fall-back in case consensus can’t be reached
  9. 9. Process isn’t necessary — until it is
  10. 10. ONE Make sure you have a fall-back in case consensus can’t be reached
  11. 11. TWO Have an online discussion but don’t stop there.
  12. 12. Online discussions are great for… • Identifying important factors • Clarifying thinking • Exploring possible solutions • Understanding implications, pros and cons of different options
  13. 13. Online discussion: Weaknesses • Favor people who… • Like to argue • Are articulate, have a high command of English, or type quickly • Sociological: Favor people who… • Feel like they’re in the “in” crowd • Think their opinion will be popular • Hide silent agreement
  14. 14. Social factors and silent argument : Debian systemd discussion
  15. 15. TWO Have an online discussion but don’t stop there.
  16. 16. THREE Summarize the major positions and hold a five-point survey
  17. 17. Four options • No pre-disclosure • Pre disclosure to software providers only • Pre disclosure to software providers and a small number of public cloud providers • Pre disclosure to software providers most public cloud providers
  18. 18. Five-point survey • Based on “Identify the Champion” • For each option, ask people to rate it: • This is a great idea, and I would argue for it • I am happy with this idea, but I would not argue for it • I am not happy with this idea, but I would not argue against it • This is a terrible idea, and I would argue against it • No opinion
  19. 19. Further details • “Other options / comments” box • Anonymous or named? • Allow anonymous votes but say votes with a name attached would be given more weight • Two-week survey window, announced publicly
  20. 20. Outcome • 33 survey responses • Only 4 anonymous votes • Other 29 were a good mix: • Developers • Distributions • Both large and small cloud providers
  21. 21. FOUR Look for the “center of gravity”
  22. 22. Things to look for • Good: Total approval vs total opposition • Bad: Polarized options, particularly divided by sub-group • Good: Options that are opposed for opposite reasons
  23. 23. No pre-disclosure This is a great idea Happy with this idea Not happy with this idea This is a terrible idea No opinion 0 5 10 15
  24. 24. Software providers only This is a great idea Happy with this idea Not happy with this idea This is a terrible idea No opinion 0 5 10 15
  25. 25. Software and large cloud providers This is a great idea Happy with this idea Not happy with this idea This is a terrible idea No opinion 0 5 10 15
  26. 26. Software and all cloud providers This is a great idea Happy with this idea Not happy with this idea This is a terrible idea No opinion 0 5 10 15
  27. 27. FIVE Write up a concrete proposal
  28. 28. Recap • Make sure you have a fall-back if consensus fails • Have on online discussion, but don’t stop there • Summarize the major options and run a five-point survey • Analyze the data to find the “center of gravity” • Make a concrete proposal based on the findings
  29. 29. Questions Comments / criticism: George Dunlap <george.dunlap@citrix.com> References: XenProject Security Policy (including pre-disclosure list) https://www.xenproject.org/security-policy.html Identify the Champion http://scg.unibe.ch/download/champion/

×