[20:00:22] Let's start the meeting.
[20:00:34] Welcome to the monthly meeting of DCNF, it's 2016-03-06.
[20:01:02] For simplicity's sake, I will be the chairman and Crise has agreed to act as secretary (regardless if he's currently here).
[20:01:08] What we do need is a head count.
[20:01:11] So just state your name
[20:01:13] Pretorian
[20:01:16] cologic
[20:01:34] poy!
[20:01:38] State your name
[20:01:49] poy
[20:01:52] Goodie.
[20:02:03] hello!
[20:02:06] Let's continue.
[20:02:07] Hey.
[20:03:16] There's a few items from the last meeting; * E-mail to the EFF * GitLab accounts etc * Attacks management * HTTPS * +about and +rules
[20:03:29] Let's go through each of them, and then we can take additional actions/items that we shall discuss/do
[20:03:38] * E-mail to the EFF
[20:04:05] I have received the cleared up version from cologic, but I have not had the ability to provide an updated mail/draft, and as such I have unfortunately not sent it.
[20:04:31] It is very much my intention to do this this coming week (no particular activities after work).
[20:04:44] I implore everyone to poke me/harass me until it is done.
[20:04:54] If anyone has any comment, feel free to speak up.
[20:05:00] (here)
[20:05:04] Ah, good.
[20:05:42] If people have no comment on the EFF thing (besides rightfully chastising me for not doing it), I suggest we move on.
[20:05:54] do you have plans on tracking responses to the email? maybe use the dcbase list email?
[20:06:09] Yes, that was my intention.
[20:06:18] Or at least add the dcbase list email as a CC.
[20:06:20] or you could forward us / archive them the emails somehow? :)
[20:06:28] -them*
[20:06:28] Yes, indeed, of course.
[20:06:42] sounds great.
[20:06:51] I hadn't specifically thought about that, but you are correct that this should be recorded/archived appropriately.
[20:07:04] But good to bring it up.
[20:07:38] I will add the responses to the forum (or as links to the main webpage) as well.
[20:07:49] Any other comments/questions?
[20:08:29] I'll take that as a no.
[20:08:43] Let's continue (we can go back if someone thinks of another comment)
[20:08:47] * "Create accounts and projects for the organization on the GitLab.com service for further progress on using git with the organization's website."
[20:08:59] It is unclear who has this task, Crise perhaps?
[20:09:08] *I* have not done this at least, FWIW.
[20:09:22] Crise: Comment?
[20:09:44] Yeah, Crise discussed this last meeting at least.
[20:10:21] Unless this is set up already, I'd propose that Crise does this.
[20:10:34] I have yet to do this, I will set them up immediately following this meeting... do we have an email I can use. They send few messages to it so I was hesitant to do so using the forwarding address
[20:11:12] Crise: Do you have access to Loopia? Because you can just create an appropriate mail forwarding address there.
[20:11:21] If you do not, I can set that up.
[20:11:45] Preferably any and all services should have a unique mail.
[20:12:13] I suppose one could use dcbase+git@dcbase.org but I'm unsure how the provider can handle that.
[20:12:57] I don't recall, as far as loopia specifically, if the organization has a gmail equivalent address we can use the +alias trick to do this
[20:14:16] I'll set it up after this meeting.
[20:14:36] thanks, other than that no further comments at this point
[20:14:41] Ok, good.
[20:14:43] Let's move on.
[20:14:44] if you can't get an "org email" to work, the more common method is to register the projects with your own account, then add other DCNF people into a "team" allowed to administer the projects...
[20:15:42] eg what we have on launchpad.
[20:15:48] Yeah, true.
[20:16:05] Let's try with the org email and fall back to individual registration/team.
[20:16:31] * Attacks
[20:16:37] (Next item)
[20:16:55] There is an issue with the organization getting attacked by various parties.
[20:17:25] It is yet unclear who it is, although there are suspicions (I won't name them here now)
[20:17:34] Now, what can we do for this?
[20:17:38] (Open comment floor)
[20:18:00] I had to investigate "IRC cloaks" / alternate chatting solutions but haven't done so, sorry. Will do soon if you can bear with me...
[20:18:31] eMTee provided a link to
[20:18:49] I set up an account, but there has not been any response.
[20:18:51] freenode website was down since I last checked so perhaps it is easiest to default back to iceman's comments on cloaks from last meeting
[20:18:53] They need to approve of the org.
[20:19:10] Otherwise Project Shield should be ideal.
[20:19:20] At least for meetings.
[20:19:56] Are there other recourses we can take?
[20:20:17] re: attacks in general, my immediate reaction would be to move the hub off of the OVH server, as that is the only place that actually exposes the IP for a potential attacker right now
[20:20:56] Perhaps also the hub should be changed to not forward the IP addresses of users (since we have personally been attacked as well).
[20:20:58] where would you move it?
[20:21:36] yup, OVH has some anti-DDOS system that always detects the attacks when we have our meetings; so just not displaying users' IPs might be enough.
[20:22:03] Huh, https://freenode.net/ does read simply as "Making freenode great again... -- New website coming soon!" with a link to an introspective blog post. Odd.
[20:22:13] cologic: Yeah, I noticed that as well today.
[20:23:16] I don't know as far as moving the hub, it sucks that we can't freely use the OVH server to say the least... but unfortunately I doubt regardless of what we do neither google's project shield or cloudflare can actually protect the server as long as the hub is on it, or am I mistaken?
[20:23:36] poy: Can you take it upon yourself to make the change to the INF I4?
[20:23:55] (At least for non-OP users)
[20:24:04] hehe I was thinking of doing this the right way, yes...
[20:24:15] Crise: my first read is that it's for websites, which aren't really the main vulnerable point of the OVH server due to CloudFlare already being pretty effective. Am I mistaken?
[20:24:33] you would be correct
[20:25:51] So we need to protect the following: individuals (members), the website and the hub (or any other service we provide).
[20:26:09] Each of those things is protected by different approaches.
[20:26:28] Individuals, at first at least, is to not forward the INF's I4.
[20:26:39] The website should be fairly OK since we have CloudFlare.
[20:26:42] Individuals should be protectable via poy's changes, CloudFlare protects the website, and I'm not sure if/how the hub itself can be protected.
[20:27:57] I am still unsure of *how* we are being attacked. Whether it's DC originated (i.e. NMDC hubs/CTMs or equivalent) or if it's other venues (SYN attacks etc).
[20:28:10] Does anyone know?
[20:28:27] the hub probably can't be protected per se... since we are limited on options and do not know the specifics, what we can discuss is how to make it so that the hub being attacked does not impact the other services
[20:28:31] haven't logged anything, nope. could be interesting.
[20:29:00] Can we set up something on the server to log all traffic?
[20:29:41] Initially, I guess, to log per OVH management and to log within the system installation.
[20:31:09] I will see if I can find something in the OVH management regarding logging.
[20:31:49] People should think of ways on how to log themselves so we can trace the source/DDoS content.
[20:32:36] I think it is only really possible to protect the hub if we know the source.
[20:32:45] agreed
[20:33:21] All right, let's defer the specific solution to attacks to the hub in lieu of source information.
[20:33:39] Let's continue, unless people had more to discuss.
[20:34:02] (I am trying to move the meeting somewhat pacefully, I know people have stuff to do/have limited time.)
[20:34:35] * HTTPS management
[20:34:45] cologic, how has that progressed?
[20:35:08] What is left? The management of re-acquiring the certificate?
[20:35:37] Still in ongoing management -- kept things updated enough to run. Haven't set up automatic key renewal, but will do that, yes.
[20:35:43] (open discussion floor, I guess)
[20:35:59] Ok, so that's what's left?
[20:36:19] I believe that is on a 90 day timer correct, judging from cologic's statement that has been reset to when exactly?
[20:36:21] Do you need any further information to progress in that?
[20:36:29] Crise: yes.
[20:37:18] Pretorian: I think I have the relevant information. If I need any more, I'll ask, probably, Crise.
[20:37:46] ok, I'll try to be available if needed in that case
[20:38:02] Great, let's move on.
[20:38:14] * We need updated +rules and +about
[20:38:29] I think poy looked into it after the last meeting, no?
[20:39:25] What was the last state of it?
[20:39:34] I tried to make it work with a script that needed a Lua "lfs" lib but failed.
[20:40:01] I'm not sure whether it has ever worked on a Linux install...
[20:40:55] would be cleaner, anyway, to do this with a proper ADCH++ script.
[20:41:44] Can't we simply do it in the same way as +history or the motd is done?
[20:42:08] Because they work now fine.
[20:42:29] yup, what I meant. ^ with a user command to show them again.
[20:42:30] Since the functionality should simply be to report back a particular file's content.
[20:42:33] Yeah
[20:43:10] Please look into it, you're probably the best person for this.
[20:43:30] If you don't make any headway after, say, the 20th, let me know and I'll take a stab at it.
[20:43:31] sure.
[20:43:50] Ok, let's move on.
[20:44:21] That concludes all the items from the past meeting.
[20:44:39] If you have additional things you want to address, please state them now (numbered please)
[20:45:22] * Pretorian 1: Tax papers arrived * Pretorian 2: .SE domain registrant project funding
[20:47:02] (I'll continue with Pretorian-1, people can continue to state their own items)
[20:47:10] Crise 1: Does the discussion on attacks warrant delaying the public availability of protocol and logs documents for this meeting? Also, do I need to note the way this meeting was held
[20:47:33] * Tax papers arrived
[20:47:39] I have received tax forms for the organization, please see for an equivalent online copy. What was automatically filled in was the organization number (organisationsnummer), taxation year (räkenskapsår), address information and the dates (from = från och med, from and including; tom = till och med, to and including) (2015-01-26 - 2015-12-31). There is another page that is not included in the above PDF, which is a page that says "Time to provide tax declaration". This page is in (couldn't find one for 2015). The main page's table is in the page I received. This table is translated here; (copy/paste to e.g. Excel for the tabbing) The document we *want* to submit is INK3SU, since it is much more sparse and applies to us. However, the requirements (the table above) lists are somewhat cumbersome and I will need to investigate further if we actually abide by them. I am intending to schedule a meeting with them, so I can get it sorted out directly with them, since it's really dense information. The last filing date of the tax declaration is 2016-07-01, so there is time to do this correctly. For electronic filing of appendixes (extra documents etc) 2016-08-01 applies.
[20:48:00] (wall of text, I'll let people read it for a few minutes, and then it is up for discussion)
[20:49:54] As much as I generally consider myself competent to read through tax forms, tax forms in Swedish are, alas, slightly beyond my immediate comprehension.
[20:50:33] But, yes, I see where the dates you talk about come from.
[20:50:33] I don't really have previous experience with *these* types of tax forms, so you're not alone in such sentiment.
[20:51:10] The main thing is to make sure in which category we fall into, as it dictates which document we need to fill out.
[20:51:42] https://www.dcbase.org/resources/files/taxation/income_declaration_help_2014_swedish.pdf seems to be about a juridisk person, which is DCNF, correct?
[20:51:47] If we only need to fill out the one I want to, INK3SU, then I can do this fairly OK (although I still need to do it together with another one).
[20:52:00] Yes, juridisk person == legal person/entity
[20:52:10] Basically the organization number is that entity.
[20:53:01] "To be considered a legal entity for a non-profit org, you need to have set by-laws and chosen a board. etc etc"
[20:53:16] Basically it is what we did last year when we filed for an org number.
[20:53:25] I will say this, the instruction sheet is much shorter than the equivalent IRS instruction sheets, which are often 50+ pages.
[20:53:52] In the first link, we *have to* fill out the first page.
[20:54:03] Then it is up to the table/category to fill out the remaining document(s).
[20:54:39] And I want to fill out the second/third page INK3SU since it is most apt for us.
[20:54:41] But, I see also why you describe how there are the various ruta sections that presumably need to be all navigated properly with respect specifically to DCNF.
[20:55:02] Or, rather, describe how to properly fill things out, and have questions which need to be answered/classified properly.
[20:55:32] Yep.
[20:55:43] The table is the most important one as it dictates what we should submit.
[20:56:25] The thing is that the other documents (INK3S, INK3R etc) do not really fall into the same "type" of org we have, with members etc.
[20:56:41] Also, those documents also indicate that we have assets in terms of real estate etc.
[20:56:45] Which we clearly do not.
[20:57:11] They are simply not applicable for DCNF.
[20:57:22] But it requires that we fulfill the requirements as stated in the table.
[20:57:35] These all sound like the kind of questions the Swedish tax office would be best-qualified to answer. I have a hard time believing the DCNF is a terribly exotic organization structure in terms of membership and assets.
[20:57:36] Those requirements are in the second link.
[20:57:42] Indeed.
[20:57:51] Like I said, I want to schedule a meeting with them.
[20:58:05] But I want to stress that there is no hurry in getting this done.
[20:58:22] We should (must) do it, but not "now now".
[20:59:08] Please check through the documents and let me know what Google translate has trouble translating. Unless it's any and all documents... :P
[20:59:19] I mean, these are questions I couldn't easily intuitively read other English-speaking tax countries' instruction forms and easily fill out, because they're just semi-arbitrary legal and bureaucratic classifications. I happen to know the US delineations for many of these things, but there's no reason to expect them to be intuitive or all that similar in detail in other legal systems.
[21:00:16] I shall note that it is NOT my intention of submitting this so we are tax exempt.
[21:00:30] Ah, Google translate does work on URLs to PDFs. Had never tried that.
[21:00:36] Tax exemption is secondary, in my opinion, and just a positive if we are considered that.
[21:00:44] Not great formatting, but it translates surprisingly well.
[21:01:04] So, 4 categories, and we need to pick one, is that correct?
[21:01:15] Yes.
[21:01:32] Because the category basically says "submit these documents"
[21:01:41] And we can ignore the other documents.
[21:01:58] What does it mean by "compound"? ("förening som endast")
[21:02:07] Uhm, where?
[21:02:36] In the 4-category table. e.g., Charitable nonprofit * compound only taxed Special payroll tax return tax or property tax.
The same compounds as above but which have employees or owning
[21:03:19] Use as it is my personal best effort translation.
[21:03:39] That specific translation you have is wrong.
[21:03:43] Oh, that is better, yes.
[21:04:12] (tab separated so paste into something that can properly separate it, such as Excel)
[21:04:59] I'd say probably category 4, the only non-publicly useful one? But this is an example of where I'm not sure if that publicly useful phrase means something really specific in Sweden (e.g., in US tax law, a "nonprofit organization" is a highly technical thing. So is a "Religious organization", in its definition.)
[21:06:01] I see that and see some kind of charitable, philanthropic, etc goal, which I'm not sure the DCNF has, but if 3 of the 4 categories are publicly useful, that suggests it has a fairly broad meaning in Swedish law.
[21:06:04] The issue is that that category has documents that are almost for companies...
[21:06:26] Also, bunch of references to actual tangible assets.
[21:06:57] Ah, that's what you were referring to before. Okay, what does publicly useful mean?
[21:07:10] See the asterisk, bottom part.
[21:07:16] Oh, right.
[21:07:43] So it is up to us, I guess, to attempt to fulfill those requirements or at least argue that we do.
[21:08:14] Openness requirement we fulfill right off the bat, by the way, per the bylaws (can't discriminate against people joining).
[21:08:23] Yeah. "The organization also cannot operate for its members or other people's economic interests." should be reasonable at least.
[21:08:47] Those specific requirements are specified in the help PDF on page 3, 4 and 5.
[21:09:13] It's just that when I see that sort of broad requirement, it's so easy to argue economic self-interest either way for, well, a lot of things.
[21:09:25] We actually also might be exempt from certain documents because we have so little money.
[21:09:49] It's not literally a profit-making organization which does business, but...
[21:10:24] As people can't randomly get private money, it's all fine.
[21:10:24] Pretorian: they don't have English versions of these documents... I find that a bit odd in this day and age? I mean surely Sweden has immigrants that do not speak Swedish
[21:10:42] Crise: I know I know, I tried to find it but couldn't.
[21:10:52] Crise: It is otherwise my intention to get it.
[21:11:01] Crise: maybe enticing them with the ability to read tax instructions is how they convince people to learn Swedish.
[21:11:12] Hm, perhaps I should phone them tomorrow about an English translation.
[21:11:48] My read of the translation of the completion requirement is that basically, less than 20% overhead on non-goal-oriented activities. DCNF should easily qualify, since no salaries, real estate, etc.
[21:12:08] We can have salaries, mind you.
[21:12:27] Okay, but right now, we don't. For what tax period does this apply?
[21:12:35] last year.
[21:12:45] Whatever we do this year is moot.
[21:12:47] And if that changes, is it easy enough to change the organization type or is that kind of set?
[21:13:01] You mean category?
[21:13:02] So one year, category 4, another year, category 2.
[21:13:06] Yes, that's fine.
[21:13:38] Okay, so maybe next year, salaries will be an issue, but I don't see how they are this year (well, for the 2015 tax year).
[21:14:01] Salaries don't need to be an issue.
[21:14:22] It does not violate the personal monetary gain statements.
[21:14:51] At least, from my understanding when we filed for the org; I checked this then at least.
[21:15:10] Well, maybe I'm not reading this properly (probably, since it's Google's translation of a PDF), but " purpose. With reasonable extent provided approximately 80 per cent" of the organization's revenue must be used for the public good purpose?
[21:15:33] But, that goes back to what the public good purpose is -- I can see that salaries could easily be argued to qualify.
[21:15:54] [off for 1h.
was looking into blocking I4 / I6 but it's quite hard (ADCH++ does not go through the scripting event handlers when dispatching INFs).]
[21:16:18] If the salaries are to have people employed (to fulfill the tasks of the org), then it's considered for the public good.
[21:16:26] (I think)
[21:16:26] This is sort of what I mean by navigating fairly technical terminology. Even in Swedish, I doubt the literal words are that complicated, but they're used quite precisely and with a specific technical meaning I have no intuition of.
[21:16:54] (Again to use the example I'm familiar with, "nonprofits" in the US can have something that looks a lot like profit.)
[21:17:52] So, those requirements for "Non-profit organization without publicly useful operations that has taxation required incomes Organization that are not publicly useful like e.g. union organizations or trade associations Main document and appendix INK3R and INK3S or appendix INK3K" look plausible to me so far.
[21:18:20] But that you said was almost like a company
[21:18:25] Yes, the text in the table applies to us, but the documents, in my opinion, do not.
[21:18:45] Category 3 applies to people renting out real estate.
[21:19:14] Category 2 is I guess investment and/or real estate organizations? Anyway, if not category 4, category 1 looks closest.
[21:19:32] Yup, that's my view as well.
[21:19:51] I will phone them and see if they have this in English.
[21:20:29] Anyway, let's continue.
[21:20:48] (so we don't remain here)
[21:20:58] Yeah, sounds good.
[21:20:58] people can look through those documents later, I guess
[21:21:13] * Pretorian 2: .SE domain registrant project funding
[21:21:25] I have noted this before, but I figured it'd be good to have it official. is a project started by the .SE domain registrar
[21:21:55] They periodically, twice a year, give out grants (up to 230k SEK) to people/organizations to do a project.
[21:22:23] I would like everyone to provide at least one such project suggestion (preferably more) by the next meeting.
[21:22:30] E.g., "build a mobile app"
[21:23:44] I have no further comment for this, unless others have comments?
[21:24:00] (check around the website for the past projects)
[21:24:14] Seems reasonable, but, no, I don't have specific comments at this time.
[21:24:34] Oki, let's continue.
[21:24:43] Crise 1: Does the discussion on attacks warrant delaying the public availability of protocol and logs documents for this meeting? Also, do I need to note the way this meeting was held
[21:26:01] Mostly this is about setting a consistent way of handling closed meetings like this or meetings with subject matter that might not be a good idea to make public before it has been acted on
[21:26:34] In my opinion the public availability of logs should be immediate (i.e, as soon as we complete them). I think an appropriate note should be in the *attacks section, something like "Due to previous attacks and concerns for one during this meeting, the board decided to have the meeting in a temporary location. It is the intention of the board that this will change to the official one"
[21:27:26] No objections. I do like the nod to the intention of openness, even if the technical infrastructure isn't yet there.
[21:28:30] Exactly.
[21:28:31] I agree, but let's pose a hypothetical in which we decide to say take legal action, I assume such extreme case would warrant a separate consideration, since obviously it would be counterintuitive to make our intent public prior to taking such action
[21:29:06] True, although such an action shall only be between the board, in my opinion.
[21:29:38] (or such severe discussion should only be between the board)
[21:30:10] Ok, I guess that wraps this topic up then, I will have the documents ready and sent to the org email by tomorrow again
[21:30:38] Good.
[21:30:52] That is the last item that was brought up.
[21:30:59] Does anyone have any further item?
[21:31:13] That they want to discuss/or any action they want people to take?
[21:32:23] (I'll give 2-3 minutes, and then we can conclude the meeting)
[21:33:24] I have nothing further.
[21:33:53] nothing further here either.
[21:34:17] All right.
[21:34:22] That concludes this meeting.
[21:34:25] Thank you all.
[21:34:39] Items for next meeting?
[21:37:13] * E-mail to the EFF (Pretorian) * GitLab account (Crise) * Attacks management (modifying the hub re I4 and looking at source logs) (poy/Pretorian) * HTTPS management (reacquiring certs) (cologic/Crise) * +about and +rules (poy/Pretorian) * Tax papers - get English version * Suggestions for internetfonden.se
[21:37:40] * tax papers (Pretorian) * Suggestions for internetfonden.se (All)
[21:37:49] cheers, just trying to follow a consistent template here :)
[21:38:09] /end meeting