Tender to implement the new TDF Membership Committee’s web-based tooling

Hi Uwe, all,

(...)
All right for the mentioned "core business" - or in other words: the goals of the foundation following our statutes. That's how a community works we believe. Besides: LO in no way is or ever was a "volunteer project" (a project has a start and an end). It's a community with a high extent of volunteer engagement.

But this is in no way right if it comes to administrative decisions. To stay in the above example: It sounds rather silly to start a community-wide discussion on which software we will use to do our bookkeeping. And in our case, the MC is "the doers". The tooling we use until today emerged exactly the way you described above: Someone set up something which was far better than nothing. But it has some severe immanent drawbacks. And we understood that we don't have the skills to set up a solution on our own which satisfies our needs.

could you please explain who has and who should have access to the
membership data (old tooling and new tooling) please?

Have they / should they have access to all membership data from the start
of TDF up to now?

I found nothing about this in the detailed specifications for the tender.

Regards,
Andreas

Hi Uwe,

(...)
So we look for a company to outsource a special problem solution, described in the specification document. And we are willing to pay those ecosystem companies for services we feel in need of but which we don't see as our core business (we strongly prefer companies engaged in open source community). i.e. a company which does the necessary Plone adjustments. But we surely would not ask the Plone community or a certain developer to do so on a voluntary base (c.f. "credo" above).

which leads me (after looking over the specifications in more detail) to
the question: what about the payment for drawing the specifications
paper? Is this done on a voluntary base like other public available
documents / tender specifications in the project?

Regards,
Andreas

Hello,

Hello,

Today we've published a tender to implement the new TDF Membership
Committee’s web-based tooling:

https://blog.documentfoundation.org/blog/2021/05/26/tender-to-implement-the-new-tdf-membership-committees-web-based-tooling-202105-01/

interesting to read in the specifications document about a self hosted
Captcha but without pointing to an example for such solution. If such a
solution (especially published within an OSS license) already exists,
why is it not already used within the current application form?:
https://www.documentfoundation.org/governance/members/application/

I'm curious about a working self hosted Captcha provider.

Regards,
Andreas

Hi

what about the payment for drawing the specifications
paper? Is this done on a voluntary base like other public available
documents / tender specifications in the project?

Yes. It was done by me on a voluntary base.

Hi Andreas

could you please explain who has and who should have access to the
membership data (old tooling and new tooling) please...I found nothing
about this in the detailed specifications for the tender.

First of all: This tender is based on a software specification and not on a description of the working processes of the MC. The latter are just subject as far as it seems necessary to describe the needed software functionality.

And this list thread should hold on that tender. Feel free to open another thread for anything else.

You did not find anything on data access in the specs because you obviously read only a few pages. In short: Regulating data access is not a function of the tendered software but in fact a function of granting access to it by our SSO solution. You find that described at page 14 of the specs - including the information who is intended to be able to access the software and thereby the data.

Hi

Interesting to read in the specifications document about a self hosted
Captcha but without pointing to an example for such solution.

You embezzled the "i.e." just before that. It was meant to illustrate the idea, not to describe or define a specific intended solution.

I'm curious about a working self hosted Captcha provider.

Me too :-)

You want “e.g.” then not “i.e.”. The latter isn't a replacement for
“for instance”, it stands for “id est” (“that *is*”).

    https://en.wikipedia.org/wiki/List_of_Latin_phrases_(E)#e.g.
    https://en.wikipedia.org/wiki/List_of_Latin_phrases_(I)#id_est

Hello Guilhem

You want “e.g.” then not “i.e.”. The latter isn't a replacement for
“for instance”, it stands for “id est” (“that *is*”).
     https://en.wikipedia.org/wiki/List_of_Latin_phrases_(E)#e.g.
     https://en.wikipedia.org/wiki/List_of_Latin_phrases_(I)#id_est

Thanks for the hint. I use(d) it as abbreviation for "in example" - but indeed, for the better educated of us it surely is misleading :-)
So indeed, it was meant as an example to illustrate something, not to emphasize something. I'll correct the specs accordingly.

Hi,

Hi

Interesting to read in the specifications document about a self hosted
Captcha but without pointing to an example for such solution.

You embezzled the "i.e." just before that. It was meant to illustrate
the idea, not to describe or define a specific intended solution.

I'm curious about a working self hosted Captcha provider.

Me too :-)

would be great, if someone could shed some light on this. Is there
already a captcha provider available which could be self hosted. I
searched for such option, but with no result.

If there is nothing available yet, it is necessary to look for a
working solution / a captcha provider, which should be included into the
forms (in accordance with the GDPR).

Regards,
Andreas

Hi Uwe, all,

Hi Andreas

could you please explain who has and who should have access to the
membership data (old tooling and new tooling) please...I found nothing
about this in the detailed specifications for the tender.

First of all: This tender is based on a software specification and not
on a description of the working processes of the MC.  The latter are
just subject as far as it seems necessary to describe the needed
software functionality.

And this list thread should hold on that tender. Feel free to open
another thread for anything else.

I already opened a new thread. I changed the subject of this thread (in
accordance to the usual way I know for mailing lists).

You did not find anything on data access in the specs because you obviously
read only a few pages. In short: Regulating data access is not a
function of the tendered software but in fact a function of granting
access to it by our SSO solution. You find that described at page 14
of the specs - including the information who is intended to be able to
access the software and thereby the data.

OK, got it now.

Have you already compared the details of meetings and decision making
for the board and the MC in the statutes? There are differences which
need to be considered for the access and the processing of the personal
data (of members and applicants).

Regards,
Andreas

Hi Andreas

I already opened a new thread. I changed the subject of this thread (in
accordance to the usual way I know for mailing lists).

No, technically you didn't :-)
Just changing the subject isn't enough, because mail readers use the message ID of the mail you answered to thread mails (at least Thunderbird does) which will be written into the mail header when answering an existing mail. And you answered an existing mail which will keep your answer in the thread instead of opening a new one, despite the subject's text. This will only be used by some mail readers if the ID of the mail answered isn't available.
To be sure to open a new thread you have to write a brand new mail instead of clicking an "answer" button.

Hi Andreas

Have you already compared the details of meetings and decision making
for the board and the MC in the statutes? There are differences which
need to be considered for the access and the processing of the personal
data (of members and applicants).

You may save me a lot of time and work accomplishing this, giving also the sources.
Personally I can't see regulations for data processing in our statutes e.g. But besides this, German law provides a lot of special rights to information for members of an association like TDF. But this does not touch the way the tendered software shall work.

Hello Andreas,

would be great, if someone could shed some light on this. Is there
already a captcha provider available which could be self hosted. I
searched for such option, but with no result.

we looked at some in the past (don't remember their names from the top of my head), but the results were only mediocre. What helped us years ago in the wiki was to ask concrete questions e.g. about TDF (Where are we located etc.), because these cannot be automated so easily, but still, you need to rotate these frequently... indeed, time for a proper solution to this. :-)

Florian

Hi Florian,

Hello Andreas,

would be great, if someone could shed some light on this. Is there
already a captcha provider available which could be self hosted. I
searched for such option, but with no result.

we looked at some in the past (don't remember their names from the top
of my head), but the results were only mediocre. What helped us years
ago in the wiki was to ask concrete questions e.g. about TDF (Where are
we located etc.), because these cannot be automated so easily, but
still, you need to rotate these frequently... indeed, time for a
proper solution to this. :-)

I'm currently evaluating a solution for Plone with a 'honeypot' and work
on a new add-on for a switch to a GDPR compatible captcha online provider.

But I don't know yet, how long it will take me to finish both options,
because my spare time currently is occupied mostly by other tasks.

Regards,
Andreas

Hello Andreas,

I'm currently evaluating a solution for Plone with a 'honeypot' and work
on a new add-on for a switch to a GDPR compatible captcha online provider.

thanks for sharing! Let us know how it's going - we'll also share our findings (probably on the website list), as I guess several projects have similar issues.

Florian

Hello Florian, all,

Hello Andreas,

I'm currently evaluating a solution for Plone with a 'honeypot' and work
on a new add-on for a switch to a GDPR compatible captcha online
provider.

thanks for sharing! Let us know how it's going - we'll also share our
findings (probably on the website list), as I guess several projects
have similar issues.

I created a new Plone add-on to use HCaptcha instead of ReCaptcha some
weeks ago and migrated the forms of a Plone add-on to HCaptcha
currently. I'll work on further Plone add-ons and  migrate the forms to
HCaptcha. I think about making it optional to use HCaptcha and rely on
the 'honeypot' add-on technology instead.

Regards,
Andreas

Hello Andreas,

thanks for sharing! Let us know how it's going - we'll also share our
findings (probably on the website list), as I guess several projects
have similar issues.

I created a new Plone add-on to use HCaptcha instead of ReCaptcha some
weeks ago and migrated the forms of a Plone add-on to HCaptcha
currently. I'll work on further Plone add-ons and  migrate the forms to
HCaptcha. I think about making it optional to use HCaptcha and rely on
the 'honeypot' add-on technology instead.

thanks for the follow-up!
What's your experience with this captcha, is there a difference between the spam before and after? Back in the days, all alternative captchas were much less effective, I'm curious to learn how the situation is nowadays.

(Maybe let's follow-up with this discussion on website@)

Thanks,
Florian

Hello Florian, all,

Hello Andreas,

thanks for sharing! Let us know how it's going - we'll also share our
findings (probably on the website list), as I guess several projects
have similar issues.

I created a new Plone add-on to use HCaptcha instead of ReCaptcha some
weeks ago and migrated the forms of a Plone add-on to HCaptcha
currently. I'll work on further Plone add-ons and  migrate the forms to
HCaptcha. I think about making it optional to use HCaptcha and rely on
the 'honeypot' add-on technology instead.

thanks for the follow-up!
What's your experience with this captcha, is there a difference
between the spam before and after? Back in the days, all alternative
captchas were much less effective, I'm curious to learn how the
situation is nowadays.

I'm currently not running or managing any server / PC outside my home
environment. I have a paid full-time job outside the software industry and
work on software only as a volunteer in my spare time.

Thus I could not provide you any experience about the effectiveness of
the different captcha services (providers). I created the new hcaptcha
add-on only on a request / discussion inside the community.

(Maybe let's follow-up with this discussion on website@)

If I remember correctly there is an open ticket in the LibreOffice
community on this topic without real work on it for about four years
yet. Has there been any research on this topic (without documentation)
inside the LibreOffice community already?

Regards,
Andreas

Hello Andreas,

Thus I could not provide you any experience about the effectiveness of
the different captcha services (providers). I created the new hcaptcha
add-on only on a request / discussion inside the community.

to answer your question, the above is indeed the problem we were facing - other Captcha services were working, but much less reliable, i.e. they were much less suited to prevent spamming. Even with blocking certain "spammy" IP ranges, the amount of spam was too high, and the feedback from other communities back then was very similar.

However, let's continue this technical discussion on the website@ list instead, where also others could provide valuable feedback.

Florian

Hello Florian, all,

Hello Andreas,

Thus I could not provide you any experience about the effectiveness of
the different captcha services (providers). I created the new hcaptcha
add-on only on a request / discussion inside the community.

to answer your question, the above is indeed the problem we were
facing - other Captcha services were working, but much less reliable,
i.e. they were much less suited to prevent spamming. Even with
blocking certain "spammy" IP ranges, the amount of spam was too high,
and the feedback from other communities back then was very similar.

However, let's continue this technical discussion on the website@ list
instead, where also others could provide valuable feedback.

if you like you could start a new discussion on that list.

I worked on a further version of one Plone add-on with protection by a
honeypot field instead of a captcha. I used a special add-on for this,
which was published by some members of the Plone community. This
technology has the advantage that it doesn't bother the website user in
the way a captcha does.

Regards,
Andreas
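
The honeypot-field approach discussed in this thread, as an added example (not code from the thread or from the Plone add-on it mentions): the form carries a decoy input that people never see, and the server rejects any POST that fills it. The signed render timestamp with minimum fill time goes beyond what the thread describes; the field names, secret and thresholds are constructed assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret kept on the server
DECOY_FIELD = "website"           # hypothetical decoy name; people never see it
MIN_FILL_SECONDS = 3              # assumption: a person needs at least this long
MAX_AGE_SECONDS = 3600            # assumption: a rendered form expires after 1 h


def sign(issued_at):
    """HMAC over the render time so the client cannot forge or change it."""
    return hmac.new(SECRET, str(issued_at).encode(), hashlib.sha256).hexdigest()


def render_form(now=None):
    """Form HTML with a CSS-hidden decoy input and a signed render timestamp."""
    issued_at = int(time.time() if now is None else now)
    return (
        '<form method="post" action="/apply">\n'
        '  <input name="fullname">\n'
        '  <div style="display:none" aria-hidden="true">'
        f'<input name="{DECOY_FIELD}" tabindex="-1" autocomplete="off"></div>\n'
        f'  <input type="hidden" name="ts" value="{issued_at}">\n'
        f'  <input type="hidden" name="sig" value="{sign(issued_at)}">\n'
        '  <button>Send</button>\n'
        '</form>'
    )


def check_submission(form, now=None):
    """Return 'accept' or the reason a POSTed form (a dict) is rejected."""
    now = time.time() if now is None else now
    if form.get(DECOY_FIELD, "").strip():
        return "reject: decoy field filled"
    ts, sig = form.get("ts", ""), form.get("sig", "")
    if not ts.isdecimal() or not hmac.compare_digest(
        sig.encode(), sign(int(ts)).encode()
    ):
        return "reject: timestamp missing or tampered"
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return "reject: submitted too fast"
    if age > MAX_AGE_SECONDS:
        return "reject: form expired"
    return "accept"
```

Rejected submissions are best answered with the same response as accepted ones and logged server-side, so the rejection reason is not revealed to the sender.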