I didn't want to be break this story over here but since no one else seems to be posting about it here I am sharing a screenshot from the other side with @scan's post.
-
@liaizon It's always nice to hear from users, and on behalf of the project, thanks for your kind words! I agree that this is an unfortunate decision - made independently by both Open Collective and Open Source Collective, it seems - that has the potential to harm lots of FOSS maintainers. I hope you can understand that it is, well, a delicate matter to raise complaints against the very organization that holds >80% of our funds, but I shall do my best to address this with sensitivity and expediency.
-
@opsocket @liaizon
We're indeed adding a persona integration on the platform to help Open Source Collective manage their KYC program. It is not something we're forcing on anyone, just a bridge we're creating for fiscal hosts relying on this service.For the rest, I'll let Open Source Collective comment.
They're aware of this thread and are preparing a reply as we speak.
oh boy i sure cant wait for the next round of 'we heard your concerns and we totally understand.. and listening to feedback .. anyway here is some spiel about ""safety"" and [insert scapegoat here] .. so fuck you were doing it anyway.'
-
RE: https://social.wake.st/@liaizon/116206925371202010
I didn't want to be break this story over here but since no one else seems to be posting about it here I am sharing a screenshot from the other side with @scan's post.
@liaizon @scan hey, uh, @OpenSourceCollective, what the fuck?
-
@wcbdata @liaizon @scan Thanks, we agree. We recognize that identity verification raises legitimate privacy concerns, especially in the open source ecosystem.
If you know of identity verification providers that operate outside the US, and align with strong privacy standards, we would love suggestions.
Handling funds responsibly while respecting the privacy of contributors and maintainers is a balance we take very seriously.
-
S snue@radikal.social shared this topic
-
@liaizon @jowek @ukrudt @tak @ruben @magnus
Yes haven't checked out the state of petition-software lately.
One low effort/complexity way of doing it would be to write a letter in ukrudt's hedgedoc and just ask projects to sign it if they agree - sign it by way of writing their name in the bottom: https://hedgedoc.ukrudt.net/ - we can then create a public read-only link and share that.
-
@liaizon @OpenSourceCollective another I never liked about open collective is that they store all their data on AWS in the US, unencrypted. that means all the fiscal data, invoices, payment details, of all their users, including all collectives using their online platform. as open collective is difficult to self host, everybody uses their website. when i asked for more details, they said they are a US based organisation, that they won't care, and that GDPR does not apply to them. i stop using it
@nextgraph @liaizon @OpenSourceCollective On encryption: it's not accurate to say all data is stored unencrypted. Sensitive documents like tax forms uploaded to S3 are encrypted before upload (https://github.com/opencollective/opencollective-api/blob/main/server/lib/tax-forms/index.ts#L44), as are certain sensitive fields in the database (https://github.com/opencollective/opencollective-api/blob/5e374c160750fc259ee4163230c764956efda36f/server/graphql/v2/mutation/LegalDocumentsMutations.ts#L126).
-
@nextgraph @liaizon @OpenSourceCollective On encryption: it's not accurate to say all data is stored unencrypted. Sensitive documents like tax forms uploaded to S3 are encrypted before upload (https://github.com/opencollective/opencollective-api/blob/main/server/lib/tax-forms/index.ts#L44), as are certain sensitive fields in the database (https://github.com/opencollective/opencollective-api/blob/5e374c160750fc259ee4163230c764956efda36f/server/graphql/v2/mutation/LegalDocumentsMutations.ts#L126).
@nextgraph @liaizon @OpenSourceCollective On self-hosting: it's true that it's harder than it should be. The platform wasn't built with self-hosting in mind, and over the years we've added layers of business logic tightly coupled to our own instance. On top of that, our primary users are fiscal hosts. The platform's features are therefore oriented around these organizations which operate at a much larger scale. This is part of why self-hosting at the collective level feels so out of reach.
-
@nullagent @liaizon @scan
> build services in a heartbeatI believe that when I see it
@sef I mean, probably the most famous example:
https://lwn.net/Articles/131657/However, note that we're discussing building services for _ourselves_, not other people. We can throw together something that's extremely rough around the edges that scratches our itches, but isn't ready for the rest of humanity!
-
@nextgraph @liaizon @OpenSourceCollective On self-hosting: it's true that it's harder than it should be. The platform wasn't built with self-hosting in mind, and over the years we've added layers of business logic tightly coupled to our own instance. On top of that, our primary users are fiscal hosts. The platform's features are therefore oriented around these organizations which operate at a much larger scale. This is part of why self-hosting at the collective level feels so out of reach.
@nextgraph @liaizon @OpenSourceCollective On GDPR: it does apply to us. Yes, we're a US-based non-profit (though most of our team is based in Europe), but several of the fiscal hosts on the platform are European. We take that obligation seriously. We'd like to get to a place where European users have their data stored in separate regional instances; this is on our roadmap.
-
@nextgraph @liaizon @OpenSourceCollective On GDPR: it does apply to us. Yes, we're a US-based non-profit (though most of our team is based in Europe), but several of the fiscal hosts on the platform are European. We take that obligation seriously. We'd like to get to a place where European users have their data stored in separate regional instances; this is on our roadmap.
@nextgraph @liaizon @OpenSourceCollective We've applied for decentralization grants to help make it happen. We're a small team and prioritizing this alongside everything else is genuinely difficult.
All that said, we've already made real progress over the past few years: white-labeling work, consolidated data import/exports, and we're currently refactoring our ID system in a way that will also support better decentralization.
-
@nextgraph @liaizon @OpenSourceCollective We've applied for decentralization grants to help make it happen. We're a small team and prioritizing this alongside everything else is genuinely difficult.
All that said, we've already made real progress over the past few years: white-labeling work, consolidated data import/exports, and we're currently refactoring our ID system in a way that will also support better decentralization.
@nextgraph @liaizon @OpenSourceCollective On infrastructure: yes, we run primarily on Heroku, which relies on AWS. This is a legacy decision the engineering team inherited, and moving away from it is non-trivial at our scale. Here again, the work we're doing around decentralization will hopefully help us spin up separate instances in Europe and progressively migrate what needs to be migrated.
-
@liaizon @jowek @ukrudt @tak @ruben @magnus
Yes haven't checked out the state of petition-software lately.
One low effort/complexity way of doing it would be to write a letter in ukrudt's hedgedoc and just ask projects to sign it if they agree - sign it by way of writing their name in the bottom: https://hedgedoc.ukrudt.net/ - we can then create a public read-only link and share that.
-
-
-
-
@liaizon @jowek @ukrudt @tak @ruben @magnus
Another issue is the whole governance issue - their 2022 stated goal for "Exit to Community" has resulted in:
"That vision became reality in 2024, when stewardship of the platform transitioned to a new nonprofit: the Open Finance Consortium Inc. (OFiCo), a U.S. 501(c)(6) association created by and for the fiscal hosts and communities who rely on it.
OFiCo now governs the platform collectively, while its subsidiary OFi Technologies (OFiTech) operates the platform. Together, they continue the original Open Collective mission: enabling transparent, collaborative finance for communities everywhere."
What does "govern the platform collectively" mean?
The OFi Consortium site says they are "community governed", and then later, that they are formed by 5 organisations including Open Collective Europe and Open Source Collective, that "represent thousands of Collectives and guide our strategic direction".
I'm in several collectives that are fiscally hosted by Open Collective Europe, and I have never been asked to "guide their strategic direction" in any real governance sense. And looking through their (OCE) site - there is nothing I can find about hosted collectives having governance. For me "exit to community" means that the community, in this case, the collectives, have governance - but I don't see it.
Am I missing something?
This is probably next-step stuff. But it is a lingering question I have had for a while. I have a good relationship with OCE, and I believe they are well-meaning. My worry is that if there is no real community governance, then it becomes "community-washing" instead of "community-governance".
-
@liaizon @jowek @ukrudt @tak @ruben @magnus
Yes haven't checked out the state of petition-software lately.
One low effort/complexity way of doing it would be to write a letter in ukrudt's hedgedoc and just ask projects to sign it if they agree - sign it by way of writing their name in the bottom: https://hedgedoc.ukrudt.net/ - we can then create a public read-only link and share that.
-
hey @Wtebbens have you seen this thread? seeing as you just set up a fiscal host on Open Collective and have been talking about the need to move away from Big Tech I would think chiming in, in this situation would be useful
@liaizon I am profoundly worried about age verification and more so to see @opencollective join the Peter Thiel backed Persona.
We're here together precisely to fight against these techbros, to resist tech monopolies and surveillance capitalism, to help people become autonomous and assure basic human values as privacy and solidarity.
We should be able to give donations without becoming part of the authoritarian tech stack? Well that's what we work on together. So let's hope OpenCollective reverts course.
-
@sef I mean, probably the most famous example:
https://lwn.net/Articles/131657/However, note that we're discussing building services for _ourselves_, not other people. We can throw together something that's extremely rough around the edges that scratches our itches, but isn't ready for the rest of humanity!
@Andres4NY I see, I suppose that’d be the fully existing although under-utilized LiberaPay in this case.
-
@Andres4NY I see, I suppose that’d be the fully existing although under-utilized LiberaPay in this case.
@sef LP hardly resembles OC though, of which the ease of invoicing and reimbursements happen through its pretty unique ecosystem of fiscal hosts. The fiscal host system is basically a regulatory loophole, bound to be either shut down or regulated massively.
