By Luca Marzo on 2020-05-15 09:56 in Board of Directors

Open Source Matters, Inc.
Full Board of Directors and Officers Meeting

Date: May 07, 2020
Time: 17:00 UTC
Total time of meeting: 2 hours 5 minutes

Attendees:

Brian Mitchell (President), Elisa Foltyn (Vice President), Luca Marzo (Secretary), Marco Dings (Director), Hugh Douglas-Smith (Director), Djamel Kherbi (Director), Jaz Parkyn (Director), Radek Suski (Director).

Apologies:

Rowan Hoskyns Abrahall (Treasurer) due to health reasons.

Eric Lamy (Director).

Proxies:

Marco Dings served as proxy for Rowan Hoskyns Abrahall.

Discussion outline

President

  • Brian shared a recommendation for the appointment of the Ombudsman. The Board requested the preparation of a list of candidates to choose from.

  • Brian suggested to proceed with the Bookkeeping RFP.

  • Brian changed the payment method of GoDaddy domains/services in order to be resilient to card changes.

  • Brian transferred the ownership of kids4opensource.com to OSM.

  • Know Your Customer is in progress, Brian is working on that with Rowan.

Treasurer

  • Rowan couldn’t attend the meeting due to serious health issues.

  • Rowan prepared a draft of the Budget for 2020/21 Fiscal Year.

Production Department

  • Inventory Production assets and remove access from individuals that are no longer part of an accountable team.

  • Restructuring of the Production Department’s drive ongoing to incorporate team documents and discussion in the appropriate context so they are preserved.

  • Puneet Kala stepped down as team lead for GSOC, succession and handover pending.

  • The Production Department is actively defining a roadmap for 4.1 and 4.2 to dovetail into the 4.0 release and not cause a gap.

  • Production will no longer wait for answers or active collaboration by Marketing, given that this has been an ongoing one-way discussion since November last year. The Department will take initiatives, among others with relevant FFtF groups, to identify Joomla’s target market and UX personas. The train has left the station for 4.1. For 4.2 and further we are open to structured discussions with the Marketing Department.

  • The Production Department was already taking inventory of the assets to lock down access to only those who actually need it. The incident of destroying the joomla-projects/privacy-framework policy was investigated. The history is not available in any local fork. Without that history, “rebuilding” the repo isn’t worth the effort.

Legal & Finance Department

  • Hugh proposed to clean up the list of pending Code of Conduct Incidents.

  • Hugh decided to step down from the Conflict Resolution Team. The Board is grateful for his contribution during his term.

  • Brian stepped down from the Conflict Resolution Team to prevent any conflict of interest with the President role.

Events Department

  • Department leadership meeting postponed due to unavailability of the Team Leaders.

  • The discussion on virtual JUGs is still ongoing slowly within the relevant teams.

Operations Department

  • The Showcase Directory still hasn't provided any report; however, they are very cooperative and Wilco is working with them to improve their workflows and security.

  • A report from the webmaster team meeting has been published.

  • The JSST is helping to implement measures to improve security.

  • A serious data breach has been ascertained:

    • Organisational data is being stored in unauthorised places.

    • An unauthorised service, which can potentially process the data, is being used.

    • Backups aren't encrypted.

    • People from outside of the team, or even from outside of the organisation, have administrative access to the website.

All those established violations cause serious security and legal problems. A detailed report about the data breach has been provided to Luca in his role as DPO, and it will be shared at the beginning of the board meeting. Given the situation, and the lack of cooperation from the team leadership, I propose two steps to implement, as soon as possible, measures to deal with this situation:

  • A degradation to an unofficial team.

  • A complete liquidation of the team access and direct restoration of all issues by the Webmaster Team Lead and JSST members in cooperation with the DPO.

We are aware that those measures might seem drastic, but it's the only possibility to stop all those violations immediately.

  • The Operations Department is having issues with the Joomla Resource Directory site and team, which require some measures. A report about the situation shows a lack of adherence to organizational rules, a lack of cooperation and serious site-based issues.

Programs Department

  • Department meeting postponed until next week due to Team Leader availability.

  • Team membership forms completed for Certifications, pending for VET and Educational Outreach.

  • Jaz requested feedback from the Board on the Guidance for Team Leaders document.

Vice President

  • [Accessibility] We have the offer of the a11yclub to share our call for volunteers. I think if we rather call for individuals and for an “identify a11y issues” challenge, we could maybe attract individuals to bring their expertise in. Elisa to get in touch with Carlos to work on the call.

  • [Accessibility] Elisa proposed to check whether it’s possible to achieve an accessibility certification for the Joomla backend.

Secretary

  • A corporate calendar has been prepared and it includes all the election and related reporting deadlines, the details about Fiscal Year start date and end date, as well as the federal filings due date. Board meetings (without agendas and details) have been added too, as well as Members Meetings. The full Board got an invitation to accept the calendar and receive its notifications.

  • [Commitment] Board members are expected to be responsive and to check their mailbox and the organizational communication channel on Glip frequently, because there could be urgent topics, actions or decisions to be processed. Some members have been unresponsive and don’t check their mailbox and Glip regularly. This kind of behavior has negative effects on the operations of the organization. In case of personal issues (health, family, travel, etc.) the Board should be made aware of the absence in order to take any appropriate measure to ensure the operational flow.

  • [Tools] Some teams are not using the tools and services that the Board defined as the organization-wide standard: Glip, Google Meet and others. The usage of non-approved services or tools, or services/tools for which OSM does not have an agreement or an owner-level account, might expose sensitive information and even personal data to risks that have not been properly assessed. Luca stressed that the Board has the duty to ensure that teams have the tools/services needed to fulfill their tasks properly, but that teams have to adhere to corporate-level rules and guidelines, especially when there is a risk of exposing sensitive information and data to unapproved third parties.

  • [Security Incident] Luca received a notification on May 06 that someone had recently deleted the joomla-projects/privacy-framework repository. Luca checked the logs on GitHub and found out who deleted the repository. This is a terrible incident that made the organization lose all the work done in this repository and a piece of Joomla’s history. There was no reason to grant such permissions to all the members. Luca changed the rule to restrict the ability to delete a repository to owners only. Luca formally requested the Production Department to audit all the accesses on GitHub and to ensure that only the needed permissions are given (minimum privilege rule). Luca also requested the Operations Department to audit all the permissions on website properties to ensure the same rule is applied.

  • [Outreachy] Luca would like to propose to the Programs Department to apply to the next cycle of Outreachy. The application period opens in late August. We currently have the time to look at their rules and prepare for the deadline: https://www.outreachy.org/docs/applicant/

  • [FOSS Responders] Luca submitted a request for funding for Joomla, given that it has been really difficult to ensure an income flow in this period: https://fossresponders.discourse.group/t/foss-crowdfunding-campaigns-that-need-your-help/61

  • [Payments] In case of unavailability (even temporary) of the President and Treasurer, nobody else can access accounts and proceed with the payment of crucial services. Luca suggested creating an additional card, even a prepaid one, for emergency expenses, to be assigned to a Board member as a backup payment method. The Board will work on a Direct Expenses Policy before issuing any new cards.

  • [Payments] Luca informed the Board that the Google Ads payment had failed because the card had not been updated. Brian to proceed with the payment.

  • [Signatures] As of today, the only person able to sign contracts and agreements, including volunteer NDAs and partnership agreements, is the President. In case of declared unavailability, there is a provision that allows the Vice President to step up. Luca proposed the adoption of a role-linked Power of Attorney for the Vice President and Secretary to sign partnership agreements, volunteer NDAs and any other agreements that don’t have financial impacts.

  • [Procedures] To ensure proper due diligence and an eventual impact assessment, the Board should be informed upfront of any sponsorship or partnership. A motion will follow.

  • [Assets] Apparently there is a G Suite organization for conference.joomla.org to which none of the current members or DCs has access. Luca requested support from Google to reinstate access to this organization; we will then proceed with a massive cleanup and the eventual removal of the G Suite organization, as the business can be conducted through CJO and Joomla.org accounts.

  • [Compliance] The Compliance Team published a new Cookie Policy for the *.joomla.org websites. There are still some updates to make, and then it will be published in the footer menu of all our websites. Work is also in progress on the new global Privacy Policy that will cover all our websites.

  • [Compliance] The Identity Portal will be released on May 16, 2020 with one property connected to it. There will be a dedicated announcement as a blog post on the Community Portal on the release date.

  • [NDA] Luca reminded that all Board members and team leaders should sign the OSM Non-Disclosure Agreement available at joom.la/nda.

  • [Data Breach] Following the report prepared by the Webmasters Team about the Data Breach in the Joomla Resource Directory, a task group has been formed. The group includes people from the Webmasters Team, the Compliance Team and the Board to deal with the incident. An action plan is going to be prepared and all the affected people will be informed. The group will evaluate any eventual need to inform Data Privacy authorities in the relevant countries, as well as public disclosure.

Motions taken during this meeting

#2020/055 - Elisa and Marco request to be temporarily assigned to the CRT for the purpose of identifying and documenting status and actions of outstanding requests.
Proposed by Marco Dings, seconded by Elisa Foltyn.
The motion passed with unanimous consent.

#2020/056 - Declare the Joomla Resources Directory Team an unofficial working group.
Proposed by Radek Suski, seconded by Marco Dings.
The motion passed with unanimous consent and 1 abstention. Brian Mitchell abstained.

#2020/057 - Remove JRD team access to the site and allow the Webmaster Team Lead, JSST, DPO to restore the website.
Proposed by Radek Suski, seconded by Marco Dings.
The motion passed with unanimous consent and 1 abstention. Brian Mitchell abstained.

#2020/058 - Board Members should check their mailboxes and the Board channel on Glip on a regular basis (at least every 24 hours) and promptly respond to requests. In case of absence or impossibility to fulfill this obligation, Board Members should notify the rest of the Board at the earliest opportunity about their absence and its estimated duration.
Proposed by Luca Marzo, seconded by Marco Dings.
The motion passed with unanimous consent.

#2020/059 - Adopt Glip as the official communication tool for Working Groups, Sub-Team, Team, Department and organizational channels.
Proposed by Luca Marzo, seconded by Jaz Parkyn.
The motion passed with unanimous consent.

#2020/060 - Adopt Google Meet, with GSuite project-owned accounts, as the official voice/video meeting tool for Working Group, Sub-Team, Team, Department and Board Meetings.
Proposed by Luca Marzo, seconded by Jaz Parkyn.
The motion passed with unanimous consent.

#2020/061 - Board members should complete their Department/Officer box in the agenda with updates and proposed motions at least 24 hours prior to a scheduled meeting.
Proposed by Luca Marzo, seconded by Radek Suski.
The motion passed with unanimous consent.

#2020/062 - Apply the rule for which only owners on GitHub can delete a project repository on all the Joomla organizations on GitHub.
Proposed by Luca Marzo, seconded by Marco Dings.
The motion passed with unanimous consent.

#2020/063 - Grant a Power of Attorney to the Vice President and the Secretary to allow them to sign, on behalf of the Corporation, partnership agreements, NDAs and any other legal documents that do not have financial impacts or costs for the Corporation, pursuant to Section 9.04 of the Bylaws.
Proposed by Luca Marzo, seconded by Radek Suski.
The motion passed with unanimous consent.

#2020/064 - Give the mandate to the Webmasters Team to conduct regular audits of the Joomla.org family of websites to ensure they are compliant with standard security practices and privacy guidelines.
Proposed by Luca Marzo, seconded by Radek Suski.
The motion passed with unanimous consent.

#2020/065 - All the agreements and contracts shall be reviewed by the Board before the signature phase.
Proposed by Luca Marzo, seconded by Marco Dings.
The motion passed with unanimous consent.

#2020/066 - The Secretary proposes to adjourn the meeting.
Proposed by Luca Marzo, seconded by Hugh Douglas-Smith.
The motion passed with unanimous consent.

Motions taken offline before this meeting

#2020/054 - Approve and publish the Board Meeting Minutes.
Proposed by Luca Marzo, seconded by Radek Suski.
The motion passed with unanimous consent.