Project:Infrastructure/Infrastructure Guidelines

This article Article description::provides general guidance to infra members is to take actions that avoid impropriety (actual, implied, or perceived). With great infra power comes a responsibility to users to use that power in a positive way. If you would be embarrassed to see your activity posted to gentoo-project; its probably unlikely to be permissible under this policy.

Scope
This document covers members of the Gentoo Infrastructure team; it does not apply to other developers (non-infra members).

Service maintenance
From time to time the Infra team may perform routine service maintenance. These are day-to-day activities that ensure the proper running of services provided by the Infra team. These activities are generally 'know it when you see it' in nature but may include things like software upgrades, configuration management, backups, and so forth.

Accessing user data
Do not access private user data unless requested by a user. Incidental access is expected during service maintenance activities (e.g. reading logs that might contain user data) but should be minimized when possible. Ideally user requests are take in writing (e.g. a bug or email) but IRC notice is also permissible; we expect Infra team members to exercise good judgement in this case.

Some projects may have shared working spaces which are semi-public or private, which will contain material not specifically owned by any one user (e.g. project archive of restricted distfiles). Incidental access here may also occur.

Disciplinary action
Disciplinary action typically involves permission removal as an reaction to behavior by community members.

Disciplinary action should be driven by Comrel. Comrel will file bugs; the bugs should have clear instructions as to the content of the action and its vote status. Please ensure the bugs follow the Comrel Policy

These actions should NOT be taken unilaterally by infrastructure members.

The actions taken might include:


 * Bans from mailing lists
 * Bans from Bugzilla
 * Permission removal from various code repositories
 * Removal from 'Gentoo' (aka. Retirement)

Legal matters
Legal action involves various infrastructure changes that are made from time to time at the request of the Gentoo Foundation to ensure the Foundation acts within the law. These changes should be driven by the Foundation board and have a bug with attached resolution and minutes.

An audit trail is crucial for showing compliance without unreasonable delays as required by some legal statutes (e.g. DMCA [17 U.S.C. § 1201-1205] states "expeditiously", but does not define the term).

Legal matter examples

 * DMCA requests
 * Court order compliance
 * Privacy-related requests
 * GDPR
 * Record preservation, due to court orders

Service defense
From time to time the infrastructure team may need to defend Gentoo services from spam or other abuse. Unlike other actions, the infrastructure team is responsible for of all portions of this activity: investigation of the abuse, remediation of the abuse, communication of the abuse. We provide this guidance:


 * Take the minimum amount of action to restore service to users. So avoid banning broad IP ranges.
 * If individuals are identifiable, please contact them first if their abuse is 'minor' and the service is still functional.
 * If service is not functional (e.g. individual people are causing service failure) it is permissible to block them and then follow up with contact.
 * Abuse may be noted to ComRel if relevant and applicable to an existing community member
 * For IP bans, avoid banning IPs forever. Folks move providers and someone new might land on that IP range and they should be able to access our services. If banning a swath of IP space, consider a temporary ban (1-2 weeks) as often abuse tapers off after some time.
 * Consider other ways to detect bans; often web crawlers have HTTP headers set that are effective and transcend IP space.

Other guidelines and policies elsewhere
This section is a reference to other policies or guidelines only.


 * LOPSA (League of Professional System Administrators) Code of Ethics https://lopsa.org/CodeOfEthics
 * USENIX/SAGE Code Of Ethics: https://www.usenix.org/system-administrators-code-ethics