
Add introductory note crediting key open source components #275

Open
wants to merge 7 commits into
base: main

Conversation

eloquence
Member

If this kind of language works, could add similar language to main SD docs. I probably forgot some important shout-outs though!

SecureDrop Workstation uses `Whonix <https://www.whonix.org/>`_ to maintain
connectivity with the Tor network. You can `make a donation to the Whonix project <https://www.whonix.org/wiki/Donate>`_.

In addition, SecureDrop Workstation relies on other open source projects such as
Contributor

I slightly worry that, if we get into the level of granularity of (for example) packages installed in SDW VMs, we will leave out some folks inadvertently and prioritize others. (For example, do we list only user-facing applications? Do we list all libraries and components? Do we list PyQt? etc)

What I would propose as a first step is that we highlight and link to QubesOS first, as you have done, then have a section mentioning other projects on whom we have a substantive reliance and/or have engaged with directly (with donation or contribution links as the case may be) with wording like "please consider supporting these projects with your time, with a financial contribution if you are able, or by following their work" or something (not all take donations).

Then we can either stop at that with a line about how the components of SD ecosystem are open source and it's important to support the community, or collect a longlist of other projects we want to mention (but I think that will take some time and be a bit more ambiguous).

I suggest:

QubesOS

then (alphabetical)

Localization Lab https://www.localizationlab.org/donate
Sequoia-PGP https://sequoia-pgp.org/contribute/ (not a donation link)
Weblate https://weblate.org/en/donate
Whonix https://www.whonix.org/wiki/Donate

Then optionally we can also list the major other projects (Debian, Fedora, Python, etc), but I feel a little dicey about that because we get far into "who do we include". I would love a second opinion (maybe @legoktm has thoughts..?)

Member

I think the "big" projects are a good idea to start with at least (including Debian/Fedora/Python and Tor too). I'd be okay skipping Qt since (AFAICT) it's a for-profit company.

Once we have some SBOMs we can go into more detail and maybe have a comprehensive list across server (flask, etc.) + workstation + client, but that shouldn't hold this up.

Member Author

Thank you both for the review. I've taken another pass at this, let me know what you think!

I've added Localization Lab, Weblate and Sequoia as part of this change.

In terms of software running in VMs, I've relied on https://github.com/freedomofpress/securedrop-workstation/blob/main/tests/vars/sd-viewer.mimeapps to enumerate individual viewer apps. Most of these are part of the GNOME project; the ones that I individually called out are not.

I am in favor of including these, because they are so essential for the day-to-day user experience of the SecureDrop Workstation, and because the existence of an allow-list does seem to make it practical to maintain an enumerated list.

At the same time, I think it is defensible to not enumerate every transitive library, dependency, or build system component, because such a list would be impractical for us to maintain. Instead, I've included a general comment acknowledging the reality of these deeper dependencies, and encouraging folks to direct financial contributions and effort wherever it can make a positive difference.

`Freedom of the Press Foundation (FPF) <https://freedom.press/>`_, a
US-based nonprofit organization. You can support our work through
`your donation <https://freedom.press/donate>`_ or by
`contributing to SecureDrop development <https://developers.securedrop.org/en/latest/contributing.html>`_.
Contributor

A nit: maybe we can flip the order here and say "you can support our work by contributing to our projects [link], making a financial donation [link]," and (maybe?) adding "or following and sharing the work we do (newsletter/Mastodon link)"?

I also prefer the "contributing to our projects" wording slightly over the "contributing to development," just to make sure the translators etc feel included :)

Member Author

I've flipped the order here and now use the more general "contributing" without specifying "development". I've not added the "follow/share news" just to keep it focused mainly on the core message of acknowledging the open source ecosystem we rely on.

Contributor

@rocodes rocodes left a comment

Hi @eloquence - thanks so much for preparing this! I have left a suggestion about the list of projects we call out explicitly, with a couple options (keep it short, or really make a longlist). I think I'm in favour of a thoughtful shortlist so that we don't get into the "who's in, who's out" territory. Let me know your thoughts. :)
