27 Sep
2022
27 Sep
'22
4:37 p.m.
Hello 44Net!
For quite some time, y'all have heard rumblings of a new portal, which
Chris has been working on bit by bit. Realizing that it's likely a
larger project than we initially thought, earlier this year the TAC took
on the task of writing a feature requirements document. This has been
the bulk of their work this year so far, and I'm really proud of the
results, which were completed just a couple weeks ago.
I'm writing on behalf of the TAC to share this document with you and to
request comments and comments:
https://www.ampr.org/wp-content/uploads/2022-09-Portal-Features-Requirement…
Ideally, please share your thoughts in this channel rather than emailing
directly, though of course we will read any feedback you send. Pierre,
the TAC Chair, will be watching the list and answering any questions
that may come up.
Note that this document is a feature requirements document - which
outlines the features that the portal needs to have before it's
considered "done." By definition, it's *not* an engineering document;
we've purposefully not specified the exact technology we'll use to build
this out. We have, however, specified that it will be released as an
open source project as soon as we have a functional version, likely
without all features present. Ultimately this will be a project managed
by our new Director of Technology (who starts on Monday; will introduce
after he starts) and the team he assembles to carry out the build. Thus,
information like timelines, project plans, and database specifications,
etc., will follow his review of this document and any comments from this
group.
And with that, I say - happy reading! And thank you so much for your
thoughts and questions.
Looking forward,
Rosy
--
Rosy Schechter - KJ7RYV
Executive Director
Amateur Radio Digital Communications (ARDC)
ampr.org
28 Sep
28 Sep
12:13 a.m.
Thanks for sharing this work with the community.
Reading through it, some thoughts and questions come up:
- I'm delighted to see that accessibility and WCAG is considered.
- What is the intent of the Level Of Trust value? Is this about allowing
some centralized administrative actions, or does this represent something
that community members can earn and level up?
- In addition to GDPR compliance considerations, you might also consider
California's similar CCPA.
- What is the intention of requiring maidenhead locators? I'm mostly just
curious how the information gets used, though I suspect it would be useful
to map country-granularity call signs to actual geographic areas where the
subnets are assigned.
In general, this seems like a really straightforward list of requirements
that all make sense in context.
Looking forward to experimenting and trying out something new.
Cheers and 73,
jof / K6BGP
On Tue, 27 Sept 2022 at 14:37, Rosy Schechter - KJ7RYV via 44net <
44net(a)mailman.ampr.org> wrote:
Hello 44Net!
For quite some time, y'all have heard rumblings of a new portal, which
Chris has been working on bit by bit. Realizing that it's likely a
larger project than we initially thought, earlier this year the TAC took
on the task of writing a feature requirements document. This has been
the bulk of their work this year so far, and I'm really proud of the
results, which were completed just a couple weeks ago.
I'm writing on behalf of the TAC to share this document with you and to
request comments and comments:
https://www.ampr.org/wp-content/uploads/2022-09-Portal-Features-Requirement…
Ideally, please share your thoughts in this channel rather than emailing
directly, though of course we will read any feedback you send. Pierre,
the TAC Chair, will be watching the list and answering any questions
that may come up.
Note that this document is a feature requirements document - which
outlines the features that the portal needs to have before it's
considered "done." By definition, it's *not* an engineering document;
we've purposefully not specified the exact technology we'll use to build
this out. We have, however, specified that it will be released as an
open source project as soon as we have a functional version, likely
without all features present. Ultimately this will be a project managed
by our new Director of Technology (who starts on Monday; will introduce
after he starts) and the team he assembles to carry out the build. Thus,
information like timelines, project plans, and database specifications,
etc., will follow his review of this document and any comments from this
group.
And with that, I say - happy reading! And thank you so much for your
thoughts and questions.
Looking forward,
Rosy
--
Rosy Schechter - KJ7RYV
Executive Director
Amateur Radio Digital Communications (ARDC)
ampr.org
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
1:53 a.m.
The Level of Trust is a means to ensure that the person is a genuine, licensed radio
amateur. It starts when you first register by verifying your email address, which earns
you the lowest level. You then have various easy options, like adding a mobile/cellphone
and verifying that to earn a few additional points, you can also verify your postal
address (Google style postcard with PIN).
The next stage would be to get your licence and ID verified, this would typically be done
by either a physical meeting, if someone is close enough, or (more likely) via a video
meeting. The idea is that the more verification processes you go through, the higher your
level of trust. So when you apply for resources all the verification is already in place.
This is especially important for BGP requests as it currently takes some time to go
through that process.
The ultimate goal would be to become a verifier yourself and help verify others - It’s the
same model as the CA-Cert Web Of Trust.
73,
Chris - G1FEF
On 28 Sep 2022, at 06:13, Jonathan Lassoff via 44net
<44net(a)mailman.ampr.org> wrote:
Thanks for sharing this work with the community.
Reading through it, some thoughts and questions come up:
- I'm delighted to see that accessibility and WCAG is considered.
- What is the intent of the Level Of Trust value? Is this about allowing some centralized
administrative actions, or does this represent something that community members can earn
and level up?
- In addition to GDPR compliance considerations, you might also consider California's
similar CCPA.
- What is the intention of requiring maidenhead locators? I'm mostly just curious how
the information gets used, though I suspect it would be useful to map country-granularity
call signs to actual geographic areas where the subnets are assigned.
In general, this seems like a really straightforward list of requirements that all make
sense in context.
Looking forward to experimenting and trying out something new.
Cheers and 73,
jof / K6BGP
On Tue, 27 Sept 2022 at 14:37, Rosy Schechter - KJ7RYV via 44net
<44net(a)mailman.ampr.org <mailto:44net@mailman.ampr.org>> wrote:
Hello 44Net!
For quite some time, y'all have heard rumblings of a new portal, which
Chris has been working on bit by bit. Realizing that it's likely a
larger project than we initially thought, earlier this year the TAC took
on the task of writing a feature requirements document. This has been
the bulk of their work this year so far, and I'm really proud of the
results, which were completed just a couple weeks ago.
I'm writing on behalf of the TAC to share this document with you and to
request comments and comments:
https://www.ampr.org/wp-content/uploads/2022-09-Portal-Features-Requirement…
<https://www.ampr.org/wp-content/uploads/2022-09-Portal-Features-Requirements-Doc.pdf>
Ideally, please share your thoughts in this channel rather than emailing
directly, though of course we will read any feedback you send. Pierre,
the TAC Chair, will be watching the list and answering any questions
that may come up.
Note that this document is a feature requirements document - which
outlines the features that the portal needs to have before it's
considered "done." By definition, it's *not* an engineering document;
we've purposefully not specified the exact technology we'll use to build
this out. We have, however, specified that it will be released as an
open source project as soon as we have a functional version, likely
without all features present. Ultimately this will be a project managed
by our new Director of Technology (who starts on Monday; will introduce
after he starts) and the team he assembles to carry out the build. Thus,
information like timelines, project plans, and database specifications,
etc., will follow his review of this document and any comments from this
group.
And with that, I say - happy reading! And thank you so much for your
thoughts and questions.
Looking forward,
Rosy
--
Rosy Schechter - KJ7RYV
Executive Director
Amateur Radio Digital Communications (ARDC)
ampr.org <http://ampr.org/>
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org <mailto:44net@mailman.ampr.org>
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
<mailto:44net-leave@mailman.ampr.org>
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
1:26 p.m.
The next stage would be to get your licence and ID
verified, this
would typically be done by either a physical meeting, if someone is
close enough, or (more likely) via a video meeting. The idea is that
the more verification processes you go through, the higher your level
of trust. So when you apply for resources all the verification is
already in place. This is especially important for BGP requests as it
currently takes some time to go through that process.
Could we consider other well established forms of trust does as
something signed via a valid LOTW certificate, maybe an pre-existing
Echolink validation, etc?
--David
KI6ZHD
1:44 p.m.
This has been discussed before and it is still being looked upon.
Of course organisation like radioid.net (dmr, dstar and p25 ID's ) and echolink cannot
give us all they have without consent from their user database.
Using LOTW signing could also be problematic.
Maybe a way to create a world wide database of ham with the capacity to ID them for every
service could be done, but it is a bit outside the scope of our dashboard requirement
documentation.
Pierre
VE2PF
TAC Chairman
________________________________________
De : David Ranch via 44net <44net(a)mailman.ampr.org>
Envoyé : 28 septembre 2022 14:26
À : Chris Smith; Jonathan Lassoff
Cc : Amprnet 44 Net
Objet : [44net] Re: Comments and questions welcome: Portal Features Requirements Document
The next stage would be to get your licence and ID verified, this would typically be done
by either a physical meeting, if someone is close enough, or (more likely) via a video
meeting. The idea is that the more verification processes you go through, the higher your
level of trust. So when you apply for resources all the verification is already in place.
This is especially important for BGP requests as it currently takes some time to go
through that process.
Could we consider other well established forms of trust does as something signed via a
valid LOTW certificate, maybe an pre-existing Echolink validation, etc?
--David
KI6ZHD
2:04 p.m.
All,
* Is this the same as the 44NGN (no emails either) - was the TAC mailing list closed too?
* Does this require those who have verified, use LOTW to connect to AMPR, provided to get
a Wiki account, etc. previously - to "verify again"?
* Is this live now?
* Will I loose my allocation?
* Will I loose DNS entries/hosts/services that do not match the new nomenclature?
I volunteered for TAC - was I removed at at some point/some reason?Did the collaboration
on TAC via mailing list stop/change?
73,
- Lynwood
KB3VWG
29 Sep
29 Sep
9:23 a.m.
Hi Lynwood,
* Is this the same as the 44NGN (no emails either) -
was the TAC mailing
list closed too?
There's no mailing list for the TAC (aside from an internal one we use
to send meeting agendas). Chris can share more info re: what happened
with the 44NGN mailing list.
We will soon be starting a Groups.io that will have open channels
related to more specific topics, such as PoPs. It will follow the
publication of our Code of Conduct, which is in the works.
* Does this require those who have verified, use LOTW to connect to
AMPR, provided to get a Wiki account, etc. previously - to "verify again"?
I will let Chris speak to this as well.
* Is this live now?
No, it is being built. However, it's clear we need more than one person
working on it, so we developed this document to outline what needs to be
built and better scope the project.
* Will I loose my allocation?
No.
* Will I loose DNS entries/hosts/services that do not match the new
nomenclature?
No.
I volunteered for TAC - was I removed at at some point/some reason?
Did the collaboration on TAC via mailing list stop/change?
I do not see your resume or cover letter in our file for applicants.
Perhaps you applied late? We will be putting out a call soon for 2023,
please be on the lookout and consider applying.
73,
Rosy
Rosy Schechter - KJ7RYV
Executive Director
Amateur Radio Digital Communications (ARDC)
ampr.org
28 Sep
28 Sep
1:44 p.m.
Great work Chris & TAC! Glad to see this document delivered! I see many great points
throughout the document and I am really happy they made it there. Just some comments and
questions that may be helpful from me, in case you’re interested:
1. Why did you pick GPLv3 as the license? Is this an ARDC requirement or a decision
independently made for the Portal? Is there any chance to reconsider and pick a license
like MIT, BSD, or Apache 2? I feel like the restrictions that GPL (especially v3) imposes
are unnecessary.
2. It would be nice to see an API specification published in a standardized format as
well, e.g. OpenAPI, to try to get a gRPC-like automatic client library generation in many
languages + automatic mocks / tests for when you are developing a client. That’s a
nice-to-have but low effort and high gain.
3. Regarding the ticketing system, perhaps it’s worth to explore integrating with an
existing one for some of the use cases to not reinvent the wheel?
4. I would like to see WebAuthn for Security Keys with support of multiple, e.g. 8-16
keys, and not single-key only like some services. The web also seems to be moving to a
passwordless future, with support for Passkeys already landed in browsers and OSes in
desktop + mobile. Integrating WebAuthn for 2FA and Passkeys for passwordless login is very
similar. My colleague Adam has written a very good technical post on how to implement
these standards securely in case you’re interested:
https://www.imperialviolet.org/2022/09/22/passkeys.html
<https://www.imperialviolet.org/2022/09/22/passkeys.html> . I would also try to
avoid any insecure practices like security questions to recover an account. I don’t know
if I would pick SMS 2FA for a new project, although it’s better than nothing. Just make
sure you don’t fall back to SMS e.g. if Security Keys / TOTP doesn’t work. I think with
e-mail 2FA support the SMS option isn’t needed. People without a smartphone would still
need e-mail access to login, so I don’t think it is excluding people if you do not offer
it. Just be careful with WebAuthn: it is domain dependent. The blog post I link to
explains this well, and also what happens if the domain of the Portal changes.
5. I agree with the other e-mails about the maidenhead. I know it’s currently a part of
the old Portal, but is it really required? I would make it optional personally unless
there’s a specific use case. We should practice data minimization and only collect what’s
really needed now, and not require fields “just in case they’re useful in the future”.
That way you’ll have to convince users they get some value out of supplying you with this
information ;) It also makes the Portal more generic: networks like guifi that are not
related to amateur radio can also use the software since it’s generic enough.
6. Regarding the LoT, I’d be careful with the retention of the data, as it may not be
needed forever, and only during the verification. If I provided some proof only for
points, and this info isn’t used anywhere else, for any other reason, maybe there’s not a
lot of need in keeping it.
7. I don’t know how deep “View history” goes, but I think audit logging of every
(important) action is a good feature to have. If something happens, one can go back to the
file and build a timeline of events that led to the situation at hand. This doesn’t have
to include PII but enough information to assist in a case.
8. I would like to see the Portal (in the future) be used to generate all the whois
responses. The whois server should just serve data from the database directly, as that
should be the source of truth (with a cache in the middle of course). The model of RIRs
with inet{6,}num objects and person objects, etc. is very helpful to create relations.
9. Can you not delegate $callsign.ampr.org to your own servers anymore? Or is this still
done manually via a ticket?
10. Does DS / DNSKEY support mean we’re getting DNSSEC for ampr.org? :) Would be nice to
see that, including for rDNS, and of course for delegated zones too!
11. What is the purpose of 3.2.6.4?
12. For 3.6.3.1 I would recommend OWASP’s ASVS (
https://owasp.org/www-project-application-security-verification-standard/
<https://owasp.org/www-project-application-security-verification-standard/> ) as a
guideline, and I would aim for Level 2. It doesn’t have to be followed to the letter, but
it gives a good idea of a lot of important things to pay attention to. The WSTG is of
course also a good resource to use in parallel.
13. I would like to see IPv6 support explicitly mentioned as a requirement, both for the
software, as well as the service. The functionality (assignments, allocations) depends on
what the plans and needs of ARDC are, but being able to use the Portal fully in an
IPv6-only network is something I believe should be there regardless.
14. If ARDC manages to get RPKI, I would like to see the automated provision of ROAs for
all BGP networks, e.g. by using the RIPE API, or if it’s self-hosted (why?) an integration
with Krill (probably). Obviously something for the future.
15. For 3.6.3.2 I believe it should be “only available”. After all, a lot of modern web
features (e.g. WebAuthn) don’t work without it.
That’s all, looking forward to the continuing of the development!
Antonis
On 28 Sep 2022, at 08:53, Chris Smith via 44net
<44net(a)mailman.ampr.org> wrote:
The Level of Trust is a means to ensure that the person is a genuine, licensed radio
amateur. It starts when you first register by verifying your email address, which earns
you the lowest level. You then have various easy options, like adding a mobile/cellphone
and verifying that to earn a few additional points, you can also verify your postal
address (Google style postcard with PIN).
The next stage would be to get your licence and ID verified, this would typically be done
by either a physical meeting, if someone is close enough, or (more likely) via a video
meeting. The idea is that the more verification processes you go through, the higher your
level of trust. So when you apply for resources all the verification is already in place.
This is especially important for BGP requests as it currently takes some time to go
through that process.
The ultimate goal would be to become a verifier yourself and help verify others - It’s
the same model as the CA-Cert Web Of Trust.
73,
Chris - G1FEF
On 28 Sep 2022, at 06:13, Jonathan Lassoff via
44net <44net(a)mailman.ampr.org <mailto:44net@mailman.ampr.org>> wrote:
Thanks for sharing this work with the community.
Reading through it, some thoughts and questions come up:
- I'm delighted to see that accessibility and WCAG is considered.
- What is the intent of the Level Of Trust value? Is this about allowing some centralized
administrative actions, or does this represent something that community members can earn
and level up?
- In addition to GDPR compliance considerations, you might also consider California's
similar CCPA.
- What is the intention of requiring maidenhead locators? I'm mostly just curious how
the information gets used, though I suspect it would be useful to map country-granularity
call signs to actual geographic areas where the subnets are assigned.
In general, this seems like a really straightforward list of requirements that all make
sense in context.
Looking forward to experimenting and trying out something new.
Cheers and 73,
jof / K6BGP
On Tue, 27 Sept 2022 at 14:37, Rosy Schechter - KJ7RYV via 44net
<44net(a)mailman.ampr.org <mailto:44net@mailman.ampr.org>> wrote:
Hello 44Net!
For quite some time, y'all have heard rumblings of a new portal, which
Chris has been working on bit by bit. Realizing that it's likely a
larger project than we initially thought, earlier this year the TAC took
on the task of writing a feature requirements document. This has been
the bulk of their work this year so far, and I'm really proud of the
results, which were completed just a couple weeks ago.
I'm writing on behalf of the TAC to share this document with you and to
request comments and comments:
https://www.ampr.org/wp-content/uploads/2022-09-Portal-Features-Requirement…
<https://www.ampr.org/wp-content/uploads/2022-09-Portal-Features-Requirements-Doc.pdf>
Ideally, please share your thoughts in this channel rather than emailing
directly, though of course we will read any feedback you send. Pierre,
the TAC Chair, will be watching the list and answering any questions
that may come up.
Note that this document is a feature requirements document - which
outlines the features that the portal needs to have before it's
considered "done." By definition, it's *not* an engineering document;
we've purposefully not specified the exact technology we'll use to build
this out. We have, however, specified that it will be released as an
open source project as soon as we have a functional version, likely
without all features present. Ultimately this will be a project managed
by our new Director of Technology (who starts on Monday; will introduce
after he starts) and the team he assembles to carry out the build. Thus,
information like timelines, project plans, and database specifications,
etc., will follow his review of this document and any comments from this
group.
And with that, I say - happy reading! And thank you so much for your
thoughts and questions.
Looking forward,
Rosy
--
Rosy Schechter - KJ7RYV
Executive Director
Amateur Radio Digital Communications (ARDC)
ampr.org <http://ampr.org/>
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org <mailto:44net@mailman.ampr.org>
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
<mailto:44net-leave@mailman.ampr.org>
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org <mailto:44net@mailman.ampr.org>
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
<mailto:44net-leave@mailman.ampr.org>
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
29 Sep
29 Sep
9:38 a.m.
Hi Antonios!!
So good to hear from you :)
I'm going to let the TAC / Chris speak to some of your questions, but
I'll share my thoughts on some of the below.
On 9/28/22 2:44 PM, Antonios Chariton (daknob) via 44net wrote:
> 3. Regarding the ticketing system, perhaps
it’s worth to explore
> integrating with an existing one for some of the use cases to not
> reinvent the wheel?
Yes, that is also something that we've considered, though this portion
has already been built. We will review it against the features outlined
and determine if an out-of-the-box solution better suits our needs.
> 4. I would like to see WebAuthn for
Security Keys with support of
> multiple, e.g. 8-16 keys, and not single-key only like some services.
> The web also seems to be moving to a passwordless future, with support
> for Passkeys already landed in browsers and OSes in desktop + mobile.
> Integrating WebAuthn for 2FA and Passkeys for passwordless login is very
> similar. My colleague Adam has written a very good technical post on how
> to implement these standards securely in case you’re interested:
> https://www.imperialviolet.org/2022/09/22/passkeys.html
> <https://www.imperialviolet.org/2022/09/22/passkeys.html> . I would also
> try to avoid any insecure practices like security questions to recover
> an account. I don’t know if I would pick SMS 2FA for a new project,
> although it’s better than nothing. Just make sure you don’t fall back to
> SMS e.g. if Security Keys / TOTP doesn’t work. I think with e-mail 2FA
> support the SMS option isn’t needed. People without a smartphone would
> still need e-mail access to login, so I don’t think it is excluding
> people if you do not offer it. Just be careful with WebAuthn: it is
> domain dependent. The blog post I link to explains this well, and also
> what happens if the domain of the Portal changes.
Thanks, this is noted. Ideally we provide multiple options for 2FA.
> 5. I agree with the other e-mails about
the maidenhead. I know it’s
> currently a part of the old Portal, but is it really required? I would
> make it optional personally unless there’s a specific use case. We
> should practice data minimization and only collect what’s really needed
> now, and not require fields “just in case they’re useful in the future”.
> That way you’ll have to convince users they get some value out of
> supplying you with this information ;) It also makes the Portal more
> generic: networks like guifi that are not related to amateur radio can
> also use the software since it’s generic enough.
> 9. Can you not delegate $callsign.ampr.org
<http://callsign.ampr.org> to
> your own servers anymore? Or is this still done manually via a ticket?
The items described in the feature requirements doc are not live, so
please continue to use existing processes until we make the transition
to the new Portal. Ideally this process of transitioning to the new
portal, led by our forthcoming Technical Director, will not be abrupt
and have sufficient warning for changes. I do not see any major release
for the new portal happening until 2023 (ideally early 2023, but no
promises + more scoping needed.)
> 13. I would like to see IPv6 support
explicitly mentioned as a
> requirement, both for the software, as well as the service. The
> functionality (assignments, allocations) depends on what the plans and
> needs of ARDC are, but being able to use the Portal fully in an
> IPv6-only network is something I believe should be there regardless.
This may be a whole second project, combined with a longer discussion
around whether ARDC should actually manage an IPV6 block. We see cases
for and against it, but ultimately, we need to make sure that our
existing address space is better managed and utilized before taking on
more. That said - your comments are noted.
If TAC / Chris / Board members have additional thoughts to share here,
please do.
> That’s all, looking forward to the
continuing of the development!
Thanks, Antonis! Us too. Very grateful for so much forward movement here.
All the best,
Rosy
Rosy Schechter - KJ7RYV
Executive Director
Amateur Radio Digital Communications (ARDC)
ampr.org
Great work Chris & TAC! Glad to see this document
delivered! I see many
great points throughout the document and I am really happy they made it
there.
Thank you :)
Just some comments and questions that may be helpful from me, in
case you’re interested:
1. Why did you pick GPLv3 as the license? Is this an ARDC requirement or
a decision independently made for the Portal? Is there any chance to
reconsider and pick a license like MIT, BSD, or Apache 2? I feel like
the restrictions that GPL (especially v3) imposes are unnecessary.
We're open to different open source licenses. Why would you choose MIT,
BSD, or Apache 2 over GPL?
2 Oct
2 Oct
5:14 p.m.
Hey Rosy, please find my answers below:
That’s a good and inclusive choice and I support it. I would just want you to avoid the
legacy of SMS 2FA in a brand new system :)
Yes, of course, by “anymore” I was referring to the new system, but it was not clear
enough. I was informed that this isn’t possible today anyways, so I apologize for the
mistake. It seems that nothing is changing with the new requirements.
I agree, and that’s why I’d like to focus on ensuring the portal is accessible over IPv6
at least, regardless of whether or not this project will happen, and whether ARDC will
ever have to manage IPv6 addresses. It’s always good to be able to use the current IP
version to manage the legacy one ;)
Antonis
On 29 Sep 2022, at 16:38, Rosy Schechter - KJ7RYV via
44net <44net(a)mailman.ampr.org> wrote:
Just some comments and questions that may be helpful from me, in
GPL is applying restrictions on the code that prevent certain use. The other licenses
listed above actually allow for free use and distribution of the code. They do not pose
any significant limitations. With a GPL license, if you’re interested in contributing to
the code or making a fork of the software, you can either do it privately, or you’re
forced to publish it under the same license. This can lead people into keeping their forks
private. Moreover, if a project uses code from a GPL project, even in part, it needs to be
released under the GPL as well (unless it includes the code in the form of a library),
which can limit reusability of the code by others. (I have seen and heard many stories on
that, and it’s not clear to which degree this is true, e.g. if linking the code is okay or
not, but it can expose you to risk).
Moreover, for a lot of professionals, especially outside the US, it can be difficult or
may require explicit approval from their employer to contribute to such software, or it
may not be allowed outside the scope of their work, due to intellectual property rights.
Some companies for example allow you to contribute to any OSS under a certain license
list, and almost always the three ones above are included, and almost always GPL is
explicitly not included.
There’s a large debate about enforceability, and some of these areas are not well
understood or defined, and that’s why typically companies that care about the legal risk
tend to just avoid any exposure.
A lot of modern programming languages such as Rust and Go try to have a culture of Apache
2 which is the recommended license (and has a very helpful patent provision) and most of
the libraries choose a license in the list above (called permissive). This helps ensure
GPL-free software which they probably consider an important point.
Here’s an interesting article I just found:
https://medium.com/@henvic/opensource-and-go-what-license-f6b36c201854
<https://medium.com/@henvic/opensource-and-go-what-license-f6b36c201854> — 87% of Go
code on GitHub is licensed under permissive licenses. Around 75% of any software is
licensed under permissive licenses. It also covers a lot of important points on why you
can choose one vs the other. However, a modern typical practice seems to be a dual Apache
2 + MIT option, but it may be too much for the Portal. Any one of the two is fine. I think
there’s some bias in the article, so keep that in mind while reading.. ;)
Of course, it should be mentioned that there are very large and successful projects that
are using GPL, but some are too big to be ignored, and this may be the reason. The most
popular is Linux, that is licensed with GPL, but even that does not use GPLv3, but GPLv2,
as Linus Torvalds expressed a dislike towards the changes introduced in the 3rd version.
My main point, and why I always prefer permissive licenses, is that you remove the
potential for legal risk / gray zones, and you release software that is truly free,
without imposing restrictions to anyone. This, however, may not be something everyone
wants, but I don’t see a reason why we should not do that.
Finally, as something unrelated to the Portal code, but a practice I see more and more
lately: software companies release the “Community Edition” under GPL, and the “Enterprise
Edition” as a paid license. That way they use the GPL to prevent their competitors from
forking the code, or doing any development, and they maintain the sole right to sell this
code (that people outside the company may contribute). There’s also a recent trend it
seems for a certain Cloud provider to find OSS with permissive licenses, and offer it
"as a Service”, directly competing with the company or team behind it, that also
attempts to do the same thing. These companies have been forced to restrict their code to
remain financially viable, but still chose to stay away from the GPL.
case you’re interested:
1. Why did you pick GPLv3 as the license? Is this an ARDC requirement or a decision
independently made for the Portal? Is there any chance to reconsider and pick a license
like MIT, BSD, or Apache 2? I feel like the restrictions that GPL (especially v3) imposes
are unnecessary.
We're open to different open source licenses. Why would you choose MIT, BSD, or
Apache 2 over GPL? 4. I would
like to see WebAuthn for Security Keys with support of multiple, e.g. 8-16 keys, and not
single-key only like some services. The web also seems to be moving to a passwordless
future, with support for Passkeys already landed in browsers and OSes in desktop + mobile.
Integrating WebAuthn for 2FA and Passkeys for passwordless login is very similar. My
colleague Adam has written a very good technical post on how to implement these standards
securely in case you’re interested:
https://www.imperialviolet.org/2022/09/22/passkeys.html
<https://www.imperialviolet.org/2022/09/22/passkeys.html> . I would also try to
avoid any insecure practices like security questions to recover an account. I don’t know
if I would pick SMS 2FA for a new project, although it’s better than nothing. Just make
sure you don’t fall back to SMS e.g. if Security Keys / TOTP doesn’t work. I think with
e-mail 2FA support the SMS option isn’t needed. People without a smartphone would still
need e-mail access to login, so I don’t think it is excluding people if you do not offer
it. Just be careful with WebAuthn: it is domain dependent. The blog post I link to
explains this well, and also what happens if the domain of the Portal changes.
Thanks, this is noted. Ideally we provide multiple options for 2FA. 9. Can you not
delegate $callsign.ampr.org <http://callsign.ampr.org> to your own servers anymore?
Or is this still done manually via a ticket?
The items described in the feature requirements doc are not live, so please continue to
use existing processes until we make the transition to the new Portal. Ideally this
process of transitioning to the new portal, led by our forthcoming Technical Director,
will not be abrupt and have sufficient warning for changes. I do not see any major release
for the new portal happening until 2023 (ideally early 2023, but no promises + more
scoping needed.) 13. I would
like to see IPv6 support explicitly mentioned as a requirement, both for the software, as
well as the service. The functionality (assignments, allocations) depends on what the
plans and needs of ARDC are, but being able to use the Portal fully in an IPv6-only
network is something I believe should be there regardless.
This may be a whole second project, combined with a longer discussion around whether ARDC
should actually manage an IPV6 block. We see cases for and against it, but ultimately, we
need to make sure that our existing address space is better managed and utilized before
taking on more. That said - your comments are noted. 
28 Sep
28 Sep
7:23 a.m.
Hi Rosy and the group,
Thanks for sending this, I'm looking forward to trying the new portal
and seeing its improvements.
I have read the document and made some observations, which I have
written here in no particular order, and with the relevant section where
I thought that would be helpful:
1. 3.2.1.9: 2FA - can I please request FIDO U2F support?
2. 3.2.1.10: Maidenhead - is there a requirement to gather this,
alongside other already identifying information? Users may have
different reasons for keeping their location private (i.e. not having to
divulge) alongside any other PII that is gathered and appropriately
governed in the Portal.
3. 3.2.5 BGP assignments: Perhaps this falls under RADB objects, but my
suggestion is to incorporate IRR record management. It would be ideal to
incorporate this as an optional part of the portal-based process.
4. 3.2.6 and the mention of '<callsign>ampr.org' reads to me as if call
signs are being used as the primary identifier on the Portal. If this is
the case, it may prove more versatile and useful to employ some other
sort of identifier (username?) as a primary identifier, and allow
multiple call-signs to be explicitly supported across the services
offered. Users then may easily change or obtain additional callsigns
throughout their life, without impact to the services they run. To
address the specific point around a callsign subdomain in relation to
multiple callsign holders, this would allow users to manage their own
cutover without their hosted services stopping abruptly upon changing to
a new callsign in the Portal. To make this point clearer in the
requirements, 2.2.1.1.1.1 could change to mention callsign(s) (plural)
as all associated to a user may need to be verified.
5. I understand that to date the Portal has required a regular login to
verify the ongoing interest of the account holder in maintaining their
account. Currently the requirements do not distinguish between web-based
and API-based access in determining the last time the Portal was
accessed. My personal preference is that API-based access be included in
the determination of last access time, as any server making an API
request on my behalf is likely to perish alongside my interest in
maintaining my IP space. Ultimately it would good to clarify the
expected behaviour one way or the other, so that all are clear if
API-access counts in 'resetting the clock' for access invalidation.
5. Perhaps this is covered by other accessibility requirements, but I
would suggest a specific requirement to ensure that the website will
support and provide full functionality across typical device sizes (e.g.
phone, tablet, desktop web browser).
6. I wondered if prescribing that all work will be in alignment with
open source best practices --- without defining these --- might provide
a point of contention later, if a user doesn't like the way something is
being done, and given the proposed public nature of the codebase. Given
too that best practices tend to be dynamic and that it may require some
additional work to bring the codebase into line with this requirement
whenever a change is made, it might be worthwhile to soften this
expectation slightly without undermining its intent.
7. Point 2.1.2.1 may have been intended to enumerate accessibility
standards (there is a hanging colon).
I may have missed or misunderstood some sections of the document, in
which case I beg your pardon if my suggestions are addressed elsewhere
in the document or otherwise moot.
The requirements document reads very well and it is clear much thought
and work has gone into its production. My thanks to the team behind it
who are obviously striving to make the Portal an improved experience for
all.
Regards,
--
Joel Buckley VK3LE/VK2VRO
On Tue, Sep 27, 2022 at 05:37:31PM -0400, Rosy Schechter - KJ7RYV via 44net wrote:
Hello 44Net!
For quite some time, y'all have heard rumblings of a new portal, which Chris
has been working on bit by bit. Realizing that it's likely a larger project
than we initially thought, earlier this year the TAC took on the task of
writing a feature requirements document. This has been the bulk of their work
this year so far, and I'm really proud of the results, which were completed
just a couple weeks ago.
I'm writing on behalf of the TAC to share this document with you and to
request comments and comments:
https://www.ampr.org/wp-content/uploads/2022-09-Portal-Features-Requirement…
Ideally, please share your thoughts in this channel rather than emailing
directly, though of course we will read any feedback you send. Pierre, the TAC
Chair, will be watching the list and answering any questions that may come up.
Note that this document is a feature requirements document - which outlines
the features that the portal needs to have before it's considered "done."
By
definition, it's *not* an engineering document; we've purposefully not
specified the exact technology we'll use to build this out. We have, however,
specified that it will be released as an open source project as soon as we
have a functional version, likely without all features present. Ultimately
this will be a project managed by our new Director of Technology (who starts
on Monday; will introduce after he starts) and the team he assembles to carry
out the build. Thus, information like timelines, project plans, and database
specifications, etc., will follow his review of this document and any comments
from this group.
And with that, I say - happy reading! And thank you so much for your thoughts
and questions.
Looking forward,
Rosy
--
Rosy Schechter - KJ7RYV
Executive Director
Amateur Radio Digital Communications (ARDC)
ampr.org
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
29 Sep
29 Sep
9:53 a.m.
Hi Joel,
Thank you so much for your comments. As with those from Antonis, I'll
let the TAC / Chris speak to many of them, but my thoughts on some of
the items are below.
Thanks for sending this, I'm looking forward to
trying the new portal
and seeing its improvements.
Glad to do it! And me too.
1. 3.2.1.9: 2FA - can I please request FIDO U2F support?
This is noted. As as mentioned on my last email, ideally multiple forms
of 2FA will be available.
6. I wondered if prescribing that all work will be in
alignment with
open source best practices --- without defining these --- might provide
a point of contention later, if a user doesn't like the way something is
being done, and given the proposed public nature of the codebase. Given
too that best practices tend to be dynamic and that it may require some
additional work to bring the codebase into line with this requirement
whenever a change is made, it might be worthwhile to soften this
expectation slightly without undermining its intent.
I hear what you are saying here. Ultimately the notion of doing this
work in the public causing contention due to disagreement about how
things are done, is the main reason why some members of our team
(including me at times) have been hesitant to do work in the public in
general. The truth is, though, that has to change – we value open
source, and we hear the call from 44Net members for increased
transparency into what we're doing. Making sure that this codebase is
public is part of meeting those needs. I agree that it will likely come
with some contention, and we must both expect it and take steps to work
through it and keep our work productive.
My hope is that we'll have solid guidelines for engagement around our
open code bases designed to minimize contention. As stated in the Rust
code of conduct:
"Respect that people have differences of opinion and that every design
or implementation choice carries a trade-off and numerous costs. There
is seldom a right answer."
https://www.rust-lang.org/policies/code-of-conduct
We'll definitely need to employ this kind of philosophy in whatever work
we are doing in the public. And like you say, it may be worth softening
our expectation in order to be as productive as possible.
7. Point 2.1.2.1 may have been intended to enumerate
accessibility
standards (there is a hanging colon).
There's just a hanging colon :) Thanks for pointing that out.
I may have missed or misunderstood some sections of the document, in
which case I beg your pardon if my suggestions are addressed elsewhere
in the document or otherwise moot.
I don't see any misunderstandings :)
The requirements document reads very well and it is clear much thought
and work has gone into its production. My thanks to the team behind it
who are obviously striving to make the Portal an improved experience for
all.
Thanks to you for sharing your thoughts here!
All the best,
Rosy
--
Rosy Schechter - KJ7RYV
Executive Director
Amateur Radio Digital Communications (ARDC)
ampr.org
10:03 a.m.
My main contribution at this time is to suggest moving this to a Google Doc that you can
take suggestions, comments, and questions there directly and merge as you go to review.
Mainly because my inbox is blowing up with this thread and I almost unsubscribed several
times now.
I hope to also review and provide more feedback when I have some downtime, hopefully this
weekend.
Matt
On Tue, Sep 27, 2022 at 14:37, Rosy Schechter - KJ7RYV via 44net
<44net(a)mailman.ampr.org> wrote:
Hello 44Net!
For quite some time, y'all have heard rumblings of a new portal, which
Chris has been working on bit by bit. Realizing that it's likely a
larger project than we initially thought, earlier this year the TAC took
on the task of writing a feature requirements document. This has been
the bulk of their work this year so far, and I'm really proud of the
results, which were completed just a couple weeks ago.
I'm writing on behalf of the TAC to share this document with you and to
request comments and comments:
https://www.ampr.org/wp-content/uploads/2022-09-Portal-Features-Requirement…
Ideally, please share your thoughts in this channel rather than emailing
directly, though of course we will read any feedback you send. Pierre,
the TAC Chair, will be watching the list and answering any questions
that may come up.
Note that this document is a feature requirements document - which
outlines the features that the portal needs to have before it's
considered "done." By definition, it's *not* an engineering document;
we've purposefully not specified the exact technology we'll use to build
this out. We have, however, specified that it will be released as an
open source project as soon as we have a functional version, likely
without all features present. Ultimately this will be a project managed
by our new Director of Technology (who starts on Monday; will introduce
after he starts) and the team he assembles to carry out the build. Thus,
information like timelines, project plans, and database specifications,
etc., will follow his review of this document and any comments from this
group.
And with that, I say - happy reading! And thank you so much for your
thoughts and questions.
Looking forward,
Rosy
--
Rosy Schechter - KJ7RYV
Executive Director
Amateur Radio Digital Communications (ARDC)
ampr.org
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
2 Oct
2 Oct
9:27 p.m.
Hi,
Well, don't really see a whole lot I can contribute; this is one of the better spec
docs I've seen in a LONG time. So great work there.
On the topic of extensibility, one area I didn't see a lot of information on was
identity and access management (or IAM). Not sure what you plan on using for your
underlying user system, but you might consider SAML IdP for a base, if not OID; and/or
featuring SAML SP so you can interface third-party identity providers, to facilitate your
onboarding with other institutions, i.e. education, and enterprise organizations) for
supporting third-party login providers. If you decide to support SAML, I would encourage
you to start with Shibboleth (either as a SP, IdP, or both) as a means of jumpstarting
your enrollment into the InCommon Federation as well.
You'll also be doing yourself a favor when you can onboard third-party commercial
products (cloud-hosted or on-premise) which also support SSO with SAML to offload
development cost of those services (i.e. project management, email, CRMs, support ticket
systems, etc.) esp. if you start scaling out your internal "workforce" with
additional volunteers sourced from your existing user base.
That's about all I can think of for now.
Thanks,
Matt (KE7INI)
------- Original Message -------
On Tuesday, September 27th, 2022 at 2:37 PM, Rosy Schechter - KJ7RYV via 44net
<44net(a)mailman.ampr.org> wrote:
Hello 44Net!
For quite some time, y'all have heard rumblings of a new portal, which
Chris has been working on bit by bit. Realizing that it's likely a
larger project than we initially thought, earlier this year the TAC took
on the task of writing a feature requirements document. This has been
the bulk of their work this year so far, and I'm really proud of the
results, which were completed just a couple weeks ago.
I'm writing on behalf of the TAC to share this document with you and to
request comments and comments:
https://www.ampr.org/wp-content/uploads/2022-09-Portal-Features-Requirement…
Ideally, please share your thoughts in this channel rather than emailing
directly, though of course we will read any feedback you send. Pierre,
the TAC Chair, will be watching the list and answering any questions
that may come up.
Note that this document is a feature requirements document - which
outlines the features that the portal needs to have before it's
considered "done." By definition, it's not an engineering document;
we've purposefully not specified the exact technology we'll use to build
this out. We have, however, specified that it will be released as an
open source project as soon as we have a functional version, likely
without all features present. Ultimately this will be a project managed
by our new Director of Technology (who starts on Monday; will introduce
after he starts) and the team he assembles to carry out the build. Thus,
information like timelines, project plans, and database specifications,
etc., will follow his review of this document and any comments from this
group.
And with that, I say - happy reading! And thank you so much for your
thoughts and questions.
Looking forward,
Rosy
--
Rosy Schechter - KJ7RYV
Executive Director
Amateur Radio Digital Communications (ARDC)
ampr.org
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
565
days inactive
571
days old
13 comments
9 participants
participants (9)
-
Antonios Chariton (daknob) -
Chris Smith -
David Ranch -
Joel Buckley -
Jonathan Lassoff -
lleachii@aol.com -
Matt -
pete M -
Rosy Schechter - KJ7RYV