I am sorry to hear about your disappointment. You're free to point me at role models that are doing better. I may be ignorant about the variety of choices here.
Team members are also people who have access to critical infrastructure, such as:
1) domain management
2) whonix.org ssh access
3) Whonix APT Repository
4) Whonix News
5) Wiki Admin
6) Wiki Reviewer
7) forum admin
8) forum mod
9) various project accounts for sourceforge etc.
On what criteria do you propose that someone more or less automatically gets the right to get access to this critical infrastructure?
To understand me better, I also always have this in mind: https://www.whonix.org/wiki/Trust#Evil_developer_attack. I am not that into the Debian OpenSSL debacle (https://lists.debian.org/debian-security-announce/2008/msg00152.html), where a maintainer said "I don't like this randomness in the code", made it non-random, and therefore messed up entropy, but one could say this is similar to an evil developer attack. Having in mind the kind of adversaries that may not like Whonix, I think the most reasonable approach is to be very careful.
According to DistroWatch, Debian is one of the most popular distributions. And I'd say they're following the Free Software spirit. Something I could not say about Ubuntu. They're more popular, but a sponsored, commercial project, which doesn't care so much about the Free Software spirit.
Debian as a very successful distribution is a good role model. There are:
- level 0: non-members / community contributors
- level 1: Debian member? (This level might not exist anymore or I may be totally wrong about it.)
- level 2: Debian maintainers, join process: https://www.debian.org/devel/join/newmaint
- level 3: Debian developers, join process: https://wiki.debian.org/DebianDeveloper#Becoming_a_Debian_Developer
- level 4 and higher: team leaders, project leader?
In Debian, it seems to me there is no way to anonymously join the project (pseudonymously, as in having others know your real name/identity but using a pseudonym on the web, however, seems to be allowed).
As in the case of the featherweight edition, Cerberus, my plan was to see if you're coming up with source code changes, git commits, git tags and binary builds. My plan was to revamp the download page with the various different options that are maintained by different developers. This would have included linking to binary download images that have been created by an anonymous person (Cerberus). Now that there are verifiable builds (https://www.whonix.org/wiki/Trust#Verifiable_Builds), this approach is hopefully not entirely unreasonable from both a security perspective and from a community member to team member progression.
Again, I am happy to look into how other projects/models are doing this. This is the first and only Free Software project of this size I am working on, so I am asking for forgiveness should anything be unreasonable.