Privacy, Security, and Information Control

  • I've got some concerns about the current level of security for the Eco community.

    The first thing I noticed was forum privacy. If you have the link to the developer forums, you can read all of the posts without logging in. Furthermore, I was able to access the Slack team spreadsheet without any kind of login, and I could edit the information freely.

    I was not able to locate the developer forums without already having the link, but I don't feel that this is an adequate level of security. I would like to feel more comfortable sharing my personal details in the community.

    When I tried to find the developer forums without the link, I was able to find the public Eco forums. These have already been subjected to spam.

    Finally, with regard to the code proliferation question, if the intention is to keep all the source code and assets confined to this community, I believe in principle we should all agree to non-disclosure as a prerequisite to that access. I don't think viewing the spread of the code on the Internet as inevitable is a healthy approach, and steps should be taken to protect it.

    I am also a bit unclear on whether or not "open-source" is really an accurate description of the intentions when the protections being sought by the licensing are considered. Even if something truly open-source is the ultimate goal, I think the product is especially vulnerable during this early phase of development, and public access to the code should be delayed as much as possible or until the ownership of that intellectual property clearly decides to grant the public access.

    I think it's ambiguous because (to my knowledge) the information protection legislation doesn't explicitly cover a scenario where expanded access is being granted to a specific body of people who are neither employees nor contractors, but I don't believe that precludes the right of the information owners to take steps in protecting their intellectual property directly.

  • I am curious as to why the dev forums are able to be accessed with a link as well and read by guests. At the very minimum the dev forum should be private and require login to read any topics/see anything. And all new accounts should require moderation/admin approval.

    I am having a hard time figuring out what forum software we are on though. I have used almost all of them, and while I recognize some of the things on this forum I still can't place it. So, I have no clue what its capabilities are now lol. I find it odd that there is no post quote support though :[..

    I offered my help to John about the forums and whatnot but I was too late as they had already been finished. The spreadsheet I'm not as worried about only because when he sends out bulk invites he can just remove all our info immediately.. I just hope he does that sooner than later. xD

    And yes, they should enforce an NDA on everyone who wants to touch the code base.. But some of the people here are students I think, and I thought an NDA would not be valid on anyone under 18 because their signature is invalid. In America anyways. If we ran a GitLab we could then run a private GitHub repo and do invites only for accounts on it. Make the repo private unless logged in, and pull requests can be approved by a Strange Loop game dev. Then they can avoid paying for user accounts on actual GitHub.

    @JohnK, if you need help setting up a GitLab please let me know; I will be happy to assist you in this matter.

  • Yes, I really agree about the forum privacy. If the KS campaign says that only people at certain pledge levels will be able to access the forums then I expect it to be that way.

    Concerning an NDA I think they could do that. The Kickstarter terms say that "People under 18 (or the legal age in your jurisdiction) are not permitted to use Kickstarter on their own, and so this privacy policy makes no provision for their use of Kickstarter." and "To sign up for an account, you need to be at least 18 years old, or old enough to form a binding contract where you live. If necessary, we may ask you for proof of age." Though I'm fully aware of the fact that there might still be backers under the age of 18, but then they have also violated the Kickstarter terms of agreement.

    Though I think it's up to the devs to decide how they want to restrict the code base, I really agree that the forum privacy settings should be fixed to comply with the information on Kickstarter.

  • From what it would seem it would be nice to have a link on the main forums to the dev forums which will require authentication. Right now all that is required is to know to add '/eco-dev-forum' to the url.

    From what I understand, John K is planning on locking down the forums when the Kickstarter is done but it does seem like it would be helpful to have authentication from the beginning.
    Also, for an NDA, from what I have seen there are 2 people who are from high school, who I would assume are the only ones that would be under 18 (there could be some of the college students who are under 18, but I would guess that there will only be a few). Unfortunately, from what I can find, a minor even with a parental co-sign cannot be held to an NDA (I'm not a lawyer, but that is the information that I was able to find).

    I am also curious what will be 'open sourced.' Where is the line between 'engine' and 'line' drawn?

  • Great points @jscpowser and all. So right now the forums are open only because Kickstarter won't give me people's emails until the campaign is finished, so in order to open it early I had to do it this way. Once it's done I'll go through and send invites to everyone not here, and delete accounts from emails not tied to a Kickstarter pledge. The spreadsheet exists for the same reason. Once the KS campaign is done we will have an account system through that lets us track accounts and give access in a more secure/easier way.

    I'm debating having the forum readable by the public, this could be a great way for people to see what the community is like, and potentially join it (we're considering allowing people to 'pledge' on our website post-campaign at a cost higher than the current tier levels in order to get access to the source and community, basically continuing the campaign but making it so the initial backers got the best deal). Perhaps we could expose just a single area of the forum, announcements. Or maybe the whole thing.

    Forum software: this current forum is a total quick-job, since we're slammed for PAX prep right now, we'll go back and make it sexy after. Having help with that would be great @MajorCyto

    Source we'll have to make private of course, and only people with accounts can access it. We'll have some agreement to the effect that 'anything you add or modify to this code becomes property of Strange Loop, and you can't use it elsewhere without permission' that people will need to sign, with the caveat that if anyone becomes a major contributor we will either hire them, contract with them, or share revenue somehow. I want it to be a fluid transition between 'playing around with the Eco code/learning from it' to 'actively contributing shipping features', and I absolutely want those people to be compensated, so we'll just have to work that out on a case by case basis, with the default being the safest for us of 'we own everything'. You're right @jscpowser the term open-source might not be exactly right here, since we're opening the source but not free usage elsewhere.

    The 18+ issue is an interesting one. Not sure how to handle that without locking people out, which would suck, as this could be a great learning experience for high school students and younger. I'll see if we can find a solution for that.

    I'm less worried about an NDA because I assume the code will instantly end up on PirateBay whatever we do, and if we do this we have to expect that. The hypothesis being that the value we get from this open community will be greater than the cost of having our source code publicly available. I have huge hopes for this community, so I think it will.

    Re help setting up forums: Jeff does all our web programming right now, email about helping on the forum and such (after Sept 2 please, post PAX) and we may be able to get you set up with an account to do so.

    Thanks a ton all, great to see security is on people's mind from the beginning.

  • When you say public do you mean the public to the development community or public as in the world as a whole?

  • Great @JohnK, hopefully we get Slack access soon and I can work with you on there about the GitLab? Or whatever medium is preferred. I can help with the forum as well (if even needed).

  • @eat_those_lemons the forums will be viewable by the dev community only, though we may let the public see some of the categories.

    The source code will only be available to the dev community. I meant it would be 'public' because it will eventually get outside the community somehow, we can't expect it not to. Hope that makes more sense.

    @MajorCyto yeah sounds good, we're going to be focusing on PAX through the weekend but will begin setup in earnest next week.

  • @JohnK Sounds like a good plan :) And keep focusing on PAX for now!

  • Sounds good to me as well. Giving public access to view some of the more discussion based threads may (as you have said) want to get involved and contribute as well and in doing so, generate some extra funding post-KS. Good luck at PAX. Kind of wish I was going as well :P

  • I don't know if I'm right here but I've got a question: I'm a $125 backer (because I don't have enough money for $175), but can I also become dev-tier after KS (when I've got more money)? Maybe with a $50 donation?

  • @TaminoSch, they said they would consider options for people to upgrade their backing package after Kickstarter has ended but they have no concrete plans as of yet.

  • @MajorCyto thanks :) I hope there will be an announcement.

  • @TaminoSch yep, we decided to do this, but prices will go up a bit after Kickstarter, so our early backers will always have received the best deal.

  • Just FYI. I emailed Kickstarter support and they told me that someone under 18 can back a project with parents' permission, so I know there are probably at least a few people under 18 on here, and I think they should be able to help even if they can't sign an NDA.

  • I'm under 18.

  • Any news on whether NDA would be needed or not?

  • The only problem I see with having the developer forums readable by the public is in regards to how much detail you want the general public to see. Suppose, for example, a thread opens up to tackle a programming problem. Source code is posted through the course of discussion. One way to sidestep that is to have a setting where anything inside code tags is unreadable unless logged in, but there might be other issues with public disclosure. It really depends on how closely you want to guard your own code.

    In regards to NDA, you can ask that parents sign it on behalf of their child and/or obtain birth date information so that the minor can sign their own agreement when legally able to do so.

  • This could be solvable with a new forum. I'm assuming we will be able to split off programming challenges into a locked sub forum to keep them hidden.

    Not to say making the forum visible is a good idea or not (I'm undecided).

  • I wouldn't mind having my legal guardian/parent co-sign an NDA with me. If they're under 18 and funding at the level of $175, it seems like they're at least 16.
