SecureDrop Community decision making



The SecureDrop Community is horizontal and has a basic decision making process taken from the infrastructure team. It goes like this:

  • An action that has no impact on others can be carried out without asking for permission
  • An action impacting others is advertised in advance and carried out if there is a consensus
  • Any person impacted by an action can call for a vote
  • People with access to an exclusive resource must be identified and reachable

Various decisions were made following these rules in the past few months. For example allocating funds for localization work which reached consensus after a few weeks. Or bootstrapping Enough after months of discussions. Or creating a Nextcloud instance unilaterally because it has no impact on anyone. Or granting access to the infrastructure to @aydwi after a week to give anyone a chance to voice their concerns. Not once did anyone call for a vote but I think it is very important that anyone can.

We could add details such as the delay that is considered in advance. It turns out to be a week or so at the moment, which makes sense because including at least one weekend allows non-staff members to participate during their free time. We could also try to clarify what an exclusive resource is (DNS, money etc.) and explain the rationale for identifying people with access. I tend to like when things are simple, even if it leaves a lot to interpretation. But others may feel differently.

I propose this de-facto decision making process is published on for newcomers to quickly understand we are not a centralized organization and do not intend to ever become one.

What do you think?