It’s no secret that there is a MoCo-internal meeting, currently held once a month. Gary Kovacs (MoCo CEO) explains it as being a place to discuss things which are not relevant to the wider community, like office configuration. This month, the topic of the Thunderbird leak did come up, and Mitchell said that a) we should try and help the person who did this understand how harmful it was, and b) we need to continue to try and find ways to safely share, to a group wider than “employees”, information which shouldn’t (yet) be made public. For a), see my previous blog post, actually posted just before the meeting. Here are some thoughts on b).
The leaked email was sent to everyone in the Mozilla Community Directory (Phonebook) who is “vouched”. What exact responsibility you are taking on when you vouch for someone isn’t clearly defined (that I can find), but the Contributor Engagement team is very keen that anyone who is a new or even a potential contributor to Mozilla creates a profile there as soon as possible. And if one of the purposes of the Phonebook is to get metrics about the size and interests of the whole community, that makes good sense.
When I designed the predecessor project to the phonebook, Domesday, it had a system of user tags, some of which had to be bestowed on people – you couldn’t award them to yourself. One tag I envisaged was called “trusted” – a group narrower than “having an account and being a community member” but certainly wider than “employee”. There were heated arguments during the design phase about whether such a thing was even necessary.
I think this incident proves that it is. It’s not possible for one “vouched” marking to both serve as “member of the community” and “trusted member of the community”. Phonebook needs to grow the technical ability, and Mozilla needs to grow the social processes, to mark people as trusted, with a mechanism for the person who incorporates them into the trusted community to be known and held accountable for their conduct. And no free passes – start with Mitchell and Brendan as trust roots, and employees need to find someone who will publicly put trust in them, just like everyone else. (The free pass for employees was, IMO, a significant and unnecessary inequality in the Mozillians vouching implementation.)
Trustworthiness is not something that can be programmatically determined, and it is not related to project activity or long service. This is a human problem. We need a mechanism to identify who is trusted and who is not, because only then will we be safely able to distribute stuff that shouldn’t be public wider than “MoCo-only”, and break down the employee/volunteer barrier.
(Some may want to argue that the category of “stuff which shouldn’t be public” shouldn’t exist at all within any part of Mozilla. I think a little thought will reveal that this can’t be so; there are plenty of legal, diplomatic, and partner-related things where publication would damage Mozilla’s interests. Not to mention, on occasion, people’s real opinions of industry developments.)