[Cryptech Core] Budget, accounts payable, and NGI Trust project
sra at hactrn.net
Wed Feb 19 22:14:06 UTC 2020

I'm writing on behalf of the "Cryptech Board" created as part of
moving the project home to NLnet/Commons Conservancy. In spite of the
name, the board has no real authority to make decisions; we're really
more of a liaison group to NLnet. Real decision making still rests
with the core team. Hence this note.

As some of you are all too aware, there have been some hold-ups
paying Cryptech developers for current work. The reason for this is
simple: we're down to a fairly small pot of money, almost all of which
has strings attached.

Current status: we have a current balance of just under 77,000 EUR,
70,000 of which is the initial block of NGI grant money (the pot with
strings attached). We currently owe Pavel about 21,000 EUR, and Paul
about 9,000 EUR, all for work done since the start of the NGI project
and submitted for payment. That leaves about 47,000 EUR to get the
rest of the NGI project done.

Assuming we tick all the boxes from the project plan, our work is
approved as meeting what we said we'd do at the end, and we raise
enough money from other sources to satisfy the matching requirements,
we get about another 100,000 from NGI in September. Not a sure thing.

We think that all the work Pavel has been doing qualifies under the
NGI deliverables (faster ModExp was on the plan). The driver and
performance test work Paul has been doing should also qualify, same
reasoning. The one bit of current work we're not sure about is the
stuff Paul did to support storing wrapped keys outside the HSM: this
is not listed explicitly in the "new SW core functionality" section of
the etherpad notes from November, but easily could have been, given
that it was the one missing feature ARIN said would have been a
showstopper for them, back when they were evaluating us for their
current HSM purchase round. We're inclined to say it qualifies.

Given the size of the pot, the board is hereby proposing that, for the
duration of the NGI project or until we (somehow) obtain adequate
funding from other sources, we do the following:

1. Pay the amounts currently owed. Yes they're large compared to the
total size of the current pot, but the work was done in good faith
with the expectation of being paid; expecting developers to accept
a retroactive rule change does not seem fair or reasonable.

2. Effective immediately, we switch to a model where the remaining
funding is split up equally among the project goals, with the
understanding that if, by some miracle, achieving one of the goals
does not take that goal's full share, the remainder gets thrown
back into the pot to be shared among the other goals. This seems
the least unfair way to allocate limited funding. It's not great,
it just sucks less than the alternatives. If and when we get
sufficient other funding, we can go back to the old rules.

"Effective immediately" in the previous paragraph refers to work
done after today. Given that there is active work in progress, we
will almost certainly owe a bit more than the sums above already
owed to Paul and Pavel (mostly past due at this point, ouch).

3. 7,000 of the current 47,000 presumably comes from non-NGI sources.
In an ideal world, we'd spend that covering any outstanding
requests for payment from before the NGI project started, e.g.
anything left unpaid from work Pavel did on ModExpNG over the
summer. Further, we would argue that Pavel has first call on such
funding, because that was what the core team agreed a year ago when
it became obvious that we were going to be going through a dry
period: core discussed work in progress and concluded that ModExpNG
was the most critical project in progress, and therefore should get
what funding we could find.

All that said, at this point 7,000 is a significant portion of what
we have left, so we would understand if core feels that we can't
spare it at this time. Nevertheless, the board's recommendation is
that we earmark this 7,000 towards paying down whatever we still
owe Pavel for the period before the NGI project started.

So now it's up to core to decide whether to adopt the above plan or
not. This has been dragging on for much too long, so there's some
urgency. In the interest of resolving this, silence will be construed
as agreement with the above plan.

-- Your Friendly Neighborhood Cryptech Board (Leif, Stephen, and Rob)