[Cryptech Core] Budget, accounts payable, and NGI Trust project

[Rob Austein]

I'm writing on behalf of the "Cryptech Board" created as part of
moving the project home to NLnet/Commons Conservancy.  In spite of the
name, the board has no real authority to make decisions, we're really
more of a liaison group to NLnet.  Real decision making still rests
with the core team.  Hence this note.

As some of you are all too aware, there have been some hold-ups
paying Cryptech developers for current work.  The reason for this is
simple: we're down to a fairly small pot of money, almost all of which
has strings attached.

Current status: we have a current balance of just under 77,000 EUR,
70,000 of which is the initial block of NGI grant money (the pot with
strings attached).  We currently owe Pavel about 21,000 EUR, and Paul
about 9,000 EUR, all for work done since the start of the NGI project
and submitted for payment.  That leaves about 47,000 EUR to get the
rest of the NGI project done.

Assuming we tick all the boxes from the project plan, our work is
approved as meeting what we said we'd do at the end, and we raise
enough money from other sources to satisfy the matching requirements,
we get about another 100,000 from NGI in September.  Not a sure thing.

We think that all the work Pavel has been doing qualifies under the
NGI deliverables (faster ModExp was on the plan).  The driver and
performance test work Paul has been doing should also qualify, same
reasoning.  The one bit of current work we're not sure about is the
stuff Paul did to support storing wrapped keys outside the HSM: this
is not listed explicitly in the "new SW core functionality" section of
the etherpad notes from November, but easily could have been, given
that it was the one missing feature ARIN said would have been a
showstopper for them, back when they were evaluating us for their
current HSM purchase round.  We're inclined to say it qualifies.

Given the size of the pot, the board is hereby proposing that, for the
duration of the NGI project or until we (somehow) obtain adequate
funding from other sources, we do the following:

1. Pay the amounts currently owed.  Yes they're large compared to the
   total size of the current pot, but the work was done in good faith
   with the expectation of being paid, expecting developers to accept
   a retroactive rule change does not seem fair or reasonable.

2. Effective immediately, we switch to a model where the remaining
   funding is split up equally among the project goals, with the
   understanding that if, by some miracle, achieving one of the goals
   does not take that goal's full share, the remainder gets thrown
   back into the pot to be shared among the other goals.  This seems
   the least unfair way to allocate limited funding.  It's not great,
   it just sucks less than the alternatives.  If and when we get
   sufficient other funding, we can go back to the old rules.

   "Effective immediately" in the previous paragraph refers to work
   done after today.  Given that there is active work in progress, we
   will almost certainly owe a bit more than the sums above already
   owed to Paul and Pavel (mostly past due at this point, ouch).

3. 7,000 of the current 47,000 presumably comes from non-NGI sources.
   In an ideal world, we'd spend that covering any outstanding
   requests for payment from before the NGI project started, eg
   anything left unpaid from work Pavel did on ModExpNG over the
   summer.  Further, we would argue that Pavel has first call on such
   funding, because that was what the core team agreed a year ago when
   it became obvious that we were going to be going through a dry
   period: core discussed work in progress and concluded that ModExpNG
   was the most critical project in progress, and therefore should get
   what funding we could find.

   All that said, at this point 7,000 is a significant portion of what
   we have left, so we would understand if core feels that we can't
   spare it at this time.  Nevertheless, the board's recommendation is
   that we earmark this 7,000 towards paying down whatever we still
   owe Pavel for the period before the NGI project started.

So now it's up to core to decide whether to adopt the above plan or
not.  This has been dragging on for much too long, so there's some
urgency.  In the interest of resolving this, silence will be construed
as agreement with the above plan.

-- Your Friendly Neighborhood Cryptech Board (Leif, Stephen, and Rob)