[Replicant] Replicant funds usage, Handshake donation, and nlnet funding.

Denis 'GNUtoo' Carikli GNUtoo at cyberdimension.org
Tue Jan 15 17:29:40 UTC 2019


The Replicant project has received 200 000$ from Handshake[1][2].
The kind of amount we received will enable the Replicant project to
fund development.

The nlnet foundation also has some funding for privacy and trust
enhancing technologies. The deadline for the submissions is the first

= What tasks we should fund, and who could be funded =
Before that, at the Open Source Firmware Conference[3], I discussed
how to fund work on Replicant with Paul Kocialkowski.

More specifically the focus of the discussions was on the kind of tasks
that Replicant should or should not fund if the Replicant project
managed to get enough money, and which criteria we would use to
understand if the people applying would be fit to work on the tasks.

The general consensus was that we could use the fund mainly to fix some
pressing issues and to lower the amount of work required to maintain

Pressing issues:
Replicant has some urgent bugs to fix, for instance:
- We have several freedom issues to fix (for instance the build depends
  on Debian which is not compliant with the Free Software Distribution
- Some SIM cards are not recognized
- Under some conditions, the call audio is garbled.
- Adding support for devices that can still easily be found new or
  second hand. The devices currently supported by Replicant already
  cannot be found in local second hand shops (in Paris, France) anymore,
  but can still be found online.

Longer term tasks:
The most important tasks we could want to fund would be the ones that
lower the amount of work required to maintain Replicant. For instance:
- Finishing libsamsung-ipc and samsung-ril, and upstreaming them in
- Making Replicant work with upstream kernels.
- Finding a way to lower the amount of maintenance required to keep
  Replicant up to date with security fixes. We could for instance make
  it easier to update the Android version in Replicant, and lower the
  attack surface by bundling applications coming straight from
  f-droid instead of shipping applications that come from Replicant
  source code.

As for the criteria used to choose which person could be paid to work
on some of the tasks, we agreed on requiring at least the following to
make sure that the money is spent wisely:
- The people applying will need to already have some code in Replicant.
  If it's not the case, they can simply send patches. Outreachy[4][5]
  uses similar criteria.
- The people applying for a given task will need to have done work in a
  similar area in a free or open source software project (this way
  it's possible to look at the contribution).

Note that the above only represents our views at the time.
I summarized our discussion here, not to force this point of view, but
rather to use it as a good basis for starting a wider discussion about

I've also started working on a list of tasks[6] which is based on the
main task page[7] and on the former page for the Google Summer of

Tasks dependencies:
If we go this route, I think that we should also try to understand the
dependencies between tasks. For instance working to complete
libsamsung-ipc and samsung-ril should not have a very strong dependency
on the Android version. However for some of the tasks it would make
sense to work on porting Replicant to a newer Android version first.
Fixing some of the freedom issues could also be done automatically when
switching to a newer Android version.

I also personally wonder if it makes sense to spend some money on the
project infrastructure or not; for instance we could build a test
infrastructure that could help find and fix bugs. For instance we
could use something like that to reproduce the bug where the voice call
audio is garbled and to test our GSM stack (libsamsung-ril and

I've started doing some research on that here:

I think that the main issue here is that we need to keep the running
costs very low in order to be able to continue operating such
infrastructure when the Replicant project won't have the same amount of
money as now, and currently a larger scale test setup that uses the
OsmoGSMTester seems to cost a lot to operate.

So far, most Replicant contributions were done by volunteers.
So the Replicant project could also not want to fund work that people
want to do as volunteers but instead fund important work that no one
wants to do.

= nlnet funding =
We could use that to fund some of the tasks that match the
nlnet funding requirements.

As the deadline is really soon, I think we should concentrate on
defining the tasks and finding the people that could work on them.

Also, if I remember well, the individuals being paid to work on such
tasks are paid directly by the nlnet funds, so the Replicant funds
won't be involved here.

= Replicant funds usage and accountability =

I think that we will need to improve the funds usage accountability
before being able to draw substantial amounts of money from the
Replicant money. Note that this is independent from the nlnet funding.

Currently we are only two people on the Replicant side that decide how to
use the funds. If I remember well we need the agreement of every person
from the Replicant side, unless the other person doesn't respond in a
reasonable timeframe.
- Me (Denis Carikli)
- Paul Kocialkowski

On the FSF side our contact is John Sullivan.

The issue is that nowadays Paul Kocialkowski is very busy. Because of
that he doesn't have time to handle funding requests anymore.
This makes me the only person to decide how funds are used.

This is very problematic. We would need at least 2 more people. I also
am not comfortable at all with having to handle that much money alone.

Several people (me included) are already interested in being funded to
work on Replicant. It is very uncomfortable for me to be at the same
time the only person that would decide on what to use the funds for,
and a candidate to work on some of the tasks.

I think that it would be best if some present or past Replicant
developers could apply for that. The idea behind requiring Replicant
developers is to make sure that the people applying have the
required technical background to take the decisions. The people
applying would also need to have some good understanding of software

