# GlobaLeaks Governance

## Introduction
[GlobaLeaks](https://www.globaleaks.org) is free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform.

The software project was started in 2011 and was [originally authored](https://github.com/globaleaks/GlobaLeaks/blob/main/AUTHORS) by Arturo Filastò, Claudio Agosti, Fabio Pietrosanti, Giovanni Pellerano and Michele Orrù.

Authored in 2021, this document is a responsible and tentative attempt to analyze the existing governance status and to define roles and responsibilities, in order to establish a proper project governance and thus ensure that the project can continue to protect whistleblowers in the long run.

## Roles and Responsibilities
This section defines the main project roles and respective responsibilities for the [GlobaLeaks Team](https://www.globaleaks.org/about/people/) and other project [Contributors](https://github.com/globaleaks/GlobaLeaks/graphs/contributors).

### Project Lead
The Project Lead is responsible for coordinating the overall work of the GlobaLeaks team and of the GlobaLeaks FLOSS community with the aim of continuously improving the software and methodology and protecting whistleblowers.

The project is currently led by [Giovanni Pellerano](https://www.globaleaks.org/about/people/#giovanni-pellerano), who is the lead developer and has continuously guided and advised contributors and users since 2011. This lead role and responsibility is focused on doing what's best for the project, guiding contributors through the analysis of user requirements and the definition and execution of the [Project Roadmap](https://docs.globaleaks.org/en/main/roadmap/) in adherence to the [Contributors Guidelines](https://github.com/globaleaks/GlobaLeaks/blob/main/CONTRIBUTING.md) and the [Best Practices](https://bestpractices.coreinfrastructure.org/en/projects/3816). The technical lead has commit rights on the software and administrative rights to the project infrastructure.

### Community Lead
The Community Lead is responsible for identifying community needs, verifying and enforcing the project’s [Code of Conduct](https://github.com/globaleaks/GlobaLeaks/blob/main/CODE_OF_CONDUCT.md), and making sure everybody feels represented and safe.

[Rima Sghaier](https://www.globaleaks.org/about/people/#rima-sghaier) is the current Community Lead.

### Compliance Manager
The Compliance Manager ensures that the project complies with its national, European and international regulatory and legal requirements, as well as internal policies and bylaws.

[Alessandro Rodolfi](https://www.globaleaks.org/about/people/#alessandro-rodolfi) is the current Compliance Manager.

### Data Protection Officer
The Data Protection Officer (DPO) is responsible for educating the members of the team and the contributors about data compliance, training members of the team who are involved in processing data, and carrying out regular security audits. They also serve as the main point of contact between the company and the relevant data protection authorities.

[Rima Sghaier](https://www.globaleaks.org/about/people/#rima-sghaier) is the current DPO.

### Contributors
Everyone is welcome!

[Contributors](https://github.com/globaleaks/GlobaLeaks/graphs/contributors) are invited to adhere to the [Contributors Guidelines](https://github.com/globaleaks/GlobaLeaks/blob/main/CONTRIBUTING.md), to participate in the project [Slack Community](https://slack.globaleaks.org) and [Forum](https://forum.globaleaks.org), and to propose contributions by opening Tickets and Pull Requests on the project’s [Ticketing System](https://github.com/globaleaks/GlobaLeaks/issues).

The list of team members, current and previous contributors, and related statistics can be found at:

* https://www.globaleaks.org/about/people
* https://github.com/globaleaks/GlobaLeaks/graphs/contributors
* https://www.openhub.net/p/globaleaks

### Maintainers
Maintainers of the project are individuals who have been given permissions to push commits to one of the git repositories.

Maintainers are free to push commits to the repositories at will. Maintainers are however expected to listen to feedback from users, and any change that is non-trivial in size or nature should be brought to the project as a Pull Request to allow others to comment or object before merging.

Anyone can aspire to become a GlobaLeaks maintainer.

If you think you can help make the project better by shouldering some maintaining responsibilities, then please get in touch. There are no mandatory duties. We hope and wish that maintainers consider reviewing patches and helping to merge them.

### Former Maintainers
For security reasons, after 6 months of inactivity, maintainers get their push permissions revoked. When a maintainer resumes their contribution activities, they can ask to restore their push permissions.

### Security Team
The security team consists of all people who are subscribed to the GlobaLeaks security mailing list, who receive security reports from users and developers.

This list of people varies over time and includes experts familiar with the overall project threat model and risks.

The security team is responsible for evaluating reports of security vulnerabilities and issues received according to the [Security Policy](https://github.com/globaleaks/GlobaLeaks/security/policy), as well as scheduling and publishing periodic independent security audits of the software.

### Server Admins
We run some infrastructure to support the community's work and discussions, implemented using open source software and socially committed providers.

The servers are legally administered by [Whistleblowing Solutions Impresa Sociale](https://www.whistleblowingsolutions.it), an enterprise mandated to ensure security and compliance for the project resources.

Every part of the GlobaLeaks infrastructure is assigned to at least two administrators. Access to critical infrastructure is granted only with multi-factor authentication.

### Governing organizations
Many organizations participate in the GlobaLeaks project and contribute to its sustainability and evolution.

Here are listed the main organizations behind the project’s governance and sustainability:

* [Hermes Center for Transparency and Digital Human Rights](https://www.hermescenter.org/): an association of social promotion incorporated in 2012 to develop and promote the GlobaLeaks software and to support anonymous whistleblowing and digital anonymity; fiscal sponsor for the initial development lifecycle and owner of the AGPLv3 License and Trademark;
* [Whistleblowing Solutions Impresa Sociale](https://www.whistleblowingsolutions.it/): a social enterprise incorporated in 2016 to support GlobaLeaks' sustainability and the definition of the project’s compliance by providing professional services and re-investing, as required by its statutory rules, any earnings into the maintenance of the GlobaLeaks software.

## Possible improvements
The GlobaLeaks team looks forward to improving the project governance and is exploring the following possibilities:

* incorporating a Foundation specifically dedicated to GlobaLeaks governance;
* appointing a Steering Committee including representatives of the Original Authors & Contributors and involving relevant figures in the field of Whistleblowing, Investigative Journalism, Anti-Corruption, Security and Open Source;
* implementing a contribution model based on a [Contributor License Agreement (CLA)](https://en.wikipedia.org/wiki/Contributor_License_Agreement) or a [Developer Certificate of Origin (DCO)](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin).

Feedback is welcome from any former or new contributor.

## Annexes

* [Project Roadmap](https://docs.globaleaks.org/en/devel/roadmap/index.html)
* [Project Code of Conduct](https://github.com/globaleaks/GlobaLeaks/blob/main/CODE_OF_CONDUCT.md)
* [Contributors Guidelines](https://github.com/globaleaks/GlobaLeaks/blob/main/CONTRIBUTING.md)
* [Project Security Policy](https://github.com/globaleaks/GlobaLeaks/security/policy)
* [Project Best Practices](https://bestpractices.coreinfrastructure.org/en/projects/3816)
