Job: Is it OK to post a job listing in this forum?

[Kathleen Wilson]

Hi All,

I have been asked if it is OK to post job listings in mozilla.dev.security.policy. Surprisingly, I don't recall ever being asked that question before, and I am not aware of a written policy about the content of postings to mozilla.dev.security.policy.

So, here is a proposal:
~~
Jobs may be posted if they meet the following criteria:
* The company/organization name is clearly listed
* The person posting the job information actually works for that company/organization and is not a contracted recruiter
* A single posting only (for each job opportunity)
* The person posting the job info is actively engaged in this mozilla.dev.security.policy forum
* The job opportunity is a role relevant to the forum's audience
* The posting consists of a paragraph outline and a "read more" URL
* The Subject of the posting begins with "Job: "
~~

Does that sound reasonable?

As always, I will appreciate thoughtful and constructive input.

Thanks,
Kathleen

[Eric Mill]

I could tolerate a policy like that, and it's always possible to revisit it
if it turns out to be abused, or causes people to unsubscribe (which I
would recommend Mozilla watching, especially right after postings go out).

One suggested change:

> * The Subject of the posting begins with "Job: "

I would suggest "Job Posting:" (or something else equally specific), so
that I could apply a filter if I wanted, without accidentally filtering
threads along the lines of "Is it the CA's job to police malware?"

-- Eric

On Thu, May 26, 2016 at 6:17 PM, Kathleen Wilson <kwi...@mozilla.com>
wrote:

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>



--
konklone.com | @konklone <https://twitter.com/konklone>

[David E. Ross]

> On Thu, May 26, 2016 at 6:17 PM, Kathleen Wilson <kwi...@mozilla.com>
> wrote:
>
>> Hi All,
>>
>> I have been asked if it is OK to post job listings in
>> mozilla.dev.security.policy. Surprisingly, I don't recall ever being asked
>> that question before, and I am not aware of a written policy about the
>> content of postings to mozilla.dev.security.policy.
>>
>> So, here is a proposal:
>> ~~
>> Jobs may be posted if they meet the following criteria:
>> * The company/organization name is clearly listed
>> * The person posting the job information actually works for that
>> company/organization and is not a contracted recruiter
>> * A single posting only (for each job opportunity)
>> * The person posting the job info is actively engaged in this
>> mozilla.dev.security.policy forum
>> * The job opportunity is a role relevant to the forum's audience
>> * The posting consists of a paragraph outline and a "read more" URL
>> * The Subject of the posting begins with "Job: "
>> ~~
>>
>> Does that sound reasonable?
>>
>> As always, I will appreciate thoughtful and constructive input.
>>
>> Thanks,
>> Kathleen

I would have several concerns, mostly about Mozilla's ability to verify
the criteria are met and the effort to do that verification. For
example, how would anyone here verify the following?

* The company/organization name is clearly listed [that the listed
company would indeed be the actual employer]

* The person posting the job information actually works for that

company/organization and is not a contracted recruiter [that the person
posting is a W2 employee of the actual employer and not a 1099-MISC
contractor]

* The job opportunity is a role relevant to the forum's audience [who
would review the posting to verify this?]

If this is a valid use of news.mozilla.org, then perhaps a new MODERATED
newsgroup would be appropriate. However, that would still require
assigning staff to moderate and monitor the postings, for which there
would be a cost.

--
David E. Ross
<http://www.rossde.com/>.

Donald Trump claims he is a successful businessman.
If so, how does he explain the number of his
enterprises that have gone bankrupt?

[Gervase Markham]

On 27/05/16 04:09, David E. Ross wrote:
> I would have several concerns, mostly about Mozilla's ability to verify
> the criteria are met and the effort to do that verification. For
> example, how would anyone here verify the following?

This is partly why there is an important criterion that jobs only be
posted by people who are already active forum participants. If jobs can
only be posted by people we know, we hope that will avoid the "gaming of
the rules" scenarios.

> If this is a valid use of news.mozilla.org, then perhaps a new MODERATED
> newsgroup would be appropriate. However, that would still require
> assigning staff to moderate and monitor the postings, for which there
> would be a cost.

There is already a mozilla.jobs forum; however, the traffic is near-zero
and I suspect few if any members of this forum are also members there,
so posting there would be pointless. If having a separate forum has not
worked in practice, I think it's reasonable to try the integrated
approach if we can make sure we don't get the more obvious forms of
abuse, at least.

Gerv

[Peter Kurrasch]

I'm opposed to allowing job postings in this forum. The focus should be policy as that is the reason we have gathered here.

Job postings generally are intended for people in a particular country ‎with a particular level of experience who are actively seeking or receptive to a new job. Sending out off-topic messages that are intended for a subset of a subset of a subset of people here sounds like spam to me.



  Original Message  
From: Kathleen Wilson
Sent: Thursday, May 26, 2016 5:17 PM
To: mozilla-dev-s...@lists.mozilla.org
Subject: Job: Is it OK to post a job listing in this forum?

Hi All,

I have been asked if it is OK to post job listings in mozilla.dev.security.policy. Surprisingly, I don't recall ever being asked that question before, and I am not aware of a written policy about the content of postings to mozilla.dev.security.policy.

So, here is a proposal:
~~
Jobs may be posted if they meet the following criteria:
* The company/organization name is clearly listed
* The person posting the job information actually works for that company/organization and is not a contracted recruiter
* A single posting only (for each job opportunity)
* The person posting the job info is actively engaged in this mozilla.dev.security.policy forum
* The job opportunity is a role relevant to the forum's audience
* The posting consists of a paragraph outline and a "read more" URL
* The Subject of the posting begins with "Job: "
~~

Does that sound reasonable?

As always, I will appreciate thoughtful and constructive input.

Thanks,
Kathleen

[Peter Bowen]

On May 26, 2016, at 3:17 PM, Kathleen Wilson <kwi...@mozilla.com> wrote:
> I have been asked if it is OK to post job listings in mozilla.dev.security.policy. Surprisingly, I don't recall ever being asked that question before, and I am not aware of a written policy about the content of postings to mozilla.dev.security.policy.
>
> So, here is a proposal:
> ~~
> Jobs may be posted if they meet the following criteria:
> * The company/organization name is clearly listed
> * The person posting the job information actually works for that company/organization and is not a contracted recruiter
> * A single posting only (for each job opportunity)
> * The person posting the job info is actively engaged in this mozilla.dev.security.policy forum
> * The job opportunity is a role relevant to the forum's audience
> * The posting consists of a paragraph outline and a "read more" URL
> * The Subject of the posting begins with "Job: "
> ~~
>
> Does that sound reasonable?

I think it does seem reasonable. However, in fairness, I should disclose that I was the one who asked Kathleen about this.

I think that the spirit of the criteria is fairly clear. If the posting says something like "I’m currently searching for a Duck Hunt expert for our financial client in Ankh-Morpork” or "regarding a Chief Triforce Scientist role with my client, a leading multi-Billion dollar enterprise software company”, it is pretty clear that the first and second items are not being met. We already have a requirement that people responding to CA inclusion requests be a representative of the CA, and I don’t think this is much different — the person posting the job needs to be a representative of the company.

In the instant case, I (someone actively engaged in this forum) am interested in posting two jobs. Amazon (clearly listed company and my employer) is looking for a product manager for PKI/CA services (relevant to this audience). We are also looking for a software development engineer to work on PKI/CA services (also relevant to this audience). If considered acceptable, I will limit the posts to a descriptive paragraph that includes clear relevance to this group and provide links to more info.

I’m sure other companies involved with the Mozilla CA program would be interested in posting similar things and I think that participants and readers of this group would probably find value in knowing what is out there.

Thanks,
Peter

[Ryan Sleevi]

On Friday, May 27, 2016 at 7:23:03 AM UTC-7, Peter Kurrasch wrote:
> I'm opposed to allowing job postings in this forum. The focus should be policy as that is the reason we have gathered here.
>
> Job postings generally are intended for people in a particular country ‎with a particular level of experience who are actively seeking or receptive to a new job. Sending out off-topic messages that are intended for a subset of a subset of a subset of people here sounds like spam to me.
>

Policy and engineering are often intertwined - especially in the CA
space. Our ability to enact meaningful policies that protect users is
often directly correlated to CAs (and site operators) abilities to
enact changes. Things like CAA, name constraints, and short-lived
certificates are all prime examples of this - they relate to policies
but require engineering.

I would think that if we want to improve the state of the ecosystem,
we also need to improve the state of the engineering. And it's clear
that this forum, of perhaps all those out there, has the right
confluence of people passionate about policy and interested in the
engineering side.

While I don't know to what extent the broader (lurking) community is
able and receptive to such postings, the active participants are at
least interested in developing a robust approach to user security -
that is why we're here and care about the policies. If they could get
paid for that (as many presently are volunteers), isn't that a win?

[Peter Kurrasch]

These are worthy goals, for sure. I'm not necessarily persuaded that posting jobs here is the best way to do that.

With the exception of a few people, we usually only hear from CA's when their stuff is up for consideration or when they've done something wrong. Perhaps if CA's were more engaged here generally, I'd feel better about posting jobs? If CA's were more active in sharing their good works and seeking input or feedback from the broader community, perhaps we'd see better, more robust security as well? Just a thought.

Also, what will we do if just anyone starts posting jobs?


  Original Message  
From: Ryan Sleevi
Sent: Saturday, May 28, 2016 11:29 PM
To: Peter Kurrasch
Reply To: ry...@sleevi.com
Cc: Kathleen Wilson; mozilla-dev-s...@lists.mozilla.org
Subject: Re: Job: Is it OK to post a job listing in this forum?

Reposing from the right email address...

[Steve]

While we only hear from CAs at certain times there are many lurkers who,
like me, gain information and opinions so valuable to our cause that we
consider reading mds.policy to be one of the first actions of our day. I'd
even say that any CA that doesn't monitor what this group contributes
should probably reconsider their purpose.

So that covers a lot of people, who can be in a lot of situations. I'm
biased, I gained information from this thread and took action on it.

I think the goal of CAs sharing work and seeking feedback would be limited
based on the type of business operating the CA. Unfortunately, on the side
of PKI where currency changes hands, patents and IP protection often trump
the laudable goal of advancing the greater good even with the intangibles
it can bring. To this day, what I say here is blocked by NDAs.