How to become a Maintainer

Converting Criticism into todolists

As a maintainer, you get to also be paid for writing valid (and actionnable) todolists, since you get to have authority on what they contain, and you get to decide if they are valid or not. This is why it is important for you to take part in the debates that are happening in the public OPSEC chatroom.

As a maintainer, you are getting rewarded 2 euros per valid todolist, all you need to do is write them (coming from criticisms that you either make, or that the other community members make), then you need to put them on each git issue that they are related to. So if you write a new todolist, please make sure that you save the link to the todolists that you wrote so that you can ask to recieve payment at the end of the month for all of the todolists you wrote, in one go.

The financial incentive lies is in tracking all the valid criticisms that are being thrown at us in the public chatrooms (which are all opportunities to improve, that's why we welcome it) to then write alot of todolists, for example if you write 10 valid todolists in 1 month time, you'll recieve 20 euros in monero for correctly writing them (as the payment is 2 euros PER todolist correctly written).

If there are any valid criticisms to tutorials that are supposed to be finished (meaning there are tutorials that need to be improved), write the todolist on the issue (in the completed column), and move it back to the "to be assigned" column

Therefore make sure that you take part in the criticisms and debates in in the opsec chatroom, as this is the place where you'll see the most criticism coming from, so if there are any valid criticisms coming from there, make sure that the criticism is at least saved somewhere (ideally on the targeted git issue, or on a new one that you created yourself.)

If you want to save the criticism somewhere on the git repo for later, go into the maintainers project board and create a git issue there, with the title starting with "Criticism - For the tutorials XYZ", and make sure you add the label "criticism to convert into todolists", that'll help us make sure that criticisms aren't lost forever, but rather are stored somewhere, to be treated at a later time:

See this git issue for instance, that i created to contain the valid criticism i recieved for the Sensitive VMS tutorial, that i saved here to treat (or let another maintainer) treat at a later time.

When you decide to turn criticisms into todolists, follow the usual format as detailed in the previous "how to become a contributor" tutorial:


to be explained: (why + what)
-
-
-

to be showcased: (How)
-
-
-

If you are not sure about if a particular todolist/criticism is valid or not, you can ask an administrator their opinion to know if it's OK or not aswell, to double check. But by default, as a maintainer your judgement is going to be trusted to write correct todolists. (With only other maintainers or administrators being able to overrule your judgement)

What's Offtopic?

Here are the list of things that are offtopic, and that we will NOT cover in the blog (for the foreseeable future at least):

1) General security and hacking: (making sure a software is secure, how to test if it is secure or not) this is a BOTTOMLESS rabbithole that we won't go into again. I went down that rabbithole myself, in the Hacking section. Point being, you anyway cannot defend against the threat that you don't know anything about (0days). You're never going to eliminate all 0day risks by going for ultra minimalism, since every damn line of code your minimal software contains can potentially contain a vulnerability. Trying to protect against the threat you don't know about (0days) IS a pointless and futile endeavor. You can reduce the risks of 0days by going for ultra-minimalism, but we'll leave that at the discretion of the viewers. TLDR: Tell the viewer to run the software on it's latest update. If a malicious commit is pushed into the software, don't trust that repository and maintainer anymore, fork it on your own .onion forgejo instance, remove the bad commits, and compile the software yourself. We will consider some FOSS software as suitable for opsec use until proven otherwise (so don't bring up the 0day excuse) , not the other way around.

2) Closed-source hardware privacy workarounds: no, we won't recommend to the 90% average joes out there to wire up cables to their CPU in order to disable intel ME, install coreboot, or whatever else, and risk bricking their motherboards/CPUs permanently. We will recommend that average joe to purchase fully open hardware devices, that are free of potential backdoors in the first place, when they are available on the market. We do with the tools at our disposal, so until those tools are made available, we use what we can use. We will consider FOSS Host OS as suitable for privacy, even on closed-source hardware for the time being. (so don't bring up the google pixel graphene OS or the Intel/AMD CPU hardware backdoor argument until you find an actual open hardware alternative that does the job aswell)

3) Unrealistic advice: the advice we bring forth in this blog should be doable by 90% of the average joes out there, by explaining it correctly. For instance, no, 90% of the average joes out there are not going to go dressed up in black coats, wear an anonymous mask, sit in mcdonalds, to try and use someone else's public wifi anonymously for entire days on end just to browse the web anonymously and avoid it being tied back to their irl identity. NOBODY is going to do that. Keep that unrealistic advice off this blog, as it doesn't help anyone. The realistic approach to this is to just do a (you -> vpn -> tor -> destination) setup, it defeats 99% of the attack vectors, and 90% of the joes out there can do it if you explain it properly. End of the story. I don't care about the 1% most unlikely scenario that only the top 1% non-average joe can pull off. Simply mention the other options briefly, while focusing on the method that 90% of the people out there are the likely to be able to adopt.

4) Overcomplications: I want you to go for the simplest option that actually leads to the intended result. If, from point A you can go to point B, to arrive at result Z, then if you try to go from point A to B to C to D to E to G to H to then arrive at point Z, you are offtopic because you are overcomplicating something that should have been simpler. If a simpler solution exists, show that option only, do not waste diskspace writing innefficient methods that the readers don't need to read or know about. I will categorically refuse any overcomplications that isn't properly justified with adequate opsec scenarios and threat modeling.

Reviewing Contributions

And lastly, the maintainer's role is to review contributions whenever a contributor submits one, That's probably the most time consumming part. For example, we have the following contributor that's assigned on this issue:

As you are most likely already aware since you are supposed to already be a contributor, whenever someone submits a contribution, they need to follow the quality standard, as a maintainer, you are supposed to make sure that they follow that standard whenever they try to contribute new content.

Here for example, the contributor "optimist" submits a contribution after having followed the "how to contribute" guide, and lets you know in the contributors chatroom:

Going there you see that the contributor correctly made a PR, but you need to git clone it to review the changes:


[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~]
→ cd Documents

[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~/Documents]
→ torsocks git clone http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/optimist/blog-contributions blog-contributions.optimist
Cloning into 'blog-contributions'...
remote: Enumerating objects: 6608, done.
remote: Counting objects: 100% (6608/6608), done.
remote: Compressing objects: 100% (5362/5362), done.
remote: Total 6608 (delta 3302), reused 3611 (delta 1133), pack-reused 0 (from 0)
Receiving objects: 100% (6608/6608), 342.55 MiB | 522.00 KiB/s, done.
Resolving deltas: 100% (3302/3302), done.

[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~/Documents]
→ cd blog-contributions.optimist

If they wrote their changes in a separate git branch, switch to the correct branch like so:


[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [blog-contributions.optimist/opsec/nextcloud]
→ git switch branchname

Then in the cloned repository, navigate to the new tutorial folder to get the path:


[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~/Documents/blog-contributions.optimist]
→ cd opsec/nextcloud

[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [blog-contributions.optimist/opsec/nextcloud]
→ pwd
/home/nihilist/Documents/blog-contributions.optimist/opsec/nextcloud

And in there from your local browser you can assess if the contribution is completed, and if it follows the quality standard:

Here as you can see, this is clearly garbage. It does not follow the quality standard at all, and it even deviates from the todolist that the contributor agreed to work on. So you can either spend 10x more time reviewing what they took to write by making the following assessment, or since this was a low effort you could simply post a low effort review like so:


1) re-read the quality standard
2) re-read the methodology on how to contribute
3) re-read the todolist again and follow it this time 

this is 30% completed.

On the contrary, if the user actually tried his best to write the contribution, (meaning it has to be above 30% completed FOR SURE, ideally 95% completed) then yes give them a lengthy review to help them better their contribution like the one that oxeo wrote:

Then the contributor pushes some more commits to fix their mistakes and ask for a second review, so since we already git cloned their repository we just need to do a git clone to pull their new commits:

Then, locally you can do a git pull to review their updates, in order to review their contribution locally again:


[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [blog-contributions.optimist/opsec/nextcloud]
→ cd ../..

[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~/Documents/blog-contributions.optimist]
→ torsocks git pull

And from there, if there are still mistakes that they can improve on, tell them that the contribution is (depending your assessment) for example 80% completed, stating what's missing still. Otherwise confirm that the contribution is OK and ready to be merged (using the good to merge git label)

Then the administrator issues payment for both the contributor and to you the maintainer, for correctly reviewing a contribution. For maintainers specifically, the payment for the reviews will depend on how tedious the reviewing was.


- 1 back and forth: (easy review) 3 euros
- 2 backs and forth: (average review) 5 euros
- 3+ backs and forth: (tedious review) 8 euros

Obviously, no need to be an ultra-perfectionnist for every detail that doesnt truly matter, however The top priority here is that the blogpost needs to be CRYSTAL CLEAR It needs to be easy to understand, from start to finish, while containing all the information one needs to understand what we are talking about, and how to achieve the targeted setup. If the noobs out there don't understand what the hell we're talking about, then we are doing them a disservice by writing those blogposts.

Dealing with Lazy and Incompetent Contributors

Just warning you, this is the most annoying part of being a maintainer, so if the reviewing is extra-tedious becuase you are facing an incompetent or lazy contributor, don't worry i'll send you extra monero your way for your trouble.

I don't want this blog to contain ANY half-assed content, the only acceptable content is VALID, FINISHED, QUALITY content. It takes time to have quality, that's why we give a 1 month default deadline (which is more than enough 99% of the time, even for complex contributions). if contributor A is not going to write a tutorial correctly before the deadline, REJECT THEIR CONTRIBUTION, contributor B will write it correctly later on (Sum Nihil, don't care who does what, only care about what they do).

With a 1 month deadline, there's no rush. Do not tolerate laziness or incompetence coming from contributors. Whoever wants to contribute to the blog is expected to follow the todolist, and follow the quality standard. If that contributor does not contribute quality, it means that they do not WANT to contribute quality. And if that's the case, do not waste your time on them.

I repeat, If a contributor doesn't contribute quality after being told to do so, DO. NOT. CARE. REJECT THEIR CONTRIBUTION. It's not for you to do it for them, it is for them to step up to do it themselves, do not treat them like a baby, if something needs to be fixed, tell them to fix it, and wait for them to fix it. From my own experience, if the contributor is not competent, it is not worthwhile to keep recieving contributions coming from them, as they are simply wasting the reviewers' time.

The contributor is expected to know what they are talking about, and they must be willing to write it in the correct way, so that their knowledge is correctly transmitted to the readers out there.

How to become a Maintainer

Onboarding new Contributors

Converting Criticism into todolists

What's Offtopic?

Assigning contributors onto todolists

Reviewing Contributions

Dealing with Lazy and Incompetent Contributors

Nihilism

My Links

About nihilist