Domesday* is the name of the software which will run a Mozilla Contributor Directory. (Issues specific to Mozilla's implementation are on a separate page.) This document gives the overall vision and full feature set - the features for the 1.0 release are more limited, and those pages are where the action is at the moment.
We aim to build a system where community members can create a simple profile that includes their basic contact information and references to their identities in other systems. In this way, it will associate someone's identity in Bugzilla, Hg, IRC, etc., allowing people who know one to find out the others, and also provide community members with a bit of (opt-in) biographical information about the person they are interacting with.
In addition, it will allow people in the same geographical area to connect up for local events.
The software will be open source, so other groups can pick it up to build their own Domesday servers.
There are some things we are explicitly not doing as part of this project:
- Building an extranet
- Building an 'identity server' or single signon server
- Building an OpenID provider
- Building an authorization system
Data from the system may later help in the construction of one or more of the above, but this is not any of them.
Privacy is a first-class UI design principle in Domesday. One function of the software will be to demonstrate that it's possible to do software which holds personal information in a way which allows all users easy control of the privacy of each individual data item, without overwhelming UI complexity. We want to show the Facebooks of this world how to do it right :-)
There is a UI mockup of one way we could do this.
- Minimum possible set - do one thing well
- Individual profiles
- Profile management - creation, deletion
- Search (by any identifier)
- Configure the privacy level of each item of information
The key way of interacting with Domesday will be via its API - it is expected that most information it serves will be consumed via "plugins" for other apps - mail clients, Bugzilla, IRC clients, SCM web interfaces, etc.
Anyone can create an account But individual Domesday implementations may well make some tags particularly meaningful, either within their communities or as a method of revealing more data (see "Data and Privacy").
If people in the Directory slow or cease their involvement their profiles are not automatically removed, but can be flagged as "inactive".
An initial (and likely incomplete) list of possible use cases for this system:
- Answer the question "who is that?" in various systems.
- Identify a community member by searching for their first name and scanning through photos in the search results.
- Compile a list of people to invite to a Leadership Summit (all currently-active trusted contributors who are team/project leaders or above).
- Find everyone working on a particular project.
- Find all our contributors who live within 50km of Ottawa, Canada.
- Generate a world map of all our contributors.
- Accept invitation
- Log in/out
- Create profile
- Edit profile
- Delete profile
- Reset password
Everything a User does plus...
- Delete profile (at user request only)
Data and Privacy
The directory will be publicly searchable and viewable, but with fine-grained privacy controls so users can control who gets to see what information in their profile. Given that the purpose of the directory is to disseminate information, the key thing here is not to keep everything as private as possible by default, but to set expectations and meet them. The privacy system must be clear.
Each field will have an attached privacy value, so a user can specify who can or cannot see what information. That privacy value is either "Public" (the whole world) or one of a small set of nominated special tags, which are defined on a per-installation basis. (See Mozilla's ideas here.) You have to have that particular tag to see that data. By default, one or two of these might be set up, but installations could remove them and define their own.
So, for example, you could define a "trusted" tag. Then, the server would give everyone a "trusted" box into which they could drag data items, so they could only be seen by people with that tag. (This would not provide much security unless the "trusted" tag were one of those tags which cannot be self-awarded!)
In terms of UI, it could be that the editing screen presents fields in different coloured sections, corresponding to different levels of privacy. If the user wants to change the privacy of a data point, they have to physically move it from one section to another. There is a UI mockup of this idea.
Users should be able to delete their profile completely at any time, with all data being completely removed and no longer available via any interface to anyone, including admins. For practical reasons, copies will remain as part of normal archived backups of the system.
Current suggestions for initial fields are as follows. Only given name, one email address and password are compulsory.
(NOTE: Much of this is Mozilla-specific, so this stuff must be easily changed/customized so other projects can use this code to create their own Directories.)
|Field||Default Privacy||Description||LDAP Attribute (if LDAP is used)|
|Given Name||Public||given name||givenName|
|Family Name||Public||family name||sn (also cn and displayName, containing both)|
|Call Me||Public||name by which they prefer to be addressed||[new - or xmozillanickname??]|
|Mozilla IRC Nick||Public||[account objectClass]|
|Tags (see below)||Public||[groupOfNames objectClasses]|
|Bio||Public||limited to 1024 chars or so||description|
|Photo||Public||strongly encouraged, but not required||jpegPhoto|
|Start Year||All Users||Year they started working on Mozilla stuff||[new]|
|System IDs||All Users||system:id pairs for e.g. Bugzilla, version control, IM, social networks, 140-character status sites||[account objectClasses]|
|Website||All Users||Website||labeledURI - 'website'|
|Blog||All Users||Blog URL||labeledURI - 'blog'|
|Job Title||All Users||just for fun||title|
|Email Address(es)||All Users|
|City||All Users||name as text; also located on a map and stored as a rough lat-long||l|
|Country||All Users||c (not in inetOrgPerson)|
|Phone Number(s)||Trusted Users||telephoneNumber and/or mobile|
|T-shirt Size||Contributor Community Team||(Men’s/Women’s :: XS/S/M/L/XL/XXL/XXXL + link to size chart)||[new]|
|Street Address||Contributor Community Team||if we were to send you a t-shirt, where should it go?||postalAddress and postalCode|
The tags system will be in two parts - public and personal. Public tags are those on you that anyone can see and edit (but see below); personal tags are those you add to other people that are not visible by default. However, anyone who knows who you are and the name of the tag can see the list of people to whom it is added.
So personal tags are for pulling together set of people like "fosdem-invitees". One person may be making the list, but anyone else can see it by querying on email@example.com
Each tag has another tag associated with it, a "bless tag" - which defines who can add or remove that tag. Say tag "sumo" has bless tag "sumo-blessers". Anyone with sumo-blessers can add and remove the sumo tag from any other account. Tags may be their own bless tags, in which case it's an "anyone inside can invite new people in" system. Tags may also have a bless tag of "mozillian", which means that all validated people can add and remove that tag. If a tag has no bless tag, anyone can add or remove it.
Bless tags can be used to restrict changes and so make sure particular data sets remain correct. Uses cases for this include "driver", "trusted", "reviewer" or "mozpaid".
In general, we expect people to maintain their own public tags, but we make it so anyone can edit them because in some cases, keeping data sets current will be much easier if the person caring about the data can fix things rather than contacting everyone concerned. Bad behaviour in removing or adding tags is dealt with by social rather than technical sanctions.
Tags may also be in name:value format, in which case restrictions are defined on the name only. This allows us to have tags like 'module-owner:Places', but have the appointment of module owners restricted to a certain set of people without having to enumerate all the possible modules. Perhaps this might be implemented as: "name:value" tag inherits the bless tag from the "name" tag.
The aim was to have something up and accepting registrations by the end of Q1 2011. However, that is looking increasingly unlikely. It'll be done when it's done :-)
- Python and Django, because that's what webdev are most familiar with and I want to be able to ask for their help :-)
- Profile and search outputs (via templates) as HTML (with HCard), JSON (perhaps using PortableContacts schema), VCard, XRD (for WebFinger)
- LDAP vs. SQL - tricky. A directory back end means that perhaps it could one day run on top of Mozilla's LDAP authorization infrastructure, using the same database. But I know SQL much better. To be investigated.
- The Mozilla LDAP also contains lots of sensitive corporate IT details that might be best to keep isolated from a public directory, for what it's worth
- I plan to rip the HTML UI off from the current intranet Phonebook.
- Making it actually happen is more important than the use of any one particular technology.
- Gerv :-) I'll be writing the code.
- Contributor Engagement are very interested in the project, and are offering help.
- L10n are interested in the project, and can offer help.
- David Boswell has offered to help.
- Design Needs
- We'll need someone to help design form pages, maybe just the main profile page that allows you to adjust your privacy settings as seen in the Privacy UI Demo.
- Deb Richardson's "Sigil/Signa" proposal, from which much of this page is shamelessly stolen (link on Mozilla Intranet)
- Gravatar's new Profile feature (courtesy mhanson)
- gitHub "identity page" (courtesy mhanson)
- Flavors.me profile pages (courtesy mart3ll)
* - OK, so this is about the sixth name this project has had. But what does it mean to write a piece of software if you don't get naming rights? :-)