it33's comments

Mattermost CEO here, thanks for the mention! Excited to see the integration!


Mattermost CEO here, thank you so much, you are very nice!


Hi all, Mattermost CEO here,

We've had an administrative error in our compliance automation. If you received an email from compliance@mattermost.com on June 23, 2022 titled "Our limitations due to new United States sanctions", please disregard it.

Ian


Also, I apologize for the confusion this has caused.


I think the most interesting part about OP’s story is the question about how did the self-hosted solution notify the Mattermost server about a potential Russian/Belarus connection? Even if the compliance automation was faulty, it’s still interesting how Mattermost found out about a Russian connection at all. (I am assuming this compliance email wasn’t sent out to everyone/a larger group of people by mistake, and the OP happened to have a Russian user.)


Mattermost CEO here, thanks for the question. Like many companies, we use a 3rd party service to check if someone we’re doing business with is a company that has been flagged on export compliance.

This was more a blanket error than one specific to an account. Tweeted about it just now as it’s hit a number of customers: https://twitter.com/iantien/status/1540039939089367040?s=21&...


Hi all,

To answer some of the other questions on this thread, no customer logs nor PII get submitted to the 3rd party service that we use, which is called Descartes: https://www.descartes.com/solutions/global-trade-intelligenc...

We pass name and billing address only.

HN has a lot of people building SaaS and open core companies, so hopefully this thread is a good way to learn about export compliance, which is something we've been doing for many years, though it's gotten extra important in 2022 due to so many new sanctions showing up.

Think of it this way (in a simplified, high level view that doesn't capture all the detail, but intended to share the aesthetic):

1. When you're an early stage company based in the U.S. starting to sell open core licenses or SaaS you typically hire a lawyer to do the legal agreements and help negotiate contracts.

2. If it's a good lawyer, they might talk about "export compliance" and how your company might need to think about doing an assessment on how your product is classified in the context of U.S. export compliance restrictions.

3. If they're a really good lawyer, they may even recommend an export compliance consultant for you to use.

4. After you get your export compliance classification, you're going to need a way to implement the right checks to ensure you're not violating U.S. export compliance laws based on your classification and your customers.

5. You quickly realize you need to buy a tool to do this--not only to check at the time of transaction, but also to alert you if the status of a customer changes (for example, if a customer is added to a list of organizations flagged by public sector organizations).

6. You look at different options, and end up purchasing one and integrating it with your other systems, including Salesforce (sales automation) and Marketo (email automation). In this case, we purchased a subscription to Descartes.

Hopefully that helps share context. Please feel free to ask other questions here.

PS: Here's our ECCN classification for those interested: https://docs.mattermost.com/about/certifications-and-complia...


Ian, you might want to clarify that the only thing submitted to the 3rd party service is the company name of the customer and there was no submission of any customer logs.

Some other commenters in this thread think that you log their ip and submit their ip.


Those people are jumping to conclusions without evidence.


It's a pretty reasonable conclusion when the vendor claims to know where you're using the software, and the evidence is that the vendor claims to know where you're using the software.


Fuck, I don't know, maybe they looked at the website of the company? Like, is what country your business is in supposed to be secret? Good grief.


My impression from the OP is that the company does not claim to operate out of Russia or Belarus. Presumably, neither would the website. Clearly there's some other method by which that third party makes that determination, and clearly that method produces false positives.


Thanks @jsprogram, agree, hopefully this response and links to details help out the folks on this thread: https://news.ycombinator.com/item?id=31852914#31854019


> Like many companies, we use a 3rd party service to check if someone we’re doing business with is a company that has been flagged on export compliance.

Can you elaborate on which service y'all use and what data y'all provide to that service?



Thanks.


Can you please explain why a legal counsel is necessary to even ask you why you did this?


Mattermost CEO here, thanks for your question. While we haven’t announced an official date yet, you can track progress and share feedback on screen concepts on this ticket: https://mattermost.atlassian.net/wiki/spaces/MSU/pages/10533...


This is the thing that keeps me from recommending Mattermost in education. We had no end of trouble with MS Teams for the same reason. Students logged into our instance couldn't access their work systems. MS has made some progress to fixing this, though it has a way to go before it's as easy as Slack/Discord etc.

In my mind the gold standard is Discord. One login/password/mfa and I have access to hundreds of "servers". I have over 30 slack passwords and MFA tokens in my password manager and I know people with many more. Though I suspect the ability to self host Mattermost will make it more like Slack than Discord there.

I would also like to say thank you. Mattermost is one of the few products I've seen that doesn't lock MFA behind an enterprise subscription. I can't stress enough how happy I was to see that.


Discord still has basic usability issues there if you want to, for example, keep your work and personal accounts separate. Slack is really the gold standard because it understands the need for that separation.


It's a pain, in my opinion, to switch between accounts in Slack. I've only been able to keep up with one at a time, especially on mobile. I realize that is a feature, but I haven't wanted to introduce Slack outside a work setting since I didn't think I could keep up.


Mattermost CEO here, sorry to hear you had a negative experience with the admin adviser. Thank you for the feedback.

Mattermost Team Edition is designed for teams (i.e. groups of people that work together and trust each other) and there were issues when Team Edition was deployed to unintended use cases—like hosting hundreds of users, saving millions of posts, or other scenarios outside of what a team was meant to do.

Admin adviser was meant to help admins who hit those scenarios, and some of the advisory in scenarios Team Edition wasn’t intended to handle was for the Enterprise Edition. It sounds like that came across the wrong way and we should revisit.

Note: I think a fair chunk of admin advisor was paused a while ago. Not sure how much is running these days. Regardless we should take a look.


Any suggestions for FOSS communities?

I run a fairly big instance with hundreds of users. We wanted to support/promote a more free/libre alternative to Slack, but you are basically saying we should not use Mattermost?

(I think that channel deletion was a concern at some point, but archiving mitigates it, we are happy users in general)


Hi, Mattermost PM here,

We offer a non-profit license for open-source projects [0] with special nonprofit pricing. We also plan to move the System Permissions Scheme into the open source Team Edition with the 6.0 release on September 15 [1].

Thanks for being a user, feedback is always welcome!

[0] https://mattermost.com/nonprofit/

[1] https://forum.mattermost.org/t/granular-permissions-coming-s...


Thank you, much appreciated :)


Thanks @paxys, Mattermost CEO here. I appreciate your comment and I can see where you’re coming from.

At the same time, if people are using our open source project to showcase their work, I am a fan.

We definitely do that ourselves talking about React, React Native and Golang :)


Hi @bachmeier, thanks for the feedback!

On 1), our SaaS version is equivalent to our higher end Enterprise Edition E20 and aimed at larger orgs. For small orgs we have the open source version that can be easily self-hosted. That said, it sounds like price is material for you, so maybe there’s something we can do at a lower price tier, with features closer to our open source product.

On 2), Focalboard is still in its early days. We are using it internally and with early adopters of the open source version and are pretty excited about where it could go—replacing Trello, Asana, Notion, Jira, Confluence on-prem and as SaaS in the long run, and on an open source platform you can customize.

Our hope is in future there could be a “Why we switched to Mattermost and Focalboard” with a blog post on replacing a fair chunk of the collaboration stack with an open source alternative that could be extended.


Mattermost CEO here, what are your thoughts on this page? https://mattermost.org/

We go back and forth on whether we should have a .org and a .com, curious as to your thoughts.


.org and .com is common practice for many projects - just maybe should make sure there is a link between the 2 sites - I checked your .com site and even when open source is mentioned, it's on the .com site - instead of linking to the .org... just my 2 cents


Thanks @yashasolutions, makes sense, we should take a look at those, highly appreciate the feedback!


I googled you, I saw this https://imgur.com/lvEaBCQ, got extremely confused and never knew the .org existed until your comment


Thanks @dustingetz, makes sense, we should spend some extra time looking at how we show up on Google, much appreciated!


I don’t know what the parent comment said, but more screenshots on your site would be great! The .org site you linked to had screenshots on the front page, which was great, but a gallery link would be fantastic.


Thanks @edoceo! Mattermost CEO here, appreciated the feedback. Just curious, what foreign keys do you feel should be added?


Well, users aren't FKd to their messages for one.

And basically every table with a user_id column.

My install created none.

My contact is in my profile if you want more info


Thanks @xvilka, Mattermost CEO here. Categories are a new feature, in beta in a lot of deployments. It’ll take a little bit for the other clients to catch up. Definitely one of the most popular new features.

