lists.openwall.net: Open Source and information security mailing list archives
Date:   Fri, 28 Sep 2018 16:56:53 +0100
From:   Alan Cox <gnomes@...rguk.ukuu.org.uk>
To:     Bernd Petrovitsch <bernd@...rovitsch.priv.at>
Cc:     xDynamite <dreamingforward@...il.com>,
        "jonsmirl@...il.com" <jonsmirl@...il.com>,
        Theodore Tso <tytso@....edu>, fche@...hat.com,
        riel@...riel.com, ec429@...tab.net,
        Olof Johansson <olof@...om.net>,
        Jonathan Corbet <corbet@....net>,
        lkml <linux-kernel@...r.kernel.org>
Subject: Re: Code of Conduct: Let's revamp it.

> Well, then I have to repeat myself: Signed-off source code (in form of
> patches) in a well-known programming language for a (nowadays)
> well-known GPLv2 licensed project mailed on "everyone can subscribe"
> mailing lists, (thus) to be found in several $SEARCH_ENGINE-indexed
> mailing list archives, if accepted to be found in lots of publicly
> accessible git repos can be not intended to be published?
> 
> I wonder what else must happen.

There is a bigger problem in the ambiguity.

It's easy to deal with signed off by lines because I had the sense to
make sure that the DCO covered us for EU data protection and thus it's
explicit.

It's relatively easy to deal with the case of 'I contributed some code'.

It's really not at all obvious what happens with 'I got some code from
another project that contains its author's name'.

The wording IMHO just needs tightening up - and that's a useful
discussion that ought to be had. I think everyone understands the *intent*
of such wording - don't go around doxing people, or posting their home
address on Facebook and calling for people to attend with pitchforks.

There's a second related area that needs sorting out in wording, which is
the implication of any kind of privacy in a complaint - which is really
bad in two ways.

As it is set up now the TAB is not a lawyer, so the TAB could not claim
any kind of legal privilege. That means in the event of a complaint the
TAB would be powerless not to release almost all the info in the
complaint if hit by a data protection request in many jurisdictions. Sure,
they'd have to (and be required to) remove some of the information that
might identify the complainant.

Secondly, one thing that we've learned repeatedly (and notably from the
church scandals) is that there are some complaints that should upon
receipt be handed directly to law enforcement, but there is no carve-out
for this.

The other issue is that whoever handles any complaint system needs a
budget and lawyers, because they will potentially have to field judicial
reviews and other challenges. That means the TAB needs to have
exemplary record keeping and process, because anyone who stands up in a
legal challenge and says 'Umm.. we read it and talked about it and kind
of decided X but I don't remember why and there are no minutes and there
is no process document' is going to get fried. Someone needs to have that
process in place well in advance.

Alan
