Date:   Sun, 7 Oct 2018 11:04:48 +0200
From:   Daniel Vetter <daniel.vetter@...ll.ch>
To:     James Bottomley <James.Bottomley@...senpartnership.com>
Cc:     ksummit <ksummit-discuss@...ts.linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [Ksummit-discuss] [PATCH 1/2] code-of-conduct: Fix the ambiguity
 about collecting email addresses

On Sat, Oct 6, 2018 at 11:36 PM James Bottomley
<James.Bottomley@...senpartnership.com> wrote:
>
> From 4a614e9440148894207bef5bf69e74071baceb3b Mon Sep 17 00:00:00 2001
> From: James Bottomley <James.Bottomley@...senPartnership.com>
> Date: Sat, 6 Oct 2018 14:21:56 -0700
> Subject: [PATCH 1/2] code-of-conduct: Fix the ambiguity about collecting email
>  addresses
>
> The current code of conduct has an ambiguity in that it considers publishing
> private information such as email addresses unacceptable behaviour.  Since
> the Linux kernel collects and publishes email addresses as part of the patch
> process, add an exception clause for email addresses ordinarily collected by
> the project to correct this ambiguity.
>
> Signed-off-by: James Bottomley <James.Bottomley@...senPartnership.com>
> ---
>  Documentation/process/code-of-conduct.rst | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/Documentation/process/code-of-conduct.rst b/Documentation/process/code-of-conduct.rst
> index ab7c24b5478c..aa40e34e7785 100644
> --- a/Documentation/process/code-of-conduct.rst
> +++ b/Documentation/process/code-of-conduct.rst
> @@ -31,7 +31,7 @@ Examples of unacceptable behavior by participants include:
>  * Trolling, insulting/derogatory comments, and personal or political attacks
>  * Public or private harassment
>  * Publishing others’ private information, such as a physical or electronic
> -  address, without explicit permission
> +  address not ordinarily collected by the project, without explicit permission
>  * Other conduct which could reasonably be considered inappropriate in a
>    professional setting
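
Review bot: On the added line, "not ordinarily collected by the project" is left undefined, so the scope of the exception depends on how each reader interprets "ordinarily" and "collected". The commit message names a narrower case, email addresses collected and published as part of the patch process, and the bullet could say that directly instead. As placed, the qualifier also attaches to "a physical or electronic address" as a whole, so it reads as covering physical addresses too, although the commit message only discusses email addresses. Rewording so that the exception applies to email addresses alone would match the stated intent.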

We've discussed this a bit with freedesktop.org people a while ago,
both from a CoC and privacy regulations pov, and we concluded that
attaching random people's emails in Reported-by: and similar lines,
without their consent, is indeed a problem. Bugzilla is rather
problematic in this way, since it looks like it's protecting your
email address and keeping it private, but then you can still just grab
it from the bugzilla emails without first asking for permission.
That's one of the reasons why fd.o admins want to retire Bugzilla in
favour of gitlab issues (where this is handled a lot more strictly).

What we discussed in the older thread here on ksummit-discuss is
making it clear that email addresses sent to public mailing lists are
considered public information, which I think is worth clarifying. But
what you're exempting here is anything collected without permission
in the past, which I don't think is a good wording. I've definitely
been skimping on the rules here in the past. At least in my
understanding of the legal situation, if you get a bug report through
a private channel, or at least a channel that hides private address
information (like Bugzilla does, albeit sloppily), then you do have to
ask for explicit consent to publishing that information.
-Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
