lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20181008164950.71793583@coco.lan>
Date:   Mon, 8 Oct 2018 16:49:50 -0300
From:   Mauro Carvalho Chehab <mchehab+samsung@...nel.org>
To:     James Bottomley <James.Bottomley@...senPartnership.com>
Cc:     Daniel Vetter <daniel.vetter@...ll.ch>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        ksummit <ksummit-discuss@...ts.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] [PATCH 1/2] code-of-conduct: Fix the
 ambiguity about collecting email addresses

Em Sun, 07 Oct 2018 08:29:01 -0700
James Bottomley <James.Bottomley@...senPartnership.com> escreveu:

> On Sun, 2018-10-07 at 11:04 +0200, Daniel Vetter wrote:
> > On Sat, Oct 6, 2018 at 11:36 PM James Bottomley
> > <James.Bottomley@...senpartnership.com> wrote:  
> > > 
> > > From 4a614e9440148894207bef5bf69e74071baceb3b Mon Sep 17 00:00:00
> > > 2001
> > > From: James Bottomley <James.Bottomley@...senPartnership.com>
> > > Date: Sat, 6 Oct 2018 14:21:56 -0700
> > > Subject: [PATCH 1/2] code-of-conduct: Fix the ambiguity about
> > > collecting email
> > >  addresses
> > > 
> > > The current code of conduct has an ambiguity in the it considers
> > > publishing private information such as email addresses unacceptable
> > > behaviour.  Since the Linux kernel collects and publishes email
> > > addresses as part of the patch process, add an exception clause for
> > > email addresses ordinarily collected by the project to correct this
> > > ambiguity.
> > > 
> > > Signed-off-by: James Bottomley <James.Bottomley@...senPartnership.c  
> > > om>  
> > > ---
> > >  Documentation/process/code-of-conduct.rst | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/Documentation/process/code-of-conduct.rst
> > > b/Documentation/process/code-of-conduct.rst
> > > index ab7c24b5478c..aa40e34e7785 100644
> > > --- a/Documentation/process/code-of-conduct.rst
> > > +++ b/Documentation/process/code-of-conduct.rst
> > > @@ -31,7 +31,7 @@ Examples of unacceptable behavior by participants
> > > include:
> > >  * Trolling, insulting/derogatory comments, and personal or
> > > political attacks
> > >  * Public or private harassment
> > >  * Publishing others’ private information, such as a physical or
> > > electronic
> > > -  address, without explicit permission
> > > +  address not ordinarily collected by the project, without
> > > explicit permission
> > >  * Other conduct which could reasonably be considered inappropriate
> > > in a
> > >    professional setting  
> > 
> > We've discussed this a bit with freedesktop.org people a while ago,
> > both from a CoC and privacy regulations pov, and we concluded that
> > attaching random people's emails in Reported-by: and similar lines,
> > without their consent, is indeed a problem. Bugzilla is rather
> > problematic in this way, since it looks like it's protecting your
> > email address and keeping it private, but then you can still just
> > grab it from the bugzilla emails without first asking for permission.
> > That's one of the reasons why fd.o admins want to retire Bugzilla in
> > favour of gitlab issues (where this is handled a lot more strictly).  
> 
> This is a code of conduct example of a violation.  While I agree we
> should exercise sensitivity in reporter expectations I don't think a
> maintainer getting it wrong should be equated to doxxing.
> 
> In many ways, this is why having examples sections in quasi legal
> documents is a bad thing to do because it's arguable (as you have done)
> that if some behaviour isn't explicitly mentioned in the unacceptable
> examples it must be acceptable.
> 
> Look at it this way: if a maintainer screws up and adds a reported by
> from someone who didn't expect their email to be published should that
> be treated as an immediate code of conduct violation by whatever
> enforcement process we come up with?  I think most maintainers would
> answer "no" to this. 

Agreed. 

I'd say more: what happens if someone adds a diff inside a bug
report? Not adding the author can be problematic too.

People should assume that, when reporting a bug, replying to
a patch, etc, his e-mail will be visible by people, and it can be
used when a fixup patch is produced. If someone doesn't want that,
it should *explicitly* say otherwise.

The text changes suggested by James reflects that: an e-mail sent in
private, with an explicit message saying to not use the personal
address is not an "electronic address not ordinarily collected by the
project".

Of course, it is up to the maintainer/developer that receives
such e-mails to either use its content, anonimizing the submitter
as requested (and eventually taking associated risks with regards
to GPL - if the email contains a patch) or to just ignore it.

Anyway, such "special cases" are the kind of thing that makes sense
on a FAQ, and not at the letter of the document itself.

Thanks,
Mauro

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ