lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 May 2019 00:57:08 -0400 From: "Theodore Ts'o" <tytso@....edu> To: Konstantin Ryabitsev <konstantin@...uxfoundation.org> Cc: Joe Perches <joe@...ches.com>, linux-kernel@...r.kernel.org Subject: Re: PSA: Do not use "Reported-By" without reporter's approval On Wed, May 22, 2019 at 03:58:04PM -0400, Konstantin Ryabitsev wrote: > > If the report is public, and lists like vger are public, > > then using a Reported-by: and/or a Link: are simply useful > > history and tracking information. > > I'm perfectly fine with Link:, however Reported-By: usually has the person's > name and email address (i.e. PII data per GDPR definition). If that pehrson > submitted the bug report via bugzilla.kernel.org or a similar resource, > their expectation is that they can delete their account should they choose > to to do so. However, if the patch containing Reported-By is committed to > git, their PII becomes permanently and immutably recorded for any reasonable > meaning of the word "forever." Many (most?) bugzilla.kernel.org components result in e-mail getting sent to vger.kernel.org mailing lists. So even if they delete the bugzilla account, there e-mail will be immortalized in lore.kernel.org and their associated git repositories. So perhaps a better approach is to put a warning alerting bug reporters that submitting a bug means their e-mail will end up get broadcasting in public mailing list archives and public git repositories? I assume distro engineers who are fixing bugs from their Distro bugzillas which support non-public bugs already know that they shouldn't be revealing their customers' identities. But realistically, while I agree it would be nice to ask people if they don't mind being immortalized in git repositories, we should probably warn people that when they submit a bug, or for that matter, send e-mail to a kernel mailing list, they're going to be immortalized in a git repository *already*. - Ted
Powered by blists - more mailing lists