| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f50c7b22-2b31-47d2-8353-41d80f5241c1@leemhuis.info> Date: Sat, 8 Feb 2025 16:36:47 +0100 From: Thorsten Leemhuis <linux@...mhuis.info> To: Laurent Pinchart <laurent.pinchart@...asonboard.com> Cc: Jonathan Corbet <corbet@....net>, workflows@...r.kernel.org, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, Simona Vetter <simona.vetter@...ll.ch>, Mauro Carvalho Chehab <mchehab+huawei@...nel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Shuah Khan <skhan@...uxfoundation.org> Subject: Re: [PATCH v4] docs: clarify rules wrt tagging other people On 07.02.25 10:05, Laurent Pinchart wrote: > Thank you for the patch. Thx for saying that! > On Thu, Feb 06, 2025 at 03:30:10PM +0100, Thorsten Leemhuis wrote: >> Point out that explicit permission is usually needed to tag other people >> in changes, but mention that implicit permission can be sufficient in >> certain cases. This fixes slight inconsistencies between Reported-by: >> and Suggested-by: and makes the usage more intuitive. >> >> While at it, explicitly mention the dangers of our bugzilla instance, as >> it makes it easy to forget that email addresses visible there are only >> shown to logged-in users. >> >> The latter is not a theoretical issue, as one maintainer mentioned that >> his employer received a EU GDPR (general data protection regulation) >> complaint after exposing a email address used in bugzilla through a tag >> in a patch description. > [...] >> -Be careful in the addition of tags to your patches, as only Cc: is appropriate >> -for addition without the explicit permission of the person named; using >> -Reported-by: is fine most of the time as well, but ask for permission if >> -the bug was reported in private. >> +Be careful in the addition of the aforementioned tags to your patches, as all >> +except for Cc:, Reported-by:, and Suggested-by: need explicit permission of the >> +person named. For those three implicit permission is sufficient if the person >> +contributed to the Linux kernel using that name and email address according >> +to the lore archives or the commit history -- and in case of Reported-by: >> +and Suggested-by: did the reporting or suggestion in public. Note, >> +bugzilla.kernel.org is a public place in this sense, but email addresses >> +used there are private; so do not expose them in tags, unless the person >> +used them in earlier contributions. > > I like this text very much, it's concise and clear. Glad to hear! > My only possible > concern is that "explicit permission" isn't defined. I assume that > someone sendubg a Reviewed-by or Acked-by tag in a public mail thread > counts as permission, but strictly speaking it's not explicit. > > Regardless of that, I think we can clarify what explicit permission > means in a follow-up patch. If you would like to merge this one as-is, Hmmmm. Not totally sure that I exactly understand what you mean, but I think I see it. But I'm not sure how to solve that. Would simply dropping the "explicit" solve this? Or should I start the section like this: "" Be careful in the addition of the aforementioned tags to your patches, almost all need permission by the person named; one can be assumed if the person provided that tag in a reply or acknowledged its inclusion after being made aware that name and email address will end up in public places where they can't be removed. The tags Cc:, Reported-by:, and Suggested-by: are an exception: for those three implicit permission is sufficient, ... """ Ciao, Thorsten
Powered by blists - more mailing lists