This may seem a bit odd, but I was asked if Gentoo had a privacy policy in general. We've got one for the mailing lists, but not for anything else. I think we need one for Bugzilla at the least, but also a broad one to cover the rest of our sites (primarily for weblogs that contain user IPs). The Fedora privacy policy is maybe a good one to base it off: http://fedoraproject.org/wiki/Legal/PrivacyPolicy
For www.g.o (i.e. weblogs) we could use something like http://www.sfconservancy.org/privacy-policy/ It's nice and simple. The Fedora version would need to be tailored a bit, most likely, and I think it might provide a nice starting point for an "authenticated user" privacy policy. Regardless, I have contacted the Foundation attorney for assistance.
Nothing the GDP can do anything about. Reassigning to infra@ for the time being -- I or another member can put it in /main/en/ and link it once it's done. (We could use a public www@ address for this kind of bug, if there's anyone on the team besides me that is.) GDP members, feel free to CC yourselves on this bug if you feel like helping out with the policy wording, or something. :)
I am still on www; but I watch all infra-bugs as well ;)
(In reply to comment #1)
> The Fedora version would need to be tailored a bit, most likely, and I think it
> might provide a nice starting point for an "authenticated user" privacy policy.
> Regardless, I have contacted the Foundation attorney for assistance.
Any updates here?
I don't mind taking a stab at creating a privacy policy. Personally, I'd like to have it clear which information is kept for what service. I can make a draft with what I assume is kept, and have it then proof-read by infra to see if my assumptions stick.
https://wiki.gentoo.org/wiki/User:A3li/Privacy_Policy_Draft Adapted from the Fedora policy, minus lots of the 'raffle/giveaway' and partner stuff we don't do. Comments or edits welcome.
Alex, thanks for taking this up. The only comment I have is about the "Our Commitment to Data Security". It mentions the use of SSL(/TLS) but not about password protection. Considering that leaked password databases are a, well, humiliating PR nightmare if found out that the database was not properly protected (and the passwords not properly hashed and salted and what not)... would it make sense to mention this as well?
(In reply to Sven Vermeulen from comment #7)
> Alex, thanks for taking this up.
>
> The only comment I have is about the "Our Commitment to Data Security". It
> mentions the use of SSL(/TLS) but not about password protection. Considering
> that leaked password databases are a, well, humiliating PR nightmare if
> found out that the database was not properly protected (and the passwords
> not properly hashed and salted and what not)... would it make sense to
> mention this as well?
I added a sentence about that. No text will make us look any better in the event this happens though.
swift: I've added a few bits so it's correct to the best of my knowledge now (mostly that LDAP has birthdays). Do you want to give it one last review, then infra will post it as needed?
Ah, I missed this one. Yes, looks good!
(In reply to Sven Vermeulen from comment #10)
> Ah, I missed this one. Yes, looks good!
Is this the official confirmation from trustees@ that this is our official privacy policy now?
No, not yet. I've added it to the agenda for the coming trustees meeting (for September as August is our AGM). https://wiki.gentoo.org/wiki/Foundation:Meetings/2016/09 I will mail the trustees after the AGM when the new trustees take place.
Looks good, thanks everyone.
Do we have a COPPA option everywhere? The forums do, I couldn't find it on the Wiki. Do we need a few words aimed at users based in the EU to the effect that their personal data may be held and processed outside of the EU? We mention IRC but we don't operate our own IRC network, so this privacy policy does not apply. Should we point to the freenode privacy policy? The statement of a policy and its implementation are two different things. It looks like a good comprehensive document.
Privacy policy slightly adjusted [1] and approved on Gentoo Foundation trustees meeting, dd 2016/09/18
[1] https://wiki.gentoo.org/index.php?title=User%3AA3li%2FPrivacy_Policy_Draft&type=revision&diff=544754&oldid=327638
Also added paragraph regarding non-coverage (cfr trustee meeting). Forgot to mention that in previous comment. https://wiki.gentoo.org/index.php?title=User%3AA3li%2FPrivacy_Policy_Draft&type=revision&diff=544756&oldid=544754
a3li: The edit as of 2016/Sep/18 20:09 UTC is the final version now. Where do you want to put it on the main website?
(In reply to Robin Johnson from comment #17)
> a3li:
> The edit as of 2016/Sep/18 20:09 UTC is the final version now. Where do you
> want to put it on the main website?
Something like https://gentoo.org/legal/privacy-policy.html that can be linked to from sign-up forms and/or page footers?
I've been commissioned by the Trustees to move this page...starting work now.
For the record, this privacy policy was approved at this Trustee meeting: https://projects.gentoo.org/foundation/2016/meeting-20160918-log.txt I have, for now, moved the draft to the Foundation namespace: https://wiki.gentoo.org/wiki/Foundation:Privacy_Policy
I have removed the Work in Progress (WIP) template and have made minor punctuation improvements (capitalization and added an Oxford comma). Not sure if changes such as these constitute a re-approval. I did NOT bump the "last amended" date near the bottom of the document but can do so if requested. Not sure it's needed since I add or remove any content, but I guess that may be considered relative. Please review: https://wiki.gentoo.org/wiki/Foundation:Privacy_Policy
For the wiki, redirecting this page: https://wiki.gentoo.org/wiki/Gentoo_Wiki:Privacy_policy to https://wiki.gentoo.org/wiki/Foundation:Privacy_Policy
The privacy policy is live, and there are separate bugs now to add it to all sites.