Bug 674592 - request to change GLEP 76 certificate of origin real name policy
Summary: request to change GLEP 76 certificate of origin real name policy
Status: RESOLVED OBSOLETE
Alias: None
Product: Documentation
Classification: Unclassified
Component: GLEP Changes
Hardware: All Linux
Importance: Normal normal
Assignee: GLEP Editors
URL: https://github.com/gentoo/gentoo/pull...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-05 09:53 UTC by grumpytetra
Modified: 2023-06-13 15:18 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---
Description grumpytetra 2019-01-05 09:53:11 UTC
Please change GLEP 76 to allow contributions to public repositories without forcing contributors to publish their legal names or other SPI.

Reproducible: Didn't try
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-01-05 10:13:04 UTC
No.
Comment 2 grumpytetra 2019-01-05 11:15:08 UTC
Please reconsider.

ps I believe your real name policy is in conflict with the GDPR.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-01-05 11:18:45 UTC
(In reply to grumpytetra from comment #2)
> Please reconsider.

We don't consider requests from people who didn't even bother to provide a single sentence of explanation.

> ps I believe your real name policy is in conflict with the GDPR.

No, it isn't.  Please read GDPR before claiming what it is.
Comment 4 grumpytetra 2019-01-05 11:32:46 UTC
What would you like me to explain?

AFAIK requiring a user to post SPI on a public forum is a violation of the GDPR but you're right, I didn't read the entire GDPR. I assume you did? If so, please explain to me why/how I am wrong in my understanding of the GDPR.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-01-05 11:38:15 UTC
(In reply to grumpytetra from comment #4)
> What would you like me to explain?

I would like to explain why you believe we should accept contributions that aren't signed with one's real name.

> AFAIK requiring a user to post SPI on a public forum is a violation of the
> GDPR but you're right, I didn't read the entire GDPR. I assume you did? If
> so, please explain to me why/how I am wrong in my understanding of the GDPR.

I have no clue what SPI is, so you may want to expand it.  But if you mean your real name, then nobody is forcing you to do anything.  It's your choice.  If you don't want to contribute to Gentoo on our terms, you don't have to.  Simple as that.
Comment 6 grumpytetra 2019-01-05 12:20:08 UTC
> I would like to explain why you believe we should accept contributions that aren't signed with one's real name.

Because users that care about their privacy shouldn't be excluded from contributing IMHO.

> I have no clue what SPI is, so you may want to expand it.

SPI is 'sensitive personal information': data that can be used to identify a person. Please see chapter 1 article 4 part 1 of the GDPR for a legal definition and wikipedia's article on personally identifiable information for more information and sources.

> If you don't want to contribute to Gentoo on our terms, you don't have to.  Simple as that.

If it's as simple as that I'll have someone take a look and will lodge a complaint at an appropriate venue if applicable.

Thank you for your time. Have an excellent new year! :)
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-01-05 12:27:44 UTC
(In reply to grumpytetra from comment #6)
> > I would like to explain why you believe we should accept contributions that aren't signed with one's real name.
> 
> Because users that care about their privacy shouldn't be excluded from
> contributing IMHO.

How do we distinguish users that 'care about privacy' from users that 'maliciously hide under a pseudonym to avoid legal responsibility'?

> > I have no clue what SPI is, so you may want to expand it.
> 
> SPI is 'sensitive personal information': data that can be used to identify a
> person. Please see chapter 1 article 4 part 1 of the GDPR for a legal
> definition and wikipedia's article on personally identifiable information
> for more information and sources.

Are you saying that your name is unique enough to make it sufficient to identify yourself?  We're not asking for your address, phone number, anything specific.

> > If you don't want to contribute to Gentoo on our terms, you don't have to.  Simple as that.
> 
> If it's as simple as that I'll have someone take a look and will lodge a
> complaint at an appropriate venue if applicable.

Please by all means do if you believe so.  However, I would suggest that normally it is considered more appropriate to actually tell us what rule specifically we are violating than threaten us with formal actions.
Comment 8 grumpytetra 2019-01-05 13:45:41 UTC
> Please by all means do if you believe so.  However, I would suggest that normally it is considered more appropriate to actually tell us what rule specifically we are violating than threaten us with formal actions.

In light of your responses I see no added value in continuing this conversation. Any perceived threat of formal actions by my statement to address privacy issues in a less antagonistic venue is not in my purview.

I have requested a copyright policy change which was met with a terse and, if I might say so, unfriendly response.
I have acted in good faith and have alerted you to what I believe to be a violation of privacy regulations, which was met with an answer of the "if you don't like it don't contribute" variety; and that is exactly what I will do; which is a real shame. I have loved working with and on Gentoo for many years and enjoyed communicating with the very knowledgeable Gentoo community at almost every opportunity.

Best regards and best wishes for the new year :)
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2019-01-05 14:35:43 UTC
It is not against GDPR. Like Michał said, if you want to "play" with us, you have to follow our rules. The majority of the Gentoo community decided that we want proper copyright so we created GLEP 76 to implement proper copyright.

If you want to have anything changed *you* have to provide detailed reasons because *you* have to *convince* everyone else to follow *your* motion. Just saying "Please change X" without providing any reasons is rude behavior. Same as throwing in buzzwords like "GDPR" without providing a detailed reason why you think this violates GDPR (if you want to do it right you would post something like, "I think GLEP 76 must be revised because it violates GDPR chapter 5 art 77, paragraph 1b and 5d because of <your interpretation>" (just an example)).

But even if you can provide detailed reasons, you first have to go through the mailing lists. That's the place where we discuss things. Bugs.gentoo.org is not the place for general discussions.

Thanks for your understanding.
Comment 10 grumpytetra 2019-01-05 16:46:18 UTC
I think, my friend, that you and I have a very different definition of the word "rude". I'll just leave it at that.

I vehemently disagree that privacy issues with your copyright policy are "general discussion"

I thank you for clarifying the council's position on the priority of copyright enforcement and its importance over privacy. It's good to know where the (potential) contributor stands as part of the Gentoo project.

Goodbye
Comment 11 PhobosK 2019-01-05 16:55:06 UTC
@Michał,
for someone living in an EU country you seem too "unfamiliar" with one of the top EU laws for data protection (GDPR) that also was a top notch discussion in 2018 :) ... ;) (just a small joke)

Anyway just a couple of notes from me since my bug was referenced to this one :)... and since you want some discussion....

The problem is more serious than you think... sadly...

1. GLEP 76 is NOT GDPR compliant, not only because it forces the collection of "committer's legal name as a natural person, i.e., the name that would appear in a government issued document", but also because:
- you do not collect a proper legal consent from the person doing the sign off... The Certificate of Origin's "I understand and agree that this project and the contribution... blah blah..." is not good enough because it mixes contribution, licensing and personal data consent; it also states that the data will be held indefinitely - which is generally speaking strictly forbidden by GDPR; it also doesn't state the exact rules for withdrawal of consent; it should be written in the signing person's native language... etc... etc....
- you do not have any proper public procedure for ‘processing’ the personal data
- no publicly available DPO (data protection officer)
- no publicly mentioned ‘controller’ of the data
- no publicly mentioned ‘processor’ of the data
- no procedure for withdrawal of persons consent to use his data
- no way to delete personal data if the person requires ( especially in git :) )
- etc etc etc....

2.
>Are you saying that your name is unique enough to make it sufficient
> to identify yourself? 
First of all it doesn't matter what @grumpytetra says (no offence), but it matters what the law says :) and it says a person's name is an identifier (reference - Chapter 1 Article 4 (1) - https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02016R0679-20160504&from=EN )... and sadly for you... yes, a person's legal name collection AND PUBLISHING is enough as an action for GDPR to apply in its full extent (considering that the person is an EU citizen)... Besides, with all the other indirect information about the user (that could easily be obtained by a simple Google search) like country, city etc... it is more than enough to identify someone :) -> so again GDPR rules apply if EU citizen or business, charity etc in EU...

Anyway I do not want to go deeper into the legal issues that you have with this policy because it is a vast topic. But you should have someone in your team that understands and actually works with EU laws (after all @Matthew is a US citizen ;) ), so he/she can fix these issues, because sooner or later, someone is going to file a complaint and being a Foundation will not save you from prosecution...
And just a side note for your info on the publicly available Board meeting minutes - with 5 mentions of GDPR for the whole year and no actual discussion ... this doesn't look good and is not giving an impression that you care a lot about the topic... plus it cannot even help you as a "proof of desire to be GDPR compliant" (legal term sorry)


Going further... some questions that you maybe need to think of:
1.
> How do we distinguish users that 'care about privacy' from users 
> that 'maliciously hide under a pseudonym to avoid legal responsibility'?
- You cannot :) Even if you have all persons' legal documents at your disposal, it will not help you or stop him from doing "bad" things if he wants to... that is why a very good approve procedure for commits and review should exist :) 
- If something illegal is done by someone... well depending on the severity, hiding behind an alias (or pseudonym as you call it) usually will not help him avoid legal prosecution... reference - look at the last year's specific FBI prosecutions against digital fraud...
- And what exactly will prevent a user from using a fake real name? Or you do collect pictures of their government issued documents? :) Really oh... that is not legal... anyway trying to joke with something not for joking...

2. Can you name me one other widely accepted and leading Open Source project that does forcibly require real names for their contributors? Hmmm lets see the biggest one - Ubuntu - with its huge user base for example... yeah they make you sign off a "Code of conduct" but not real names... Don't you think if legally that kind of thing was easy to accomplish, they would have already done it? :) 
And excuse me for the wording "forcibly require" but the notion "if you do not like it, you do not do/use/sign it" is leaving someone with no choice... no matter how you present it... And this (the caps are mine):
>If you don't want to contribute to Gentoo ON OUR TERMS,
> you don't have to.
Sorry but it sounds disrespectful... What happened with the "Gentoo provides choices" and with the "Gentoo lives for the community, by the community. Gentoo strives to please its users." ( reference https://wiki.gentoo.org/wiki/Foundation:Main_Page ) Maybe the Foundation has lost its way?
And with such rules/terms and attitude (RESOLVED WONTFIX, don't want to do on our terms.. etc) don't you think you drive the userbase (incl contributors) away...  because people will move on and find other ways to contribute to other Open Source projects... and that is not good for the entire movement incl Gentoo...

So to come to the point:
1. Why don't you really think it over and reconsider the policy in such a way that contributors find it easier to make their contributions... especially proxy-maintaining and proxy-maintainers that really do not have any access to committing really any changes without supervision?

2. Don't you think some more relaxed rules and processes/procedures for those who want to contribute will help Gentoo more in reaching the goals it states in its Charter and Principles. And by relaxed, I do not mean security relaxed or security problematic... And signing off something with real name ... sorry but this is NOT security!
And just a simple example showing the adverse effects of your contributing rules... even with the control, checking, moderating, signing off of the commits to tree... lately more and more ebuilds that break dependencies and make the emerge process a nightmare are committed without being thoroughly tested before commit... :(



That's all for now... I apologize for the long forum like post here in a bug reporting tool, but anyway Michał wanted a discussion, so I couldn't "restrain" myself...

And again no offence intended to anyone... This is just my personal view on the topic...

Thanks
And Regards :)



P.S. There are a lot of resources on the net about GDPR, and I am sure everyone can find them... but here are some essentials:
1. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02016R0679-20160504&from=EN
2. https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
3. https://www.i-scoop.eu/gdpr/gdpr-personal-data-identifiers-pseudonymous-information/
4. https://eugdprcompliant.com/personal-data/



P.S.2 While I was writing the above there was some update/input from @Thomas Deutschmann that adds two more questions to the above :)

1. How exactly one defines the "The majority of the Gentoo community"? Is it above 50% ?? Or is it above 50% of the Council Members (which are actually a minority of the Gentoo community - though an important one :) ) 
2. Do you really think the proper copyright includes forcing the user to sign off with a real name ONLY... Really???


Anyway 
Thanks and Regards again
Comment 12 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-01-05 17:11:05 UTC
Spamming us with long posts doesn't help anyone understand the problem or discuss it.

We don't 'collect' or 'process' those names.  We're not some proprietary company that steals your data and sells them to spammers in secret.  Gentoo is open source, so every commit you make goes public and is distributed to a lot of people, by a lot of people.

So I think it is reasonable to presume that -- knowing that your commit will be public -- if you publish your PII in that commit, you agree to it being shared as part of the commit.  Do you believe we should put a big fat warning 'your public commits are public which means others will be able to read them'?

Also, please don't confuse privacy vs anonymity.
Comment 13 PhobosK 2019-01-05 17:46:26 UTC
LOL ... 
No comments on this one.. you leave me speechless :)

Anyway I hope you do realize that the topic cannot be covered with a couple of words, so that it can be convenient to be read... 

And believe me, I am the last person who can "confuse privacy vs anonymity" ... 'cause I will be jobless otherwise :P

Anyway this was my one time, 1 cent contribution to this topic and I am done with it.

No need to waste more of my or your (or anyone's) time over this topic...

Nice weekend ;)
Comment 14 Ulrich Müller gentoo-dev 2023-05-09 07:11:11 UTC
*** This bug has been marked as a duplicate of bug 883715 ***