Re: Privacy Policy Concern

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/08/2012 03:42 PM, Tristan Santore wrote:

> I personally believe there should be a very frank discussion about
> this. There is a tendency to be quite liberal with personal
> information, which in my very humble opinion, in terms of the fas
> username is a security risk, in terms of the sign up email being
> shown, can allow anyone to write a script to query fas, and spam
> people to death, maybe harass them. In terms of the real name being
> shown, if you make public statements, you might disgruntle future
> employers, maybe your local judicial system, who do not value free
> speech, as the US constitution does or even worse, somebody just
> takes an exception to statements made, and you get arrested
> (happens a lot in other countries I hear). Of course these are all
> extreme examples, but I do not think we should underestimate these
> issues.

I understand what you are saying. We have to balance personal rights
with the rights of the community to know who they are entrusting. The
"know who" in an online world comes about by interacting with people,
building trust, and so forth.

In a simplistic sense, is what you are suggesting that all FAS
information be a secret that only a few sysadmins can access? Those
sysadmins would be the centers of a trust web - I would have to trust
those sysadmins that there are real people who can be reached (via
email, for example) behind usernames.

In order to contact another user who I hadn't personally traded
addresses with, I would have to use perhaps a web interface? Or would
username@xxxxxxxxxxxxxxxxx still be accessible information?

> Further, speaking for myself, when I signed up years ago, I did
> not realise that: a. I could not change my username after sign up 
> b. That this information was going to be public. Of course then,
> legally "you" would say, well we had this 100 page document in our
> terms and conditions, but does that make it right ?

I'm unclear here - are you saying it is not your responsibility to
read and understand terms and conditions of websites you sign up for?
If it is not your responsibility, whose is it?

If the document truly were 100 pages ... but I've always seen Fedora
strive for brevity in all legal documents.

> Should we as a free and open community not be better at respecting 
> people's beliefs ? What if I want to change my username ? Or what
> if I want to delete my user/participation ? What are the procedures
> for our users ? What guarantees do we give people to protect their 
> privacy/details after they leave, or they change their minds on
> being so open, in terms of disclosure ?

I can sort-of answer about the username change. I may be the only
person in Fedora history who had this done - I asked for it especially
because I had mistakenly signed up as or received 'kwade' as my
username. (I keep a strict separation so 'kwade=work' and
'quaid=community'.)

It was a huge pain that still has little cracks in it - teams where I
was signed up as 'kwade', for example. I don't blame the
Infrastructure Team for not wanting to do it anymore. The problem AIUI
is, FAS was never designed to allow for usernames to be changed. (I
don't know of any account system that really is - it may allow for an
alias to be changed, but underneath is a UUID of some sort that can
never be reused. For example, accounts in FAS are not deleted but
rather are locked-as-closed, so no new person can reuse another
username. I think this is key in the web-of-trust - I want to know
that 'spot' is always the same 'spot', or at least someone who has his
credentials and can write as well as he does.)

So that use case I suspect won't happen unless you or someone else
rewrites FAS to allow for it.

> I personally think, these are very real concerns, especially when
> we see other corporations getting more and more greedy with
> information on the general public and more and more laws by
> government to snoop on people. We should also never forget, that it
> is getting harder and harder to delete data, which is why the EU is
> debating a "right to forget" law.
> 
> The community should have a very frank and open discussion
> about these concerns and the board should then take up these issues,
> discuss the findings and make appropriate changes to the policies
> and how we inform our contributors about what happens with this
> data, and what and how we help them to erase any data about them.

The problem that I see so far about "right to forget" for Fedora is
that we are a publicly accessible open source project. Our data is, by
nature, shared and archived all around the Internet. People have come
in the past and requested to e.g. have all their emails removed from
our mailing list archives. The problem is, we don't control the dozens
or hundreds of other locations that have that email archived. It is
literally impossible for Fedora to erase public data related to a
username, especially when that user willingly wrote to e.g. public
mailing lists.

So while I understand and sympathize with our sisters and brothers
being oppressed around the world, if they have concern about what they
say and do in Fedora, they should take appropriate steps to make
themselves anonymous. It is likely there are users right now making
copyright contributions to Fedora who are entirely anonymous
fictitious persons to protect people who need or desire anonymity.
Although I might not formally condone that, I certainly am able to
build trust with someone who chooses anonymity - in fact, I've done
that with someone whose anonymity and honesty stretches to not
contributing actual copyright material nor making contribution
agreements because "he" is anonymous.

Myself, I have an equal concern that I can identify properly the
people who have contributed copyright material to Fedora, so I can
properly attribute and/or reuse as per the terms of the license. Does
my concern outweigh the political and personal risk people have when
they identify themselves in FAS? Maybe not in other venues, but in the
venue of "free/libre/open source software project", perhaps my concern
*does* outweigh a right to total privacy and anonymity.

- - Karsten

> Of course there have to be technical limits, especially as we use
> fas in pretty much everything, but these should be discussed too,
> and maybe workarounds found.
> 
> I apologise for this long email, but these are just some concerns I
> see with regards to this issue.
> 
> 
> Regards,
> 
> Tristan
> 
> 
> 


- -- 
name:  Karsten 'quaid' Wade, Sr. Community Architect
team:    Red Hat Community Architecture & Leadership
uri:              http://communityleadershipteam.org
                         http://TheOpenSourceWay.org
gpg:                                        AD0E0C41
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFPWVg92ZIOBq0ODEERAhxzAKCNCtNpQYG+8amhOVJceHZ0UvWy8wCgtPRS
8bYF9mD3GLpzK6q6XAUksWk=
=PxK3
-----END PGP SIGNATURE-----
_______________________________________________
legal mailing list
legal@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/legal


