On Thu, Jun 07, 2018 at 10:53:13PM -0400, Theodore Y. Ts'o wrote:
> The problem is you've left undefined who is "you"? With an open
> source project, anyone who has contributed to an open source project has
> a copyright interest. That hobbyist in Germany who submitted a patch?
> They have a copyright interest. That US Company based in Redmond,
> Washington? They own a copyright interest. Huawei in China? They
> have a copyright interest.
>
> So there is no "privately". And "you" numbers in the thousands and
> thousands of copyright holders of portions of the open source code.

Of course there is "privately". Every single one of those who have the
author information can keep it, privately, for themselves. But those
that have received a request to be forgotten must not keep publishing it
on the Internet for download or distribute it to others.

> And of course, that's the other thing you seem to fundamentally not
> understand about how git works. Every developer in the world working
> on that open source project has their own copy. There is
> fundamentally no way that you can expunge that information from every
> single git repository in the world.

The misunderstanding is on your side. If you run a website where the
world can access a repository, you are responsible for obeying the GDPR
with respect to that repository. If you receive a request to be
forgotten, you have to make sure you stop publishing that author's
identity as part of the repository. You do NOT need to

- delete it from a private copy you have
- care about others who publish that data
- or even make sure the data is deleted from private copies others may
  have, even if the number of copies is in the thousands.

In practical terms, if someone wishes to exercise his right to be
forgotten, he will usually send the request to the maintainer and stop
him from distributing the information, and perhaps to a third party he
might use as a platform for publication, such as GitHub.

Best wishes
Peter

-- 
Peter Backes, rtc@xxxxxxxxxxxxxxxxxxx