From: Alice Ferrazzi
To: gentoo-project@lists.gentoo.org
Cc: Alec Warner
Date: Wed, 10 Apr 2019 16:36:25 +0900
Subject: Re: [gentoo-project] call for agenda items -- council meeting 2019-04-14
Message-ID: <20190410073625.2b44peoeu2tkfpdp@gentoo.org>

The 04/10/2019 09:13, Michał Górny wrote:
> On Tue, 2019-04-09 at 21:13 +0000, Gokturk Yuksek wrote:
> > > To your second question, you could, but I think that would be wrong and if
> > > I found out I'd probably talk to you about it and if it continued, I'd
> > > probably take some kind of remedial action. The intent is to have a
> > > reasonable suspicion of fraud or wrongdoing, not to do just do it willy
> > > nilly.
> > >
> > > That being said I don't intend to forge a policy that is bullet-proof. If I
> > > cannot trust fellow project members to act well, they might as well just
> > > leave the project now. If project members are looking for "a list of rules
> > > to follow" my only rules are "don't be an ass" and if you are told you are
> > > being an ass, maybe listen and take that advice as opposed to objecting.
> > >
> >
> > My point about the guidelines is for the concern on the receiving party.
> > I suspect there may be situations where saying "I'm not convinced that
> > this is a real name of a person. Would you please provide me a proof of
> > ID?" is perceived offensive. Guidelines published by the Foundation help
> > developers justify their stance and ease people into compliance, I think.
> >
> > > > > > Additional problem is personal data collection, it is
> > > > > > restricted or heavily regulated in many countries. One can't just
> > > > > > demand to show an ID via electronic means without following
> > > > > > complicated data protection procedures which are likely to be
> > > > > > incompatible between jurisdictions.
> > > > > >
> > > > > Do you have any proof of that, or are you just basing your comments
> > > > > on the common concept of misunderstanding GDPR and extending it to match
> > > > > your private interest?
> > > > >
> > > >
> > > > At the very least, insecure transportation and storage of legal
> > > > documents has a potential to lead to identity theft, which makes it a
> > > > legal liability in and of itself. I don't think we should be dismissive
> > > > on this point.
> > > >
> > >
> > > I don't believe any policies require collecting personal data currently.
> > >
> >
> > If I have suspicions about a contributor's identity, would you advise me
> > on a method of validation that doesn't require the electronic transfer
> > of a government approved identification?
>
> My suggestion would be to use the solution that's been there for years
> -- OpenPGP web of trust. Establish a path of trust and/or keysign with
> the person in question. This naturally involves verifying one's ID,
> and reduces the risk of stealing personal data to the minimum.

I'm interested in using OpenPGP for verifying the identity.

>
> > > The Foundation has always carried legal risk. Only recently have we
> > > (through the awesome work of ulm@ and others) had a policy to help mitigate
> > > it. These contributors have not 'suddenly become a legal risk' but instead
> > > the community (council and foundation combined) have adopted a more
> > > risk-averse stance by adopting GLEP-76 and that results in some
> > > contributors being unable to contribute. I'm not sure what else needs to be
> > > explained.
> > >
> >
> > To the best of my knowledge, the Foundation has a long established
> > practice of allowing developers to use pseudonyms on the condition that
> > they reveal their legal identity to the Foundation for legal protection.
> > Was the exclusion of developers with pseudonyms as per GLEP76 a result
> > of a conclusion that the Foundation being informed about developers
> > legal identity wrt copyright infringement carries more risk compared to
> > their total exclusion from development?
>
> Did you read the Linux policy? It is clear: the problem's not
> Foundation knowing, it's *community* knowing. Foundation is just
> a temporary opaque body that's going to be dissolved one day. Code's
> going to live much longer, and it needs to be sustainable without having
> to refer to secret records of the Foundation.

For example, the Debian project got into the same problems in the last
10 years about real names. In the end they decided to accept pseudonyms.
https://nm.debian.org/process/610/keycheck

>
> > > If you want to make a point that Gentoo leadership is bad at making
> > > opposing feelings heard, well I'd probably agree with you (this thread is
> > > one such example.) If you want to make some kind of point that "having an
> > > opinion heard means we change the policy to suit that opinion" then I think
> > > we just disagree on that point. Don't make it out like we made the decision
> > > without thinking of anonymous / pseudonymous contributors; numerous
> > > discussions were had about them and we could not find a way to include them
> > > in the policy.
> > >
> > > That doesn't mean we didn't hear their thoughts and objections though.
> > >
> >
> > Perhaps the people I talked to didn't find the right people to talk to
> > before me. I'm not trying to paint the leadership as ignorant or bad. I
> > understand that this is all volunteer work first and foremost. I wasn't
> > implying to enact a change in the policy on the basis that people's
> > opinions haven't been sufficiently heard.
> >
>
> Perhaps the person you talked to don't 'take no for an answer'.
> If the policy works for the majority of people, and there are only few
> who disagree with it (no matter how much they try to exaggerate it),
> and most of those few so far have failed to provide a really good
> argument why they can't do it, then I'm sorry but that's just how things
> work.

If you have any better data that is not just a presumption, please show us.
Saying that the majority of people are contributing to Gentoo has no meaning.
How many people are you talking about? Are you taking into consideration
all the Gentoo users?
For me, having people quit as Gentoo devs or stop contributing to Gentoo
because of a change in a GLEP is a big deal; we are already not that many.
That is just how things work for you.

>
> I'm certainly against changing the policy on arguments like 'but I want
> to brand myself as X' or 'but you can't prove people are using fake
> identities'. If you really want to push for the latter, I wouldn't mind
> making some form of identity verification obligatory for everyone.
> However, I doubt that's the result you want.

Happy to hear your personal opinion, but not everyone thinks in the same
way as you. I think the opinion of other people is a valuable opinion,
whatever they say.
What I think we want is more people contributing to Gentoo.

--
======================================
Thanks,
Alice Ferrazzi

Gentoo Kernel Project Leader
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A
======================================