From: Kristian Fiskerstrand
To: gentoo-project@lists.gentoo.org, Rich Freeman
Subject: Re: [gentoo-project] Date-of-birth in developer applications
Date: Wed, 20 Jun 2018 13:12:25 +0200
Message-ID: <29af132e-824d-3be5-9d11-3c80880ce9be@gentoo.org>

On 06/20/2018 12:52 PM, Rich Freeman wrote:
> On Wed, Jun 20, 2018 at 4:32 AM Michał Górny wrote:
>>
>> Please tell me, how many times did we have to disambiguate two
>> developers using the same name? Even if we ever have to do that, do you
>> really think we'd use one's birthday all over the place?
>
> Even if we've had two people from the same location with the same
> name, WHY would we ever have to use their date of birth to identify
> them? We already have their nicks which is what we use internally,
> and those are always unique.

One morbid example would be someone getting a stone in the back of their
head, at which point the nick will likely not help much... But the
underlying need is likely to arise more due to other circumstances for
needing to contact, say a retired dev needs to provide evidence in a
copyright case and we need to track them down to get said statement.

>
> And if we DID have to identify a specific individual legally, then why
> aren't we collecting government ID numbers, which actually do the job
> a LOT better than DOB?

Storing those would require much higher security than a simple DOB

>
> As far as I'm aware, under most privacy laws and policies I've seen,
> name+DOB is just as sensitive as a government ID number. If
> collecting the latter makes you recoil in horror, then you should be
> just as concerned about DOB collection.

I'm not, but views of trustees might differ on that; we have reasons to
collect it, it is part of recruiting process known to developer, so the
legal matter wouldn't be on the collecting part but the storage part,
and here they differ quite a lot in practice (although it shouldn't as
even SSN is just a Primary Key in theory).

> Just ask put on the dev application a certification that they are
> legally allowed to sign agreements. That depends on more than just
> age anyway.

The latter is an interesting point.

>
> Could somebody lie? Sure, just as they can lie today about their DOB.

I'm not too concerned about misrepresentation, there are other ways to
pursue that, but at least there is an element of CYA.

>
> This is just reasonable care. I don't think there is any expectation
> by anybody that we have a higher level of certainty that our
> developers are able to sign things (DCOs or otherwise - which are also
> just reasonable care, unless we intend to start doing in-depth reviews
> of every commit).
>
> If we did need a higher level of certainty, then just asking for DOB
> won't cut it. We'd need to verify IDs, take at least some level of
> care that they aren't mentally incapacitated, and know the local age
> of being able to sign such agreements.

Indeed

>
> I think we need to take a step back and consider the threat model
> here. What is the threat we need to protect against? Is collecting
> DOB an effective but least-intrusive way of mitigating that threat?
>

This is always a good question, discussions are always helpful to
determine that.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3