1 |
On Tue, 2019-04-09 at 21:13 +0000, Gokturk Yuksek wrote: |
2 |
> > To your second question, you could, but I think that would be wrong and if |
3 |
> > I found out I'd probably talk to you about it and if it continued, I'd |
4 |
> > probably take some kind of remedial action. The intent is to have a |
5 |
> > reasonable suspicion of fraud or wrongdoing, not to do just do it willy |
6 |
> > nilly. |
7 |
> > |
8 |
> > That being said I don't intend to forge a policy that is bullet-proof. If I |
9 |
> > cannot trust fellow project members to act well, they might as well just |
10 |
> > leave the project now. If project members are looking for "a list of rules |
11 |
> > to follow" my only rules are "don't be an ass" and if you are told you are |
12 |
> > being an ass, maybe listen and take that advice as opposed to objecting. |
13 |
> > |
14 |
> |
15 |
> My point about the guidelines is for the concern on the receiving party. |
16 |
> I suspect there may be situations where saying "I'm not convinced that |
17 |
> this is a real name of a person. Would you please provide me a proof of |
18 |
> ID?" is perceived offensive. Guidelines published by the Foundation help |
19 |
> developers justify their stance and ease people into compliance, I think. |
20 |
> |
21 |
> > > > > Additional problem is personal data collection, it is |
22 |
> > > > > restricted or heavily regulated in many countries. One can't just |
23 |
> > > > > demand to show an ID via electronic means without following |
24 |
> > > > > complicated data protection procedures which are likely to be |
25 |
> > > > > incompatible between jurisdictions. |
26 |
> > > > |
27 |
> > > > Do you have any proof of that, or are you just basing your comments |
28 |
> > > > on the common concept of misunderstanding GDPR and extending it to match |
29 |
> > > > your private interest? |
30 |
> > > > |
31 |
> > > |
32 |
> > > At the very least, insecure transportation and storage of legal |
33 |
> > > documents has a potential to lead to identity theft, which makes it a |
34 |
> > > legal liability in and of itself. I don't think we should be dismissive |
35 |
> > > on this point. |
36 |
> > > |
37 |
> > |
38 |
> > I don't believe any policies require collecting personal data currently. |
39 |
> > |
40 |
> |
41 |
> If I have suspicions about a contributor's identity, would you advise me |
42 |
> on a method of validation that doesn't require the electronic transfer |
43 |
> of a government approved identification? |
44 |
|
45 |
My suggestion would be to use the solution that's been there for years |
46 |
-- OpenPGP web of trust. Establish a path of trust and/or keysign with |
47 |
the person in question. This naturally involves verifying one's ID, |
48 |
and reduces the risk of stealing personal data to the minimum. |
49 |
|
50 |
> > The Foundation has always carried legal risk. Only recently have we |
51 |
> > (through the awesome work of ulm@ and others) had a policy to help mitigate |
52 |
> > it. These contributors have not 'suddenly become a legal risk' but instead |
53 |
> > the community (council and foundation combined) have adopted a more |
54 |
> > risk-averse stance by adopting GLEP-76 and that results in some |
55 |
> > contributors being unable to contribute. I'm not sure what else needs to be |
56 |
> > explained. |
57 |
> > |
58 |
> > |
59 |
> |
60 |
> To the best of my knowledge, the Foundation has a long established |
61 |
> practice of allowing developers to use pseudonyms on the condition that |
62 |
> they reveal their legal identity to the Foundation for legal protection. |
63 |
> Was the exclusion of developers with pseudonyms as per GLEP76 a result |
64 |
> of a conclusion that the Foundation being informed about developers |
65 |
> legal identity wrt copyright infringement carries more risk compared to |
66 |
> their total exclusion from development? |
67 |
|
68 |
Did you read the Linux policy? It is clear: the problem's not |
69 |
Foundation knowing, it's *community* knowing. Foundation is just |
70 |
a temporary opaque body that's going to be dissolved one day. Code's |
71 |
going to live much longer, and it needs to be sustainable without having |
72 |
to refer to secret records of the Foundation. |
73 |
|
74 |
> > If you want to make a point that Gentoo leadership is bad at making |
75 |
> > opposing feelings heard, well I'd probably agree with you (this thread is |
76 |
> > one such example.) If you want to make some kind of point that "having an |
77 |
> > opinion heard means we change the policy to suit that opinion" then I think |
78 |
> > we just disagree on that point. Don't make it out like we made the decision |
79 |
> > without thinking of anonymous / pseudonymous contributors; numerous |
80 |
> > discussions were had about them and we could not find a way to include them |
81 |
> > in the policy. |
82 |
> > |
83 |
> > That doesn't mean we didn't hear their thoughts and objections though. |
84 |
> > |
85 |
> Perhaps the people I talked to didn't find the right people to talk to |
86 |
> before me. I'm not trying to paint the leadership as ignorant or bad. I |
87 |
> understand that this is all volunteer work first and foremost. I wasn't |
88 |
> implying to enact a change in the policy on the basis that people's |
89 |
> opinions haven't been sufficiently heard. |
90 |
> |
91 |
|
92 |
Perhaps the person you talked to don't 'take no for an answer'. |
93 |
If the policy works for the majority of people, and there are only few |
94 |
who disagree with it (no matter how much they try to exaggerate it), |
95 |
and most of those few so far have failed to provide a really good |
96 |
argument why they can't do it, then I'm sorry but that's just how things |
97 |
work. |
98 |
|
99 |
I'm certainly against changing the policy on arguments like 'but I want |
100 |
to brand myself as X' or 'but you can't prove people are using fake |
101 |
identities'. If you really want to push for the latter, I wouldn't mind |
102 |
making some form of identity verification obligatory for everyone. |
103 |
However, I doubt that's the result you want. |
104 |
|
105 |
-- |
106 |
Best regards, |
107 |
Michał Górny |