| 1 |
On Tue, 2019-04-09 at 21:13 +0000, Gokturk Yuksek wrote: |
| 2 |
> > To your second question, you could, but I think that would be wrong and if |
| 3 |
> > I found out I'd probably talk to you about it and if it continued, I'd |
| 4 |
> > probably take some kind of remedial action. The intent is to have a |
| 5 |
> > reasonable suspicion of fraud or wrongdoing, not to do just do it willy |
| 6 |
> > nilly. |
| 7 |
> > |
| 8 |
> > That being said I don't intend to forge a policy that is bullet-proof. If I |
| 9 |
> > cannot trust fellow project members to act well, they might as well just |
| 10 |
> > leave the project now. If project members are looking for "a list of rules |
| 11 |
> > to follow" my only rules are "don't be an ass" and if you are told you are |
| 12 |
> > being an ass, maybe listen and take that advice as opposed to objecting. |
| 13 |
> > |
| 14 |
> |
| 15 |
> My point about the guidelines is for the concern on the receiving party. |
| 16 |
> I suspect there may be situations where saying "I'm not convinced that |
| 17 |
> this is a real name of a person. Would you please provide me a proof of |
| 18 |
> ID?" is perceived offensive. Guidelines published by the Foundation help |
| 19 |
> developers justify their stance and ease people into compliance, I think. |
| 20 |
> |
| 21 |
> > > > > Additional problem is personal data collection, it is |
| 22 |
> > > > > restricted or heavily regulated in many countries. One can't just |
| 23 |
> > > > > demand to show an ID via electronic means without following |
| 24 |
> > > > > complicated data protection procedures which are likely to be |
| 25 |
> > > > > incompatible between jurisdictions. |
| 26 |
> > > > |
| 27 |
> > > > Do you have any proof of that, or are you just basing your comments |
| 28 |
> > > > on the common concept of misunderstanding GDPR and extending it to match |
| 29 |
> > > > your private interest? |
| 30 |
> > > > |
| 31 |
> > > |
| 32 |
> > > At the very least, insecure transportation and storage of legal |
| 33 |
> > > documents has a potential to lead to identity theft, which makes it a |
| 34 |
> > > legal liability in and of itself. I don't think we should be dismissive |
| 35 |
> > > on this point. |
| 36 |
> > > |
| 37 |
> > |
| 38 |
> > I don't believe any policies require collecting personal data currently. |
| 39 |
> > |
| 40 |
> |
| 41 |
> If I have suspicions about a contributor's identity, would you advise me |
| 42 |
> on a method of validation that doesn't require the electronic transfer |
| 43 |
> of a government approved identification? |
| 44 |
|
| 45 |
My suggestion would be to use the solution that's been there for years |
| 46 |
-- OpenPGP web of trust. Establish a path of trust and/or keysign with |
| 47 |
the person in question. This naturally involves verifying one's ID, |
| 48 |
and reduces the risk of stealing personal data to the minimum. |
| 49 |
|
| 50 |
> > The Foundation has always carried legal risk. Only recently have we |
| 51 |
> > (through the awesome work of ulm@ and others) had a policy to help mitigate |
| 52 |
> > it. These contributors have not 'suddenly become a legal risk' but instead |
| 53 |
> > the community (council and foundation combined) have adopted a more |
| 54 |
> > risk-averse stance by adopting GLEP-76 and that results in some |
| 55 |
> > contributors being unable to contribute. I'm not sure what else needs to be |
| 56 |
> > explained. |
| 57 |
> > |
| 58 |
> > |
| 59 |
> |
| 60 |
> To the best of my knowledge, the Foundation has a long established |
| 61 |
> practice of allowing developers to use pseudonyms on the condition that |
| 62 |
> they reveal their legal identity to the Foundation for legal protection. |
| 63 |
> Was the exclusion of developers with pseudonyms as per GLEP76 a result |
| 64 |
> of a conclusion that the Foundation being informed about developers |
| 65 |
> legal identity wrt copyright infringement carries more risk compared to |
| 66 |
> their total exclusion from development? |
| 67 |
|
| 68 |
Did you read the Linux policy? It is clear: the problem's not |
| 69 |
Foundation knowing, it's *community* knowing. Foundation is just |
| 70 |
a temporary opaque body that's going to be dissolved one day. Code's |
| 71 |
going to live much longer, and it needs to be sustainable without having |
| 72 |
to refer to secret records of the Foundation. |
| 73 |
|
| 74 |
> > If you want to make a point that Gentoo leadership is bad at making |
| 75 |
> > opposing feelings heard, well I'd probably agree with you (this thread is |
| 76 |
> > one such example.) If you want to make some kind of point that "having an |
| 77 |
> > opinion heard means we change the policy to suit that opinion" then I think |
| 78 |
> > we just disagree on that point. Don't make it out like we made the decision |
| 79 |
> > without thinking of anonymous / pseudonymous contributors; numerous |
| 80 |
> > discussions were had about them and we could not find a way to include them |
| 81 |
> > in the policy. |
| 82 |
> > |
| 83 |
> > That doesn't mean we didn't hear their thoughts and objections though. |
| 84 |
> > |
| 85 |
> Perhaps the people I talked to didn't find the right people to talk to |
| 86 |
> before me. I'm not trying to paint the leadership as ignorant or bad. I |
| 87 |
> understand that this is all volunteer work first and foremost. I wasn't |
| 88 |
> implying to enact a change in the policy on the basis that people's |
| 89 |
> opinions haven't been sufficiently heard. |
| 90 |
> |
| 91 |
|
| 92 |
Perhaps the person you talked to don't 'take no for an answer'. |
| 93 |
If the policy works for the majority of people, and there are only few |
| 94 |
who disagree with it (no matter how much they try to exaggerate it), |
| 95 |
and most of those few so far have failed to provide a really good |
| 96 |
argument why they can't do it, then I'm sorry but that's just how things |
| 97 |
work. |
| 98 |
|
| 99 |
I'm certainly against changing the policy on arguments like 'but I want |
| 100 |
to brand myself as X' or 'but you can't prove people are using fake |
| 101 |
identities'. If you really want to push for the latter, I wouldn't mind |
| 102 |
making some form of identity verification obligatory for everyone. |
| 103 |
However, I doubt that's the result you want. |
| 104 |
|
| 105 |
-- |
| 106 |
Best regards, |
| 107 |
Michał Górny |
Archives