Hi Rich,

Super useful data, I can clearly see how we can extend this to extract more data/metrics around committer/PMC growth as well.

My knowledge is limited. But in this area of software development and compliance and launching global software at the enterprise level I can explain related information. Here's what I understand:

GDPR (General Data Protection Regulation) is a regulatory framework created by the European Union to protect the privacy and personal data of EU citizens. It applies to any organization worldwide that collects, processes, or stores data of EU residents. Key requirements include explicit user consent for data collection, the right to access, correct, and delete personal data, mandatory data breach notifications, data minimization, and purpose limitation, with heavy penalties for non-compliance (up to 4% of global revenue - we are non-profit so don't know :) ).

This creates a conflict for ASF. Contributors voluntarily submit their names/emails, but GDPR requires explicit consent and clarity on how data will be stored or published. If an EU contributor requests deletion, ASF faces a tension: bylaws and open source principles require permanent archives for accountability, while GDPR enforces the ‘Right to be Forgotten.’

*To resolve this, ASF needs to clearly explain how public data is used, stored, and why it cannot be fully deleted, setting expectations before participation/publishing data.*

Cheers,
Kanchana

On Thu, Oct 2, 2025 at 12:20 PM sebb <[email protected]> wrote:

> On Thu, 2 Oct 2025 at 17:20, Rich Bowen <[email protected]> wrote:
> >
> > On Oct 2, 2025, at 11:36 AM, sebb <[email protected]> wrote:
> > >
> > >> Also, I suppose a related question is, do you think anyone would have any objection to their name being listed on such a document on an Apache website? I cannot personally think why they would (and this is all already-public data) but I suppose it is possible that someone might, and I want to be sensitive to that.
> > >
> > > AIUI, just because a particular item of PII is published in one location does not mean it can be published elsewhere.
> >
> > Yeah, that’s what I was a little concerned about. The legalities (and, indeed, just individual preferences or sensitivities) around aggregating metrics remain a bit fuzzy to me. Do you think that this is better kept to myself, then?
> >
> > > Does the data have to be fully public?
> > > Indeed would it mean anything to the general public?
> >
> > I think it’s most valuable to other contributors on the same project - who are not necessarily committers or PMC members. What I’m specifically trying to encourage with this data is for individuals on projects to welcome and celebrate new community participants, and milestones of existing participants, since that kind of recognition tends to lead to higher retention rates, according to research that I’ve seen at several recent conferences. And that is, after all, the mandate of this PMC.
> >
> > But I do want to do this in a way that is respectful to those same contributors.
>
> If I were a new joiner, and I did not want to appear in the listings, I'm not sure I would be happy to have to ask for my data to be omitted.
>
> > —
> > Rich Bowen
> > [email protected]
