I am not.a lawyer, but I don't think we publish any "new" information - this information is fully available to anyone who is reading (public) github API so it's already published. It's as easy as:
``` git clone URL (might be our public gitbox) git --no-pager log --pretty=format:"%h %an <%ae>" | sort | uniq ``` We are just providing an aggregation of this information. And we already did for years in not-so-distant-past - for many years our newsletter contained the most information about top 5 (I think) contributors. I don't think those reports provide "more" information than the one that is already public (and with explicitl consent of the user who sets "name" and "email" in their commits to public repository. It's also already available in countless aggregations summaries and statistics that various people do with that data - say https://insights.linuxfoundation.org/ for example. if someone does not want to, they are completely free to set their name/email to **anything they want** when they make commit. That's a very good privacy protection when they want to contirbute things and keep their privacy - but once you committed to a repo with your real name / email, it's **done**. you committed to it, and it's public. And telling that you committed "x" commits does not make it any more public than counting `git --no-pager log --pretty=format:"%h %an <%ae>"` that include your name/email. There might be some concerns whether you want to be "compared" with others publcly, but that's a different story. IMHO it does not change the PII status - since you are just aggregating things and your PII data (for the same things - commits to a specific repo) is alrady published. But maybe I am ignorant here - what's the source of your assumption that it might be different Sebb? Any prior art or specific chapters of GDPR regulation that made you think differently ? I am curious, as it's quite counterintuitive, but I am sure you have a reason to believe it is problematic? J. On Sat, Oct 4, 2025 at 10:27 AM Travis Wright <[email protected]> wrote: > What the fuk > > On Sat, Oct 4, 2025, 11:05 AM sebb <[email protected]> wrote: > > > On Sat, 4 Oct 2025 at 02:44, Craig Russell <[email protected]> wrote: > > > > > > > > > > > > > On Oct 2, 2025, at 09:58, sebb <[email protected]> wrote: > > > > > > > > On Thu, 2 Oct 2025 at 17:20, Rich Bowen <[email protected]> wrote: > > > >> > > > >> On Oct 2, 2025, at 11:36 AM, sebb <[email protected]> wrote: > > > >>> > > > >>>> Also, I suppose a related question is, do you think anyone would > > have any objection to their name being listed on such a document on an > > Apache website? I cannot personally think why they would (and this is all > > already-public data) but I suppose it is possible that someone might, > and I > > want to be sensitive to that. > > > >>> > > > >>> AIUI, just because a particular item of PII is published in one > > > >>> location does not mean it can be published elsewhere. > > > >> > > > >> Yeah, that’s what I was a little concerned about. The legalities > > (and, indeed, just individual preferences or sensitivities) around > > aggregating metrics remains a bit fuzzy to me. Do you think that this is > > better kept to myself, then? > > > >> > > > >>> Does the data have to be fully public? > > > >>> Indeed would it mean anything to the general public? > > > >> > > > >> > > > >> I think it’s most valuable to other contributors on the same project > > - who are not necessarily committers or PMC members. What I’m > specifically > > trying to encourage with this data is for individuals on projects to > > welcome and celebrate new community participants, and milestones of > > existing participants, since that kind of recognition tends to lead to > > higher retention rates, according to research that I’ve seen at several > > recent conferences. And that is, after all, the mandate of this PMC. > > > >> > > > >> But I do want to do this in a way that is respectful to those same > > contributors. > > > > > > > > I were a new joiner, and I did not want to appear in the listings, > I'm > > > > not sure I would be happy to have to ask for my data to be omitted. > > > > > > What we do know is that the contributors' github id and email address > > are public, assuming they appear in communications to the project's > public > > mail lists. So I have no privacy concerns "publishing" these bits of PII > > after they are already public. > > > > I thought once, but AIUI now, publication in one arena does not give > > carte blanche to publication anywhere else. > > > > > In any event, at the time when they accept an invitation for committer, > > these bits will necessarily become public via announcement that they have > > been voted and accepted for committer. > > > > There's also big a difference between being published as one name in > > hundreds or thousands of others, and as one name in a handful. > > > > > Craig > > > > > > > > > > >> — > > > >> Rich Bowen > > > >> [email protected] > > > >> > > > >> > > > >> > > > >> > > > > > > > > --------------------------------------------------------------------- > > > > To unsubscribe, e-mail: [email protected] > > > > For additional commands, e-mail: [email protected] > > > > > > > > > > Craig L Russell > > > [email protected] > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > >
