Debian Project Leader election 2022: First call for votes
Hi,

This is the first call for votes for the 2022 Debian Project Leader election.

Voting period starts 2022-04-03 00:00:00 UTC
Votes must be received by 2022-04-16 23:59:59 UTC

This vote is being conducted as required by the Debian Constitution. You may see the constitution at https://www.debian.org/devel/constitution. For voting questions or problems contact secret...@debian.org.

The details of the candidate's platform can be found at: https://www.debian.org/vote/2022/platforms/

Also, note that you can get a fresh ballot any time before the end of the vote by sending a mail to bal...@vote.debian.org with the subject "leader2022".

To vote you need to be a Debian Developer.

HOW TO VOTE

First, read the full text of the platform. You might also want to read discussions with the candidates at https://lists.debian.org/debian-vote/

To cast a vote, it is necessary to send this ballot filled out to a dedicated e-mail address, in a signed message, as described below. The dedicated email address this ballot should be sent to is:

leader2...@vote.debian.org

The form you need to fill out is contained at the bottom of this message, marked with two lines containing the characters '-=-=-=-=-=-'. Do not erase anything between those lines, and do not change the choice names.

There are 4 choices in the form, which you may rank with numbers between 1 and 4. In the brackets next to your preferred choice, place a 1. Place a 2 in the brackets next to your next choice. Continue until you reach your last choice. Do not enter a number smaller than 1 or larger than 4.

You may skip numbers, leave some choices unranked, and rank options equally. Unranked choices are considered equally the least desired choices, and ranked below all ranked choices.

To vote "no, no matter what", rank "None of the above" as more desirable than the unacceptable choices, or you may rank the "None of the above" choice and leave choices you consider unacceptable blank.

(Note: if the "None of the above" choice is unranked, then it is equal to all other unranked choices, if any -- no special consideration is given to the "None of the above" choice by the voting software).

Finally, mail the filled out ballot to: leader2...@vote.debian.org.

Don't worry about spacing of the columns or any quote characters (">") that your reply inserts.

NOTE: The vote must be GPG signed (or PGP signed) with your key that is in the Debian keyring. You may, if you wish, choose to send a signed, encrypted ballot: use the vote key appended below for encryption.

The voting software (Devotee) accepts mail that either contains only an unmangled OpenPGP message (RFC 2440 compliant), or a PGP/MIME mail (RFC 3156 compliant). To avoid problems I suggest you use PGP/MIME.

VOTING SECRECY

This is a secret vote. After the voting period there will be a record of all the votes without the name of the voter. It will instead contain a cryptographic hash. You will receive a secret after you have voted that can be used to calculate that hash. This allows you to verify that your vote is in the list.

VOTING FORM

- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
8802d270-eac5-4cbe-b2f4-1c4e4bba968f
[ ] Choice 1: Felix Lechner
[ ] Choice 2: Jonathan Carter
[ ] Choice 3: Hideki Yamane
[ ] Choice 4: None Of The Above
- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-

--
The responses to a valid vote shall be signed by the vote key created for this vote. The public key for the vote, signed by the Project secretary, is appended below.
DPL vote draft ballot
Hi,

Here is the draft ballot.

Voting period starts 2022-04-03 00:00:00 UTC
Votes must be received by 2022-04-16 23:59:59 UTC

This vote is being conducted as required by the Debian Constitution. You may see the constitution at https://www.debian.org/devel/constitution. For voting questions or problems contact secret...@debian.org.

The details of the candidate's platform can be found at: https://www.debian.org/vote/2022/platforms/

Also, note that you can get a fresh ballot any time before the end of the vote by sending a mail to bal...@vote.debian.org with the subject "leader2022".

To vote you need to be a Debian Developer.

HOW TO VOTE

First, read the full text of the platform. You might also want to read discussions with the candidates at https://lists.debian.org/debian-vote/

To cast a vote, it is necessary to send this ballot filled out to a dedicated e-mail address, in a signed message, as described below. The dedicated email address this ballot should be sent to is:

leader2...@vote.debian.org

The form you need to fill out is contained at the bottom of this message, marked with two lines containing the characters '-=-=-=-=-=-'. Do not erase anything between those lines, and do not change the choice names.

There are 4 choices in the form, which you may rank with numbers between 1 and 4. In the brackets next to your preferred choice, place a 1. Place a 2 in the brackets next to your next choice. Continue until you reach your last choice. Do not enter a number smaller than 1 or larger than 4.

You may skip numbers, leave some choices unranked, and rank options equally. Unranked choices are considered equally the least desired choices, and ranked below all ranked choices.

To vote "no, no matter what", rank "None of the above" as more desirable than the unacceptable choices, or you may rank the "None of the above" choice and leave choices you consider unacceptable blank.

(Note: if the "None of the above" choice is unranked, then it is equal to all other unranked choices, if any -- no special consideration is given to the "None of the above" choice by the voting software).

Finally, mail the filled out ballot to: leader2...@vote.debian.org.

Don't worry about spacing of the columns or any quote characters (">") that your reply inserts.

NOTE: The vote must be GPG signed (or PGP signed) with your key that is in the Debian keyring. You may, if you wish, choose to send a signed, encrypted ballot: use the vote key appended below for encryption.

The voting software (Devotee) accepts mail that either contains only an unmangled OpenPGP message (RFC 2440 compliant), or a PGP/MIME mail (RFC 3156 compliant). To avoid problems I suggest you use PGP/MIME.

VOTING SECRECY

This is a secret vote. After the voting period there will be a record of all the votes without the name of the voter. It will instead contain a cryptographic hash. You will receive a secret after you have voted that can be used to calculate that hash. This allows you to verify that your vote is in the list.

VOTING FORM

- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
8802d270-eac5-4cbe-b2f4-1c4e4bba968f
[ ] Choice 1: Felix Lechner
[ ] Choice 2: Jonathan Carter
[ ] Choice 3: Hideki Yamane
[ ] Choice 4: None Of The Above
- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-

--
The responses to a valid vote shall be signed by the vote key created for this vote. The public key for the vote, signed by the Project secretary, is appended below.
Re: Question to all candidates: GDPR compliance review
On Sat, Apr 02, 2022 at 12:21:24PM +0200, Christian Kastner wrote:
> On 2022-04-02 10:55, Adrian Bunk wrote:
> > Where does our Privacy Policy[1] describe personal data where Debian and
> > the community team are joint controllers?
>
> > Where does our Privacy Policy describe personal data where Debian and
> > DAM are joint controllers?
>
> Has it been established yet that Debian fits the definition of a
> controller as per Article 4 lit. 7 GDPR?
>
> I can see DAM, or CT, or the DPL possibly being controllers.

What is the identity of DAM or CT?
Likely each individual team member is a controller.

If a person has suffered material or non-material damage as a result of a GDPR infringement, each controller or processor can be held liable for compensation of the entire damage (Article 82(4)).

> But
> without some form of officially recognized organization, I don't see how
> Debian could be one. "Debian" doesn't even have an address, you couldn't
> even determine which data protection authority has jurisdiction.

What is "The Debian Project" in the Privacy Policy[2]?

Providing the identity and the contact details of the controller is mandatory for processing of personal data (Articles 13(1)(a) and 14(1)(a)), failure to do so is subject to administrative fines of up to 20 Million Euro (Article 83(5)(b)).

> This is just one of the things that, I think, would be a lot simpler if
> Debian would register as an organization, hence my question [1] to the
> candidates.
>...

This is likely required and desirable, as was also discussed in the thread starting with [3].

cu
Adrian

[1] Here in Finland the threshold for gift tax is 5000 Euro.
[2] https://www.debian.org/legal/privacy
[3] https://lists.debian.org/debian-project/2022/03/msg8.html
Re: Question to all candidates: GDPR compliance review
Hi Adrian,

On Fri, 2022-04-01 at 23:48 +0300, Adrian Bunk wrote:
> Will this handwritten note be available through
> contributors.debian.org?
>
> If the personal information in the handwritten note did not come
> directly from the person, who at Debian is responsible to ensure that
> the person gets informed automatically about the existence of the
> note when it is written?
>
> Same questions, with "local file" instead of "handwritten note".
>
> Same questions, with "stored on a Debian machine".

I am fairly confident you store personal data about me. Could you please provide some information about it?

Do you publish a privacy policy?
What data do you store? (Please don't send a copy to the list; private mail is okay.)
On what legal basis is the data processed?
Where is the data physically stored?
Who besides you has access to the data?
For what purposes might the data be used?
What retention period is defined for the data?
Why was I not informed that data about me is being stored?

Ansgar
Re: Question to all candidates: GDPR compliance review
On 2022-04-02 10:55, Adrian Bunk wrote:
> Where does our Privacy Policy[1] describe personal data where Debian and
> the community team are joint controllers?

> Where does our Privacy Policy describe personal data where Debian and
> DAM are joint controllers?

Has it been established yet that Debian fits the definition of a controller as per Article 4 lit. 7 GDPR?

I can see DAM, or CT, or the DPL possibly being controllers. But without some form of officially recognized organization, I don't see how Debian could be one. "Debian" doesn't even have an address, you couldn't even determine which data protection authority has jurisdiction.

This is just one of the things that, I think, would be a lot simpler if Debian would register as an organization, hence my question [1] to the candidates.

[1] https://lists.debian.org/debian-vote/2022/03/msg00135.html
Re: Question to all candidates: GDPR compliance review
On Fri, Apr 01, 2022 at 09:25:46PM +0200, Jonathan Carter wrote:
> On 2022/04/01 20:28, Adrian Bunk wrote:
> > Would you commit to something more specific, like that our Data
> > Protection team will reply to debian-project within 3 months discussing
> > all issues mentioned in the discussion at [1] so far, and with their
> > reply having been proof-read by our GDPR lawyer?
>
> > [1]https://lists.debian.org/debian-project/2022/03/msg8.html
>
> That mail asks a bunch of very, very broad questions. My opinion is that
> it's better to direct specific problems at the data protection team as
> noodles suggested.

Then let's start with some very specific questions based on the email I just sent to Sam:

Where does our Privacy Policy[1] describe personal data where Debian and the community team are joint controllers?
On what legal basis is the data processed?
Where is the data physically stored?
Who has access to the data?
For what purposes might the data be used?
What retention period is defined for the data?
How are people being informed when data about them is being stored?

Where does our Privacy Policy describe personal data where Debian and DAM are joint controllers?
On what legal basis is the data processed?
Where is the data physically stored?
Who has access to the data?
For what purposes might the data be used?
What retention period is defined for the data?
How are people being informed when data about them is being stored?

These are specific questions about items that are supposed to be written in our Privacy Policy.

> -Jonathan

cu
Adrian

[1] https://www.debian.org/legal/privacy
Re: Question to all candidates: GDPR compliance review
On Fri, Apr 01, 2022 at 04:57:38PM -0600, Sam Hartman wrote:
> > "Adrian" == Adrian Bunk writes:
> Adrian> Your "services" approach does not work for the non-trivial
> Adrian> cases where Debian might be a (joint) controller of personal
> Adrian> data.
>
> Adrian> The Debian Community Team promises confidentiality regarding
> Adrian> personal information they receive about other people,[1]
> Adrian> which conflicts with the legal obligation of informing the
> Adrian> person about whom personal information is being processed or
> Adrian> stored.
>
> Based on legal advice I received while acting as DPL, the above is not
> correct.
> Most of the information the community team process is not information we
> would need to disclose in response to a GDPR subject access request.

Where does Debian's Privacy Policy[1] describe this personal data where Debian and the community team are joint controllers?
Where is the data stored?
Who has access to the data?
For what purposes might the data be used?
What retention period is defined for the data?

> Debian has already dealt with at least one subject access request that
> dealt significantly with information held by DAM in its role as a
> delegated team.

Where does Debian's Privacy Policy[1] describe this personal data where Debian and DAM are joint controllers?

> Some of that information was responsive; some of that information was
> covered by exceptions.

This covers only a part where Debian might be compliant with the law.

>...
> > If the personal information in the handwritten note did not come
> > directly from the person, who at Debian is responsible to ensure that
> > the person gets informed automatically about the existence of the note
> > when it is written?
>...

Exceptions might cover not having to disclose the contents of the data in some cases, but I would still expect that the person has to be informed that information exists.

See [2] for background in what context I started thinking about these issues.

>...
> The data protection team was looped into the process we and our lawyer
> used in responding to the request.
> The data protection team (and my successor as DPL) received copies of
> the legal advice we received.

Are you saying that all handling of personal data in Debian is following the law, or are you just trying to make me stop asking inconvenient questions?

I am feeling stonewalled and stalled regarding any attempts of receiving a review of handling of personal data in Debian, with a schedule that would be appropriate for potential illegal activity.

I would like to emphasize and repeat [3,4]:

IANAL and it is more likely than not that some things I am writing are not correct. What I want is to see the results of a proper review by an actual lawyer.

If I fail to achieve visible progress on this topic inside Debian, the obvious option for getting a second opinion is to make a formal request for all personal data about me in Debian, followed by asking my questions to the Finnish Data Protection Ombudsman.

If everything I am writing is just wrong, then I will be told just that by the ombudsman.

> --Sam

cu
Adrian

[1] https://www.debian.org/legal/privacy
[2] https://lists.debian.org/debian-project/2022/03/msg00010.html
[3] https://lists.debian.org/debian-project/2022/03/msg8.html
[4] https://lists.debian.org/debian-vote/2022/03/msg00270.html