On Tue, Apr 17 2018, Peter Backes wrote:
> I'd like to ask whether anyone has best practices for achieving GDPR
> compliance for git repos? The GDPR will come into effect in the EU next
> month.
>
> In particular, how do you cope with the "Right to erasure" concerning
> entries in the history of
On Tue, Apr 17, 2018 at 11:38:26PM +0200, Ævar Arnfjörð Bjarmason wrote:
> I've been loosely following a similar discussion around blockchains and
> my understanding of the situation is that for a project such as say
> Linux the GDPR gives you this potential out for that[1]:
>
> "the personal
Hi,
Unfortunatly this important topic of GDPR compliance has not seen much
interest.
After asking github about how they would cope with the issue of erasing
the author field, they changed their privacy policy, which now
clarifies that this won't be done.
My guess is that this would ultimately
On Sun, Jun 03 2018, Peter Backes wrote:
> Unfortunatly this important topic of GDPR compliance has not seen much
> interest.
I don't think you can infer that there's not much interest, but maybe
people just don't have anything to say about it.
There's a lot of discussions about this that I've
On Sun, Jun 03, 2018 at 12:45:25PM +0200, Ævar Arnfjörð Bjarmason wrote:
> protection". I.e. regulators / prosecutors are much likely to go after
> some advertising company than some project using a Git repo.
Well, it is indeed rather unlikely that one particular git repo project
will be targeted
On Sun, Jun 03 2018, Peter Backes wrote:
> On Sun, Jun 03, 2018 at 12:45:25PM +0200, Ævar Arnfjörð Bjarmason wrote:
>> protection". I.e. regulators / prosecutors are much likely to go after
>> some advertising company than some project using a Git repo.
>
> Well, it is indeed rather unlikely tha
On Sun, Jun 03, 2018 at 02:59:26PM +0200, Ævar Arnfjörð Bjarmason wrote:
> I'm not trying to be selfish, I'm just trying to counter your literal
> reading of the law with a comment of "it'll depend".
>
> Just like there's a law against public urination in many places, but
> this is applied very di
From: "Peter Backes"
On Sun, Jun 03, 2018 at 02:59:26PM +0200, Ævar Arnfjörð Bjarmason wrote:
I'm not trying to be selfish, I'm just trying to counter your literal
reading of the law with a comment of "it'll depend".
Just like there's a law against public urination in many places, but
this is
On Sun, Jun 03, 2018 at 04:28:31PM +0100, Philip Oakley wrote:
> In most Git cases that legal/legitimate purpose is the copyright licence,
> and/or corporate employment. That is, Jane wrote it, hence X has a legal
> rights of use, and we need to have a record of that (Jane wrote it) as
> evidence o
correcting a negative /with/without/ and inserting a comma.
- Original Message -
From: "Philip Oakley"
[snip]
From a personal view, many folk want it to be that corporates (and open
source organisations) should hold no personal information with having
s/with/without/
explicit permi
On Sun, Jun 03, 2018 at 07:46:17PM +0200, Peter Backes wrote:
>
> Let's be honest: We do not know what legitimization exactly in each
> specific case the git metadata is being distributed under.
It seems like you are engaging in something even more dangerous than a
hardware engineering pretendin
On Sun, Jun 03, 2018 at 02:18:07PM -0400, Theodore Y. Ts'o wrote:
> I would gently suggest that if you really want to engage in something
> practical than speculating how the GPDR compliance will work out in
> actual practice, that you contact a lawyer and get official legal
> advice?
I completely
Addendum:
I one discussed with a philosopher the question: What is your argument
against libertarianism?
He said: It would be a tyranny of lawyers.
Let's not have a tyranny of lawyers. Let us, the engineers and hackers,
exercise the necessary control over those pesky lawyers by defining and
r
On Sun, Jun 03 2018, Peter Backes wrote:
> On Sun, Jun 03, 2018 at 02:59:26PM +0200, Ævar Arnfjörð Bjarmason wrote:
>> I'm not trying to be selfish, I'm just trying to counter your literal
>> reading of the law with a comment of "it'll depend".
>>
>> Just like there's a law against public urinat
On Sun, Jun 03, 2018 at 09:24:17PM +0200, Peter Backes wrote:
>
> He said: It would be a tyranny of lawyers.
>
> Let's not have a tyranny of lawyers. Let us, the engineers and hackers,
> exercise the necessary control over those pesky lawyers by defining and
> redefining the state of the art in
On Sun, Jun 03, 2018 at 09:48:16PM +0200, Ævar Arnfjörð Bjarmason wrote:
> Sure, but what I'm pointing out is a) you can't focus on git as the
> technology because it tells you nothing about what's being done with it
> (e.g. the log file case I mentioned b) nobody who came up with the GDPR
> was co
On Sun, Jun 03, 2018 at 04:07:39PM -0400, Theodore Y. Ts'o wrote:
> Why don't you try to implement your proposal then, and then benchmark
> it. After you find out how much of a performance disaster it's going
> to be, especially for large git repos, we can discuss who is being
> tyrannical.
See,
On Sun, Jun 03, 2018 at 10:52:33PM +02h00, hPeter Backes wrote:
> But I will take your message as saying you at least don't see any
> obvious criticism leading to complete rejection of the approach.
If you don't think a potential 2x -- 10x performance hit isn't a
blocking factor --- sure, go ahea
On Sun, Jun 03, 2018 at 05:03:44PM -0400, Theodore Y. Ts'o wrote:
> If you don't think a potential 2x -- 10x performance hit isn't a
> blocking factor --- sure, go ahead and try implementing it. And good
> luck to you. And this is not a guarantee that it won't get rejected.
> I certainly don't ha
From: "Peter Backes"
On Sun, Jun 03, 2018 at 04:28:31PM +0100, Philip Oakley wrote:
In most Git cases that legal/legitimate purpose is the copyright licence,
and/or corporate employment. That is, Jane wrote it, hence X has a legal
rights of use, and we need to have a record of that (Jane wrote
On Sun, Jun 03, 2018 at 11:28:43PM +0100, Philip Oakley wrote:
> It is here that Article 6 kicks in as to whether the 'organisation' can
> retain the data and continue to use it.
Article 6 is not about continuing to use data. Article 6 is about
having and even obtaining it in the first place.
Ar
Hi Peter,
(lost the cc's)
From: "Peter Backes"
On Sun, Jun 03, 2018 at 11:28:43PM +0100, Philip Oakley wrote:
It is here that Article 6 kicks in as to whether the 'organisation' can
retain the data and continue to use it.
Article 6 is not about continuing to use data. Article 6 is about
havi
On Mon, Jun 04, 2018 at 12:16:16AM +0200, Peter Backes wrote:
>
> Verifying the commit ID by itself wouldn't be any less efficient than
> before. Admitteldly, it wouldn't verify the author and authordate
> integrity anymore without additional work. That would be some overhead,
> sure, and could
On Mon, Jun 04, 2018 at 09:47:18AM -0400, Theodore Y. Ts'o wrote:
> For people who are doing real work on git repos, other commands that
> we very much care about include "git log --author=", "git
> tag --contains", "git blame", etc.
I do not see how those, or anything but git clone (and even that
I'm going to take the risk of inserting actual real-world data into the mix
rather than just speculation :-)
Here is an example of that the Rsyslog project is doing (main developers based
in Germany). I'll say as someone who's day job has been very involved with GDPR
stuff recently, this looks
Hi David,
thanks for your input on the issue.
> LEGAL GDPR NOTICE:
> According to the European data protection laws (GDPR), we would like to make
> you
> aware that contributing to rsyslog via git will permanently store the
> name and email address you provide as well as the actual commit and th
Hi Peter, David,
I thought that the legal notice (aka 'disclaimer') was pretty reaonable.
Some of Peter's fine distinctions may be technically valid, but that does
not stop there being legal grounds. The proof of copyright is a legal
grounds.
Unfortunately once one gets into legal nitpicking
On Thu, Jun 07, 2018 at 10:28:47PM +0100, Philip Oakley wrote:
> Some of Peter's fine distinctions may be technically valid, but that does
> not stop there being legal grounds. The proof of copyright is a legal
> grounds.
Again: The GDPR certainly allows you to keep a proof of copyright
privately
On Fri, 8 Jun 2018, Peter Backes wrote:
On Thu, Jun 07, 2018 at 10:28:47PM +0100, Philip Oakley wrote:
Some of Peter's fine distinctions may be technically valid, but that does
not stop there being legal grounds. The proof of copyright is a legal
grounds.
Again: The GDPR certainly allows you
On Thu, Jun 07, 2018 at 03:38:49PM -0700, David Lang wrote:
> > Again: The GDPR certainly allows you to keep a proof of copyright
> > privately if you have it. However, it does not allow you to keep
> > publishing it if someone exercises his right to be forgotten.
> someone is granting the world th
On Fri, 8 Jun 2018, Peter Backes wrote:
On Thu, Jun 07, 2018 at 03:38:49PM -0700, David Lang wrote:
Again: The GDPR certainly allows you to keep a proof of copyright
privately if you have it. However, it does not allow you to keep
publishing it if someone exercises his right to be forgotten.
s
On Fri, Jun 08, 2018 at 01:21:29AM +0200, Peter Backes wrote:
> On Thu, Jun 07, 2018 at 03:38:49PM -0700, David Lang wrote:
> > > Again: The GDPR certainly allows you to keep a proof of copyright
> > > privately if you have it. However, it does not allow you to keep
> > > publishing it if someone e
On Thu, Jun 07, 2018 at 04:53:16PM -0700, David Lang wrote:
> the license is granted to the world, so the world has an interest in it.
Certainly, but you need to have overriding legitimate grounds. An
interest is not enough for justification. You have to weight your
interests against those of th
On Thu, Jun 07, 2018 at 10:53:13PM -0400, Theodore Y. Ts'o wrote:
> The problem is you've left undefined who is "you"? With an open
> source project, anyone who has contributed to open source project has
> a copyright interest. That hobbyist in German who submitted a patch?
> They have a copyrigh
On Fri, 8 Jun 2018, Peter Backes wrote:
you are the one arguing that the GDPR prohibits Git from storing and
revealing this license granting data, not me.
It prohibits publishing, and only after a request to be forgotten. It
does not prohibit storing your private copy.
Wrong, if you have to
On Fri, Jun 08 2018, Peter Backes wrote:
> On Thu, Jun 07, 2018 at 10:53:13PM -0400, Theodore Y. Ts'o wrote:
>> The problem is you've left undefined who is "you"? With an open
>> source project, anyone who has contributed to open source project has
>> a copyright interest. That hobbyist in Ger
On Fri, Jun 08, 2018 at 10:13:20AM +0200, Ævar Arnfjörð Bjarmason wrote:
> Can you walk us through how anyone would be expected to fork (as create
> a new project, not the github-ism) existing projects under such a
> regiment?
I don't see your point. Copy the repository to fork. Nothing changes
a
On Fri, Jun 08, 2018 at 12:42:54AM -0700, David Lang wrote:
> Wrong, if you have to delete info, you are not allowed to keep a private
> copy.
Yes you are allowed. See Art. 17 (3) lit e GDPR.
> There is _nothing_ in the GDPR about publishing information,
> everything in it is about what you are a
On Fri, Jun 08, 2018 at 08:26:57AM +0200, Peter Backes wrote:
>
> If you run a website where the world can access a repository, you are
> responsible for obeying the GDPR with respect to that repository. If
> you receive a request to be forgotten, you have to make sure you stop
> publishing tha
On Fri, Jun 08, 2018 at 10:45:51AM -0400, Theodore Y. Ts'o wrote:
> *Anyone* can run a repository. It's not just github and gitlab. The
> hobbiest in New Zealand, who might never visit Europe (so she can't
> be arrested when she visits the fair shores of Europe) and who has no
> business interest
On Fri, 8 Jun 2018, Peter Backes wrote:
On Fri, Jun 08, 2018 at 12:42:54AM -0700, David Lang wrote:
Wrong, if you have to delete info, you are not allowed to keep a private
copy.
Yes you are allowed. See Art. 17 (3) lit e GDPR.
There is _nothing_ in the GDPR about publishing information,
ev
Am 08.06.2018 um 04:53 schrieb Theodore Y. Ts'o:
And of course, that's the other thing you seem to fundamentally not
understand about how git works. Every developer in the world working
on that open source project has their own copy.
Everyone here understands how Git works, of course.
"*shrug
Hi,
Peter Backes wrote:
> I'd like to ask whether anyone has best practices for achieving GDPR
> compliance for git repos? The GDPR will come into effect in the EU next
> month.
This is a reasonable question to ask other Git users on this list to
share ideas, so thanks for asking it.
> In parti
On Fri, Jun 08 2018, Peter Backes wrote:
> On Fri, Jun 08, 2018 at 10:13:20AM +0200, Ævar Arnfjörð Bjarmason wrote:
>> Can you walk us through how anyone would be expected to fork (as create
>> a new project, not the github-ism) existing projects under such a
>> regiment?
>
> I don't see your po
On Fri, Jun 08 2018, Jonathan Nieder wrote:
> Separate from that legal context, though, I think it's an interesting
> feature request. I don't think it goes far enough: I would like a way
> to erase arbitrary information from the history in a repository. For
> example, if I accidentally check
From: "Theodore Y. Ts'o"
Sent: Friday, June 08, 2018 3:53 AM
On Fri, Jun 08, 2018 at 01:21:29AM +0200, Peter Backes wrote:
On Thu, Jun 07, 2018 at 03:38:49PM -0700, David Lang wrote:
> > Again: The GDPR certainly allows you to keep a proof of copyright
> > privately if you have it. However, it
On Sat, Jun 09, 2018 at 11:50:32PM +0100, Philip Oakley wrote:
> I just want to remind folks that Gmane disappeared as a regular list because
> of a legal challenge, the SCO v IBM Unix court case keeps rumbling on, so
> clarifying the legal case for:
> a) holding the 'personal git meta data', and
>
Adding one more datapoint here, I reached out to Github to find out their
stance.
Here is what I got back
Quote:
Thanks for reaching out to us about this.
It's important to remember that the Right to Erasure only applies to personal
data, not all data. It only applies to data a controller (G
On Tue, Jun 12, 2018 at 11:56:13AM -0700, David Lang wrote:
> [quoting github]
>
> It's important to remember that the Right to Erasure only applies to
> personal data, not all data. It only applies to data a controller (GitHub,
> for example) is processing _solely_ on the basis of consent.
This
On Tuesday, June 12, 2018 09:12:19 PM Peter Backes wrote:
> So? If a thousand lawyers claim 1+1=3, it becomes a
> mathematical truth?
No, but probably a legal "truth". :)
--
The Qualcomm Innovation Center, Inc. is a member of Code
Aurora Forum, hosted by The Linux Foundation
On Tue, Jun 12, 2018 at 09:12:19PM +0200, Peter Backes wrote:
> This incorrect claim is completely inverting the logic of Art. 17.
>
> The logic is clarly that if ANY of lit (a) to (f) is satisfied, the
> data must be deleted.
>
> It is not necessary for ALL of them to be satisfied.
>
> In part
On Wed, Jun 13, 2018 at 10:12:18AM -0400, Theodore Y. Ts'o wrote:
> Sure, but given that you are the one trying to claim that people need
> to do all sorts of extra development work (I don't see any patches
No. I am not. I said it is desirable to have a convenient solution for
the problem. I did
52 matches
Mail list logo