On Fri, Aug 19, 2022 at 1:08 PM Ben Cotton <bcotton@redhat.com> wrote:
On Fri, Aug 19, 2022 at 2:46 AM Merlin Cooper
<mxanthropocene@outlook.com> wrote:
>
> I like this policy, but it strikes me as odd that the packagers' email
> addresses are posted publicly on the Pagure tickets... Wouldn't that
> make it easier for spammers to get more email addresses?

The script has a flag I can use in the future which (I believe) will
mask the addresses in the tickets. I didn't use it this time because
email addresses are already displayed all over the place. If a spammer
gets an email address from these tickets that they didn't have before,
then I'll be very surprised.

I really wish people would stop making the argument that just because other places/systems have terrible data hygiene, we can have terrible data hygiene too. Fedora should be trying to set the example of how to interact and behave, and the "follow the herd" mentality here is not acceptable in my opinion.

Email address could be considered PII, and so there is a debate about when the GDPR-type regulations would apply to them (from what I read, it would apply for work email addresses giving full names or personal email addresses). While there is a legal basis for keeping the email address in the system and using it, I fail to see a legal basis that would allow publicly displaying an email address in this way.

Many systems are also trying to reduce the exposure of personal email addresses, with major git hosting providers even creating anonymous commit emails that can be associated with user accounts on those systems and then used for your commits should you choose.

So in short, I strongly argue for masking/removing the email address from all tickets like this, and the fact that they are displayed there was is so concerning to me that I opened a ticket about it last night: https://pagure.io/find-inactive-packagers/issue/619.

-Ian
 

That said, if there's a general consensus that addresses should be
masked in the ticket, then we can do that in the future. I considered
whether the tickets should default to private, but the downside is
that people wouldn't be able to log in and comment on the ticket via
the Pagure web interface, only by email.

--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue