-----BEGIN PGP SIGNED MESSAGE-----
On 03/08/2012 03:42 PM, Tristan Santore wrote:
> I personally believe there should be a very frank discussion about
> this. There is a tendency to be quite liberal with personal
> information, which in my very humble opinion, in terms of the fas
> username is a security risk, in terms of the sign up email being
> shown, can allow anyone to write a script to query fas, and spam
> people to death, maybe harass them. In terms of the real name being
> shown, if you make public statements, you might disgruntle future
> employers, maybe your local judicial system, who do not value free
> speech, as the US constitution does or even worse, somebody just
> takes an exception to statements made, and you get arrested
> (happens a lot in other countries I hear). Of course these are all
> extreme examples, but I do not think we should underestimate these

I understand what you are saying. We have to balance personal rights
with the rights of the community to know who they are entrusting. The
"know who" in an online world comes about by interacting with people,
building trust, and so forth.
In a simplistic sense, is what you are suggesting that all FAS
information be a secret that only a few sysadmins can access? Those
sysadmins would be the centers of a trust web - I would have to trust
those sysadmins that there are real people who can be reached (via
email, for example) behind usernames.
In order to contact another user who I hadn't personally traded
addresses with, I would have to use perhaps a web interface? Or would
username(a)fedoraproject.org still be accessible information?

> Further, speaking for myself, when I signed up years ago, I did
> not realise that: a. I could not change my username after sign up
> b. That this information was going to be public. Of course then,
> legally "you" would say, well we had this 100 page document in our
> terms and conditions, but does that make it right ?

I'm unclear here - are you saying it is not your responsibility to
read and understand terms and conditions of websites you sign up for?
If it is not your responsibility, whose is it?
If the document truly were 100 pages ... but I've always seen Fedora
strive for brevity in all legal documents.

> Should we as a free and open community not be better at respecting
> people's beliefs ? What if I want to change my username ? Or what
> if I want to delete my user/participation ? What are the procedures
> for our users ? What guarantees do we give people to protect their
> privacy/details after they leave, or they change their minds on
> being so open, in terms of disclosure ?

I can sort-of answer about the username change. I may be the only
person in Fedora history who had this done - I asked for it especially
because I had mistakenly signed-up as or received 'kwade' as my
username. (I keep a strict separation so 'kwade=work' and
It was a huge pain that still has little cracks in it - teams where I
was signed up as 'kwade', for example. I don't blame the
Infrastructure Team for not wanting to do it anymore. The problem AIUI
is, FAS was never designed to allow for usernames to be changed. (I
don't know of any account system that really is - it may allow for an
alias to be changed, but underneath is a UUID of some sort that can
never be reused. For example, accounts in FAS are not deleted but
rather are locked-as-closed, so no new person can reuse another
username. I think this is key in the web-of-trust - I want to know
that 'spot' is always the same 'spot', or at least someone who has his
credentials and can write as well as he does.)
So that use case I suspect won't happen unless you or someone else
rewrites FAS to allow for it.

> I personally think, these are very real concerns, especially when
> we see other corporations getting more and more greedy with
> information on the general public and more and more laws by
> government to snoop on people. We should also never forget, that it
> is getting harder and harder to delete data, which is why the EU is
> debating a "right to forget" law.
>
> The community should have a very frank and open discussion
> about these concerns and the board should then take up these issues,
> discuss the findings and make appropriate changes to the policies
> and how we inform our contributors about what happens with this
> data, and what and how we help them to erase any data about them.

The problem that I see so far about "right to forget" for Fedora is
that we are a publicly accessible open source project. Our data is, by
nature, shared and archived all around the Internet. People have come
in the past and requested to e.g. have all their emails removed from
our mailing list archives. The problem is, we don't control the dozens
or hundreds of other locations that have that email archived. It is
literally impossible for Fedora to erase public data related to a
username, especially when that user willingly wrote to e.g. public
So while I understand and sympathize with our sisters and brothers
being oppressed around the world, if they have concern about what they
say and do in Fedora, they should take appropriate steps to make
themselves anonymous. It is likely there are users right now making
copyright contributions to Fedora who are entirely anonymous
fictitious persons to protect people who need or desire anonymity.
Although I might not formally condone that, I certainly am able to
build trust with someone who chooses anonymity - in fact, I've done
that with someone whose anonymity and honesty stretches to not
contributing actual copyright material nor making contribution
agreements because "he" is anonymous.
Myself, I have an equal concern that I can identify properly the
people who have contributed copyright material to Fedora, so I can
properly attribute and/or reuse as per the terms of the license. Does
my concern outweigh the political and personal risk people have when
they identify themselves in FAS? Maybe not in other venues, but in the
venue of "free/libre/open source software project", perhaps my concern
*does* outweigh a right to total privacy and anonymity.
- - Karsten

> Of course there have to be technical limits, especially as we use
> fas in pretty much everything, but these should be discussed too,
> and maybe workarounds found.
>
> I apologise for this long email, but these are just some concerns I
> see with regards to this issue.

name: Karsten 'quaid' Wade, Sr. Community Architect
team: Red Hat Community Architecture & Leadership
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----