On 20.05.2012 14:47, Daniel Gruno wrote:
> This will effectively make for two (or three) new votes for adopting
> each piece:
>
> - Adopt a privacy policy for the docs and refer to the various tracking
> methods used as they get implemented - see the draft at
> http://wiki.apache.org/httpd/PrivacyPolicy

Thanks for preparing this draft. As previously stated, I consider such a policy a mandatory requirement before integrating any tool into httpd.apache.org which systematically processes user data [1].

The section "Additional tracking by third parties" of the draft currently says:

"The Apache HTTP Server project makes use of additional third party tools, such as the Disqus commentary system, which itself may apply visitor tracking for internal purposes."

In the interest of an early declaration, let me say that I'm (rather strongly) opposed to running the project's site in a way that requires us to have such a generic disclaimer in the privacy policy, for several reasons.

First, my expectation would be that an ASF project, and in particular ours, is able to run the infrastructure of those features it considers essential for its operations on its own. It's true that some other projects are using Google Analytics, but this doesn't mean that others should follow this practice, IMO.

Second, I see several technical issues when integrating third-party tools which basically rely on JS code being injected into the HTML on httpd.apache.org: "surreptitious" tracking is one of them, but it's also problematic from a security point of view: by pulling in JS from remote URLs we expose our visitors to the risk of running untrusted code in the context of our site. (As an aside: having to turn off JS for httpd.apache.org as a whole, as - rightfully - suggested in the draft privacy policy for effectively turning off GA, would have the collateral damage of disabling the newly-added syntax highlighting as well, which seems quite unfortunate.)

Third, *iff* we really decide to do user tracking on httpd.apache.org, it should at least be opt-in, not opt-out, in my view (i.e., we should e.g. make sure to honor "DNT: 1" headers before pulling in JS tracking code, and ensure that visitors agree to being tracked before we do so).

> - Implement the Disqus commentary system for the docs - see the proposal
> at http://wiki.apache.org/httpd/DocsCommentSystem

In the meantime I skimmed over its Terms Of Service [2], and it took me only a short time to identify several elements which made me quite worried:

a) User Content: Disqus is granted "a royalty-free, sublicensable, transferable, perpetual, irrevocable, non-exclusive, worldwide license to use, reproduce, modify, publish, list information regarding, edit, translate, distribute, syndicate, publicly perform, publicly display, and make derivative works of all such User Content" etc.

b) Changes to the service: "We may, without prior notice, change the Service; stop providing the Service or features of the Service, to you or to users generally; or create usage limits for the Service."

c) Advertisements: "You agree that Disqus may include advertisements and/or content provided by Disqus and/or a third party (collectively "Ads") as part of the implementation of the Service."

This is just a small sample of rules I consider highly problematic, and to be honest, they pretty much rule out the option of using Disqus on httpd.apache.org, I think.

PHP's system, on the other hand, uses an approach [3] I'm completely comfortable with: no dependencies on third-party sites, comments are covered by a Creative Commons license, and do not rely on any remote JS code or so.

> - Implement visitor tracking for the docs so we can improve on them -
> see proposal at http://wiki.apache.org/httpd/DocsAnalyticsProposal

I would highly prefer Piwik over the others (or more generally: a tool we run ourselves, not a third-party service).

Kaspar

[1] see also http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200809.mbox/%[email protected]%3E and other messages in that thread, e.g.
[2] http://docs.disqus.com/help/29/
[3] http://www.php.net/manual/add-note.php
