On Tue, Nov 04, 2014 at 11:05:44PM +0000, Ekaterina Gerasimova wrote:
> community members do. To this end, it would be very helpful if the
> members of the sysadmin team would be willing to sign an NDA
> (non-disclosure agreement) with the Foundation which would cover the
> handling of user data.

I don't like signing. NDA, copyright assignments, contributor license agreements, they're all the same to me. I'm ok to make a statement. Signing is way too one-sided. For one, it should be a given that I can be trusted. I'm not an active sysadmin by any measure. During the time that I was, I was putting in a lot of hours for GNOME. Instead of being appreciated, I need to put myself through understanding an NDA and investigating possible legal risk. What do I get out of it except hassle, uncertainty and legal risk? What could be a result?

> "I agree and confirm that I will not publish, sell, transfer or
> otherwise share any information gained in the scope of my sysadmin
> work for the GNOME Foundation with anyone outside the sysadmin team
> and the Foundation board without prior written approval from the
> board. Amongst other things, this includes user passwords for GNOME

"Any information gained in the scope of my sysadmin work". That's very broad. It then says "Amongst other things", but it can really be anything. Too vague.

> services and IP addresses of visitors to GNOME websites. I will take

In case of weird stuff happening, I have posted IP addresses and ranges in #sysadmin. Non-sysadmins are in that channel. This NDA is too black and white. Sharing a few IP addresses during investigation is totally different from sharing the entire access log. In case of weird behaviour I have sent logs to the network admins of those ranges. Apparently that's going to require red tape in future.

I'd prefer a slightly more vague text with a clearer intention. Say something that I should do my utmost not to disclose any confidential or private information. If deemed needed for sysadmin work, then ok. In doubt, ask board.

PS: Maybe an additional thing that as sysadmin, I won't just read confidential stuff even if able to (the "just because I could does not make it ok").

This is a bit difficult though, because that is more to do with clear confidential info, not access logs (NDA lumps everything together). Another example is for instance the access that has been granted to someone logging into webapps or e.g. bugzilla. They'll have access to the apache logs as well. Did a sysadmin now disclose things to a non-sysadmin? Is that person limited by an NDA?

Examples like above make me not want to sign anything. In the time I was only a bugmaster (not a sysadmin), I regularly downloaded the entire Bugzilla database. Including passwords, IP addresses and all.

> all reasonable steps to protect the secrecy of and avoid disclosure or
> use any of this confidential information. I will notify the board in

This is too vague. IP addresses aren't confidential, they can affect someone's privacy. I understand the reasoning behind the text, but it is written in a way where I could pretend that I can disclose confidential information. The text refers to "this confidential information" with IP addresses. Instead it should start with confidential and privacy related information and say that these things should not be disclosed if learned during sysadmin work. E.g. the wiki has a lot of private stuff on there; the focus of the text seems a bit off IMO.

To be clear: I'm very careful with confidential information and anything privacy related. In almost the same extreme as confidential information I take legal texts; for confidential info I try to avoid even knowing (e.g. the wiki stuff I know through seeing the titles appear in RecentChanges. I don't want to read it and have not read it) and will take a lot before I'd ever disclose the stuff that I do know.

> writing of any misuse or misappropriation of or request for
> confidential information may come to my attention. Notwithstanding the
> above, confidential information shall not include information which:
> (i) was rightfully known by me prior to my receiving the information
> in the course of my sysadmin duties; (ii) is publicly available
> through no fault of mine or failure of me to act; or (iii) is required
> to be disclosed by law. Additionally, all private information which
> was submitted by a user may be shared freely by the sysadmin team with
> that user once suitable steps have been taken to verify the identity
> of the user."

--
Regards,
Olav

_______________________________________________
gnome-infrastructure mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-infrastructure
