2014-11-10 2:07 GMT+01:00 Olav Vitters <[email protected]>:
> In case of weird stuff happening, I have posted IP addresses and ranges
> in #sysadmin. Non-sysadmins are in that channel. This NDA is too black
> and white. Sharing a few IP addresses during investigation is totally
> different from sharing the entire access log.

Honestly that's a very bad habit, you should not post any IP address on a public channel with or without an NDA in place. The idea is to communicate that information privately to the user having difficulties accessing the service itself. What I generally do is:

1. check the user experiencing difficulties is really who they claim to be
2. ask for the IP to be sent privately to start diagnosing
3. keep chatting privately or switch to the public channel for other debugging comments

> Another example is for instance the access that has been granted to
> someone logging into webapps or e.g. bugzilla. They'll have access to
> the apache logs as well. Did a sysadmin now disclose things to a
> non-sysadmin? Is that person limited by an NDA?

Well, this is very limited now that logs aren't stored on /var/log/httpd anymore. All logs are now sent to a main logging host (log01-back) which is only accessible by sysadmins. Just one or two services (l10n, ego, bugzilla) have their logs exposed to one or two people I trust for debugging purposes (or for scripts requiring the file to be located on the same machine as the script itself, for obvious reasons).

> In the time I was only a bugmaster (not a sysadmin), I regularly
> downloaded the entire Bugzilla database. Including passwords, IP
> addresses and all.

Yes, and that's legit as long as you don't disclose the private contents of the database itself, which is the point of the NDA.

>> all reasonable steps to protect the secrecy of and avoid disclosure or
>> use any of this confidential information. I will notify the board in
>
> This is too vague. IP addresses aren't confidential, they can
> affect someone's privacy. I understand the reasoning behind the text, but
> it is written in a way where I could pretend that I can disclose
> confidential information. The text refers to "this confidential
> information" with IP addresses.

No, please read the relevant text once again:

"""
I agree and confirm that I will not publish, sell, transfer or otherwise share any information gained in the scope of my sysadmin work for the GNOME Foundation with anyone outside the sysadmin team and the Foundation board without prior written approval from the board. Amongst other things, this includes user passwords for GNOME services and IP addresses of visitors to GNOME websites.
"""

IP addresses are part of the items you should not publish, sell or transfer to anyone.

> Instead it should start with confidential and privacy related information and
> say that these things
> should not be disclosed if learned during sysadmin work.

This is exactly what the text I quoted above says. Any information you could gather during your sysadmin work should never be disclosed to third parties, *including* IP addresses and user passwords.

--
Cheers,

Andrea

Debian Developer,
Fedora / EPEL packager,
GNOME Infrastructure Team Coordinator,
GNOME Foundation Board of Directors member,
GNOME Foundation Membership & Elections Committee Chairman

Homepage: http://www.gnome.org/~av
