On Mon, Nov 10, 2014 at 01:11:44PM +0100, Andrea Veri wrote:
> 2014-11-10 2:07 GMT+01:00 Olav Vitters <[email protected]>:
>
> > In case of weird stuff happening, I have posted IP addresses and ranges
> > in #sysadmin. Non-sysadmins are in that channel. This NDA is too black
> > and white. Sharing a few IP addresses during investigation is totally
> > different from sharing the entire access log.
>
> Honestly that's a very bad habit, you should not post any IP address
> on a public channel with or without a NDA in place. The idea is to
> communicate that information privately to the user having difficulties
> accessing the service itself. What I generally do is:

I was talking about strange behaviour. Meaning: a DDoS or potential spammer. Then *I POSSIBLY WILL* (and have) mention that IP address in e.g. the sysadmin channel. That is completely normal behaviour. NDA means I can be sued as a result.

This NDA exercise seems so far like a checkbox to have, without actually considering what the intention is. I guess the idea is "GNOME should have a privacy policy". Cool, but that doesn't require GNOME to have the option to sue a sysadmin.

Helping out shouldn't lead to myself being exposed to legal risk. In the Netherlands, my employer is responsible for my actions. Here you're doing something for free and then get legal responsibility with it.

> 1. check the user experiencing difficulties is really the one it claims to be
> 2. ask for the IP to be sent privately to start diagnose
> 3. keep chatting privately or switch to the public channel for other
> debugging comments

Does not apply.

> > Another example is for instance the access that has been granted to
> > someone logging into webapps or e.g. bugzilla. They'll have access to
> > the apache logs as well. Did a sysadmin now disclose things to a
> > non-sysadmin? Is that person limited by an NDA?
>
> Well, this is very limited now that logs aren't stored on
> /var/log/httpd anymore. All logs are now sent to a main logging host
> (log01-back) which is only accessible by sysadmins. Just one or two
> services (l10n, ego, bugzilla) have their logs exposed to one or two
> people I trust for debugging purposes. (or for scripts requiring the
> file to be located on the same machine as the script itself for
> obvious reasons)

You're ignoring my point. If you grant bugzilla permissions will or won't I possibly expose myself to being sued? Instead of e.g. apache logs, it can be the Bugzilla database or anything else. The NDA is very broad, giving answers on specific cases won't ease my mind at all.

> > In the time I was only a bugmaster (not a sysadmin), I regularly
> > downloaded the entire Bugzilla database. Including passwords, IP
> > addresses and all.
>
> Yes, and that's legit as long as you don't disclose the private
> contents of the database itself which is the point of the NDA.

Not my point. As a bugmaster, it seems you don't need to sign the NDA. Thus totally ok to share the information. Thus bad if as a sysadmin I'd grant bugzilla shell to anyone. Sharing any IP address with a bugmaster: could be sued.

I think I am a good judge when something should be kept private and when not. I have shared IP addresses to just bugmasters. That's a breach of this NDA!

> >> all reasonable steps to protect the secrecy of and avoid disclosure or
> >> use any of this confidential information. I will notify the board in
> >
> > This is too vague. IP addresses aren't confidential, they can
> > affect someone's privacy. I understand the reasoning behind the text, but
> > it is written in a way where I could pretend that I can disclose
> > confidential information. The text refers to "this confidential
> > information" with IP addresses.
>
> No, please read the relevant text once again:
>
> """ I agree and confirm that I will not publish, sell, transfer or
> otherwise share any information gained in the scope of my sysadmin
> work for the GNOME Foundation with anyone outside the sysadmin team
> and the Foundation board without prior written approval from the
> board. Amongst other things, this includes user passwords for GNOME
> services and IP addresses of visitors to GNOME websites. """
>
> IP addresses are part of the items you should not publish, sell or
> transfer to anyone.

No, it doesn't state that. It states "any information". That is very broad. Learning e.g. something new about e.g. Python as part of sysadmin work *will* be part of this NDA. Then if what I learned is public, then I am not going to be sued.

> > Instead it should start with confidential and privacy related information
> > and say that these things
> > should not be disclosed if learned during sysadmin work.
>
> This is exactly what the text I quoted above says. Any information you
> could gather during your sysadmin work should never be disclosed to
> third parties, *including* IP addresses and user passwords.

The text is legal text. The way I read it, it doesn't state above. There is a big uncertainty

--
Regards,
Olav
_______________________________________________
gnome-infrastructure mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-infrastructure
