On Tue, Mar 02, 2010 at 11:08:16AM +0100, Gerfried Fuchs wrote: > Like suggested by Lucas himself, I bring up this issue on the debian > project list. The context is that Lucas did put up a new "service" and > data collector in UDD that contains the PTS subscription. He announced > it in his blog: <http://www.lucas-nussbaum.net/blog/?p=453> I believe it is now clear from the thread that there are several people that consider the current approach a privacy violation. That being clear now, it is pretty pointless to continue finger pointing (that's not targeted at Rhonda, it is a completely general comment). I try to summarize here (my interpretation of) some of the points that have been raised in a brief follow-up to this discussion happened on #debian-qa a few hours ago (sorry, I don't have logs). - it is considered unacceptable to let non-DDs access the subscription information - using hashes it is not enough to solve that, as long as hashes are computable by anyone Lucas reported that in a past discussion with DSA, it has been evaluated the possibility of restricting access to specific tables, so that they are accessible only by specific machines. If that were possible, we could restrict the access to the machine implementing the web interface to PTS subscriptions [1], or any other DD-only service FWIW, and close access to all guest accounts on alioth.debian.org (which is pretty much the same as having public information, since everyone can get an account on alioth). Back then, such a solution was considered non feasible (that's what I've been told), but I don't know the details. I'm hence copying DSA list to check whether we can re-evaluate the solution and/or know more details about that. In general, I believe having a DD-restricted place which has privileged access to UDD can be useful, as it will allow storing into UDD sensible data. That would for instance enable to do some "sensible" QA work (a-la MIA), without disclosing data into the wild. Cheers. [1] Yes, the web interface would then need some form of authentication, but that's a different problem, let's go step-by-step, shall we? -- Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7 zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/ Dietro un grande uomo c'è ..| . |. Et ne m'en veux pas si je te tutoie sempre uno zaino ...........| ..: |.... Je dis tu à tous ceux que j'aime
Attachment:
signature.asc
Description: Digital signature