
GR Proposal: Declassification of -private



Hello world,

One of the issues Debian often stands for is transparency and openness
-- indeed, the openness of our bug tracking system is codified in the
Social Contract's statement "We will not hide problems". However, one
particular area of significance within the project is not open at all:
the debian-private mailing list.

This list has hosted a number of significant discussions over the years,
including most of the discussion inspiring the original statement
of Debian's Social Contract and the Debian Free Software Guidelines,
the reinvention of the new-maintainer process, debate on the qmail to
exim/postfix transition for Debian mail servers and more. This trend
continues today, with the six months just past having averaged around 190
posts per month.

Especially given Debian is the focus of academic work (such as Biella
Coleman's paper), and has inspired other groups to emulate our commitment
to free software and our community (Gentoo, Wikipedia, the Open Directory
Project and OpenSolaris), we should make our discussions on issues like
these and the reasoning behind the solutions we adopt accessible to the
rest of humanity.

I think the easiest way to do that is to adopt an approach similar to that
of governments that deal with classified documents; that is, by setting a
specific time after which -private posts will be required to be considered
for declassification (i.e., publication) and redacting only those posts (or
portions of posts) for which there's still a good reason to keep private.

Thus, I propose that the Debian project resolve that:

---
In accordance with principles of openness and transparency, Debian will
seek to declassify and publish posts of historical or ongoing significance
made to the Debian Private Mailing List.

This process will be undertaken under the following constraints:

  * The Debian Project Leader will delegate one or more volunteers
    to form the "debian-private declassification team".

  * The team will automatically declassify and publish posts made to
    that list after three years, with the following exceptions:

    - the author and any named recipients of messages being reviewed
      will be contacted, and allowed between four and eight weeks
      to comment;

    - posts that reveal financial information about individuals or
      organisations other than Debian will have that information
      removed;

    - posts of no historical or other relevance, such as vacation
      announcements, or posts that have no content after personal
      information is removed, will not be published, unless the author
      requests they be published;

    - publication of posts that would reveal otherwise unpublished
      security vulnerabilities in currently supported releases of a
      Debian distribution will be deferred;

    - requests by the authors of posts, or others who would be affected
      by the publication of the post, will be taken into account by
      the declassification team;

    - the list of posts to be declassified will be made available to
      developers two weeks before publication, so that the decisions of
      the team may be overruled by the developer body, if necessary.
---

According to the interweb, classified US government documents relating
to national security have to be released after at most ten years (unless
there're particular reasons to extend that); the oldest mail in the
-private archives turns ten on January 21st next year. I don't want to
see Debian be more secretive than the US military industrial complex :)

And beyond that, there really are a lot of good ideas stuck in the
-private archives that it'd be nice to be able to refer to properly.

Comments, suggestions and seconds appreciated.

Cheers,
aj
