Hello world,

One of the issues Debian often stands for is transparency and openness -- indeed, the openness of our bug tracking system is codified in the Social Contract's statement "We will not hide problems". However, one particular area of significance within the project is not open at all: the debian-private mailing list. This list has hosted a number of significant discussions over the years, including most of the discussion inspiring the original statement of Debian's Social Contract and the Debian Free Software Guidelines, the reinvention of the new-maintainer process, debate on the qmail to exim/postfix transition for Debian mail servers and more. This trend continues today, with the six months just past having averaged around 190 posts per month.

Especially given Debian is the focus of academic work (such as Biella Coleman's paper), and has inspired other groups to emulate our commitment to free software and our community (Gentoo, Wikipedia, the Open Directory Project and OpenSolaris), we should make our discussions on issues like these and the reasoning behind the solutions we adopt accessible to the rest of humanity.

I think the easiest way to do that is to adopt an approach similar to that of governments that deal with classified documents; that is, by setting a specific time after which -private posts will be required to be considered for declassification (ie, publication) and redacting only those posts (or portions of posts) for which there's still a good reason to keep private.

Thus, I propose that the Debian project resolve that:

---
In accordance with principles of openness and transparency, Debian will seek to declassify and publish posts of historical or ongoing significance made to the Debian Private Mailing List. This process will be undertaken under the following constraints:

 * The Debian Project Leader will delegate one or more volunteers to form the "debian-private declassification team".

 * The team will automatically declassify and publish posts made to that list after three years, with the following exceptions:

   - the author and any named recipients of messages being reviewed will be contacted, and allowed between four and eight weeks to comment;

   - posts that reveal financial information about individuals or organisations other than Debian will have that information removed;

   - posts of no historical or other relevance, such as vacation announcements, or posts that have no content after personal information is removed, will not be published, unless the author requests they be published;

   - publication of posts that would reveal otherwise unpublished security vulnerabilities in currently supported releases of a Debian distribution will be deferred;

   - requests by the authors of posts, or others who would be affected by the publication of the post, will be taken into account by the declassification team;

   - the list of posts to be declassified will be made available to developers two weeks before publication, so that the decisions of the team may be overruled by the developer body, if necessary.
---

According to the interweb, classified US government documents relating to national security have to be released after at most ten years (unless there're particular reasons to extend that); the oldest mail in the -private archives turns ten on January 21st next year. I don't want to see Debian be more secretive than the US military industrial complex :) And beyond that, there really are a lot of good ideas stuck in the -private archives that it'd be nice to be able to refer to properly.

Comments, suggestions and seconds appreciated.

Cheers,
aj