Re: Proposal for *Real* Declassification of debian-private archives

[Florian Weimer <fw@deneb.enyo.de>]

* MJ Ray:

> Nearly all messages sent to debian-private are covered by copyright
> and I think republishing any such past message could get Debian into
> legal trouble, in general, unless there's explicit permission from its
> author. If someone has a good global argument against that, please post
> it here and/or the debian-legal thread. ("Fair use" is somewhat
> variable globally.)

Globally, I'm not sure.  A typical mailing list article is not subject
to German copyright law because it lacks originality.  I know that the
U.S. situation is somewhat different.

> I've not thought much about trade secrets and privacy laws. Can someone
> explain how they cause problems, please?

For a couple of years, I dealt with security issues for a large
institution, and we received quite a bit of sensitive information on
our security@ mailbox from external parties: IP addresses of attackers
and victims, excerpts from communication, the fact that someone was
attacked successfully, embarrassingly incorrect log file analysis.
Nothing you'd really like to see published, and some of it is probably
also protected by law.

> All in all, it looks like redefining -private to have no privacy
> would be evil, bad and wrong. 

Indeed.  But in some sense, people are already anticipating that:
-private is mostly unused.  Developers prefer to operate in almost
complete secrecy.

> It would still be good to see a team trying to publish the stuff
> that shouldn't be on there or that is public interest, but that can
> happen without a policy change GR.

I don't understand why a GR is needed.  But then, I can't find a
policy document which makes postings on -private confidential, either.