New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
maintainers-list: add a GDPR note, avoid unnecessary data collection #93343
maintainers-list: add a GDPR note, avoid unnecessary data collection #93343
Conversation
c1d54fd
to
8e42690
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, I don't think any existing tooling will look very carefully at arbitrary new fields, though maybe the evaluation check will confirm it matches the spec. Let's see what the PR checks say. Nice!
I made the field into a list based on feedback. |
7401add
to
08e36fc
Compare
pronoun
field to maintainers-list.nixpronouns
field to maintainers-list.nix
Needs a new option in |
08e36fc
to
b2a57ab
Compare
What's the use case for this? If we don't have tools that address maintainers by pronoun, then we shouldn't add it to maintainers.nix (since it's just another bit of info that can get outdated). |
Also, from a GDPR perspective, it's probably a good idea to minimize the amount of PII stored in the nixpkgs repo. |
It’s for manually looking up the pronouns of maintainers before addressing them on Github, not intended for tooling. |
Use case that prompted this: I wanted to nominate @FRidh for an RFC maintainership but was unsure of how to address them. |
This is voluntary though, right? Anyone who wants their pronouns not to be known can omit them, and if someone's pronouns change they can update them. |
Consent can be withdrawn (right to be forgotten and all that). Ideally maintainers-list.nix would be stored outside of the nixpkgs repo so we don't have to worry about that. But in the meantime it's better to only have essential information in that file. |
pronouns seem to me to be equally essential to "real name" |
if not more essential, as you can talk about a person using their github information just fine, but talking about a person without knowing their pronouns is rather cumbersome |
Full name and github username are also non-essential information; are there any tools that make use of your full name, and you can look up a github username from the user ID, so why do we have that information in there?
If I were to say, GDPR the nixpkgs repository to remove any references to my name, you would already have to forcefully rewrite history. Adding pronouns to that is not going to materially change the risk profile. |
Removing the full name would certainly be a good idea since we're indeed not using it. But this file pre-dates the GDPR by many years... In any case that's a slippery slope argument. Just because we already have some PII doesn't mean we have to make the problem bigger, especially when there is no compelling need. |
Personally I would suggest people putting their preferred pronouns in their github profile. There they can add, edit and revoke this information without it being stored distributedly everywhere. |
As much as I'd love to have pronouns for maintainers, I think @edolstra makes a valid point. Git repos can't reasonably comply with GDPR for name and email, even though that's totally personal information. By introducing pronouns into the git history we just add more personal information which can't ever be deleted. |
What you are proposing here is keeping an irrevocable permanent history of people’s pronouns. It makes anybody would want to do bad things with it one small script away from a list of which Nixpkgs contributors are trans. Even looking at the history of name changes (which we probably also shouldn’t store) wouldn’t be nearly as reliable a source. While it might be tempting to say that participating in this would be optional, it would be establishing a de facto standard location for this information, that might make people feel compelled to participate or accept having the wrong pronoun used. Compounding this is the fact that the people who will be most comfortable using this field are the people who have never changed their pronouns. If they decide to in future, they now have to choose between permanently marking themselves as somebody who changed or deleted their pronouns (which is dangerous) or leaving the wrong pronouns up. Because of this, I think that over time this list would probably result in even more people being referred to by the wrong pronouns, because of outdated entries that are dangerous to correct. This idea is extremely dangerous. If somebody wants to publish their pronouns, they can already do that on their website or GitHub profile, without having to include that information in a large public dataset with history tracking. |
I didn’t think of it that way, that makes a lot of sense to me. Let’s not put more information than necessary then, and ask people to check the Github profiles of maintainers, or use |
Can this be closed, then? |
@alyssais I added a commit that removes the field, quoting your reply anonymously. If you are okay with that of course. A second commit adds a note concerning GDPR. |
I would like to add a note somewhere, encouraging maintainers to put their pronouns in their Github profile if they want people to use them, but unsure where this would fit. |
2502611
to
fc70d03
Compare
Well, it probably doesn’t make much sense to include a commit that adds a pronoun field, and another that immediately drops it. So probably you should just drop those commits.
Technically I believe GDPR has an exception for data that would be difficult-to-impossible to remove, which I have seen theorised could include git. (IANAL.) I think bringing the law into it is probably unnecessary anyway. I think a note that just says that we should be wary about storing personal information in Nixpkgs, and be mindful that git makes it easy to see changes in data, and near-impossible to ever remove it, would cover it just as well without risking tempting people into armchair lawyering. |
I think it would be better to encourage people to look at GitHub profiles and websites if they’re not sure of people’s pronouns. I think that shifts the burden to the people using the pronouns without proscribing how people should publish them, which they might not want to do in any particular way for any number of legitimate reasons. This could go in the contributor documentation. |
It’s useful for the commit history, since github issues are going to be lost sooner or later. |
By that argument all proposed changes should go into the git history. I think it’s presence in the git history would imply that at some point it happened. |
That’s reductio ad absurdum, but we can squash of course. |
This change was preceded by the idea of adding a pronoun field to the file, which we determined to be a bad idea: * maintainers-list: add pronoun to the optional fields I often do not know how to address maintainers, so giving them the ability to specify their pronouns is helpful for communication purposes. * maintainers-list: add pronoun for Profpatsch maintainers-list: make the pronoun field into a list Some people have a set of pronouns they are fine with, so let’s make that possible. Based on feedback by somebody With An Idea™ of the topic. * maintainers-list: remove the pronouns field The discussion around the field raised a good point, quoting: > What you are proposing here is keeping an irrevocable permanent > history of people’s pronouns. It makes anybody would want to do bad > things with it one small script away from a list of which Nixpkgs > contributors are trans. Even looking at the history of name > changes (which we probably also shouldn’t store) wouldn’t be nearly > as reliable a source. While it might be tempting to say that > participating in this would be optional, it would be establishing a > de facto standard location for this information, that might make > people feel compelled to participate or accept having the wrong > pronoun used. Compounding this is the fact that the people who will > be most comfortable using this field are the people who have never > changed their pronouns. If they decide to in future, they now have > to choose between permanently marking themselves as somebody who > changed or deleted their pronouns (which is dangerous) or leaving > the wrong pronouns up. Because of this, I think that over time this > list would probably result in even more people being referred to by > the wrong pronouns, because of outdated entries that are dangerous > to correct. > > **This idea is extremely dangerous**. If somebody wants to publish > their pronouns, they can already do that on their website or GitHub > profile, without having to include that information in a large > public dataset with history tracking. So let’s remove it again.
fc70d03
to
f13283c
Compare
This looks good to me if the PR title is adjusted as well |
pronouns
field to maintainers-list.nix
Indeed, I was thinking the exact same thing, and because of those exact reasons I would never publish this information into the nixpkgs repository. That thing would be as annoying as a gender marker on a birth certificate 🤣 |
Thanks for raising this compelling point very quickly @alyssais 👍 |
So if there is no further input, I’m gonna merge the half-line change ;) |
Thanks @Profpatsch |
Add an optional
pronouns
field, some documentation on the content and my own pronoun.@grahamc is there any extra care to be taken when adding a field, to make sure evaluation is not broken?
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)