From: Julien Lepiller
To: 43796@debbugs.gnu.org, pelzflorian@pelzflorian.de
Subject: bug#43796: Privacy policy
Date: Sun, 04 Oct 2020 11:56:04 -0400
Message-ID: <90C37536-BB8F-47D4-ABD8-BA8493E9485E@lepiller.eu>
In-Reply-To: <20201004153419.kyacfjdwmok6yybg@pelzflorian.localdomain>

Looks nice, but:

The GDPR is not the only legislation that applies to us. For services hosted in France for instance, there is a legal obligation to keep logs for at least one year (not sure exactly who that applies to). There could be something similar in Germany where berlin is located.

I think some of the wording is vague. Does "can be used to identify" mean we will use the IP to identify the person (is it the reason we process this data?) Or is it something that we could technically do, but refuse to do?

On 4 October 2020 11:34:19 GMT-04:00, "pelzflorian (Florian Pelz)" wrote:
>IANAL but I think Guix needs a privacy policy for both its website and
>the Guix software in general.
>
>Attached is a patch for the website that also documents data use by
>Guix and Guix System. Maybe I’ve overdone some parts and probably
>something important is missing.
>
>In particular, the GDPR requires IP addresses to be deleted from logs
>after a reasonable time. I think but am not sure the current process
>for nginx is to delete only when the log files become too big. A more
>suitable policy must be implemented and the users must be told about
>it, I think. See <https://gdpr-info.eu/art-13-gdpr/>.
>
>In general I think it is better to have an incomplete policy than to
>have none.
>
>Comments?
>
>Regards,
>Florian