From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0.migadu.com ([2001:41d0:303:e224::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms8.migadu.com with LMTPS id iLZ7Ingb+2X1TQAAqHPOHw:P1 (envelope-from ) for ; Wed, 20 Mar 2024 18:23:04 +0100 Received: from aspmx1.migadu.com ([2001:41d0:303:e224::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0.migadu.com with LMTPS id iLZ7Ingb+2X1TQAAqHPOHw (envelope-from ) for ; Wed, 20 Mar 2024 18:23:04 +0100 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1710955384; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post; bh=5WLXm1B7RWul9bHqGlVV9DNsCpGBReDhQui/C2kFqnQ=; b=iIBteFqbI4iXwBvzELogREdN8LHvn/5b5Zzi9FOXDHOKEvplBqbEbD91HJz3eV6LV3juq6 TGPwdo4Z+AKWTjfp+CzYRczSXW/k2onUJa3rGWvng1YpTegLDZH37/LmrFkqmQyAAaw/oC 3aRJnEt2sYTCJW9mwU0klKyrgmiHWse+ymwoehthv+aTqLtq0ItatvIbWncaMMYz4GrTRH dr2KQ3xpaLdWvHseIU3t4Z+PNqNIpeDb+1il84dRJzLIq7tIXkXiBf9aBlyV+OwspzBKEy BYvMrh+j8HoF2FJr9TJFIMod0kIzCJhTgW3OPuLdkO0r62x2+FJGWHpObiV5QQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" ARC-Seal: i=1; s=key1; d=yhetil.org; t=1710955384; a=rsa-sha256; cv=none; b=Ri5TTjo3NVpQkZNxmZROGUkRGg0Q5+8XY/BsE1zutOfkWN/8ztHMgDo6P4H5vUOZB3xAmP BiDkKZKdIoHYiWw4cOZ3luzLFTQOe1ZeRZg70NA4lGNR8EFWzDb7zJFgQQU3YZ0hJ7Qm+M Z30OBwUdi54ykan5+eY/rJm5Dtb7e5pilUzgN/J74I1ww92yny/2nvbaeDoN2Oa3BDwxJw r6q97IW/xrVBDPApJ+e8FCtsZdABGUfnAdl+ZSGlSaUl1AQHXzzAOmQlwHvQ15RgdB7Q5T Nzvlv8nEk+V9Tt2fHUvzuVYBtGgbONccW2YLfg94IRc4NyU13zJWB8VfhmlfBA== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 56B9A18427 for ; Wed, 20 Mar 2024 18:23:04 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rmze7-0000b4-4g; Wed, 20 Mar 2024 13:22:35 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rmze5-0000ao-Gu for guix-devel@gnu.org; Wed, 20 Mar 2024 13:22:33 -0400 Received: from ns13.heimat.it ([46.4.214.66]) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rmze3-0007QM-1P; Wed, 20 Mar 2024 13:22:33 -0400 Received: from localhost (ip6-localhost [127.0.0.1]) by ns13.heimat.it (Postfix) with ESMTP id 8EB5230080B; Wed, 20 Mar 2024 17:22:28 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at ns13.heimat.it Received: from ns13.heimat.it ([127.0.0.1]) by localhost (ns13.heimat.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JEmDnnuXzV0q; Wed, 20 Mar 2024 17:22:25 +0000 (UTC) Received: from bourrache.mug.xelera.it (unknown [93.56.171.217]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by ns13.heimat.it (Postfix) with ESMTPSA id 6458030022F; Wed, 20 Mar 2024 17:22:25 +0000 (UTC) Received: from roquette.mug.biscuolo.net (roquette [10.38.2.14]) by bourrache.mug.xelera.it (Postfix) with SMTP id 029262FE8B2B; Wed, 20 Mar 2024 18:22:24 +0100 (CET) Received: (nullmailer pid 32738 invoked by uid 1000); Wed, 20 Mar 2024 17:22:24 -0000 From: Giovanni Biscuolo To: Ludovic =?utf-8?Q?Court=C3=A8s?= Cc: guix-devel Subject: the right to rewrite history to rectify the past (was Re: Concerns/questions around Software Heritage Archive) In-Reply-To: <8734sobv2j.fsf@gnu.org> Organization: Xelera.eu References: <87il1mupco.fsf@meson> <8734sobv2j.fsf@gnu.org> Date: Wed, 20 Mar 2024 18:22:16 +0100 Message-ID: <87edc4rf7b.fsf@xelera.eu> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Received-SPF: pass client-ip=46.4.214.66; envelope-from=g@xelera.eu; helo=ns13.heimat.it X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: -8.42 X-Spam-Score: -8.42 X-Migadu-Queue-Id: 56B9A18427 X-Migadu-Scanner: mx12.migadu.com X-TUID: ghThZehku62x --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hello Ludovic and Guix devel community! Disclaimer: I've still not read all the relevant threads [3] [4], so please forgive me if I repeat some information already provided. What rights are we talking about? As a *free software* user do I have the right to redistribute /old/ copies of the source code and documentation I got in the past from the copyright holder, in any form (e.g. print)?... or to use old sources or documentation to develop derived work, with _attribution_, without asking for consent from the original authors and/or contact the original authors to ask them what is their current name? If yes, I would like to exercise all my rights without being harassed. Also, SHW and other organizations (re)distributing free software have their rights and should excercise them without being harassed. Ludovic Court=C3=A8s writes: [...] >> I was also distressed to see how poorly they treated a developer who >> wished to update their name: [1] https://cohost.org/arborelia/post/4968198-the-software-heritag [2] https://cohost.org/arborelia/post/5052044-the-software-heritag > That=E2=80=99s another concern, with append-only storage in general, star= ting > with Git. We should look for solutions that work for both contributors > who change names and for users. This has happened several times in Guix > and what people did was search/replace their name and adjust > =E2=80=98.mailmap=E2=80=99. This is a good solution but unfortunately this is not what the author of the blog posts above [1] [2] and some people in this and other threads [3] [4] are asking SWH - and Guix and potentially all other people distributing copies of copyrighted works (e.g. documentation) - to do. They are asking to "rewrite history" [1] (of git... why not of other archives?): =2D-8<---------------cut here---------------start------------->8--- I already fixed my name in my code. I updated the README and the copyright notice, and I ran git-filter-repo to rewrite the git history so it had always said my correct name, including in commits. This is a thing you can do. =2D-8<---------------cut here---------------end--------------->8--- The author explicitely invokes the "right to rectification" (of the GDPR) [2]: =2D-8<---------------cut here---------------start------------->8--- I give zero shits about the integrity of their data structures. I had already sent them a second email invoking the Right to Rectification, which it seemed like they ignored again, so it was time to get more formal. [...] En application de l=E2=80=99article 21.1 du R=C3=A8glement g=C3=A9n= =C3=A9ral sur la protection des donn=C3=A9es (RGPD), je m=E2=80=99oppose au traitement de me= s donn=C3=A9es =C3=A0 caract=C3=A8re personnel par votre organisme, l=E2=80=99archive Soft= ware H=C3=A9ritage. [...] D=C3=A8s lors, vous voudrez bien :=20 * supprimer mes donn=C3=A9es de vos fichiers et notifier ma demande aux organismes auxquels vous les auriez communiqu=C3=A9es (articles 17.1.c. et 19 du RGPD) ; * si vous en avez l=E2=80=99obligation l=C3=A9gale, m=E2=80=99indiquer la d= ur=C3=A9e de conservation de mes donn=C3=A9es dans vos bases archives ; * m'informer de ces =C3=A9l=C3=A9ments dans les meilleurs d=C3=A9lais et au= plus tard dans un d=C3=A9lai d=E2=80=99un mois =C3=A0 compter de la r=C3=A9ception d= e ce courrier (article 12.3 du RGPD). =2D-8<---------------cut here---------------end--------------->8--- People asking to rectify informaiton /they/ _published_ on their own are obviously misinterpreting the relevant section of the GDPR (more on this later)... and in fact, the SHW DPO reply is [2]: =2D-8<---------------cut here---------------start------------->8--- Unfortunately, the deletion or modification of the software repositories you requested cannot be performed, for several reasons: * On the one hand, these developments involve several authors and are made available under open source licenses, which explicitly allow copying and redistribution * On the other hand, the mission of Software Heritage archive is to guarantee the availability of all versions of all publicly available source codes, and to ensure the integrity of these codes We understand the concern about the display of outdated identities, and for this reason a mechanism has been put in place to display a preferred identity across all the Software Heritage archive. =2D-8<---------------cut here---------------end--------------->8--- But the authos is still not satisfied with the solution proposed by SHW (and used by Guix for it's contributors): =2D-8<---------------cut here---------------start------------->8--- * I was not asking them to develop such a mechanism. I don't just want them to cosmetically change what they display, I want them to change the data. I can't trust the organization that contains the transphobe who had written their previous content policy to hold on to a substitution rule involving my deadname forever. =2D-8<---------------cut here---------------end--------------->8--- =C2=ABI want them to change the data=C2=BB, that is: rewrite history (of /a= ll/ the copies of the repository archived by SWH, **fork** included?) The CNIL (the french data regulator) has been involved, but the author do not trust CNIL: =2D-8<---------------cut here---------------start------------->8--- The explanation I can come up with is that CNIL and Inria are friends, and CNIL will never take action against Inria. =2D-8<---------------cut here---------------end--------------->8--- Last but NOT least: what is this "right to rectification"? ...simple: =2D-8<---------------cut here---------------start------------->8--- Art. 16 GDPR Right to rectification 1The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. 2Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. =2D-8<---------------cut here---------------end--------------->8--- (https://gdpr-info.eu/art-16-gdpr/) Simple... really?!? First question is: is the "deadname" of the author "inaccurate personal data concerning him or her" or it is "just" the /accurate/ name the person had before he or she changed it? ...but the most interesting part is the "suitable recital" n. 65: =2D-8<---------------cut here---------------start------------->8--- 1 A data subject should have the right to have personal data concerning him or her rectified and a =E2=80=98right to be forgotten=E2=80=99 where th= e retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. [...] 5 However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims. =2D-8<---------------cut here---------------end--------------->8--- (https://gdpr-info.eu/recitals/no-65/) Is SHW (and Guix, and... *me*) exercising it's rights of /archiving/ and /scientific or (and!) historical research/? I say yes. Last question: do SHW (and Guix, and *me*) have the right to archive and redistribute free software for historical purposes. But also: is the retention of the "deadname" even necessary to exercise or defense legal claims about _copyright_ issues? And also: is my right to retain the integrity of data structures I obtained by copyright holders or I have to throw it away if one of the copyright holder asks me to retroactively rewrite all occurrences of his or her name for his or her asserted "right to rectification". All in all: what rights are we talking about, please?!? Loving, Giovanni [3] https://yhetil.org/guix/iytrYuvr9BcPdWG17PDP5SXyjrZzwBGx1sbh0BVcDZ8PAifSIMd= PXPbuhhDu-2woPlaWmEWnSt09h4OravmRRBrMB5uDlXYtKtI0egEQX_k=3D@lendvai.name/#r [4] https://yhetil.org/guix/86d01304cc8957a2508e1d1732421b5e0f9ceeb5.camel@plan= ete-kraus.eu/ P.S.: I am DPO and copyright advisor at my tiny company, but IANAL :-D =2D-=20 Giovanni Biscuolo Xelera IT Infrastructures --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQJABAEBCgAqFiEERcxjuFJYydVfNLI5030Op87MORIFAmX7G0gMHGdAeGVsZXJh LmV1AAoJENN9DqfOzDkSPBgQAN3F4sVFvE/yfInmzSBk3YH1iDNfTnTN7PkUk7Ar sS3xYbBZMcO7v7A6kZjLG1v3Dya2YhEX+UCxwaOPghJeN4wqOD7dpBSzHBSV+nZG u9LCz1smrTrUml9qwvTB90pkXepsX9kh7t6oH2Hq62BQ68+QcWgA30LBsvFT8/x3 Zt2Wlv73nApiRI8dH1XgZr77f/pLW9otbV9ugbNov1fV1kEUY0XSTgLPvcp38MLm G/Ppmka7u3g+BAVbsboQrenAy/94L+T6ecgdPAMWRp5651/KjWbvMz3hY74hp8Lt sTXwZA1tJzWaqzmoxmObPsuJwnrlvnhCxUx1nDOVo3pUo27y43j4V9yx8PO3D/sf lJTSFBShsrs6vzlmjemeBbYSXeTuabN0TKesHJ4zzkMjGFH0ZMyhTMKoGvhVR9fW +3vFBifXZuXG5FwsNSXY6uAtc+hSB81m5OZULfsknCi2lWmACZWbt/d0kOVkx2J0 bcNfo+seqTMM3l0xbzxmZNiBg3rKFQGtKRDttTaWf4gek+7gaIE3eHOL9YwX1HUN DzZCZXatKxO+LxeixFDuc1c5hYzIq7WrTb2Zy2wT7uZnS5C88VeuWgjrl6DvD2ad HvSBFJk+79q0sSrx+saGfKYtKsKRzXrDlLo+boRTbidxgMzMhzzb2slKkDh88yZm Fxu5 =LHqy -----END PGP SIGNATURE----- --=-=-=--