Re: A note from GitHub about your repository
- To: Kurt Seifried <kurt@seifried.org>
- Subject: Re: A note from GitHub about your repository
- From: Mark J Cox <mjc@redhat.com>
- Date: Thu, 11 Oct 2018 08:28:51 +0100
- Cc: Lisa Olson <elolson@microsoft.com>, CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
- Delivery-date: Thu Oct 11 07:48:02 2018
- In-reply-to: <CABqVa3_BQDZPcVCbF0TYQ=QAma_nMtCjdDjK=WD-pu78mtz_0g@mail.gmail.com>
- References: <discussions/2f1b8ac0c56511e894cb05b41a397422/comments/5400971@github.com> <CABqVa3_n8gjtLYCQCnv=xw_bXGu842=8=oD+mWF+NFDN0J3g=A@mail.gmail.com> <CABqVa3-3Fiy+XJoTf+X14-Br6j0ebWAsqjpJqRQupe0MjwXObw@mail.gmail.com> <discussions/2f1b8ac0c56511e894cb05b41a397422/comments/5431634@github.com> <CABqVa3-YrMWNcYo2-MyRhh-US7KJDLode1C+1f-1US=OofWZ1A@mail.gmail.com> <MW2PR2101MB1051392FEC7B29269585E374B9E00@MW2PR2101MB1051.namprd21.prod.outlook.com> <CABqVa3_BQDZPcVCbF0TYQ=QAma_nMtCjdDjK=WD-pu78mtz_0g@mail.gmail.com>
The artifact in question is their agreement with the CVE terms of use:
https://github.com/distributedweaknessfiling/DWF-Legal-Acceptance/blob/master/Terms-Of-Use/lpu%40protonmail.ch
My interpretation of their request differs to yours -- if they are invoking
GDPR to have that entry removed then remove that entry[*], there doesn't
seem to be any reason why their acceptance of terms email needs to be
public as long as DWF have a copy. Them asking for removal of their
personal data from the public doesn't mean they've revoked their
acceptance of those terms or you should alter any CVE they've filed.
This wouldn't in my mind trigger any of the clauses for why you'd be able
to reject the "right to forget".
> What happens if I withdraw my consent for
> cve-assign@distributedweaknessfiling.org?
Well, that wouldn't be defined as personal information under GDPR (and
you're not an EU citizen).
> This is a major problem that we need to actually solve in some way. Part of
> it will be finding providers that are "Safe".
Dealing with GDPR requests will be the same no matter where you store DWF.
Some providers might just not have figured out their process for handling
them yet.
Mark
[* "remove" has some interesting side effects in Git, depending on if
GitHub want you to rewrite history so it never happened (bleh!) or just
commit a removal (so it's actually still in the history)]