On 4/7/21 7:55 PM, Neal Gompa wrote:
On Wed, Apr 7, 2021 at 1:11 AM Simon Lees <sflees@suse.de> wrote:
On 4/7/21 12:35 PM, Neal Gompa wrote:
On Tue, Apr 6, 2021 at 8:24 PM Simon Lees <sflees@suse.de> wrote:
If the openSUSE Chairman was going to veto us trying to fix this mess, then I would be pretty cheesed off, personally.
At the end of the day, under current law SUSE is legally responsible for all openSUSE's data under GDPR. As such, whenever the Heroes add a new service that stores any form of data, SUSE should be comfortable with it, and so I'd be expecting the Heroes to be running these things by the relevant people at SUSE prior to working on them so we don't end up in an awkward situation where SUSE has to tell the Heroes that you shouldn't be running that or no, you can't do that. Mind you, under the same reasoning I'm really surprised that SUSE hasn't invested the time and effort to migrate us away from connect, because I suspect it's a serious GDPR liability having it still running, and at the end of the day that's their issue, not openSUSE's (at least from a GDPR perspective).
Nothing we're planning or doing adds to the data we're already collecting, so I think we're fine there.
It's not just about the data we collect though; almost more important than that is the compliance officer feeling comfortable that they can locate and remove any user's data should they receive a request to do so. If I was the data protection officer I'd be hesitant to leave this to a couple of people in the community, because who knows if and where they'll be in 10 years; things change, after all. But on the other hand, if there is a well documented process to handle this and the officer has access or knows they can contact someone with access (possibly an employee, because they have the right to tell another employee you need to do this today, whereas they don't for a community member), I'd start to see this as a non-issue.

Please don't get me wrong, I'm not trying to single out the new login system here; this is something we should be doing for any new infra we add that stores any form of user data. Not just for SUSE now, but for the board of a future foundation to feel comfortable should we decide to transfer some of openSUSE's data to its ownership sometime in the future.

Cheers

--
Simon Lees (Simotek) http://simotek.net
Emergency Update Team keybase.io/simotek
SUSE Linux Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B