
Re: A note from GitHub about your repository

On Thu, Oct 11, 2018 at 1:28 AM Mark J Cox <mjc@redhat.com> wrote:
> The artifact in question is their agreement with the CVE terms of use:
> https://github.com/distributedweaknessfiling/DWF-Legal-Acceptance/blob/master/Terms-Of-Use/lpu%40protonmail.ch

My interpretation of their request differs to yours -- if they are invoking
GDPR to have that entry removed then remove that entry[*], there doesn't
seem to be any reason why their acceptance of terms email needs to be
public as long as DWF have a copy.  Them asking for removal of their
personal data from the public doesn't mean they've revoked their
acceptance of those terms or you should alter any CVE they've filed.
This wouldn't in my mind trigger any of the clauses for why you'd be able
to reject the "right to forget".

My workflow doesn't support long term private data, in that I do not host private secret infrastructure. Also, their email is placed in the CVE assignment that I send to MITRE. It was decided a long time ago that CVE requestors should stand behind their CVE entries, as it were; for classic vendor CNAs that means security@theirvendor.com or whatever, but for DWF these requests are coming in directly from random third parties, and I feel it is important to make it clear that by requesting this CVE you are also expected to stand behind it; otherwise people contact me with questions about a CVE and I cannot do anything. This is why having the original requestor email in the request and the terms of use is so important.

> What happens if I withdraw my consent for
> cve-assign@distributedweaknessfiling.org?

Well, that wouldn't be defined as personal information under GDPR (and
you're not an EU citizen).

So how do we know this protonmail email address is PII? How do we know that person is in Europe?

> This is a major problem that we need to actually solve in some way. Part of
> it will be finding providers that are "Safe".

Dealing with GDPR requests will be the same no matter where you store DWF.
Some providers might just not have figured out their process for handling
them yet.
The problem is GitHub appears to have an overly broad interpretation of GDPR which puts our data and project at risk.


[* "remove" has some interesting side effects in Git, depending on whether
Github want you to rewrite history so it never happened (bleh!) or just
commit a removal (so it's actually still in the history)]

Kurt Seifried

Page Last Updated or Reviewed: October 12, 2018