[arch-general] [arch-dev-public] AUR ToS (aka making AUR user names public)

Tue Mar 7 03:46:14 UTC 2017

On 03/06/2017 10:08 PM, YANG Ling via arch-general wrote:
> Hi all,
> Shall we focus on Lukas's questions?

Yes, let's.

[skipped - pointlessly quoted and then repeated questions]

> My opinions:
> 
> 1. The first question: Are we fine with sharing the user names?
>    I am fine. But I think some agreements should be made before sharing
>    the data.

There is no need to be fine or not, the user names are *already* public
(with the exception of people who have never uploaded a package, left a
comment, filed a package request, or indeed visibly interacted with the
AUR in any way).

> 2. The second question: Would it make sense to even make this data
>    publicly available?
>    No, it is not OK. Please check this wiki [1]. Login name or nickname
>    is Personally identifiable information (PII).

Okay... firstly, thanks for the strange Wikipedia proxy....

Stating a tautology does not advance this discussion. No one thought for
a moment that usernames weren't somehow "personally identifying
information".
Lukas elaborated upon this question, by providing actual arguments for
and against. By ignoring 90% of what he said, you are stripping the
discussion of most meaningful context, and replacing it with some vague
buzzwords.

> 3. The third question: Shall we add some ToS that users need to agree
>    upon when registering?
>    Yes, it is better to have ToS.

This wasn't even the question. Lukas said we should have a ToS, and he
*asked* if anyone was willing to draft one.

...

I really don't understand why people seem to have a paranoia issue with
other people having an efficient interface to data that is already
there. Researchers and Peeping Toms can already find out all this
information by hitting the AUR server a lot and scraping HTML responses,
offering the *same* data with less overhead can only serve to ease
server congestion (on "our" end) and *time expended* reinventing the
username list (on "their" end).

Do we wish to penalize all researchers for the evil habit of extracting
personally identifiable information, by making them slog through the
process of compiling their information? Knowing full well that it won't
actually stop them (for good or for ill)?

Do we even owe anything to the relevant users? Since there is no ToS, an
argument could be made that we all agreed to share whatever information
we have in fact shared, without asking for qualifications about what the
Arch Linux project intended to *do* with our usernames etc.
(The usual IANAL applies.)

tl;dr
Let us emulate the forums, and provide a username list only accessible
to logged-in AUR users.

-- 
Eli Schwartz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20170306/cdad8de2/attachment.asc>