On Mon, Dec 04, 2023 at 03:30:03PM +0100, Pavel Hrdina wrote:
> On Mon, Dec 04, 2023 at 01:03:07PM +0100, Wolfgang Rohdewald wrote:
> > Since I do not know in which country libvirt.org legally lives (it does not say that),
> > I do not know what regulations apply. But meanwhile all major US companies follow
> > EU regulations - in general even worldwide. So maybe this is all irrelevant
> > for you - but maybe not.
> >
> > On Monday, 04.12.2023 at 11:32 +0000, Daniel P. Berrangé wrote:
> > > Aside from the search, our is just static content, so I'm not sure
> > > how it can be said to be massively violating privacy.
> >
> > Please re-read. It is not about the content.
> > The website defines no privacy policy which is against EU regulations.
>
> Please provide any source for this requirement that applies to
> libvirt.org. That site has only static pages, it doesn't collect any
> personal data and based on my quick search the requirement for privacy
> policy is when you do collect personal data which is not our case.

I think the problem is really rather fuzzy.

The first issue is that there is no legal notion of "libvirt" as an
entity, which in turn makes it harder to say who has responsibility
for any parts of the GDPR.

The project exists only in so much as a selection of contributors being
members of the gitlab group.

The services used by a project come from a variety of sources. The
main project infra is all run by GitLab. The mailing lists are
run by Red Hat. The web server is on a personal server belonging to
the project's founder.

I think the responsibility (probably) likely lies with the various
providers of infrastructure.

WRT libvirt.org, if there are web server logs, the IP addr within
can be considered PII. It could be claimed that collecting web
server logs is a necessary function for running websites (eg to
identify hostile traffic) and thus not require consent. If you're
mining the data logs and correlating with other info though, it
probably would require consent. For avoidance of doubt: we're
not doing the latter.

In the end it probably doesn't hurt to have a simple privacy page
that says we're not doing anything untoward with server logs, etc.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|