Privacy policy for contributions

I want to know which module it is so it can be handled in public ASAP.

I'm definitely +1 to a policy. Even though we can only make policy for code hosted on drupal.org, I think anything in our repo should be clear of spyware.

Michelle

Ok I know which module it is and I'm not really surprised to learn its a repeat offender.

Spyware should need no policy - it is just unacceptable no matter what

Dave -- spyware needs a written down policy and process that we can link to / notify around, rather than having whatever d.o. admins act as they see fit in a case by case basis.

I don't think the privacy policy applies, this is about CVS Usage policy. Handbook page, so go ahead and edit directly. I've done a first cut by adding another do not at the bottom, feel free to edit directly.

If a module includes hidden iframes I don't need a policy to unpublish it. This is at least an invasion of privacy and might be even illegal.

I don't want to edit the page directly until I see if there's some consensus, but I don't think the statement on spyware should just be another bullet at the bottom of a list saying that it "can be grounds for CVS account suspension" (emphasis added).

IMO it needs to be stated first, very obviously, and say something more like "Any discovered spyware, malware, or undisclosed tracking code of any kind will result in the immediate suspension of your CVS account, unpublishing of the affected modules releases, and a warning on the project page." It probably should be mentioned on the cvs application page as well. It's that important.

afaic this is just as serious as security issues and should be handled similarly-- 0 tolerance. Any developer doing that knows exactly what they're doing-- there's no need for coddling them with 24 hour notice and such.

just my $0.02 worth.

I am against written policies where common sense would do. It only serves as loopholes "but it's not in the policy, we did nothing wrong". Spammers and other scum are cunning and come up with new tricks too often. I do not want to chase them.

I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it

I agree with you chx, but this is why: http://drupal.org/node/847952#comment-3177032

It helps to have something to which we can point these rocket scientists.

I understand the reason for creating such policy, but I also understand the point given by chx. Having a policy would allow the same rocket scientists to say that what they didn't is not expressly forbidden from the policy, in the same way they are now saying there is not a policy that forbids to do what they did.

A policy that describes what is not allowed in detail would not be useful because users could always say what they did is not expressly forbidden; a policy that describe what is not allowed in a too generic way is not useful too, as users could give their own interpretation.

The truth is that Drupal.org is a community; if 3 webmasters / site maintainers decided that what a user done is not allowed, then it's not allowed.

Even if there would be a policy, there should always be somebody who needs to give the correct interpretation of what reported in the policy, in the same way a judge give the right interpretation of written laws.

My vote is to keep it simple. Add a general rule that spyware is unacceptable so people can't say they didn't know. Don't go into details that can have loop holes. Make it clear in the document that interpretation is up to maintainers / admins. Set an action list something like this:

1) If an issue is found, webmaster makes a webmaster issue and notifies the maintainer.
2) Issue should be +1'd by N maintainers.
3) After N days, release is unpublished until issue is resolved.

Michelle

The admins still ultimately have control. Ultimately the policy is a suggestion. Writing it down in the policy just tells other people what's going through the minds of the admins. as long as you say "we reserve the right to revoke your cvs account at any time for any reason" you should be fine.

I think there is already a page that reports we can revoke a CVS account for any reasons; I have to find where that page is, and to check if it has been changed.

In the TERMS.txt file is clearly reported that:

TERMINATION

A user's account may be terminated without warning for reasons that include,
but are not limited to:
1.) violation of these TOS;
2.) abuse of site resources or attempt to gain unauthorized entry to the site
or site resources;
3.) use of service in a manner inconsistent with the purpose;
4.) a user's request for such termination;
5.) requirement of applicable law, regulation, court or governing agency order.

IMO, creating a module that is spyware is against the point #3.
Users are warned that we can terminate a CVS account for any reason, without to give a warning.

I think that point #3 catches all the cases of spyware, malware, etc; the purpose of allowing users to access the CVS repository is not to allow them to grab information from any web site running their module.

If that would not be enough, the first part substantially says that a CVS account can be revoked without warning for any reason.

Marking this fixed. Feel free to continue to edit CVS Usage Policy handbook page.