Steps to Reproduce:
Yes and yes.
I'm afraid we won't get to a definitive one easily/fast, so keeping it a draft, while still discussing/improving it is a good work plan - it doesn't make it less effective, especially if we keep on publishing transparently what is actually done.
About the plan of what to do with the data, we ought to be clear about what we would like to do, and what we won't do. One of the goal of the project is "improve our understanding of computers and electronics devices users" that goes through proper usage metrics analytics (among other things).
So making clear what is the goal, what is the data and how it is used is crucial here.
How can we move forward here? open the topic on -discuss with a work plan and gather ideas first (with a deadline)?
As for making it easier to find, we can put it in the global footer (not set yet). Both the About section and the general Website design (influencing global footer) are in the works (pending a direction doc sent earlier to web & marcom teams) but didn't go far at this time. Milestone for this is beta1 release.
And we must declare this to CNIL (http://www.cnil.fr/ ) too.
I think we are exempted from the CNIL, at least according to my understanding of the law and exception :
But maybe we are not talking of the same "this", or maybe I misunderstood the law.
So far, we have :
- a ldap database with email, surname, first name
- various mailling list ( technically at zarb.org but well that's the same )
- various database derivated from the ldap database
- log of connexions
So I guess we can count this as 1 database of personnal information ( ldap + databases such as bugzilla, forums ), since I think the apache log do not count as such ( there is no personal information AFAIK ).
The database is used for :
- managing member of the association
- managing member of the community
- sending non commercial announce
So to me, it is ok, but I can send a email to cnil asking for clarification.
And looking at the declaration, there is nothing that correspond to what we do ( and the whole process is a little bit complex, so I would not start it if not needed )
Ok. Indeed for CNIL, it looks like we are exempted, for LDAP + public community web apps usage (as you said, bugzilla, forums, mls, code repos, buildsystem).
However, can we consider a public user/group directory (with maps) fall into the same category?
I think I will reformat the current policy document and tag it for public discussion and review on the list for a first limited time (like, 1 month).
Not a draft anymore.