[arch-dev-public] AUR ToS (aka making AUR user names public)

Lukas Fleischer lfleischer at archlinux.org
Tue Mar 7 08:05:28 UTC 2017


On Sun, 05 Mar 2017 at 22:54:07, Gaetan Bisson wrote:
> [2017-03-05 14:35:05 +0100] Lukas Fleischer:
> > My original question was: Are we fine with sharing the list of AUR
> > accounts names (only user names, no real names or email addresses) with
> > a researcher that seems trustworthy and agrees to not share the data in
> > any form other than the resulting anonymized statistics?
> 
> I am strongly against this because it seems to me it would put us in a
> very weak legal position (though as always IANAL).
> 
> The simple argument is that when users sign up for an AUR account they
> have no expectation that any data they submit (including their username)
> might be shared with a third-party.
> 
> Now as you've noticed with other Internet services, sharing data with
> third-parties is kind of a big deal. To the point that many services can
> only be used after you've agreed to some kind of EULA where you consent
> to your data being shared. For us it's even worse, there's no EULA, just
> what users might expect us to do with their data. So please let's err on
> the safe side here.
> [...]

I gave this a second thought and I still do not see how publishing the
list of user names would lead to a very weak legal position, especially
if you consider our legal position relative to the current situation.

If we *really* think that we need to keep user names secret, I think we
should take down the whole AUR website because we already share this
information everywhere without explicitly telling our users we do so. Or
at least censor the user names on every single page they appear on, which
would be a lot of work.

Maybe we should do what Phil suggested in the email I just forwarded to
the list (forgot to fix the In-Reply-To and References headers, sorry).
Write ToS as soon as possible, make users accept them when logging in
and send notifications to all users. Then delete all remaining accounts
after a grace period. A nice side benefit of this is that we would make
sure all passwords are migrated from MD5 to bcrypt, see [1, 2].
Opinions?

Regards,
Lukas

[1] https://lists.archlinux.org/pipermail/aur-dev/2017-February/004291.html
[2] https://git.archlinux.org/aurweb.git/commit/?id=29a4870
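The login-time hash migration mentioned above (forcing every user to log in so that each legacy MD5 hash can be replaced by bcrypt while the plaintext is available), as an added example in PHP, not aurweb's own code: the column names `Passwd` and `Salt`, the legacy layout md5(salt . password) and the bcrypt cost are assumptions.

```php
<?php
// Added example, not aurweb's code. Upgrades a legacy salted-MD5 password
// hash to bcrypt at the moment the user logs in successfully. Column names
// (Passwd, Salt) and the legacy layout md5(salt . password) are assumptions.

const LEGACY_HASH_LEN = 32;   // length of a hex-encoded MD5 digest
const BCRYPT_COST     = 12;   // assumed target cost

function legacy_hash(string $salt, string $password): string {
    return md5($salt . $password);
}

// Verifies $password against the stored hash and, on success, rewrites a
// legacy (or under-cost) hash as bcrypt. Returns true only when the password
// matches; a failed login never touches the stored hash.
function verify_and_upgrade(array &$user, string $password): bool {
    $stored   = $user['Passwd'];
    $isLegacy = strlen($stored) === LEGACY_HASH_LEN && ctype_xdigit($stored);

    if ($isLegacy) {
        // Constant-time comparison against the legacy digest.
        if (!hash_equals($stored, legacy_hash($user['Salt'], $password))) {
            return false;
        }
    } elseif (!password_verify($password, $stored)) {
        return false;
    }

    // Password is correct: replace an MD5 hash, or a bcrypt hash whose cost
    // is below the current target, now that the plaintext is in hand.
    if ($isLegacy ||
        password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $user['Passwd'] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        $user['Salt']   = '';   // bcrypt embeds its own salt in the hash string
        // Persist here, e.g. UPDATE Users SET Passwd = ?, Salt = ? WHERE ID = ?
    }
    return true;
}

// Constructed sample record: a legacy account that still has an MD5 hash.
$user = ['ID' => 1, 'Salt' => 'abc', 'Passwd' => md5('abc' . 'correct horse')];

if (!verify_and_upgrade($user, 'wrong password')) {
    echo "rejected; hash left as " . $user['Passwd'] . "\n";
}
if (verify_and_upgrade($user, 'correct horse') && strncmp($user['Passwd'], '$2y$', 4) === 0) {
    echo "accepted; hash upgraded to bcrypt: " . $user['Passwd'] . "\n";
}
```

Accounts that never log in during the grace period keep their MD5 hash, which is why the post pairs the forced login with deleting the remaining accounts afterwards.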
