- Case Number: a20090427.2
- Status: closed
- Claimants: Gregory Stark
- Respondents: CAcert
- Case Manager: Alexander Prinsier
- former Case Manager: Alejandro Mery
Arbitrator: UlrichSchroeter
- former Arbitrator: Sebastian Kueppers
- Date of arbitration start: 2009-05-17
- Date of ruling: 2010-08-29
- Case closed: 2010-08-29
- Complaint: Adhoc SQL query requested
The need for location data from the production database for the purpose of developing Ad hoc SQL queries that are geo-specific to CAcert members for internal business operations. Specifically the country, region, and location tables of the database. The extraction of this data contains no member sensitive information. Please consider this request as an Arbitration, according to Security Policy 3.3 [5]. The SQL queries would be: To determine the size/# records in each table: ---- SELECT count(*) FROM countries; SELECT count(*) FROM regions; SELECT count(*) FROM locations; ---- Of concern might be the size of location table, which could be broken down into manageable chunks using "BETWEEN" (see below.) To export the data to simple tab delimited files: ---- SELECT * INTO OUTFILE '/tmp/countries.txt' FIELDS TERMINATED BY '\t' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' FROM countries; SELECT * INTO OUTFILE '/tmp/regions.txt' FIELDS TERMINATED BY '\t' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' FROM regions; SELECT * INTO OUTFILE '/tmp/locations.txt' FIELDS TERMINATED BY '\t' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' FROM locations; The chunk version: SELECT * INTO OUTFILE '/tmp/locations.txt' FIELDS TERMINATED BY '\t' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' FROM locations WHERE id BETWEEN 0 AND 50000; ----
- Relief: execute sql queries
Before: Arbitrator UlrichSchroeter (A), Respondent: CAcert (R), Claimant: Greg Stark (C), Case: a20090427.2
History Log
- 2009-05-17 (Support): Sebastian Kuppers granted Arbitrator for the case
2009-12-25 (UlrichSchroeter): arbitrator released this case as of a20091118.4
- 2009-12-25 (A): I'll take care about this case
- 2009-12-25 (A): requesting informations regarding this case from (C) and former (A)
- 2009-12-29 (C): I am still interested in having all my cases processed
2009-12-29 (AlexanderPrinsier): I'll take care about this case as (CM)
- 2010-01-03 (A): sent some queries to (C) and Critical Sysadmin Teamleader
- 2010-01-03 (A): sent some interview questions to probably mainteners of the locations database
- 2010-01-03 (A): rcvd answers from PD's interview
- 2010-01-03 (A): rcvd answers from Iang's interview
- 2010-01-03 (A): rcvd answers from PG's interview
- 2010-01-03 (A): rcvd answer from Critical Sysadmin Teamleader
- 2010-01-05 (A): rcvd answer (to req 2010-01-03) from (C)
- 2010-01-07 (CM): wrote php script that executes the queries and puts the output in a file, sent to (A)
- 2010-01-09 (A): deployment and testing of alternate php script (similiar to the events mailing script) that simulates an OUTFILE output
- 2010-01-09 (A): request to (CM) + Sysadmin teamleader about hints to the results of the deployed script and the test runs
- 2010-01-09 (A): rcvd answer from Sysadmin teamleader from req 20100109
- 2010-01-10 (A): req. to PG about his 2nd answer from 20100103 interview to clarify his statement "I was told that some of the data we have is for CAcert only, and we are not allowed to hand it out to anyone else."
- 2010-01-11 (A): rcvd answer by PG. answer to be declared private under seal by (A)
- 2010-01-13 (A): from PGs offer for a qemu image as a workaround, sent req. to (C) about a statement
- 2010-01-13 (A): contacting SVN admin with questions a) is add permissions for user procedure with notification to PG installable ? b) exists any resource limitations ? bandwith? diskspace ? for the optional qemu image solution (filesize: about 735 Mb) ?
- 2010-01-13 (A): rcvd answer from SVN-admin
- 2010-01-15 (C): sending answer to queries from 2010-01-13
- 2010-01-25 (A): req. for infos about a locations database contributor
- 2010-01-25 (A): rcvd answer with infos about contributor
- 2010-01-25 (A): sent req. to one of the contributors of locations database
- 2010-01-27 (A): rcvd first answer from one contributor of locations database
- 2010-01-28 (A): sent further questions to one contributor of locations database
- 2010-02-28 (A): Progress report to (C), (CM) that ruling will still retard caused by complexity of this case
- 2010-06-18 (CM): requesting progress report from A
- 2010-07-01 (A): current state: writing down rationale
2010-07-01 (A): questions to Software-Assessment team and Software-Assessment project team about testserver images
- 2010-07-01 (PG): answered (see below)
- 2010-07-01 (A): Dirk, you've downloaded the testserver image from PG. Does this image includes the locations database?
- 2010-07-03 (A): forwarded req to Dirk to Dirks private mail addr
- 2010-07-03 (Dirk): i just verified, that in the image, which we got from PG the tables contain the data for the location database. i made some quickchecks with german coordinates i know (Velbert, Frankfurt, Leverkusen) and detected them as valid.
2010-07-06 (Andreas): the current state of the testserver image is located here <...>, see also Testserver Images
- 2010-07-06 (A): interview dirk within the Software-Assessment-projects telco: does the current testserver image from Andreas as described above contains the locations database ? dirk's answer is: No
- 2010-07-08 (A): published discussion to arbitration participients (CM), (C), (R), Software-Assessment-Team, Infrastructure-teamleader, Critical sysadmin teamleader and participients in this case who gave answers to some of the questions for comments
- 2010-07-29 (A): Discussion - Recomendation "Solution I" sent to (C), Critical Sysadmin team, Software-Assessors, Software-Assessment Project team, developers mailing list, board mailing list, (CM) for comments
- 2010-07-29 (C): respond to "Solution I": Yes, this work for me.
- 2010-07-29 (IanG): respond to "Solution I": some doubts
- 2010-07-29 (PG): respond to "Solution I": one doubt
- 2010-07-29 (Wytze): respond to "Solution I": problem with the "limitation", ok with the rest
- 2010-07-29 (Mario): respond to "Solution I": proposal for locations database migration
- 2010-08-03 (A): infos about IPR transfer to CAcert Inc requested. Email sent to Board, (C), (CM) under seal
- 2010-08-24 (Wytze): info about locations database
- 2010-08-25 (A): sending req. for info to one of the contributors of locations database and (PG)
- 2010-08-25 (PG): answered req from (A)
- 2010-08-27 (A): discussion with Ian about IPR and CAcert on IRC, notification of a possible CoI
- 2010-08-28 (A): req to (Software-Assessment team), (Critical Team): is there a log on community contributions on locations-database-set available ? Req. for recommendations on a locations-database-set migration plan ?
Discovery
- Has the export been executed in the meanwhile ?
- If the answer is no. Do (C) maintain his claim ? Answer is Yes.
- Countries, List of Countries
Field
Type
Comment
id
int(3)
Primary Key
name
varchar(50)
country name
acount
integer
how many assurers in this country?
- Locations, List of Cities
Field
Type
Comment
id
int(7)
Primary Key
regid
int(4)
city relates to this region
ccid
int(3)
city relates to this country
name
varchar(50)
city name
lat
double(6,3)
latitude of the city
long
double(6,3)
longitude of the city
acount
integer
how many assurers in this city?
- Regions, List of Regions
Field
Type
Comment
id
int(5)
Primary Key
ccid
int(3)
region relates to this country
name
varchar(50)
region name
acount
integer
how many assurers in this region?
- Countries, List of Countries
Each table includes an account field with live data from the system - how many users are in each area. Is this needed for the export?
- alternate: select id,name,0 from countries resets all account values to 0
- (A): from PG i've got a testserver image in 2009 with countries, locations, regions filled.
- recorded values from a test export:
db
records count
size [bytes]
countries
248
4583 (4 Kb)
regions
4579
103101 (103 Kb)
locations
2200456
101137195 (101 Mb)
- DRAFT p20090327:
- 3.3. Application [3] - Requests to systems administration for ad hoc queries over the database for business or similar purposes must be approved by the Arbitrator.
- WIP 20091213:
- 7.6. [2] Handover Production - Requests to Application Engineers for ad hoc queries over the database for business or similar purposes must be approved by the Arbitrator.
- DRAFT p20090327:
- (A) mail request dated 2010-01-03 to (C) / Critical Sysadmin Teamleader
I have a few questions. First of all some background infos. I've got a testserver image from PG back in 2009 with tables data filled for countries, regions, locations. I've did a test export with the query proposed by Greg: ------ SELECT * INTO OUTFILE '/tmp/countries.txt' FIELDS TERMINATED BY '\t' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' FROM countries; ------ The proposed table sizes are: db reccount size [bytes] size countries 248 4583 4 Kb regions 4579 103101 103 Kb locations 2200456 101137195 101 Mb QUESTION 1 ========== @(C): All tables includes an account field with the count of users for each area (city, region, country) Is this needed in the export ? or can the export reset these values to 0 ? QUESTION 2 ========== @Sysadmin Teamleader: About the OUTFILE option: the testserver image i've got from PG includes a MySQL 5 db As I know, the live system has a MySQL 4 database. Is this correct? I've did a test export on a MySQL 4 database. And the OUTFILE parameter works also. ------------------------------------------------------------------------ drive-path>mysql --user=root --host=localhost --password=xxxxxx Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 375004 to server version: 4.0.20a-nt Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> select * into outfile '/forument.txt' -> fields terminated by '\t' -> optionally enclosed by '"' -> lines terminated by '\n' -> from bbs.forum_entries; Query OK, 11 rows affected (0.02 sec) ------------------------------------------------------------------------ This is a similiar test query against a MySQL 4 database and i've got no error executing above query. So where is the problem using the OUTFILE option ? QUESTION 3 ========== @Sysadmin Teamleader: If the export is made, where can the export be placed for download? Is it possible to transfer the export to the svn server? I'll propose to create a subdirectory https://svn.cacert.org/CAcert/testsystem with a subdirectory locationsdb to place the exports into this directory. as SP states in 3. LOGICAL SECURITY, 3.1.1.1. External connectivity and 3.1.1.2. Internal connectivity restricted access This is no execution request and no ruling. This is only to investigate the environment and possible solutions for this arbitration request. Actualy I found no exceptions to not allow the export of the locations data (except the count users column). All other data informations can be compiled from several databases around the world. The cities geo locations informations doesn't fall under personal related data. There is no link to a user account in these requested tables. So further investigations to find a solution for doing the export is still open. What I didn't yet considered is the license model under which the locations informations are handled. This needs some further investigations ...
- License model under which the exported data falls:
- CCA 1.3 Your Contributions
You agree to a non-exclusive non-restrictive non-revokable transfer of Licence to CAcert for your contributions. That is, if you post an idea or comment on a CAcert forum, or email it to other Members, your work can be used freely by the Community for CAcert purposes, including placing under CAcert's licences for wider publication. You retain authorship rights, and the rights to also transfer non-exclusive rights to other parties. That is, you can still use your ideas and contributions outside the Community. Note that the following exceptions override this clause: 1. Contributions to controlled documents are subject to Policy on Policy ("PoP" => COD1) 2. Source code is subject to an open source licence regime.
- Exported data is no contribution to a controlled document
- Exported data may fall under the source code subject to an open source licence regime.
- Answers from an email interview by PD:
- 1. Where does the data of the locations, regions, countries tables comes from ?
- The community
- 2. Are they subject to a special license model?
- I believe not
As I know, addtl. entries to the locations database are contributions from community members (i.e. city not in the locations database -> insert new record by having the locadmin flag in the useraccount data set) CCA 1.3 Your Contributions. But the question here: 3. is this an exception to the default license model as stated under exceptions: 2. Source code is subject to an open source licence regime. ?
- I think that this is not part of the source-code, and therefore an open-source license is not mandated. However I believe we should provide this information freely. But this is part of the decision you have to make.
- 4. As the locations table is part of the critical system, SP 9.4. Outsourcing
- I think this has nothing to do with outsourcing, but again, that is what you have to decide.
- Your hints? Thoughts?
- My thought is that the data at issue here has no privacy implications as no part of it is personally identifiable. So it would be non-critical in my eyes. Therefore it should be shared freely with the community. So my strong hint would be to do the export and publish freely for download even though for historic reasons that data is currently housed in the core systems under auspices of the Critical Systems Team. My core statement would be that: Just because data is currently part of the critical systems, that does not automatically mean it is critical data. There is data in there that has no need to be kept private. And such data can be released via the arbitration system.
- 1. Where does the data of the locations, regions, countries tables comes from ?
- Answers from an email interview by Iang:
- 1. Where does the data of the locations, regions, countries tables comes from ?
- The data can be added by members who had the special Location admin bit set. This is set by Support Engineer. There is currently no control over this other than being asked. As I understand it, the data was added by (and the bit was given to) members who grumbled that their town was not on there.
- 2. Are they subject to a special license model?
- It was this sort of thing that CCA 1.3 was meant to cover/include. Whether it succeeds or not is a decision to be made... The Locations data isn't / shouldn't be really under the regime of Security Policy.
- ... but the question here: 3. is this an exception to the default license model as stated under exceptions: 2. Source code is subject to an open source licence regime. ?
- No, this isn't source code, this is data. IMHO.
- 4. As the locations table is part of the critical system, SP 9.4. Outsourcing
- Right, in that the board is generally the executive for deciding whether a component is inside critical or not. As it happens, two cases are being discussed by the Board now: DNS+OCSP and also the domain cacert.org. The former will likely become critical-team (vote to be confirmed tonight), the latter is still uncertain.
- If we were to interpret Location data as being a question under SP9.4 then one thing might be to simply request the board to examine it and determine if it can be outsourced.
- As it happens, this was discussed at Innsbruck, and Birdshack team already decided to outsource it (well, maybe that's a bit too aggressive, there were some spirited defences of keeping it internal).
- If the current position is that the data is inside critical sphere, then the data is under SP, so it needs to be dealt with as such. This is somewhat confirmed by the need to run an ad hoc SQL query through Arbitration.
Right. A question for the future; it is clear that we are now making text changes without proper controls ... one could argue that this is ok, as it is the historical path. I'm not sure what a future auditor would make of the fact that we are installing text on the system in a language we can't read For my view, it's something to worry about in the future, we need to get the basics right.
- Your hints? Thoughts?
- Yes, this seems more complicated.
- An "ad hoc" query releases limited data for limited purposes. This isn't the same thing as permanent publication of a font of data. One would think that the "ad hoc" query releases the data to a member who will then be expected to look after it; including not further publishing it. Although not written down, that is the implication I draw today.
- A decision to take a portion of the data base in order to do further ad hoc queries is another step further; the way I read the Arbitration filing, it isn't asking for an ad hoc request, it's asking for a slice of the database in order to do further ad hoc requests. This is more or less the thing that we didn't want to do: hand over extracts of our database to researchers, marketeers, etc, so they could construct the ad hoc requests without further reference to ourselves.
- Then, a decision to publish on a regular basis, however it is done, is more of an over-arching architectural decision. Which should be before the architect, the software assessment team, and at the end of the day, before the board as ultimate responsible agent.
- So according to the reading of the request, it may be something that Arbitration should reject, and instead refer to Board?
- Perhaps the thing is to use this good work in analysis done so far, in order to write the motion for the board to vote on?
- 1. Where does the data of the locations, regions, countries tables comes from ?
- Answers from an email interview by PG:
- 1. Where does the data of the locations, regions, countries tables comes from ?
- We used various data sources that were freely or non-freely available. Additionally, CAcert users that are location-admins can add/modify/delete entries.
- 2. Are they subject to a special license model?
- I was told that some of the data we have is for CAcert only, and we are not allowed to hand it out to anyone else.
As I know, addtl. entries to the locations database are contributions from community members (i.e. city not in the locations database -> insert new record by having the locadmin flag in the useraccount data set) CCA 1.3 Your Contributions. But the question here: 3. is this an exception to the default license model as stated under exceptions: 2. Source code is subject to an open source licence regime. ?
- This is data, not sourcecode. It is not part of the sourcecode we ship.
- 4. As the locations table is part of the critical system, SP 9.4. Outsourcing
- ./.
- Your hints? Thoughts?
- I would suggest a different option:
- We do have full copies of those tables on some of our test-systems. I would suggest to give the people that need access either location-admin access through the web-interface, or access to test1.cacert.at which contains the tables.
- Handing out the tables as downloads results in a lot of traffic, and should be avoided, if easily possible.
- 1. Where does the data of the locations, regions, countries tables comes from ?
- answer from Critical Sysadmin Teamleader
> @Sysadmin: > About the OUTFILE option: > the testserver image i've got from PG includes a MySQL 5 db > As I know, the live system has a MySQL 4 database. Is this correct? No, the live system also runs with MySQL 5, more specifically: mysql-server-5 5.0.32-7etch11 (debian package name/version) > I've did a test export on a MySQL 4 database. And the > OUTFILE parameter works also. As I reported on May 5, 2009 to (C): > I've had a quick look at the queries. Is the formatting "SELECT * INTO > OUTFILE" etc. required for you, or would a formatted table dump do > just as well? Issue with the SELECT INTO OUTFILE is that you need the > mysql FILE privilege to do so, and user cacert does not have that > (nor should it). So this is not an issue with the MySQL version, it is just that user cacert (the one we use to access the database) does not have the required privilege. Here is the error message from the live system: mysql> SELECT * INTO OUTFILE '/tmp/countries.txt' -> FIELDS TERMINATED BY '\t' -> OPTIONALLY ENCLOSED BY '"' -> LINES TERMINATED BY '\n' -> FROM countries; ERROR 1045 (28000): Access denied for user 'cacert'@'localhost' (using password: YES) My MySQL knowledge is very limited; I've only noticed that dropping the "INTO OUTFILE '/tmp/something'" part from the query is not valid syntax anymore according to the mysql utility: mysql> SELECT * -> FIELDS TERMINATED BY '\t' -> OPTIONALLY ENCLOSED BY '"' -> LINES TERMINATED BY '\n' -> FROM countries; ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FIELDS TERMINATED BY '\t' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' at line 2 > ... > So where is the problem using the OUTFILE option ? I think I've just explained that adequately above here. > QUESTION 3 > ========== > > @Sysadmin: > If the export is made, where can the export be placed for > download? > Is it possible to transfer the export to the svn server? Are you talking about a regular export (say daily or weekly)? That would have to be automatic, and it's not so easy to do; the webdb server has (on purpose) no possibility to routinely copy files to the outside. If it is just for a one-time export, it's no problem, that can be done manually of course. > I'll propose to create a subdirectory > https://svn.cacert.org/CAcert/testsystem > with a subdirectory locationsdb > to place the exports into this directory. > as SP states in 3. LOGICAL SECURITY, 3.1.1.1. External connectivity > and 3.1.1.2. Internal connectivity restricted access Ah, I see what you mean, you are looking for an "internal" channel from webdb server to svn server. There really aren't such channels in my opinion, expecially as the CAcert infrastructure services (including svn) are likely to be housed elsewhere soon, at a completely different physical location than the critical services. However, given the essential public nature of the data in case, I can well imagine two other solutions: (a) a reverse solution: maintain the master version of these tables on some CAcert infrastructure system (eg svn), and have the webdb server pull in this data on a regular basis to update its mysql copy. Some scripts would need to be written for that, but it would fit in with the current access restrictions setup; (b) a simple download solution: the webdb server could make the data available via its web interface (over http or https), and thus allow some script on the svn server to pull in new versions on a regular basis. If the data is not considered to be fully public, it probably shouldn't go into svn either, should it? But for data protection (b) above could be enhanced to allow the retrieval only by a specific IP or certificate. [...] The remarks from PG and Iang which I read on the wiki page for this arbitration all seem to make a lot of sense. The only thing that raised an eyebrow with me was PG's remark that some users may have contributed data to this database with an express intent that it would only be used for CAcert and for nothing else. That would be hard to reconcile with publishing the data, but I guess you'll have to ask for explicit evidence of this situation, it could be obsolete hearsay, I have no idea ...
- answer from (C)
Question #1 The count of users for each area (city, region, country) is not necessary. Question #2 & #3 OUTFILE on the production system is not an option due to the nature of the configuration. No way to get the file once it is created. A formatted screen dump would suffice. The locations file was going to be the problem.
- CM / A alternate php script (similiar to the events mailing script) that simulates an OUTFILE output
<? /* Copyright (C) 2010 CAcert Inc. */ error_reporting(E_ALL); require_once("../includes/mysql.php"); $output1 = "/tmp/a2009042702.countries.txt"; $output2 = "/tmp/a2009042702.regions.txt"; $output3 = "/tmp/a2009042702.locations.txt"; if(!($fp1 = fopen($output1,'w'))) return; if(!($fp2 = fopen($output2,'w'))) return; if(!($fp3 = fopen($output3,'w'))) return; // id,name,account (-> 0) $query1 = "SELECT * FROM countries"; // id,ccid,name,account (-> 0) $query2 = "SELECT * FROM regions"; // id,regid,ccid,name,lat,long,account (-> 0) $query3 = "SELECT * FROM locations"; // QUERY 1 function dump_table($query, $fp, $fclmn) { $res = mysql_query($query); $nbFields = mysql_num_fields($res); while ($row = mysql_fetch_array($res, MYSQL_NUM)) { for($i=0; $i < $nbFields; $i++) { // fwrite($fp,$row[$i]); if($i != $nbFields-1) { if ($i == $fclmn) { fwrite($fp,'"'.$row[$i].'"'); } else { fwrite($fp,$row[$i]); } fwrite($fp,"\t"); } else { fwrite($fp,"0"); fwrite($fp,"\n"); } } } mysql_free_result($res); } dump_table($query1, $fp1, 1); dump_table($query2, $fp2, 2); dump_table($query3, $fp3, 3); fclose($fp1); fclose($fp2); fclose($fp3); ?> around 14 min. (!) runtime on testserver results in output: /tmp/a2009042702.countries.txt 1 "Afghanistan" 1 /tmp/a2009042702.regions.txt 1 7 "Barbuda" 0 /tmp/a2009042702.locations.txt 1 2527 169 "A" 62.983 9.750 0
- Sysadmins teamleader answer 20090109
> attached version c of the script. > The output goes to directory /tmp > 'cause this is writable. Actually any directory that is writable for the id executing the script will do fine. But /tmp is guaranteed to be fine :-) > I've modified the script this way, that > it simulates the output of the "OUTFILE" > parameter from the proposal. > > This version is tested on my local testserver > system. > The runtime of the script was around 14 min. (!) > on my testserver and results in output rows: > ... > @Sysadmins teamleader: > > This is not a ruling, only a proposal and > a question to you: > > what is your suggestion about the script runtime > of about 14-15 min ? It's long but quite feasible, certainly for a one-off. I expect it to run a little faster than 15 minutes on the production system. > Is it ok, to start this script on the life system ? Yes, no problem. > or would you suggest, that this runtime > is a burden on the production system ? No, only if we would be running this very frequently, but I understand that that is not the case. > My intention for the ruling is, to let the > script running once, not on a recuring schedule. Fine. > So your thoughts how a regular transfer can be > implemented is oversized for this solution. > A onetime transfer to a storageplace that > can be secured for requestors will fit > like the src directory on SVN Please make sure to point out in your ruling whether the results may be published to a generally visible place somewhere in the CAcert infrastructure or that they should be kept private to arbitrator and any others you see fit to receive the data.
We actual have one SVN admin and requests have to go to svn-admin@c.o
- answer from SVN-admin 2009-01-13
> Means, if a user requests access to this > image and has no permissions to > this directory, the SVN admin has > to add the new users account to the > SVN and have to forward a notification > to PG. > > 1. Is this a procedure that can be > established ? Yes it could be established. I think a special issue category in the bug tracker for such requests could be a good idea though. > 2. the file size of about 735 Mb > can this handled thru the SVN ? > or exists any resource limitations > i.e. bandwith, disk space ? SVN is no ideal for storing binary files but could be used for it. We have 30G of available disk space on the svn machine. So one revision with the bz2-file should be no problem. If it changes from time to time you should be aware that SVN does not handle binaries (especially files with lots of changes) very efficiently. If there are no plans to change the file very often I think it would be better to create a download area served by Apache and protected by certificate or password authentication.
- (C)'s statement on request from 2009-01-13, at 2010-01-15
Ulrich, I am very pleased that you are making this effort and I appreciate it. To answer your questions: Yes, it meets the need to have access to such data. As a request to perform an Ad hoc SQL query; No. Say that I develop a query to extract monthly numbers on usage and demographics for COMA, the Board, for the marketing and events group, or an AGM report. Whose queries are trusted? How does the query get validated so the sysadmins feel comfortable and willing to run it? How is the data going to get off the production system? Here is the fuzzy area of this Arbitration. Around the time I requested this arbitration, we were trying to get an email sent to assurers whose ability to assure had arbitrarily been turned off by Philipp Guehring when he installed the CATS patch without notice to anyone. Hence later, you got your "Event Announcement Email script". So be careful about the decision in this arbitration. I feel the ruling needs to be, "Ok, run the these queries". This supports the security policy and our CAcert management's ability to extract useful metrics about the project, and to send email to users and assurers. To say no is to set the precedence to avoid running any kind of query. **That you identify the steps of how this happens is also of great importance so that future Ad hoc SQL query requests can be run, and do not have to wait a year. Everyone has looked these queries over, and agrees they do not extract personal data that puts CAcert in jeopardy by the Belgium DPA. That this data comes via a console session saved to file, is fine. It may take time, it won't crash the system. It can also be run at a low use time. You need to dispel the fear of doing this kind of thing. Regards, Greg
Info about Locations Database used within the CAcert's website
- 2010-07-01 (PG): answer
> 1. Does the testserver image, that is under your > control include a copy of the locations database ? > I think so, but I don't fully remember at the moment. > 2. Is there a Download link available, that someone > can download the testserver image? > please add also the link > Direct download: <link anonymized> BitTorrent download (I am not sure whether that one still works): <link anonymized> > 3. Is there a download restriction set and if yes, > what access restrictions exists for this link? > account? password? client cert? or only > knowledge of the link ? > Only the knowledge of the link.
Discussion
The questions that araises in this Ad hoc query request are multiple folded. 1. Questions about the locations data: a) Is the query results data critical or non-critical data ? b) Are the results of the query under a CAcert license model ? c) Are there any reasons why data cannot be published ? d) Does this data relates to SP 9.4. Outsourcing From further investigations, I received the answers from the critical sysadmin team, statements from Board members, from developers and from the Software Assessment team. This araises addtl. questions: 2. Ad hoc vs. recuring queries. a) What does this mean ? b) Is there a difference ? c) How does recuring queries effects critical sysadmin team ? d) How does recuring queries effects Software Assessment team ? e) How does recuring queries effects the CAcert board ? 3. Statistical data: a) What does this mean ? b) How is this effected by SP / SM and other policies ? c) How can the results be transfered to the recipients ? 4. Publishing of Ad hoc query results a) Is there a simple answer to a complicate qustion possible ? b) can some data be published freely ? c) or needs all Ad hoc query results to be private ? 5. Usage of Locations Data === Question 1.a) === From the requested tables, the tables content has no privacy implications and no part of it is personally identifiable. So it can be declared as non-critical data. Even though for historic reasons that data is currently housed in the core systems under auspices of the Critical Systems Team. My core statement would be that: Just because data is currently part of the critical systems, that does not automatically mean it is critical data. There is data in there that has no need to be kept private. The Locations data isn't be really under the regime of Security Policy. And such data can be released. === Question 1.b) === - Existing CAcert license models doesn't cover the locations database data. - Exported data is no contribution to a controlled document. - Exported data doesn't fall under the source code subject to an open source licence regime. I see the CCA 1.3 "Your Contributions" as the license model, that comes in place, if no other license model relates to the case in question as a fallback. If no contributor can be identified, so the contributor has to be set to CAcert. One additional question is under a historical view: What is with contributions before CCA comes into effect ? Here I come to the conclusion, that they also covered under CCA 1.3 "Your Contributions" license with two exception. Exception 1: One, that is handled by another arbitration (a20090913.1): named "privacy info" The contributors "privacy info" has to be anonymized on request as long as its not covered by the Privacy Policy. Exception 2: The 2nd exception is a case with a named contributor with a restricted license form, that isn't covered by the CCA 1.3 license schema. If one have made contributions before CCA comes into effect, the license may be limited if a named contributor did so. === Question 1.c) === PG makes a claim, that on contributor with some of the data we have is for CAcert only, and we are not allowed to hand it out to anyone else. As the data cannot be extracted, this claim relates to all or nothing of the data set. No chance to extract or split it in any way to become a set of non-transferable and a set of transferable data. By a review of the used license model for this contribution, this contradicts with the license model that is published by the CCA 1.3 "Your Contribution" model, but falls under exception 2 - contribution was made before CCA comes into effect. The name of the contributor is known to the arbitrator. See also https://wiki.cacert.org/Software/Database/LocationDatabase === Question 1.d) === The answer that were found in 1.a), that the locations data isn't really under the regime of Security Policy means, that also SP 9.4 hasn't been covered and the release of the data needs to be handled by an arbitrators ruling. === Question 2) === An "ad hoc" query releases limited data for limited purposes. This isn't the same thing as permanent publication of a font of data. One would think that the "ad hoc" query releases the data to a member who will then be expected to look after it; including not further publishing it: 2.1 a20090810.3 User requests a list of people who have more than 150 points a20090902.1 request list of OA Other samples includes the publishing of data for i.e. work on a new policy work 2.2 a20091221.1 Adhoc SQL-query about U18 cases An "Ad hoc" script that falls under the recuring schema is the Events team leader request: 2.3 a20090525.1 Event officer request recurrent notification to assurers near the location of the following ATEs Here there is no publishing of data. Its a automated mailing to recipients, that are unknown to the Events team leader and also to the sysadmins. The only result of the script is the count of recipients, that can be seen as a statistical data. The difference between the "Ad hoc" queries listed under 2.1 and the scripted mailing under 2.3 is, that the scripts under 2.3 is a subset of a query, that has a limited purpose, that has a defined input of a few variable, but known parameters: - central location - max distance to the location - subject text for the mailing - text that is used in the mailing and a defined output. This has been reviewed by an arbitrator and has been ruled. Each of the "Ad hoc" queries listed under 2.1 has also been reviewed by an arbitrator and the execution has been ruled by the arbitrator. The exception of 2.2 query was, that the result needs to be published. This was also handled by an individual arbitration case and was ruled by an arbitrator. Conclusion: Each "Ad hoc" query, also each recuring query needs a definition of a query, the expected result, the recipient(s) of the result set, and if this result set can be published or not. If there is a need of a recuring execution, this can be defined by request (yet arbitrated Ad hoc query) or in the initial request. This only needs one arbitration (see Events mailing case) so futher executions can relate to the one handled case. As a result of this. This arbitration can rule for the request for the location data. But this arbitration cannot rule for the results of future developed queries, that are not known yet. If i.e. the marketing team needs recuring statistical data about user growths in locations worldwide over a timeframe, they have to define their query with a request, to start this script on a recuring schedule. If this data can be published or not, depends on the query that has been requested and needs to be ruled by an addtl. arbitration case. === Question 3) === The nature of Statistical data is, that many of them can be published freely - see www.cacert.org + About CAcert.org + CAcert Statistics http://www.cacert.org/stats.php This covers the count of users, assurers, and more detailed data like count of assurer candidates, count of assurers with test and so on. Also the growth over the past 12 months and the past years can be displayed freely. Other statistical data cannot be accessed so easily like the "hidden" stats page: https://secure.cacert.org/wot.php?id=1 that lists the count of assurers by county, by region, or by city This "hidden stats" page relates to the "find an assurer" database, and has restricted access permissions to the loggedin users, means community members. The difference between both statistical data relates to the Privacy Policy: 8. Privacy of user data CAcert Assurers can see the name, birthday and the number of points by looking up the correct email address. No other person related data is published by CAcert. As the "find an assurer" results page displays names of assurers in a form of half anonymized names, to all community members, this is an addtl. not yet covered set of data from within the Privacy Policy. The "find an assurer" results page lists: givenname, 1st char lastname, the count of points an assurer can give and a free text field, the assurer can fill in. So therefor the "hidden stats" page cannot be published freely. Collecting statistical data, how many assurers are listed in each country, region, city without further link to the assurers list contains no privacy related data and therefor can be published in a way, that data can be used CAcert internaly for develop seeding programs for CAcert deserts. But this isn't covered by this arbitration and needs a review in another Ad hoc query request decision. === Question 4) === The Publishing of Ad hoc query results a. Is there a simple answer to a complicate qustion possible ? Yes. Each query result needs to be checked against privacy issues and SP thru an arbitration. Sample 1: the current query request to export locations data is a resultset with non-privacy data. So therefor, this result can be published (by default), but needs to be reviewed by an Arbitrator, if a result set doesn't realy doesn't contain any privacy data (i.e. misused fields in data set) Someone can add his Email address and postal address in the description field of "Find an Assurer" dataset. Sample 2: A query request of potential assurers for an ATE, to transfer the Email addresses to the Event Officer will probably contain personal data (the Names and Email addresses). So therefor thus needs to be arbitrated (see [[Arbitrations/a20090525.1|a20090525.1]] [[Arbitrations/a20090525.1|Event officer request recurrent notification to assurers near the location of the following ATEs]]) The workaround to prevent transfering the result set was, that the scripted mailing doesn't transfer the complete result set to the Events Officer, instead the mailing was triggered by the critical sysadmin team an the Events Officer only receives the count of mails sent to potential Assurers. So there is no publishing of sensitive data. b) can some data be published freely ? Statistical data can be published within CAcert by default if the statistical data doesn't contain privacy data. I.e. in the prepare phase of the Policy on Junior Assurers / Members the question araises, how many members started membership underaged. The count of users was something unexpected so the real need for this subpolicy was emphasized by the result. By default, results w/o privacy data can be published within CAcert w/o problems. Someone can argue, that a query about Delete Account requests may harm CAcert, so freely publishing shouldn't be allowed. So thats why a precedence ruling cannot be taken. Each query needs an individual arbitration. c) or needs all Ad hoc query results to be private ? Privacy is a limitation. Also may other questions better be for CAcert internal usage only. But a general limitation, that query results needs to be private cannot be set. Again, each query needs a review by an Arbitrator, who have to decide, if the query can be executed as expected and how the result set can be used. === Question 5) === The usage of Locations Data was limited by the contributor for CAcert usage only. Thus means, there is an unclear state, if the locations database can be used on another CAcert service (i.e. new Software, other infrastructure server). It can be used for CAcert developers in testserver images. But the usage is limited to CAcert internal usage only, to write and test patches or new features for the current webdb system. From all the informations received, parts of the locations database maybe OpenSource. But as long there is no defined state here, and the data is mixed with probably limited data, the overall state is "limited". How to transfer the locations database result set? The locations database is about 100-120 Mbytes in size. Thats half of the size of the complete webdb system. It comes to my knowledge that testserver images flying around with hidden links (PG has a testserver image, the new Software-Assessment project has a testserver image). On further investigation, the result is, that the testserver image by PG has the locations database included. The new testserver image built by Wytze within the Software-Assessment-project doesn't contain the locations database by default. So one question that araises: is there a need to export the locations database from the live system? or is it sufficient to use the existing testserver image from PG with the locations database included? With this limitations set, its difficult to handle this in practice. How can it be archived, that only CAcert developers get a testserver image with the locations database included? How can we prevent developers to use the locations data in another non-CAcert project? These questions can only answered with: limit the access to the testserver image or locations database export result set. Find a place, where the image / export can be stored. Give access permissions only to users by request - Next question: Who can give access? * Support ? * Critical Sysadmins ? * Infrastructure-admins ? * or Software-Assessors ? Also an option: access with client cert only. Inform the requestors about the limitations that are set to the locations database. Restrictions / Limitations found so far: * there is a restriction / limitation set on the locations database dataset * recuring exports aren't preferable, as each execution needs a lot of work from sysadmins to transfer the result set onto another system where it can be downloaded * svn isn't the preferable target for a testserver image with the locations database included or the locations database export * download area for the locations database dataset should be under CAcert control * the method of control is open to system requirements and by one of the CAcert group members * this can be: ACL permissions, Group permissions, Client Certs to the download area or a hidden link * dependend of the download area system, access permission can be given by Critical Sysadmins, Infrastructure Admins and/or the Software-Assessment team
- 2010-07-29 Recomendation Solution I by (A)
Recomendation: To move the authority over the locations database set to the Software-Assessment team and turn the distribution order from live system to the outside to Software-Assessors to live system a) Updates onto the Locations database can be tested thru the Software-Assessment team b) Export requests can be handled by Software-Assessors authority Advantages: * Requests from CAcert developers can be easily handled without first building a framework to handle this request * Updates to the locations database are under Software-Assessments Team authority and can follow the Software-Assessment procedures for updates * Updates can be send easily to connected CAcert developers update receivers * recuring updates are no longer needed to be transfered from the critical system, as the main repository is under authority of the Software-Assessment team. Updates will be sent from Software-Assessment team to the critical system * Software-Assessment team is also under control of CAcert so the locations database set is under control CAcert developers can send a simple request to the Software-Assessment team to get the locations database for development purposes. Also other teams of CAcert (Board, Arbitration, Infrastructure) can request a copy of the locations database set for CAcert usage. The Software-Assessment team have to give notification to the requestor, that the database set can only be used for CAcert purposes. No transfer to other projects, allowed. The transfer format of the locations database set is not limited to a special format. It can be transfered within an CAcert developers image, as sql-dump or whatever else format. The only limitation is, that the download links aren't publicy available and access is secured, so that a requester needs download infos from the Software-Assessment team by either Account/Password combination and/or a hashkey URL and/or an ACL secured access point and/or a client cert limited access point thru one or more possible and applicable services (i.e. ftp, http, or other services) An initial complete export from the critical system to the Software-Assessment team is allowed to receive the current state of the locations database set. Critical team and Software-Assessment team have to deploy a transfer concept for the initial transfer.
- 2010-07-29 (IanG): respond to "Solution I"
> To your information: > There is a limitation set over the locations database set > "for CAcert usage only" *Property* As far as I know, this is a claim that has been verbally stated by someone, so I would question whether we have a reliable understanding of that. I'm also uncertain as to whether we should accept on face value any such claim, as it has quite important ramifications. Some questions... to establish any facts: Has the Arbitrator managed to clarify the nature of the intellectual property claim and the nature of the licence that we have (verbal or implied or otherwise) ? If NO to the above, is the Ruling likely to include a statement that clarifies the licence for us? By dictat, as it were? Those are questions to establish facts, here are my thoughts: This Community has always preferred open source. It's not always possible to arrange this, but there is a sense that it should be the case for all the critical domain software. Indeed, audit criteria establish strong control provisions over our critical assets, which tends towards us needing either full ownership or control established under a strong licence (aka, agreed open source licence). The current location database doesn't seem to fit that ... even though we can recognise that when it was first given to us, the nature of its usage and provision might have been a good thing, and we're grateful for any help. Things have moved on from then, I suspect. In practice, we have google earth and other open alternatives. Also, BirdShack team advanced the theory that the location database did not need to be in the critical domain at all. Sure, it was there for convenience of coding when Duane had one website and that was it. But we are a bit bigger now; we have a lot of separated platforms, and we want a tight CA. We have a track record in Client Certs and we'll push that more.... So, BirdShack decided that the best thing to do would be to kick the location database out of the critical domain, and suggest some sort of infra or community tool. Leave that up to the others. > == Discussion == > > Recomendation: > > To move the authority over the locations database set > to the Software-Assessment team and turn the distribution > order from live system to the outside to > Software-Assessors to live system In this sense, giving the Software Assessors some sort of control over the location database strikes me as perhaps going in the other direction. In the past, SEs just added anyone as location administrator after doing some informal due diligence. (Correct me if I'm wrong here, I haven't looked up how it is done.) Now it is to be controlled as if software? - I would speculate that the location database is really a database, not a source code file, so it complicates the distribution goes. (Same commment has been made about policies! :) - Are the database fields part of the main database? Does this mean that a software distro from the Software Team is now going to include data components? - There is the practical issue that software changes are generally a long cycle, compared to SE changes which are short. OK, both could be quicker, but at least simple SE changes like this can be done within a week. > a) Updates onto the Locations database can be tested > thru the Software-Assessment team What is there to test? Either some town is in the right place, or not? Is this really a critical issue? > b) Export requests can be handled by Software-Assessors > authority (I'm happy with that authority being handled by any of the critical teams, the Board/officers, or the Arbitrator. But I also think it could be handled by anyone who's an Assurer and has a manual on how to do it... e.g., a year ago, we stopped the Board from approving any maillists or email addresses, it's just too much bureaucracy.) > Advantages: > * Requests from CAcert developers can be easily handled > without first building a framework to handle this request > * Updates to the locations database are under Software-Assessments Team > authority and can follow the Software-Assessment procedures for updates > * Updates can be send easily to connected CAcert developers update > receivers I'm unclear to me why this would be an advantage. As a programmer, the last thing I'd want to do is deal with ... data updates. But perhaps I'm missing something? > * recuring updates are no longer needed to be transfered from the > critical system, as the main repository is under authority of the > Software-Assessment team. Updates will be sent from Software-Assessment > team to the critical system > * Software-Assessment team is also under control of CAcert so the > locations > database set is under control > > CAcert developers can send a simple request to the Software-Assessment > team > to get the locations database for development purposes. Also other teams > of CAcert (Board, Arbitration, Infrastructure) can request a copy of the > locations database set for CAcert usage. The Software-Assessment team have > to > give notification to the requestor, that the database set can only be used > for CAcert purposes. No transfer to other projects, allowed. OK. > The transfer format of the locations database set is not limited to > a special format. It can be transfered within an CAcert developers image, > as sql-dump or whatever else format. > The only limitation is, that the download links aren't publicy available > and access is secured, so that a requester needs download infos from > the Software-Assessment team by either Account/Password combination and/or > a hashkey URL and/or an ACL secured access point and/or a client cert > limited > access point thru one or more possible and applicable services (i.e. ftp, > http, > or other services) > An initial complete export from the critical system to the > Software-Assessment team is allowed to receive the current state of > the locations database set. Critical team and Software-Assessment team > have to deploy a transfer concept for the initial transfer. > > ---- > > please comment on the recomendation, if this is a usable > and acceptable solution > > I want to get answers from: > 1. Claimant > and the following teams: > 2. Software-Assessors > 3. Software-Assessment Project > 4. Critical Sysadmins > > and probably others to comment on > 5. board Speaking from pov of Board, but not as board: I am keen to establish just exactly what this licence is (implied or otherwise). The natural party to the licence is the Board as representative of CAcert Inc. Although we might vary that, convention pushes us in that direction. Also, I and others have worked hard to get out of these particular difficulties created by "special contracts". E.g., CCA 1.3, PoP 6.2, past decisions from Duane to transfer the IPR to CAcert Inc, audit argument over old CPS as owned by another party. So I would be hoping for any decision that takes us further along that path. As a principle, we want control of our own location database if it is part of the critical system, *OR* we move it out of the critical domain.
- 2010-07-29 (PG): respond to "Solution I"
I am not sure, whether this is a good idea, since the location database is primarily maintained by the CAcert users through the web-interface.
- 2010-07-29 (Wytze): respond to "Solution I"
> There is a limitation set over the locations database set > "for CAcert usage only" Not speaking as critical admin but as CAcert user and open source advocate here: this statement about "limitation" seems at odds with CAcert's general policies, so it would really be nice if this claim is substantiated with clear facts - a license, sources of non-public information, amount of it, etc. ... > ... > Recomendation: > > To move the authority over the locations database set > to the Software-Assessment team and turn the distribution > order from live system to the outside to > Software-Assessors to live system Strong support from critical-admin@cacert.org for this -- this data is not critical and should not be managed by critical sysadmins. > ... > An initial complete export from the critical system to the > Software-Assessment team is allowed to receive the current state of > the locations database set. Critical team and Software-Assessment team > have to deploy a transfer concept for the initial transfer. The initial complete export can simply be dealt with by a mysqldump of the countries, regions and location tables, which will be scp'ed to a Software-Assessment designated location. In return we'd expect updates to the live data to be supplied to us by signed e-mail from the Software-Assesment team with mysql update scripts for the above mentioned tables.
- 2010-07-29 (Mario): respond to "Solution I"
> This Community has always preferred open source. It's not always > possible to arrange this, but there is a sense that it should be the > case for all the critical domain software. Indeed, audit criteria > establish strong control provisions over our critical assets, which > tends towards us needing either full ownership or control established > under a strong licence (aka, agreed open source licence). looking at CAcert principles it would be appreciated to migrate the database to an open database. http://sourceforge.net/projects/opengeodb/ might be one possibility. But migration would not be that easy I guess. >> * Updates can be send easily to connected CAcert developers update >> receivers > > I'm unclear to me why this would be an advantage. As a programmer, the > last thing I'd want to do is deal with ... data updates. But perhaps > I'm missing something? For development purposes imho a snapshot should suffice. Maybe even some open database can be imported for testing purposes (depends on the data format).
- 2010-08-24 (Wytze): info about locations database
With an empty Locations database in a recovered system there is impossible to a user with LocAdmin flag set to enter locations data into the locations database
at least country and regions table have to be filled, before an LocAdmin flag enabled user can add locations data into the database
- "As far as I am aware, there are no licensing restrictions on the data in the countries and regions tables."
- 2010-08-25 (PG): I think the countries table is definitely public, and I am not fully sure about the regions table, but I would say that it can be thought of being public, as well.
Discovery
- From the Software-Assessment-Project the recovery of a system was tested w/o the locations database set.
the missing locations database, that consists of 3 tables: Countries, Regions, Locations, results that no user with LocAdmin flag enabled can enter new locations data into the database
- there is a need to import at least the countries and regions table data to get the system running as idintical as possible in relation to the production system
- a possible solution for better handling can be, to split the locations database set into 2 different sets of data
- country and regions tables (with no restrictions set)
- locations table (with restrictions set)
- Research on country / regions databases
started in http://drupal.org/node/19983 from CAcert wiki Location Database
Source: earth-info.nga.mil
Country files with citys under Country files
Geopolitical Codes (Formerly FIPS PUB 10-4)
FIPS 10-4 Countries, Dependencies, Areas of Special Sovereignty, and Their Principal Administrative Divisions official listing (April 1995)
- Geopolitical Entities and Codes (formerly FIPS PUB 10-4)
Independent States (September 2009)
Dependencies and Areas of Special Sovereignty (September 2009)
- Full lists (April 2010)
Q: What is the License model ?
- A: There is no problem in making the geographic names data freely available. A suitable citation note is: Toponymic information is based on the Geographic Names Data Base, containing official standard names approved by the United States Board on Geographic Names and maintained by the National Geospatial-Intelligence Agency. More information is available at the Maps and Geodata link at www.nga.mil. The National Geospatial-Intelligence Agency name, initials, and seal are protected by 10 United States Code Section §445.
Source: www.geonames.org
License: "The GeoNames geographical database is available for download free of charge under a creative commons attribution license."
Source: www.maxmind.com
- variant 1
- Products: GeoIP® Geolocation Products
- offered with site license and with Updates
Subcountries code is available thru MaxMind fips10_4 Subcountries
- Q: What is the license model on this ?
- A: The subcountries list referres to GeoIP database that has restrictions:
- Q: What is the license model on this ?
- Comment: this license sounds like CAcert's usage of their locations database
- Products: GeoIP® Geolocation Products
- variant 2
http://www.maxmind.com/app/ip-location
- defined: Free / Open Source
GeoLite Country is similar to the GeoIP Country database, but is slightly less accurate. Should you require greater accuracy, GeoIP Country is a drop-in replacement for GeoLite Country.
- Q: What is the license model on this ?
A: Under the license agreement, all advertising materials and documentation mentioning features or use of this database must display the following acknowledgment: "This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/."
- Redistribution: Free, subject to GPL/LGPL for APIs and database license. Commercial redistribution licenses are available.
- defined: Free / Open Source
- variant 1
Source: www.geodatasource.com (Free Edition)
- needs registering for download full list
- list includes only countries and cities, no long, lat and regions (that is starting in Gold Edition, Pay Edition)
- Q: What is the license model on this ?
- ???
Source: Yahoo! GeoPlanet™ Data
- includes no LONG, LAT and Regions, only Cities and WOEID's
- Q: What is the license model on this ?
- A: Creative Commons Attribution license
- Q: What is the license model on this ?
Source: IPInfoDB
- Available information in the database : ISO country code, country name, FIPS region code, region name, city, zipcode, latitude, longitude and timezone
- The data is compiled from the free Maxmind CSV database (Geolite City) and rearranged with many scripts. We use other sources such as Geonames, TZ data, FIPS for regions name and IANA for IP assignement.
- Q: What is the license model on this ?
- A: The SQL database behind IPInfoDB is offered for free
Source: - to be continued -
- The CPS story on Open Audit
Board Review Actions between 2004-08-20 and 2007-05-25
Transfer of Source Code Proposed Duane Groth 2004.09.01 to transfer my copyright to CAcert with the exception that I'm allowed to retain any/all copies of my own work and have no restrictions on what I do with the code etc. To make it legal under Australian law there will need to be money given to me, even if this is only $1. Aye: NR, WH, ML, CM (DG). Minuted 2004.09.15 as $1 transferred.
The David E. Ross Criteria (DRC)
A.3.j
23, 35
The CPS describes which aspects of the CA's operations involve protected intellectual property and what protections and licenses are involved. The property status of the following shall be addressed:
* CP, CPS, privacy policy, configuration-control specification, and declarations of risks and liability
* Root and intermediate certificates
* CA-generated subscriber certificates
* Lists of current and revoked certificates
* Software tools used in the CA's operations
* CRLs, OCSP data, or the equivalent (see §B.2.k)
* The CA's Web siteA.3.k
6, 42
The CPS describes how the CA handles its subscribers' intellectual property.
CPS 9.5. Intellectual property rights
- 9.5.1. Ownership and Licence
- 9.5.2. Brand
- 9.5.3. Documents
- 9.5.4. Code
An Open Database License (ODbL) and Database Contents License (DbCL)
- "Where neither “DB” rights or a contracts exists no license will be enforceable. If this is of concern to you your only real alternative is to not make the database available."
Principles of the CAcert Community
x. Openness and Transparency We strive to open up as many of our processes as possible. We strive to present our decisions, products and services as transparent. We do not do secret deals.
Ruling
I have gathered and reviewed evidence concerning the origins of the locations data to the extent reasonable and plausible. The evidence does not reveal the original source of the data, and no obvious nor easy stones remain to be unturned. Therefore I conclude this information has been lost to us.
The alleged claim of external claims over the locations data fall outside the CCA contributions clause, which came later, and outside the IPR transfer by Duane dated 2004. They cannot therefore be verified by this Arbitration.
A claim was made that one contributor provided some of the data on the basis that it is for CAcert only, and there is no licence to share it with anyone else.
The licences of typical geodata companies examined in the course of this Arbitration did match the general sense of an individual licence, and not an open licence. However, as the evidence pointed at no particular company, none of those licences is more than illustrative of what might have been.
I conclude however that the central claim has merit, and CAcert must respect that claim. Further, the claim cannot be converted into something that is not contrary to CAcert's principles and conventional position in the open source world.
But it further implicates that CAcert should prevent further usage of this locations-database-set.
i. So therefor, to prevent CAcert Inc. and CAcert community from any harm in the future that may cause by the undefined source of data, I rule hereby to stop the usage of the locations-database-set asap.
ii. The BirdShack project team made the decision to not use the locations database within the new project. I confirm that decision.
iii. The Community shall start a project ASAP to migrate the location function that is currently implemented in the critical system, with the objective of replacing the locations database completely, by means of either
- a) with a completely new fresh freely available open source of locations data
or
- b) any alternate solution to the location function that does not need a local store of locations data within the critical system
iv. For the intermediate time, until a migration has been completed, the Migration team is allowed to get a copy of the locations database set for analyzing and tests of a migration plan. The Migration team should be under control of the Software-Assessment team.
The Software-Assessment team that is under control of CAcert Inc. is allowed to use a copy of the locations-database-set for the time of the migration phase on their staging system to get software updates passed to the critical system. The staging system has to be under full control of the Software-Assessment team.
v. The original request of a general export of the locations database set is rejected caused by the undefined state of the locations database set and the found restrictions set. But a limited export, that is under control of the Critical Sysadmin team and Software-Assessment team is allowed.
vi. To prevent the same mistake for the future, an undocumented, an undefined state of a database set, the source of a new locations database set must be named and documented.
vii. I further rule that, once the locations database set has been replaced in accordance with the other elements of the ruling, the remaining locations data is no longer to be treated as critical nor privacy related data. This includes the tables country, regions and locations, but not the users record link to the location tables.
From the requested tables, the tables content has no privacy implications and no part of it is personally identifiable. So it can be declared as non-critical data, even though for historic reasons that locations data is currently housed in the core systems under auspices of the Critical Systems Team.
My core statement would be that:
- Just because data is currently part of the critical systems, that does not automatically mean it is critical data. There is data in there that has no need to be kept private. The locations data has no proper purpose under the regime of Security Policy, and may be considered outside its control as soon as is convenient.
My recommendation to the Community is:
- To find a solution that allows the usage of a locations service that is moved out of the critical box like in the birdshack concept. A location service that is serviced by the Community on a non-critical infrastructure system or elsewhere.
Frankfurt/Main, 2010-08-29
Execution
- 2010-08-29 (A): Ruling sent to: (C), (Board), (Critical Team), (Software-Assessment Team), Community, (CM)
- 2010-08-29 (A): no further actions needed, case closed.
Similiar Cases