Git for Windows Privacy Policy?

James Keightley

Nov 17, 2021, 6:25:04 PM
to git-for...@googlegroups.com, Infosec Application Assessment Team

Hello,

We are carrying out internal application assessments for the purposes of information security on behalf of Hitachi Energy.

One of the applications we have been asked to assess is your "Git for Windows".

Could you please confirm for us whether your application has any sort of privacy policy or GDPR statement associated with it?

If you have any questions, feel free to reach out.

Kind regards,

James Keightley
Information Security - TSA Exit and IT-Buildup

E-mail:
james.keightley@hitachienergy.com
www.hitachienergy.com

Johannes Schindelin

Nov 18, 2021, 8:22:06 AM
to James Keightley, git-for...@googlegroups.com, Infosec Application Assessment Team
Hi James,

On Wed, 17 Nov 2021, 'James Keightley' via git-for-windows wrote:

> We are carrying out internal application assessments for the purposes of
> information security on behalf of Hitachi Energy.
>
> One of the applications we have been asked to assess is your "Git for Windows".
>
> Could you please confirm for us whether your application has any sort of
> privacy policy or GDPR statement associated with it?

As Git for Windows does not collect any telemetry, there is no privacy
policy. If you feel there should be one, feel free to draft one and we
will discuss whether/how to adopt it.

Ciao,
Johannes

Konstantin Khomoutov

Nov 18, 2021, 9:49:40 AM
to James Keightley, git-for...@googlegroups.com, Infosec Application Assessment Team
On Thu, Nov 18, 2021 at 02:22:02PM +0100, Johannes Schindelin wrote:

>> We are carrying out internal application assessments for the purposes of
>> information security on behalf of Hitachi Energy.
>>
>> One of the applications we have been asked to assess is your "Git for Windows".
>>
>> Could you please confirm for us whether your application has any sort of
>> privacy policy or GDPR statement associated with it?
>
> As Git for Windows does not collect any telemetry, there is no privacy
> policy. If you feel there should be one, feel free to draft one and we
> will discuss whether/how to adopt it.

I would also add that not only does GfW not collect any telemetry data, but also no
user-provided data is ever stored anywhere on "GfW servers" - whatever
that could stand for, because there are no such servers.

To understand that, please consider that GfW is an ongoing (and the de-facto
standard) port of Git [1] to the Windows platform. Git is a distributed
version control system (DVCS, [2]), and hence the only data Git ever sends out
is whatever a user of Git explicitly told it to send. Such data is part of a
project which is maintained using Git. The server to receive such data is also
either explicitly specified by the user or configured by a specifically
designated person (such as by an IT staff member of an enterprise said user
works at).

Git can be used to send data (again, explicitly) to servers managed by
commercial third parties - such as GitHub (Microsoft), Bitbucket (Atlassian)
and so on, and usage of _those_ servers is subject to license agreements
between those parties and the users, and it's where privacy policies and stuff
like GDPR come into play. Git itself, in this picture, is just a tool which
can be used to interact with such services, which it in no case does by
itself; any data exchange made by Git requires explicit actions of its user.

1. https://en.wikipedia.org/wiki/Git
2. https://en.wikipedia.org/wiki/Distributed_version_control

Philip Oakley

Nov 18, 2021, 12:57:47 PM
to Konstantin Khomoutov, James Keightley, git-for...@googlegroups.com, Infosec Application Assessment Team
From a different perspective:
Git for Windows is a port of 'Git' to the Windows platform. Git is an
open source project (e.g.
https://github.com/git/git/blob/master/CODE_OF_CONDUCT.md), with links
to the Software Freedom Conservancy https://sfconservancy.org/
(g...@sfconservancy.org).

I assume that the application assessment is part of some corporate
policy (*) at Hitachi, so it would be worthwhile identifying the
particular concerns that surround the privacy / GDPR clarification
request. This would help the community produce a 'policy' that would
meet these types of corporate concerns, which would otherwise be a
non-issue for Git.

Philip Oakley

(*) often these 'due process' steps end up at the 'something must be
done, this is something, do it' level, perhaps as requested here.



James Keightley

Nov 19, 2021, 3:33:09 AM
to Philip Oakley, Konstantin Khomoutov, git-for...@googlegroups.com, Infosec Application Assessment Team
Hi all,

The response I received satisfied our requirements, but thanks for your help and guidance.

Do note that this was just a quick check that needed to be done, and not anything urgent or alarming.

Thanks again,
James Keightley


Johannes Schindelin

Nov 19, 2021, 11:46:00 AM
to James Keightley, Philip Oakley, Konstantin Khomoutov, git-for...@googlegroups.com, Infosec Application Assessment Team
Hi James,

On Fri, 19 Nov 2021, 'James Keightley' via git-for-windows wrote:

> The response I received satisfied our requirements, but thanks for your
> help and guidance.

Good.

> Do note that this was just a quick check that needed to be done, and not
> anything urgent or alarming.

We do understand that it is neither urgent nor alarming. After all, we (as
in: the Git for Windows project) are under no obligation to fulfill _any_
of your requirements. It is not like you have a contract with us.

Also, please note that for the same reason, our answer is not legally
binding. None of the people who replied to you are lawyers, and even if
one of us were, that person would most likely have charged a good amount
of money for any legally binding statement.

Nevertheless, since you are satisfied that your requirements are met,
everything seems to be in good order.

Ciao,
Johannes