Re: Maintaining the Security&Privacy Questionnaire

(apologies for the delay in following up, I'm out-of-office until the 26th)

> Do we need approval by both the Privacy WG and the TAG to change the
> Security&Privacy
> Questionnaire <https://github.com/w3ctag/security-questionnaire>, or is
> just TAG approval enough?
>

This has been the practice we've been following so far. I don't think any
changes have been made, since I became an editor, without Tess and I both
agreeing first.

My 2c is that we should continue this practice, and require both
editors (from the TAG and PrivacyWG) to agree to changes. Speaking for
myself, I _don't_ think we have in the past, or should going forward,
require the agreement of the entire TAG or PING/PrivacyWG to make a change
in the document, but I think that it's important that each group approves
of their respective editor.

For my 2c, I also think that the above is fine to have as established
practice, and not necessarily a written process, since the document has
been pretty uncontroversial (at least so far).


> If the Privacy WG wants to approve, we need to ensure we have an active
> editor from this WG, and we need the WG's approval to auto-publish changes
> to TR space (https://github.com/w3ctag/security-questionnaire/pull/171).
>

This sounds good. I am the currently-active editor from PrivacyWG. Not
attempting to speak for any other PrivacyWG chairs, but personally I think
it'd be fine for the PrivacyWG chairs to make sure there was always an
active PrivacyWG member as an editor of the questionnaire.

I think the auto-publish change looks great though, thank you for putting
that together Jeffrey. If no one beats me to it, I'm happy to review it when
I'm back on the 26th too.


> The questionnaire's readme says it's "a joint product of the TAG and
> PING", which seems to imply needing two approvals. The PING's charter
> <https://www.w3.org/2019/09/privacy-ig-charter.html> agreed with that,
> saying "In conjunction with W3C's Technical Architecture Group (TAG) PING
> maintains a Self-Review Questionnaire for Security and Privacy."
>
> However, the new WG's charter
> <https://www.w3.org/2024/10/wg-privacy-charter.html#ig-other-deliverables> only
> says that "The Working Group will contribute to privacy-focused documents
> maintained by the W3C TAG: Self-Review Questionnaire: Security and
> Privacy". If it's maintained by the TAG, TAG approval seems sufficient.
>

At least from the conversations with the other PrivacyWG chairs I can
remember, I don't remember anyone intending to change the group's
relationship with the questionnaire when we moved from PING to PrivacyWG.
So my best guess is that this is an unintended/unexpected change (it
definitely is for me). Unless others disagree, I think it'd be good (but
definitely not critical) to adjust the charter accordingly. I don't think it
requires or warrants a change itself, but since we've discussed some other
changes (inc adding additional work items) we could roll a change in there

Pete

Received on Tuesday, 19 November 2024 13:04:15 UTC