Open jLouzado opened 7 years ago
Hello there, is there any update on this? It seems the Docker image does not contain such a feature; I wonder if the master head does?
@lifehome
No, this does not exist yet.
Using Gravatar is not compliant with the EU GDPR regulation.
Any updates on the GDPR status of Gravatar @xet7 ?
@zewa666
Yes. Using Gravatar is not compliant with GDPR. Gravatar support will not be implemented in Wekan.
Similar issue here: https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/thread/H5I7MO7Z5FN3LLEVGU4EUW6K7FNWJ2DT/
thanks for the link 👍
May I know why opt-in for Gravatar is not even considered? I am surely aware of the GDPR, but not everyone lives in the EU, nor are all instances regulated by the laws of the EU.
@lifehome
GDPR also affects all other companies that do business with the EU, like companies in the USA. If some other country does not have such strong privacy protections, most likely the government can hijack those connections to Gravatar, potentially inserting something malicious. So having Gravatar support is a security bug.
Gravatar does not work in private intranets where there is no direct internet connection, or where there is some kind of proxy. For those environments, Gravatar would not work, and even the possibility of that option would make usage non-GDPR compliant. The same goes for Sandstorm: Wekan is inside a secure sandbox, with no access from the Sandstorm sandbox to the outside Internet, if no Sandstorm-compatible way is implemented.
Wekan does not load any external resources from the internet, like fonts, CSS, etc. That means Wekan is currently safe to use in company intranets, in healthcare, etc. It's a strong guarantee, and I do not want to break that.
@lifehome
I would only accept a General Avatar feature, with settings configured in environment variables, like a URL that can be at Gravatar or a local intranet server, like http://192.168.1.200/avatars/username.png, with the username text replaced with the Wekan username.
There should be no UI in the Admin Panel; all should be configured in environment variables of the standalone/docker/snap version.
This would be coded and submitted as a pull request to the Wekan devel branch by somebody that really wants this feature.
For implementing this, see the Developer Documentation and the excellent example of how pull requests are improved and integrated, and unneeded commits removed.
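An added sketch of the environment-variable avatar URL template proposed in the comment above; it is not part of the thread and not Wekan code. The variable name `AVATAR_URL_TEMPLATE` and the function `avatarUrlFor` are hypothetical; the sketch assumes the literal text `username` in the last path segment is the placeholder, and that an unset variable means no avatar request is made at all.

```javascript
// Added illustration: AVATAR_URL_TEMPLATE and avatarUrlFor are hypothetical
// names, not existing Wekan settings or functions.
const PLACEHOLDER = 'username';

function avatarUrlFor(username, env = process.env) {
  const template = env.AVATAR_URL_TEMPLATE;
  // Unset means the feature is off: no URL is built, so nothing is fetched
  // from outside the instance (the default the maintainer wants to keep).
  if (!template) return null;

  // Conservative username alphabet: the value cannot add path segments,
  // a query string or a fragment to the admin-configured URL.
  if (typeof username !== 'string') return null;
  if (!/^[A-Za-z0-9._-]{1,64}$/.test(username)) return null;
  if (username === '.' || username === '..') return null;

  let url;
  try {
    url = new URL(template);
  } catch {
    return null; // the template is not an absolute URL
  }
  // Only plain web schemes; anything else is treated as a misconfiguration.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;

  // Substitute only inside the last path segment, so the host always stays
  // exactly what the administrator configured.
  const segments = url.pathname.split('/');
  const last = segments[segments.length - 1];
  if (!last.includes(PLACEHOLDER)) return null;
  segments[segments.length - 1] =
    last.replace(PLACEHOLDER, encodeURIComponent(username));
  url.pathname = segments.join('/');
  return url.href;
}

// Constructed sample configuration, using the intranet URL from the comment.
const sampleEnv = {
  AVATAR_URL_TEMPLATE: 'http://192.168.1.200/avatars/username.png',
};
console.log(avatarUrlFor('alice', sampleEnv));
```
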
There is no private data transmitted to Gravatar. The service uses a hash (MD5 of the email address, not bijective, so you can't retrieve the email address from the hash): https://fr.gravatar.com/site/implement/profiles/ So Wekan does not transmit any private data when requesting whether there is an avatar for this hash.
By this logic, Wekan is not responsible for data present on the Gravatar website; it just requests it. I'm not a lawyer, but I don't see the problem around GDPR because the only data transmitted does not contain any private information.
In addition, you can make it optional so admins are free to enable / disable it.
Right now you have to manually add an avatar when added to a board, this could be simplified by just querying for a gravatar image (if available) or defaulting to the use of Initials.