No Confidentiality governance clause

[hyandell]

A related note to #13 is that Security and the confidentiality note are at odds. I think the intent of the confidentiality section of the Charter is to remind everyone that there is no expectation of confidentiality within the project by default.

However, confidentiality relationships may happily exist between participants in the project, and the project itself is expected to have information that the project creates confidentiality expectations around - for example a non-public/embargoed security issue.

[royaljust]

Agree - the point for the confidentiality note is that the project has no legal obligation to keep any communication secret. If we add a security note, I think we should be clear about the relationship between the that and confidentiality.

[hyandell]

It feels like a tricky one to fix with the current language. The first issue is that two project members discussing the Organization's activities under private NDA outside of the Organization's communication paths are not covered by this statement (i.e. membership is not creating carveouts to NDAs between entities). I think this is fixable, with the charter needing to scope the non-confidentiality to the Organization's forms of communication.

The second issue is that security issues are one example of an issue that has to be marked as confidential. Another (forgive my poor non-legal wordings) would be active litigation - I imagine there are aspects that would be considered confidential. For example confidential advice from the organization's legal counsel, or receiving a code of conduct complaint. This is a harder one and feels like it's arguing that it's going against the intent of the No Confidentiality section.

Stepping back; I think the charter should be saying:

Unless explicitly stated by decision of the Steering Committee, information disclosed privately within the Project in connection with any of the Organization's activities, including but not limited to meetings, contributions, and submissions, is not confidential.

I dropped your final text of "regardless ... markings" in favour of the comittee deciding; and I added a "privately within" to communicate that notion of scope. I also lower-c'd contributions there as I didn't see it as a defined term.

I kinda want to make that opening an "explicitly stated in advance" to show my lean that the committee needs to organize itself instead of trying to retcon.

[bradlitterell]

suggest maybe something like this:

Information disclosed in connection with any Project activity, except security
sensitive bug reports, including but not limited to meetings, contributions, and
submissions, is not confidential, regardless of any markings or statements to
the contrary.

?