If you've ever done an international wire, you know there's the form question "What intermediate bank to use". So at least the same if not less middlemen apply.
Everyone saying "muh GDPR" has no clue none of it applies to financial transactions.
To get a PSD2 "Open Banking" license one needs to KYC every user and keep every transaction that passes through the system, for 5 years, including the KYC data.
Being PSD2 licensed doesn't even make you a bank. Just imagine what an actual bank has to keep around...
Also every business has to keep invoices and transaction data around for tax audits, usually 7 years. So you can GDPR delete request all you want, but the shop where you bought that thing still has to legally know you've bought it.
I think I've asked this in many prior threads, but maybe I'll repeat it here.
Europeans often explain that they see the need for strong privacy laws because of their experience with totalitarianism (Nazi and Communist regimes). But most of those laws regulate private-sector databases and private-sector data collection, not law enforcement or intelligence; and many of them actually contain explicit exemptions for governments.
Clearly, governments have made lots of use of private-sector databases, so it's not as though they're not a risk if you're concerned about totalitarianism. But wouldn't it make sense to focus more on the state than on the private sector?
I know Europeans (especially in the 2000s) have been quicker than people elsewhere to endorse the idea that all state activities (including those of security agencies) need a legal basis and should comply with necessity and proportionality. So that's cool. But I still don't see how the intuition works like "the SD / Stasi / KGB were spying on everyone and that was awful, so we obviously see it's important to restrict ... private-sector databases! but not (as much¹) state access to financial, travel, location, and communications data".
¹ clearly there are some regulations, and they get fought over in constitutional and European courts, but there's also a ton of "we have to make sure the state can monitor people" initiatives all over Europe!
"GDPR delete request" is only allowed for treatments based on consent, which is only one of the 6 legal bases in the regulation. So you won't ever be able to delete a credit card transaction.
What GDPR gives you, is to know which data is kept, for how long and with access to whom.
It also forbids a bank from giving this information to Google or Facebook, for example.
If I'm a guest, visiting NYC and looking for the next place to stay, I would be logged in and Airbnb would know very well I'm from out of town (payment details etc.)
It's astonishing that he fails to even mention Nix (and various other distributions like Bedrock) in the section on existing solutions and his previous post on reproducible software and rollbacks. It's almost like he hasn't heard of it from inside the Red Hat bubble - or perhaps because it's not "Certified cgroup container systemd trending cloud Enterprise Linux (TM)", he isn't interested.
The way he presents this post is almost like he thinks he has discovered some problems nobody else has encountered before too. Nix solves the majority of the problems he mentions, and it still has plenty of room for improvement to fill the gaps where it doesn't. It should really send flags waving about the mentality behind this project and what their intentions really are. They probably want an "integrated solution" (read: tightly coupled to Red Hat components), so that they continue to be in the driving seat.
> We want our images to be trustable (i.e. signed).
Signing images does not make anything trustworthy at all - you still need to trust the signer. It's shocking to hear him mention the "post-Snowden" world, yet completely fail to recognize that one should absolutely consider Red Hat to be the potential malicious party in this - especially considering their dubious customer base and large contracts with US government bodies.
On the other hand, Nix, Guix and Debian are trying to create an actual solution to the trust problem - by developing a system where one can perform bit-identical reproductions from the same source code, such that several independent parties can build the same software and you can opt-in to trust a consensus of parties, rather than a single one (and if you don't trust that, you can rebuild packages yourself from source). This is how to create trust in the post-Snowden world - you decentralize it.
> We want ...
We want a lot of things; but Mr Poettering, you have not told us why you want to NIH solutions to every problem you identify, rather than developing upon the existing solutions to (mostly) the same problems. How about some justification as to why Nix should not be considered as the framework to build on, or why say, Bedrock is inadequate for running packages from different distributions on the same OS. Must we really throw away 7 years of effort by the Nix community to support your next toy?
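The "consensus of independent parties" idea from the comment above can be made concrete as a policy check. The following is an added example, not code from the commenter or from Nix, Guix or Debian: given build attestations from several rebuilders (constructed sample data, with HMAC standing in for the real projects' public-key signatures), it accepts an output hash only if at least a threshold of distinct trusted builders signed the same hash, ignores untrusted or forged attestations, and refuses outright when trusted builders disagree, since a disagreement is exactly the signal a single-signer model would hide. The builder names, keys and hashes are all made up for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed per-builder HMAC keys standing in for the builders' signing keys.
# Real rebuilder setups use public-key signatures; HMAC keeps this self-contained.
BUILDER_KEYS = {
    "builder-a": b"example-key-a",
    "builder-b": b"example-key-b",
    "builder-c": b"example-key-c",
    "builder-x": b"example-key-x",  # a builder we have not chosen to trust
}


def canonical(package, version, output_sha256):
    """Byte string every builder signs: one unambiguous encoding of the claim."""
    return f"{package}\n{version}\n{output_sha256}".encode()


def sign_attestation(builder, package, version, output_sha256):
    """A builder's claim 'I built package/version and got this output hash'."""
    sig = hmac.new(BUILDER_KEYS[builder],
                   canonical(package, version, output_sha256),
                   hashlib.sha256).hexdigest()
    return {"builder": builder, "package": package, "version": version,
            "output_sha256": output_sha256, "sig": sig}


def attestation_valid(att):
    """Reject attestations from unknown builders or with a tampered body."""
    key = BUILDER_KEYS.get(att["builder"])
    if key is None:
        return False
    expected = hmac.new(key,
                        canonical(att["package"], att["version"], att["output_sha256"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["sig"])


def consensus(attestations, package, version, trusted, threshold):
    """Decide whether to trust an output hash for package/version.

    Returns (status, output_hash):
      ("trusted", h)       at least `threshold` distinct trusted builders signed h
      ("insufficient", None) valid trusted votes exist but too few of them
      ("disagreement", None) trusted builders produced different outputs
      ("no-data", None)    no valid attestation from a trusted builder
    """
    votes = defaultdict(set)  # output hash -> trusted builders vouching for it
    for att in attestations:
        if att["package"] != package or att["version"] != version:
            continue
        if att["builder"] not in trusted or not attestation_valid(att):
            continue
        votes[att["output_sha256"]].add(att["builder"])
    if not votes:
        return ("no-data", None)
    if len(votes) > 1:
        # A reproducible build should yield one hash; two means a broken
        # build or a compromised builder, and we should not guess which.
        return ("disagreement", None)
    (output_hash, builders), = votes.items()
    if len(builders) >= threshold:
        return ("trusted", output_hash)
    return ("insufficient", None)


# Constructed output hashes: the "real" artifact and a divergent one.
GOOD = hashlib.sha256(b"constructed good artifact").hexdigest()
BAD = hashlib.sha256(b"constructed divergent artifact").hexdigest()
TRUSTED = {"builder-a", "builder-b", "builder-c"}


def scenarios():
    """Four situations a rebuilder-consensus policy has to get right."""
    agree = [sign_attestation(b, "hello", "2.12", GOOD) for b in TRUSTED]
    split = [sign_attestation("builder-a", "hello", "2.12", GOOD),
             sign_attestation("builder-b", "hello", "2.12", GOOD),
             sign_attestation("builder-c", "hello", "2.12", BAD)]
    untrusted = [sign_attestation("builder-a", "hello", "2.12", GOOD),
                 sign_attestation("builder-x", "hello", "2.12", GOOD)]
    forged = sign_attestation("builder-b", "hello", "2.12", GOOD)
    forged["output_sha256"] = BAD  # body altered after signing; sig no longer matches
    tampered = [sign_attestation("builder-a", "hello", "2.12", GOOD), forged]
    return {
        "agree": consensus(agree, "hello", "2.12", TRUSTED, 2),
        "split": consensus(split, "hello", "2.12", TRUSTED, 2),
        "untrusted": consensus(untrusted, "hello", "2.12", TRUSTED, 2),
        "tampered": consensus(tampered, "hello", "2.12", TRUSTED, 2),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10s} -> {result[0]}")
```

The threshold and the trusted set are the "opt-in" part of the comment's argument: a user who trusts nobody sets `threshold` to the number of builders they run themselves, and anyone else picks how many independent parties must agree before an output is accepted.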
How does this help me from the perspective of a "Desktop app for tracking stars" or "Video game" application developer who wants to build once, publish once, and have non-technical users be able to install it simply on (Debian, Ubuntu, Fedora, CentOS, NixOS.....) without depending on distro packagers?