[Foundation-l] should not web server logs (of requests) be published?

[Anthony]

On Mon, Nov 29, 2010 at 4:41 AM, Andre Engels <andreengels at gmail.com> wrote:
> On Mon, Nov 29, 2010 at 6:26 AM,  <WJhonson at aol.com> wrote:
>> I know quite a lot about operational requirements, and I know that policies
>> should state clearly what IS being done, not what may be done.
>> It's quite practical to be more explicit.  For example, the policy could
>> state clearly what exactly is being done.  That would be more explicit.
>
> Yes, that would be more explicit. It would also mean that every minute
> change of procedure would entail a policy change. Policies are not
> meant to be descriptions of what we do and how we do it, they are
> meant to be the rules that we put on ourselves about what we do and
> what we do not do. There are things that we promise to do and there
> are things that we promise not to do. But there are also things that
> we want to keep a leeway of doing, not doing or doing in a different
> way without needing a formal board resolution each time something
> changes.

Surely there are ways to publish policies which don't require a formal
board resolution every time something changes.  Also, any emergency
exceptions could always be documented later, after the emergency has
been resolved.

But I'm not sure how practical it would be.  Maybe there are times
when you want to be able to analyze people's page views without
tipping them off to the fact that you're doing so.