I lost track of your reasoning. Let us start again. From the standpoint of the
GDPR, there is you, me, and someone in between who is responsible for our
personal data. In fact, if you send to users@spamassassin.apache.org, I receive
a copy of it *because* apache.org used our addresses. Ok we both subscribed to
the list, but the GDPR gives us the right to be forgotten, for example. Now
suppose you unsubscribe. You find out that your e-mails are archived on various
sites other than SA. You send an e-mail to SA's or Apache's postmaster exerting
your rights and demanding your shit to be deleted. According to the GDPR,
Apache *must* comply *and* it must forward the demand to all of the third party
archives. And it must do so quietly, that is, not publishing your demand on the
internet. A lawyer's matter? Well, the law is on the table, and one must execute
it. Now, what I said is, to prevent this mess, the mailing list could clean up
before itself by simply (relatively) obfuscating the addresses and removing any
banner signature that holds personal data (full address and such). Am I making
sense now?