We're not talking code changes here, but purely a data request. For code changes the trail is more obvious and it being noticed is easier to explain - but you are still in a situation that anything that can be read as you publishing it in an indirect way (e.g. by giving details to a connected organization which you know won't keep it private) will be taken as such and get you in trouble. I think it'd be quite hard construct that in a truly "safe" way.
> We're not talking code changes here, but purely a data request
You are right. My comment was a bit offroad, I could have made that clearer (about how to deal with "data" (code, ...) in international context)
> I think it'd be quite hard construct that in a truly "safe" way.
For open source code it is easy - everyone sees teh chnages and why they've been promoted.
For closed source, having your source at a third party (or synchronized), build from only the identical code (between the two repositories), and enforce a two-eyes kind of code promotion (merge) will make it so that any change in the code that is not vetted by both parties (or multiple parties) will not get built.
I gave the example of Truecrypt that was unfortunately US-only and they had to revert to allusions in order to inform that it was tempered with.
