launchpad-dev team mailing list archive
-
launchpad-dev team
-
Mailing list archive
-
Message #00002
[Bug 376734] Re: api allows mail address harvesting
I agree with Stuart. The API does nothing but expose what can already be
done though the UI.
The biggest leak of email address from Launchpad is the ubuntu list
server -- teams are subscribed to bugs via a list address, and the
server shows email addresses that launchpad hides. But this is a
separate issue.
When we talk about limits or responsibilities like this, we are often
talking around the issue of trust. We have two mechanisms to convey
trust, the codeofconduct and standing. I would consider using one or
both as reason to give users the privilege of seeing semi-private
information on the website and the API.
** Changed in: launchpad
Importance: Undecided => Low
** Changed in: launchpad
Status: New => Triaged
** Project changed: launchpad => launchpad-foundations
--
api allows mail address harvesting
https://bugs.launchpad.net/bugs/376734
You received this bug notification because you are a member of Launchpad
Community Development Team, which is a direct subscriber.
Status in Launchpad Foundations: Triaged
Bug description:
So, u1 found an interesting point: you can get anyones mail address via the lp web api. This is rather different to having to gather data from web pages.
I'm worried spammers may do:
1) sign up
2) use api to suck down brazillions of email addresses
Even though sign up isn't automated, the volume of emails available via the api is substantial
Perhaps we need to limit this somehow - e.g. to require a common team member ship or something?