launchpad-dev team mailing list archive

Thread
Date

[Bug 376734] Re: api allows mail address harvesting

To: launchpad-dev@xxxxxxxxxxxxxxxxxxx
From: Curtis Hovey <sinzui.is@xxxxxxxxxxx>
Date: Fri, 15 May 2009 14:07:06 -0000
Reply-to: Bug 376734 <376734@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I agree with Stuart. The API does nothing but expose what can already be
done though the UI.

The biggest leak of email address from Launchpad is the ubuntu list
server -- teams are subscribed to bugs via a list address, and the
server shows email addresses that launchpad hides. But this is a
separate issue.

When we talk about limits or responsibilities like this, we are often
talking around the issue of trust. We have two mechanisms to convey
trust, the codeofconduct and standing. I would consider using one or
both as reason to give users the privilege of seeing semi-private
information on the website and the API.

** Changed in: launchpad
Importance: Undecided => Low

** Changed in: launchpad
Status: New => Triaged

** Project changed: launchpad => launchpad-foundations

--
api allows mail address harvesting
https://bugs.launchpad.net/bugs/376734
You received this bug notification because you are a member of Launchpad
Community Development Team, which is a direct subscriber.

Status in Launchpad Foundations: Triaged

Bug description:
So, u1 found an interesting point: you can get anyones mail address via the lp web api. This is rather different to having to gather data from web pages.

I'm worried spammers may do:
1) sign up
2) use api to suck down brazillions of email addresses

Even though sign up isn't automated, the volume of emails available via the api is substantial

Perhaps we need to limit this somehow - e.g. to require a common team member ship or something?