← Back to team overview

launchpad-dev team mailing list archive

Re: [Ubuntuone-users] Somewhat urgent privacy concern

 

Arand Nash wrote:
Somewhat urgent privacy concern:

Currently approximately 60 users (or more), who have recently reported crashes in Ubuntu One, have the file & foldenames of their entire Ubuntu One contents listed publicly in text attachments.

This comes about since U1's crash reports contains a list of all the U1 files and folders of the reporting user (LP: 419895), AND that those attachements are not removed when the bug is marked as a duplicate and made public by the apport retracing service (LP: 419929). One concerned bug report is (LP: 419488), which seemed to affect a lot of Karmic+U1 testers.

My urgent-quickfix suggestion would be to either immidiately mark all these bugs as private OR remove the concerned attachment from all of them, and continue doing so with all new incoming ones.

In the "long" term either U1 has to stop attaching this data to their crash reports OR the retracer has to be fixed to keep bugs private when dupe-marked or to remove *all* attachments from private bugs gone public.

I'm hoping for now that this hasn't and will not cause any hurt to the concerned users, and hopefully it can be taken care of quickly, since it puts both Ubuntu One and Launchpad in a somewhat bad light.


Saw this recently on OmniGroup's blog about gibberish-izing crash reports:


<http://blog.omnigroup.com/2009/08/25/sending-confidential-documents-to-omni-and-the-gibberish-izer/>

Wonder if it's interesting to us to implement something similar, presuming we even want to know number of files our users have.

Zac



References