launchpad-dev team mailing list archive

Thread
Date

Launchpad Privacy (issue 5)

To: Launchpad Community Development Team <launchpad-dev@xxxxxxxxxxxxxxxxxxx>
From: Curtis Hovey <curtis.hovey@xxxxxxxxxxxxx>
Date: Wed, 22 Sep 2010 12:23:35 -0400
Organization: Canonical Ltd.
Reply-to: curtis.hovey@xxxxxxxxxxxxx

A Brief Primer on Launchpad Privacy (issue 5)
=============================================

Artefacts and Primary Context
-----------------------------

Subscribing a user to a private artefact grants the user partial access to
a structure. The user may know the names of the private items that relate
to the private artefact. Since privacy is determined by the primary context,
admins do not need to enable private bugs, private branches, or private
archive. All the project or distro's items are private, they cannot be public.


Retargeting Private Project or Distro Artefacts
...............................................

Private artefacts can never be retargeted to other projects and distros
because the comments and history may contain private information. Users
who reply via email under the assumption that their message is private
would in fact be leaking information. This means that bugs, questions,
and blueprints will always remain with the project or distro they were
created in.

Public bug, questions, and blueprints cannot be targeted to private
projects and distros because the artefacts subscribers and the former
and current context subscribers are all notified of the change. This act
will reveal the existence of the private project or distro, and possibly
leak information about who is involved in it.


Bug Reports and Bug Links
.........................

Bug reports do not belong to projects or people, there are currently no
controls about who can subscribe whom, or who can reveal a bug by adding
a project or distro that it affects. This rule will change when a private
project or distribution is involved. Users can still make bug reports
for public projects and distros private to protect users and security
vulnerabilities.

Bugs affecting private projects or distributions can only affect one primary
context. A private bug affects only one structure; the bug cannot have multiple
bug tasks showing the status in many places. Any user with permission to
access the project or distro can see the bug. Only the project owner can
subscribe users or restricted teams to the bug. Maybe this privilege should
be extended to project drivers too.

Bug links will be introduced for all bugs, allowing users to say "this
bug is related to that bug". Users can see the links when he or she can see both
bugs. Thus a user in a team that owns several private projects can see the
linked bugs and know what project or distro that link is to, but the user
under an NDA that is subscribed to the private bug cannot see the other bugs.

Bug links will behave like local bug watches. Users who can see both the links
will know the status and location of the other bug. Bug links could have a
relationship type like dependency, or similar, but this has not been
discussed.

The affect project/distribution link on the bug page will start a process
to clone the bug's information to create a separate bug for the other
context. The user can edit the bug information to redact information that
cannot be revealed. Bug comments will not be copied. The two bugs are
automatically linked so that the user can see. The clone bug process might be
valuable  for public projects, such as splitting a bug report into separate
issues.


Code Branches
.............

Branches for private projects and distros (source packages) are private, they
cannot be public. Any user with access to the private project or distro can
access the branch. The project primary context owner can subscribe a user
or restricted team to the branch. Public projects can still have private
branches to solve security vulnerabilities or for commercial development.


Package Archives
................

Private teams will have private archives. Team owners and admin can subscribe
users to the archives so that users can download from the archive. The
subscribers can see the archive page and its publishing history, but not see
other team pages. The subscriber will know the team's name (this is the
rule of partial disclosure).

Public projects may have private archives if a commercial admin enables them
for commercial distribution.

-- 
__Curtis C. Hovey_________
http://launchpad.net/

Attachment: signature.asc
Description: This is a digitally signed message part

Follow ups

Re: Launchpad Privacy (issue 5)
From: Francis J. Lacoste, 2010-09-30
Re: Launchpad Privacy (issue 5)
From: Curtis Hovey, 2010-09-22