launchpad-dev team mailing list archive

[Gary Poster <gary.poster@xxxxxxxxxxxxx>]

In CHR yesterday, I had a person contact us because they got a merge request they did not initiate.  In the email we send them, we have this snippet

>> If you didn't ask to merge these accounts, please
>> either ignore this email or report it to the
>> Launchpad team: feedback@xxxxxxxxxxxxx

We invite them to contact us...but the email to feedback was not actionable, as far as I could tell.  I asked Robert if he had any thoughts on it.  Here's the meat of Rob's reply:

> So the question is; do we expect to follow up on these and ask
> jkoch-contact if they were really trying to phish the other persons
> account, or if they made a typo.
> 
> I think this is a team-wide discussion, but here is my take:
> - I suspect we wouldn't generally follow up each case (manpower,
> marginal utility)
> - we probably could do some automated handling to look for one user
> requesting multiple merges
> - or users from one particular domain
> - or users in one particular group
> 
> But we can do that server side if we choose to. So
> - Perhaps we should have a FAQ about how these things can go wrong,
> put that in the email
> - and say in the FAQ 'if you wish to discuss this erroneous merge
> request - if you think it was malicious - please contact us @
> feedback.'

I pretty much agree with him, but I think that we should do even less than a FAQ.  I think we should change the email to say something like this: "If you didn't ask to merge these accounts, please ignore this email.  If you have reason to believe that this merge request was malicious and not a mistake, please report it to the Launchpad team: feedback@xxxxxxxxxxxxx."  I think that would be a sufficient next step.

Thoughts?

Thanks

Gary