launchpad-dev team mailing list archive

Thread
Date

Describing access policies in bug and branch UI

To: Launchpad Development Team <launchpad-dev@xxxxxxxxxxxxxxxxxxx>
From: curtis Hovey <curtis.hovey@xxxxxxxxxxxxx>
Date: Wed, 23 Nov 2011 13:12:22 -0500
Organization: Canonical Ltd.
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1

During a review of a branch that pertained to the disclosure feature,
William and I discovered that we really do not know what an all powerful
user like an admin would see when viewing a private apport bug. We also
did not know how the admin could change the bugs policy. Part of the
issue is that we had decided not to change the UI where possible, but I
think we really do want to change the UI for managing the disclosure of
bugs and branches.

We currently have two checkboxes, Private and Security that create 4
combined states:
    Public
    Public Security
    Private Security
    Private *something else*

Note that security is like a tag (as William says) because it classifies
the primary content of the bug. We often forget this when designing who
people will manage the disclosure pages. The security policy in the new
access mechanism honours the current behaviour...we actually mean
security data that is *also* private.

We official offer the first 3 states to all projects. The
Private-something-else case is pertinent to about 300 projects in
Launchpad because we mean "proprietary". Private bugs and branches are
offered to all projects with a commercial subscription for a
*proprietary* license. The license type is not a requirement, it
illustrates the primary use case for private bugs. Proprietary
information is only private, once it is public, it has ceased to be
proprietary

We know that Ubuntu took advantage of defects in Launchpad's current
behaviour to have created an apport privacy policy. Will will continue
to support it, but it is not in described by the UI currently. We could
replace the two checkboxes with a selection overlay that describes the
choices that we intend to support:

    Public
      Everyone can see this bug
    Public Security
      Everyone can see this security related bug
    Private Security
      Only users in the project's security policy can see this bug
    Proprietary
      Only users in the project's proprietary policy can see this bug
    Apport
      Only users in the project's apport policy can see this bug

The privacy ribbon would clearly state that bug is private because it is
a security concern, proprietary, or being processed by apport.

We do not need to show all of these in the UI to everyone, but I expect
admins to see all of these when looking at an Ubuntu bug. Launchpad
provides the first three states to all projects. The Proprietary could
be shown only to projects we have enabled it for. Apport can only be
used by Ubuntu, though we can imaging many projects wanting a reporter
process that sanitises user bugs before they can be seen by a larger group.

We know there are hundreds of private-non-security bugs in
non-proprietary projects. We tolerate this because users make bugs
private to *protect* other users. The privacy state is also used to mean
the bug contains personal information, spam, or abuse. We will not stop
users from doing the right thing without offering a replacement feature
for this issue. We will introduce additional confusion about these
private bugs if we remove the confusion about *why* a bug is private.
This is really a separate issue, see
https://lists.launchpad.net/launchpad-dev/msg08404.html

-- 
Curtis Hovey
http://launchpad.net/~sinzui

Attachment: signature.asc
Description: OpenPGP digital signature

Follow ups

Re: Describing access policies in bug and branch UI
From: Martin Pool, 2011-11-30
Re: Describing access policies in bug and branch UI
From: Francis J. Lacoste, 2011-11-29