launchpad-dev team mailing list archive

[Matthew Revell <matthew.revell@xxxxxxxxxxxxx>]

Attempt 2!

= Better Privacy checkpoint 2011-12-14 =

== Summary ==

 * Social private teams are go! Purple have made a breakthrough. This
no longer needs a separate project.
 * The new name for "Disclosure" is "Sharing".
 * We've made progress on +manage-disclosure (+manage-sharing soon!)
despite the additional work on social private teams.

== Harden bugs and teams ==

 * Purple have been thinking about how to modify the footgun feature
flag to preserve multi-tenancy for security bugs.
 * Once they have a good solution, they'll enable the footgun feature
flag to reduce the growing number of private bugs that have bug tasks
from several projects.
 * Purple have also been considering how to present embargoed issues in the UI.
 * William is concerned about how we handle bugs that are flagged as
both security and privacy issues. Curtis says only one bug in LP's
history has been marked both a security and private issue. The
decision is not to prevent people from marking a bug as both
security-related and private because people will naturally not want to
do that.
 * The privacy ribbon wording is vague, especially in light of how
we're now offering more security and privacy options. Dan will provide
new wording.

=== Actions ===

 * [purple] Modify the footgun feature flag to keep multi-tenancy for
security bugs.
 * [purple] Enable footgun feature flag to reduce growing the number
of private bugs with multiple projects
 * [mrevell]: Agree on the terminology and mutual exclusivity
behaviour of security/propietary bugs. Respond to Curtis' email on the
list.

== Manage disclosure ==

When a private team takes a role in a public project, such as owner or
driver, we are going to display that team's name in the usual places.
This will reveal the existence of the team and its name. Jon is adding
warnings to the pickers so that when people do this they are fully
aware of the consequences.

=== Actions ===

  * [purple] Implement tweaked +manage-disclosure clickable mock-up
  * [danhg] User-test the tweaked clickable +managing-disclosure mock-ups
  * [purple] Populating and maintaining the access policy data
  * [huwshimi]: speak to sinzui about how to present embargoed
security bugs in the UI
  * [danhg]: speak to sinzui to then rewrite the privacy ribbon
messages to take account of the new situations it must handle
  * [EVERYONE!]: we will refer to "Sharing" rather than "Disclosure"
  * [purple]: replace references to "disclosure" with "sharing"

== Social private teams ==

The surprise of the checkpoint was that the Purple squad, following
discussions with Rob, have cracked many of the issues around social
private teams! So, rather than having to consider this as a separate
project we can now expect it to be near complete at the next
checkpoint!

=== Actions ===

 * [purple]: PPA subscribers should have access to only the archive itself
 * [purple]: Subscribers to a private team's branch should be
permitted to see the branch and its merge proposals
 * [purple]: priv teams can be package maintainers
 * [purple]: priv teams can subscribe to blueprints
 * [purple]: priv teams can subscribe to bugs
 * [purple]: we will fix the situation where you can lose access to
your private team
 * [purple]: warn in the picker when you're about to expose the name
of a private team
 * [huwshimi]: speak to jcsackett about the design of the warning
 * [danhg]: test the warnings
 * [mrevell]: seek agreement from stakeholders on how adding a private
team to a private team should work
 * [danhg]: what should someone who is not a member of a private team
see when they visit that private team's overview page? Dan to gather
data. (bug 904293)


--
Matthew Revell
Launchpad Product Manager
Canonical

https://launchpad.net/~matthew.revell