
launchpad-dev team mailing list archive

Re: Changing privacy terminology

 

On 01/30/2012 02:49 AM, Martin Pool wrote:
> This all sounds much clearer.  I guess you're going to blog about it?
> 
> On 27 January 2012 07:17, curtis Hovey <curtis.hovey@xxxxxxxxxxxxx> wrote:
>> I expect to see something like this
>> when I open the visibility picker for a bug:
>>
>>    Public
>>      Everyone can see this bug
>>    Unembargoed Security
>>      Everyone can see this resolved security related bug
>>    Embargoed Security
>>      Only users in the project's security policy can see this bug
>>    User data
>>      Only users in the project's user data policy can see this bug
>>    Proprietary
>>      Only users in the project's proprietary policy can see this bug
> 
> Is there an ordering or relation between these?  What if it's a
> security bug that also happens to contain private user data?  Probably
> it should never become public, but if the ordering is not clear in the
> ui people might get it wrong.

We rely on ourselves to determine security and user-data issues
contained in a bug. If user-data cannot be removed from the bug, common
practice is to report a separate bug to track the security issue. This
is the same practice that proprietary projects do now when
partners/customers report bugs that pertain to a security issue because
the relationship with the partner is confidential.


-- 
Curtis Hovey
http://launchpad.net/~sinzui
