launchpad-dev team mailing list archive

Thread
Date

Next steps for Better Privacy

To: Launchpad Community Development Team <launchpad-dev@xxxxxxxxxxxxxxxxxxx>
From: William Grant <william.grant@xxxxxxxxxxxxx>
Date: Tue, 08 May 2012 15:38:33 +1000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1

On today's Purple call I outlined my plan for Better Privacy's next
steps, and everybody seemed to agree it sounded roughly sensible. The
milestone at the end is simple: +sharing will be editable on production.


The story so far
----------------

The new sharing model has been designed, implemented, vetoed,
redesigned, reimplemented, tested, deployed, populated, revised,
repopulated, and is now finally roughly done. +sharing displays bug
information, and bug searches use the new schema.

But +sharing on production is read-only at present, as the data it deals
with is managed by triggers which mirror the legacy sharing schema
(BugSubscription) into the new one (AccessArtifactGrant and co.).
Unsharing through +sharing isn't effective, as the next change to the
bug or branch will cause the mirroring trigger to recreate it.

Now that the new schema is finally pretty much implemented and respected
we can -- and need to -- push the sharing rules out of the DB, allowing
pages like +sharing to edit data directly.


No end to complication
----------------------

While the rules for direct maintenance of sharing data are clear, its
interactions with subscriptions, and particularly the UI, are less well
defined. By the end of the sharing rework, subscriptions will be
decoupled from sharing, but they will not be free of interactions: it
doesn't make much sense to have a subscription to a bug that's not
shared with you, and conversely the existing UI has no way to indicate
people to whom the bug is shared but who are not subscribed.

A rule has been defined to eliminate the first case: a person cannot be
subscribed to a bug that is not shared with them. It doesn't have to be
an explicit artifact share; a team-based policy share is fine too, for
example. From this rule come a few consequences: subscribing someone
must perform an access check, potentially prompting to share the bug;
unsharing a bug or policy with a user or team must remove illegal
subscriptions from the relevant scope; and revoking a team membership
must remove illegal subscriptions from across the entire database.

The second case is harder. We could require that artifact shares have a
corresponding subscription, but that would still leave us without a way
to display policy shares on the bug page. There appears to be no way out
of this without UI changes. So we probably need a new portlet, or
possibly an extension of the existing privacy portlet, but either would
duplicate information from the subscription list.

It's also not clear whether unsubscribing should immediately revoke any
explicit grant they may have. That's what happens in the old model.


A way forward
--------------

Because the UI changes require design, testing, bikeshedding, and
discussion, but we need to continue pushing the underlying model
infrastructure forward, a transitional compromise is likely to be best.
We can largely retain the legacy behaviour but port it to use the new
native sharing model. The new UI can then easily be implemented
alongside once it is devised.

Important changes are:

 - Subscribing someone to a bug will automatically share it with them if
   it's not already (again, access via a team and/or policy share is
   sufficient), without prompting or regard for permissions.

   The final implementation will likely both warn about disclosure risks
   and require that the requester have permission to grant access to the
   project.

 - Unsubscribing someone from a bug will remove the corresponding
   artifact share, if any; it won't be possible to have an artifact
   grant without a subscription. This simplifies the UI, and may
   actually be what we do in the end anyway.

The implementation will go something like this. Each top-level item is
roughly a sequence point.

 - Port the few remaining search queries to the new schema
   + Design and implement BugSummary v2 [wgrant]
   + Replace miscellaneous bits around the codebase [wgrant]
 - Introduce facilities for reconciliation of illegal subscriptions
   + Add job to remove illegal subscriptions on unsharing [wallyworld]
   + Add job to remove illegal subscriptions on membership revocation
   + Add daily cron (garbo?) job to detect missed illegal subscriptions
 - Teach Bug to maintain AccessArtifactGrant
   + Extend Bug.subscribe() to share if necessary
   + Extend Bug.unsubscribe() to unshare if there's an artifact grant
     for the subscriber
   + Arrange for illegal subscription removal on information type or
     pillar transitions. Might need a prompt.
 - Display a list of policy sharees on bug pages
 - Disable DB-side mirroring to AccessArtifactGrant
 - Enable +sharing writability on production


Thoughts, criticism, support, fatal flaws?

William

Attachment: signature.asc
Description: OpenPGP digital signature

Follow ups

Re: Next steps for Better Privacy
From: curtis Hovey, 2012-05-10
Re: Next steps for Better Privacy ()
From: curtis Hovey, 2012-05-10
Re: Next steps for Better Privacy
From: Aaron Bentley, 2012-05-08