launchpad-dev team mailing list archive

Thread
Date

Re: InformationType 404 vs 403

To: Curtis Hovey <curtis.hovey@xxxxxxxxxxxxx>
From: Robert Collins <robert@xxxxxxxxxxxxx>
Date: Wed, 19 Sep 2012 09:48:51 +1200
Cc: Launchpad Development Team <launchpad-dev@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <5058ACA0.9080809@canonical.com>
Sender: robertc@xxxxxxxxxxxxxxxxx

On Wed, Sep 19, 2012 at 5:17 AM, Curtis Hovey
<curtis.hovey@xxxxxxxxxxxxx> wrote:
> This is a splinter discussion from project information type.
>
> We current have a rule that private data will return a 404 if it is not
> shared with you. In the past Lp returned a 403. I want to return to the
> 403 rule in some cases.
>
> The 404 rule was created before we conceived of Proprietary and
> Embargoed. Following the work of private teams, we wanted anything that
> an organisation does not want to disclose to 404. teams use
> PersonVisiblity.PRIVATE.
>
> We now know that most Private (user) and Private Security things such as
> bugs belong to Ubuntu. It will never be a proprietary-like organisation.
> Most of Ubuntu's confidential data is created by the community. They do
> know the bugs exist, but they need to teach novice users that Lp is
> lying when it says the bug cannot be founf.
>
> I want 403 to be returned for Private (user) bugs and maybe Private
> Security.

FWIW, I'm ok with this. I think it does provide a better user
experience, and where we don't claim to provide unknowability its
better not to try.

-Rob

References

InformationType 404 vs 403
From: Curtis Hovey, 2012-09-18