launchpad-reviewers team mailing list archive

Thread
Date

Re: [Merge] lp:~mbp/launchpad/798412-plusone into lp:launchpad

To: Martin Pool <mbp@xxxxxxxxxxxxx>
From: Martin Pool <mbp@xxxxxxxxxxxxx>
Date: Sun, 27 Nov 2011 21:59:23 -0000
In-reply-to: <20111125215624.11726.43506.launchpad@ackee.canonical.com>
Reply-to: mp+83449@xxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

Hi,

I agree we need to get privacy (both data and people) right.

The benefit from all of this, hopefully, is 
- more positive feedback for good work people do on Launchpad-hosted projects 
- more visibility for Launchpad and projects in Launchpad on the web and on g+
- better search results about Launchpad

The biggest concern I have is not that Google will deploy malicious Javascript, but rather that people will accidentally click to share something that is meant to be private.  So I want to hide the buttons on private pages -- and in fact I do, but it is not kept up to date after an ajax privacy change, but that can be done.  We actually have belt-and-braces protection against that in that Google pings the page after you +1 it and it will refuse the plusone if the page is not accessible, which our private objects will be.

Showing the buttons in the page where we have control over them arguably makes it less likely people will accidentally click an external share button for a private object.  It is more under our control.

My intention here is to provide, through the view.is_private check, a one-stop protection to make sure that these buttons are not rendered and the script is not loaded on views of private objects, without counting on people getting it right on each individual page.  I think that means the current code will work ok even on bmps ... and I just tested, and in fact it does.

I ought to add tests that this is and stays correctly hooked up.

Personal data is hairy, arguably even including people's names, in which case every page of Launchpad is affected.  What I'm trying to do here is to make it no worse than the current case combination of robots walking Launchpad public/anonymous pages, plus people sharing links through other means.  The most relevant thing here is probably non-public email addresses.  In a separate prior landing I add a meta description with the email addresses stripped out, so people shouldn't be accidentally sharing this.  I'm also not putting this on any pages that are primarily about people, so the biggest risk is when personal information occurs within eg a public bug or mp description or comment.

To sum up the privacy requirements I am aiming for are:
 * do not share any private objects
 * do not encourage people to accidentally share things they shouldn't
 * the framework should be safe by default for new development
 * don't put email addresses into the shared content
 * don't run 3rd party javascript on pages containing private content (any more than we currently do)
-- 
https://code.launchpad.net/~mbp/launchpad/798412-plusone/+merge/83449
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~mbp/launchpad/798412-plusone into lp:launchpad.

References

[Merge] lp:~mbp/launchpad/798412-plusone into lp:launchpad
From: Martin Pool, 2011-11-25