launchpad-reviewers team mailing list archive

Thread
Date

Re: [Merge] lp:~wallyworld/launchpad/bug-security-warning-1033893 into lp:launchpad

To: Ian Booth <ian.booth@xxxxxxxxxxxxx>
From: Curtis Hovey <curtis.hovey@xxxxxxxxxxxxx>
Date: Thu, 23 Aug 2012 13:01:38 -0000
In-reply-to: <20120823062026.30016.29836.launchpad@ackee.canonical.com>
Reply-to: mp+120916@xxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

Review: Needs Information code

I am still not convinced we want to fix this bug. I don't think these changes would be welcomed my 99% of projects and be reviled by Canonical staff that must work with private bugs. We favour letting users undo their change. We only want users to prompt users to confirm the action when the the user cannot easily change the bug back to public.

This bug is about an Ubuntu problem, not a Launchpad problem. Launchpad ensures all information types are shared with the project maintainer. The Maintainer can share information with other people. Ubuntu chooses not to share USERDATA, and PRIVATE_SECURITY is shared with a small group.

In the Ubuntu Security bug case, I think your confirmation helps. Other projects do not want to tell people they may not want to mark the bug as a security issue...sharing ensures someone can see it. Ubuntu's security team is focused on patches for a massive project, not triaging bugs. That is why marking a bug will be neglected.

I think we do want to ask users to confirm they want to hide a bug when Lp knows the information type in not shared with anyone. The message you have suggested does not help in this case. The user must subscribe someone else to the bug to ensure someone else can see the bug. In Ubuntu's case, users subscribe ubuntu-bugcontrol to bugs. Remember that apport is reporting bugs *before* processing is complete for other people. That is why USERDATA is not shared with anyone. When processing is complete apport subscribes ubuntu-bugcontrol to give them access. Ubuntu may want ubuntu-bugcontrol subscribed to bugs USERDATA bugs when non-privileged users make a bug private. I am not sure who privileged users are though. Maybe the privileged users are maintainers, drivers, bug supervisors, plus anyone that is shared with.

I think the UI (not API) needs rules to ensure confirmations are shown only to non-privileged users when Lp is certain there is an issue.
--
https://code.launchpad.net/~wallyworld/launchpad/bug-security-warning-1033893/+merge/120916
Your team Launchpad code reviewers is subscribed to branch lp:launchpad.

References

[Merge] lp:~wallyworld/launchpad/bug-security-warning-1033893 into lp:launchpad
From: Ian Booth, 2012-08-23