Cannot file a non-security proprietary bug in Launchpad

Bug #136937 reported by Jonathan Lange
Affects: Launchpad itself
Status: Fix Released
Importance: Low
Assigned to: Steve Kowalik

Bug Description

Currently, if you are filing a bug in the web user interface, there's no way to indicate that the bug is private.

Both the simple and complicated forms let you mark a bug as being a security vulnerability, but that's not the same thing.

Mark Shuttleworth (sabdfl) wrote : Re: Cannot file a private bug in Launchpad

Launchpad is a public service for collaboration between free software projects. We support cases where bugs have a security implication by allowing those bugs to be kept private (but disclosed to the project security team). We may also in future allow commercial users of Lp to annotate bugs with private comments that are not shared, but don't do that at this stage.

description: updated
Changed in malone:
status: New → Won't Fix
Martin Pool (mbp) wrote :

The workaround at the moment is to file a bug as security-related, then edit its status to make it private. afaik anyone can do this.

Canonical internally commonly uses private non-security bugs for customer issues. It would help if this was directly accommodated.

Changed in malone:
status: Won't Fix → Confirmed
Andrea Corbellini (andrea.corbellini) wrote :

Also some non-security bugs may contain sensible data from the user. To respect his/her privacy everyone should be able to mark a bug as private. This is also one of the Ubuntu Bugs team guidelines.

Martin Albisetti (beuno) wrote :

Does this bug still apply?
You can now have private bugs by default for paying projects.

Jonathan Lange (jml) wrote :

It still applies. When you file a bug on a project such as malone, you cannot mark it as private, only as a security issue.

Deryck Hodge (deryck)
Changed in malone:
status: Confirmed → Triaged
importance: Undecided → Low
tags: added: privacy
Martin Pool (mbp) wrote :

I think the bottom line here is:

Only selected people (commercial, canonical-support, etc) should be able to file private non-security bugs. However, people who are allowed to do this should be able to do it directly, without dancing around the security bit.

summary: - Cannot file a private bug in Launchpad
+ Cannot file a non-security private bug in Launchpad
visibility: private → public
Curtis Hovey (sinzui)
tags: added: bug disclosure
Curtis Hovey (sinzui)
summary: - Cannot file a non-security private bug in Launchpad
+ Cannot file a non-security proprietary bug in Launchpad
Steve Kowalik (stevenk) wrote :

I have fixed this bug by changing Bug:+filebug to show the information_type rather than the security_related checkbox. I will mark this bug as In Progress and assign it to myself, and then mark it as Fix Committed when the feature flag is enabled on production.

Changed in launchpad:
status: Triaged → In Progress
assignee: nobody → Steve Kowalik (stevenk)
Curtis Hovey (sinzui)
tags: added: information-type
Steve Kowalik (stevenk)
Changed in launchpad:
status: In Progress → Fix Released
This report contains Public information  
Everyone can see this information.
