email addresses in bug descriptions should be obfuscated

Bug #140575 reported by Martin Pool
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

Per bug 60195, we hide email addresses in bug comments from anonymous users. However, we currently don't hide addresses that are present in bug descriptions. (The first comment, from the user's point of view.) Since our general policy is not to show addresses to unauthenticated users this should be fixed.

Joey Stanford (joey)
Changed in launchpad-answers:
assignee: nobody → sinzui-is
importance: Undecided → High
status: New → Confirmed
Tim Penhey (thumper) wrote :

Actually bug 60195 isn't fully fixed, as is illustrated with comment 8:

https://bugs.edge.launchpad.net/malone/+bug/60195/comments/8

Curtis Hovey (sinzui) wrote : Re: [Bug 140575] Re: email addresses in bug descriptions should be obfuscated

On Tue, 2007-09-18 at 04:28 +0000, Tim Penhey wrote:
> Actually bug 60195 isn't fully fixed, as is illustrated with comment 8:
>
> https://bugs.edge.launchpad.net/malone/+bug/60195/comments/8
>

Comment 8 looks right to me. When I'm logged in I can see my email
address, and when I'm not I see <email address hidden>.

Martin's quoting habits were a big incentive to me to get this
fixed. ;)

--

__C U R T I S C. H O V E Y_______
Guilty of stealing everything I am.

Martin Pool (mbp) wrote : Re: [Bug 140575] Re: email addresses in bug descriptions should be obfuscated

On 9/18/07, Tim Penhey <email address hidden> wrote:
> Actually bug 60195 isn't fully fixed, as is illustrated with comment 8:
>
> https://bugs.edge.launchpad.net/malone/+bug/60195/comments/8

At the moment it shows "<email address hidden>" (with anglebrackets,
without doublequotes). Personally I would have shown the username
component and hidden the domain, so that you can get some idea who it
is without encouraging spam. This is just my 2c though.

--
Martin

Curtis Hovey (sinzui) wrote : Re: [Bug 140575] Re: email addresses in bug descriptions should be obfuscated

On Tue, 2007-09-18 at 05:30 +0000, Martin Pool wrote:
> On 9/18/07, Tim Penhey <email address hidden> wrote:
> > Actually bug 60195 isn't fully fixed, as is illustrated with comment 8:
> >
> > https://bugs.edge.launchpad.net/malone/+bug/60195/comments/8
>
> At the moment it shows "<email address hidden>" (with anglebrackets,
> without doublequotes). Personally I would have shown the username
> component and hidden the domain, so that you can get some idea who it
> is without encouraging spam. This is just my 2c though.

Me too. I changed it to <email address hidden> in review after several
comments.

--

__C U R T I S C. H O V E Y_______
Guilty of stealing everything I am.

Curtis Hovey (sinzui) wrote :

The same problem must exist in launchpad answers. Unknowing users may type or paste program output without realizing the email address will be visible in the question's description. Since bugs will be convertible to questions, the need for hiding the email address will apply.

Changed in launchpad-answers:
assignee: nobody → sinzui-is
importance: Undecided → High
status: New → Confirmed
Curtis Hovey (sinzui) wrote :

After discussing this issue with Steve and Francis, the correct solution is to move the email obfuscation feature below the presentation level to hide personal email addresses in the entire page. We are considering a solution that will make pages by anonymous users obfuscatable to provide a comprehensive solution to this problem.

Changed in malone:
milestone: 1.1.10 → 1.1.11
Curtis Hovey (sinzui) wrote :

Moving this back a release given that we want a comprehensive solution.

Changed in launchpad-answers:
milestone: 1.1.10 → 1.1.11
Curtis Hovey (sinzui)
Changed in malone:
status: Confirmed → In Progress
Changed in launchpad-answers:
status: Confirmed → In Progress
Curtis Hovey (sinzui) wrote :

I think this issue is blocked. Email information may be tainted by the '<wbr></wbr>' sequences after the content is rendered. I cannot reliably identify an email address. I can move back to my original plan of adding fmt:obfuscate-email to all the locations we use description that may have an email address. If I don't get any direction on this in the next few days, this issue will slip another release.

Björn Tillenius (bjornt) wrote :

On Fri, Oct 26, 2007 at 04:00:52AM -0000, Curtis Hovey wrote:
> I think this issue is blocked. Email information may be tainted by the
> '<wbr></wbr>' sequences after the content is rendered. I cannot
> reliably identify an email address. I can move back to my original plan
> of adding fmt:obfuscate-email to all the locations we use description
> that may have an email address. If I don't get any direction on this in
> the next few days, this issue will slip another release.

Adding fmt:obfuscate-email to the descriptions of questions and bugs
should be a fairly quick fix, wouldn't it? I'd say, do that, and then file
another bug for doing this more generally.
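
The ordering problem discussed in the two comments above, as an added example that is not Launchpad's code: hiding addresses in the stored text before rendering works, while searching the rendered HTML misses an address once break hints have split it. The regex, the `render` helper with its 10-character break interval, and the `keep_user` output format are assumptions made for illustration.

```python
import html
import re

# Simplified address pattern for this example; not Launchpad's own regex.
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b")
PLACEHOLDER = "<email address hidden>"  # the text the thread says is shown


def obfuscate_email(text, keep_user=False):
    """Hide addresses in plain text, before any markup is added.

    keep_user=True is the variant suggested in the thread: keep the
    username, hide only the domain (the output format is an assumption).
    """
    if keep_user:
        return EMAIL_RE.sub(lambda m: m.group(1) + "@<domain hidden>", text)
    return EMAIL_RE.sub(PLACEHOLDER, text)


def render(text, limit=10):
    """Hypothetical renderer: escape HTML and add <wbr></wbr> break
    hints every `limit` characters inside long words."""
    def soften(match):
        word = match.group(0)
        chunks = [word[i:i + limit] for i in range(0, len(word), limit)]
        return "<wbr></wbr>".join(html.escape(c) for c in chunks)
    return re.sub(r"\S+", soften, text)


def description_for_anonymous(text):
    """Obfuscate the stored text first, then render it."""
    return render(obfuscate_email(text))


def filter_after_render(text):
    """Whole-page approach: search the already rendered HTML for addresses."""
    return EMAIL_RE.sub(html.escape(PLACEHOLDER), render(text))


# Constructed sample description (example.org is a reserved domain).
DESCRIPTION = "Traceback mailed to jane.example@mail.example.org by cron"

if __name__ == "__main__":
    print(description_for_anonymous(DESCRIPTION))
    print(filter_after_render(DESCRIPTION))
    print(obfuscate_email(DESCRIPTION, keep_user=True))
```

In the second output only the middle fragment of the address is replaced, so the pieces on either side of the break hints still reach the anonymous viewer.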

Curtis Hovey (sinzui) wrote :

Well that was my original plan. About What do I say in my review? "I rejected my pre-implementation call to fix this as I thought was best." I'll send my notes regarding what I thought had to change and how I would do it.

Curtis Hovey (sinzui) wrote :

Fixed in RF 5170.

Changed in launchpad-answers:
status: In Progress → Fix Committed
Changed in malone:
status: In Progress → Fix Committed
Curtis Hovey (sinzui) wrote :

Fix released in Launchpad 1.1.11.

Changed in launchpad-answers:
status: Fix Committed → Fix Released
Changed in malone:
status: Fix Committed → Fix Released
Curtis Hovey (sinzui)
Changed in launchpad:
assignee: Curtis Hovey (sinzui) → nobody