"Sorry, you don't have permission to access this" bug report -- well, why not?

Bug #179587 reported by Matthew Paul Thomas
This bug affects 4 people
Affects: Launchpad itself
Status: Fix Released
Importance: Low
Assigned to: j.c.sackett

Bug Description

1. Go to <https://launchpad.net/bugs/136371>.

What you see: "Sorry, you don't have permission to access this page. You are logged in as whatever-your-name-is."

What you should see: Some more helpful explanation of *why* you don't have permission to access this page. At a minimum, explain that it's a bug report and it has been marked private. For bonus points, describe who does have access to the bug report.

Changed in malone:
status: New → Confirmed
James Henstridge (jamesh) wrote :

Exposing the subscriber list of a private bug does not seem like a crash hot idea. If I know what the subscribers generally work on, it will tell me a fair amount about the bug in question.

Tomasz 'Zen' Napierala (tzn) wrote :

A bug that was reported by me was decided by the apport retracing service to be a duplicate. I got the URL for the original bug (200272), but I cannot access it to decide whether the retracing service was right or not. I don't think it's correct.

exactt (giesbert) wrote :

I have the same problem as Tomasz Z. Napierala. It is very confusing to see one's bug report reported as a dup and then, if you want to access the provided link, you get just the "Sorry, you don't have permission to access this page. You are logged in as whatever-your-name-is." message without any further notice why this is happening. Please change this behaviour and/or give more information.

Colin Watson (cjwatson) wrote :

In general, in security design, it is a bad idea to leak information about why access is denied. James already gave an example of why this can be bad, even though it is inconvenient if you're on the other end of it.

We could do better in how we handle crash reports in Ubuntu given slightly better support in Launchpad, though, and I suspect crash reports are the main place where people encounter this problem in practice. We mark crash reports private by default because they might easily contain sensitive information; for instance, a Firefox crash dump could contain your credit card number, or an Evolution crash dump could contain the last private e-mail you were writing to your girlfriend. Ubuntu developers often mark crash reports as public once they've determined that they aren't sensitive, but this doesn't always happen for one reason or another (for one thing, if you can see private bugs, it's all too easy to forget that not everyone can!).

Of course, a full crash report database as part of Launchpad would clearly let us be more flexible. Even without that, though, what about the facility to have a public bug but with private attachments? That way, people could see the description of the bug of which their bug was made a duplicate and the discussion on it, including whether it was fixed, but just wouldn't be able to get the core dump.

There are probably cases that this wouldn't cope with and where we'd have to mark the bug truly private, but I think it's quite rare for us to need to discuss sensitive contents of a core dump in a bug report. In most cases I think this workaround would do the job.

(Disclaimer: I'm not a Launchpad developer and this is merely a suggestion.)

Colin Watson (cjwatson) wrote :

That said, I agree that it would be harmless to explain that the page is a private bug report. You can tell that much from the URL and the fact that you can't read it ...
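
The two ideas from the comments above (a denial message that says only that the page is a private bug report, and a public bug whose attachments stay private), as an added example that is not part of the thread and is not Launchpad's code. The `Bug` and `Attachment` classes, `view_bug`, and the sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical model for illustration; not Launchpad's schema or API.
@dataclass
class Attachment:
    name: str
    private: bool = True  # crash dumps may hold sensitive data, so default private

@dataclass
class Bug:
    id: int
    description: str
    private: bool
    subscribers: set = field(default_factory=set)
    attachments: list = field(default_factory=list)

def view_bug(bug, user):
    """Return the response a given user gets for a bug page."""
    subscribed = user in bug.subscribers
    if bug.private and not subscribed:
        # Say only what the URL plus the refusal already reveal: it is a
        # bug report and it is private. No subscribers, no description.
        return {
            "status": 403,
            "message": "Sorry, you don't have permission to access this page. "
                       "It is a bug report that has been marked private. "
                       f"You are logged in as {user}.",
        }
    # Public bug, or the user is subscribed: description is readable.
    # Private attachments are withheld from non-subscribers, so a reporter
    # whose bug was marked a duplicate can follow it without the core dump.
    allowed = [a.name for a in bug.attachments if subscribed or not a.private]
    return {
        "status": 200,
        "description": bug.description,
        "attachments": allowed,
        "withheld_attachments": len(bug.attachments) - len(allowed),
    }

# Constructed sample data.
PRIVATE_BUG = Bug(1, "crash with sensitive dump", True, {"dev-alice"},
                  [Attachment("CoreDump.gz")])
PUBLIC_BUG = Bug(2, "crash on startup", False, {"dev-alice"},
                 [Attachment("CoreDump.gz"), Attachment("steps.txt", private=False)])

if __name__ == "__main__":
    for bug in (PRIVATE_BUG, PUBLIC_BUG):
        print(view_bug(bug, "reporter-bob"))
```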

tags: added: ubuntu-qa
Paul Broadhead (pjbroad) wrote :

Have just experienced this problem when a bug I filed was automatically marked a duplicate of a private bug. I am pretty sure the private bug was not included in the crash report choice, hence why I filed a new bug. Now I cannot even track the status of the fix, let alone contribute further information if required.

Would it not be better to use a public bug as the parent? IMHO, a public bug should never be made a duplicate of a private one.

Matthew Paul Thomas (mpt) wrote :

Paul, see also bug 434733 and bug 334130.

Curtis Hovey (sinzui)
Changed in launchpad:
status: Confirmed → Triaged
importance: Undecided → Low
tags: added: confusing-ui docs
Curtis Hovey (sinzui)
Changed in launchpad:
assignee: nobody → j.c.sackett (jcsackett)
status: Triaged → Fix Released
Curtis Hovey (sinzui)
tags: added: disclosure privacy-transitions
This report contains Public information  
Everyone can see this information.
