Launchpad itself

Warn users that mailing list archives are public unless the team is actually private

Bug #297505 reported by William Grant
254
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
Low
Unassigned
Launchpad itself 11.01

Bug Description

It is clear that some team administrators don't realise that mailing list archives are visible by everybody (not just members) even if the team is restricted. They're only private if the team is private.

This results in wonderful teams that exist for monitoring private bugs, but then conveniently archive all of that private bugmail publicly. I won't disclose such teams here, but ask if you want to fix it...

One should be warned about the lack of privacy before creating a mailing list.

Related branches

lp:~sinzui/launchpad/mailing-list-ui-0
Brad Crittenden (community): Approve (code)
Diff: 391 lines (+124/-128)
7 files modified
lib/lp/registry/browser/team.py (+1/-0)
lib/lp/registry/browser/tests/test_mailinglists.py (+88/-3)
lib/lp/registry/stories/mailinglists/lifecycle.txt (+1/-92)
lib/lp/registry/stories/mailinglists/subscriptions.txt (+3/-13)
lib/lp/registry/stories/mailinglists/welcome-message.txt (+5/-3)
lib/lp/registry/templates/team-mailinglist.pt (+22/-15)
lib/lp/registry/templates/team-portlet-mailinglist.pt (+4/-2)
Revision history for this message
Diogo Matsubara (matsubara) wrote :

Setting to high as we might be disclosing private information. Barry can you take a look at this?

Changed in launchpad:
importance: Undecided → High
Revision history for this message
Barry Warsaw (barry) wrote :

Okay, so clearly people don't read the help wiki, because it says there that all archives are public. Given that, Martin, do you have an opinion on how we should raise the awareness of the archives being public? Perhaps a big red blinking warning on Configure mailing list?

Revision history for this message
Curtis Hovey (sinzui) wrote :

This is not easily solved since messaging happens outside of launchpad. The only idea that comes to mind is to revised the labels to the archive to state "public" or "private". This would only address the corner case where the user looks at the label on the website, or in the footer or a message *before* sending a message.

Changed in launchpad-registry:
importance: High → Low
status: New → Triaged
Curtis Hovey (sinzui)
tags: added: disclosure
Curtis Hovey (sinzui)
tags: added: bugjam2010
Changed in launchpad-registry:
assignee: nobody → Curtis Hovey (sinzui)
status: Triaged → In Progress
Revision history for this message
Launchpad QA Bot (lpqabot) wrote : Bug fixed by a commit

Fixed in stable r12093 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/12093>.

tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Curtis Hovey (sinzui)
tags: added: qa-ok
removed: qa-needstesting
Curtis Hovey (sinzui)
Changed in launchpad:
status: Fix Committed → Fix Released
Curtis Hovey (sinzui)
Changed in launchpad:
milestone: none → 11.01
Curtis Hovey (sinzui)
tags: added: hardening privacy
Curtis Hovey (sinzui)
Changed in launchpad:
assignee: Curtis Hovey (sinzui) → nobody
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.