private e-mail address gets stuffed into and published in changes file

Bug #523093 reported by Tormod Volden on 2010-02-17
32
This bug affects 5 people
Affects Status Importance Assigned to Milestone
Launchpad itself
Low
Unassigned

Bug Description

I sign all my Debian and Ubuntu packages with my debian.tormod@... address (for which I have a GPG key). Since I use this address for all public Debian work it is fully disclosed and I have to live with the spam coming in on it.

After a Debian package of mine got synced into Ubuntu, the changes file on http://launchpadlibrarian.net (which does not have e-mail addresses scrambled like on the launchpad package page) includes my *launchpad* mail account which is a different one. This e-mail address is one I do not want to publish and is supposed to be between launchpad and me (although there are other leaks like in bug 111147).

Why is my public e-mail address in the Debian package being replaced by my launchpad contact address?

For this example, see the https://launchpad.net/ubuntu/lucid/+source/radeontool/1.6.0-1 page and click on "View changes file".

EDIT: It seems that whoever files a sync request will get his private e-mail address disclosed in the resulting changes file. IMO, this should be changed to leave the Debian uploader address or the address of the Ubuntu guy who performs the sync.

Julian Edwards (julian-edwards) wrote :

Hi

The changes file gets auto-generated and your preferred contact address is used in the Changed-by. I guess we could obfuscate the email address in the changes file somehow.

Changed in soyuz:
status: New → Triaged
importance: Undecided → Low
tags: added: soyuz-core sync
Tormod Volden (tormodvolden) wrote :

Why does it use *my* preferred contact address? I did not sync it, I was just the original Debian uploader. IMO it should either keep the Debian uploader as-is without substituting e-mail addresses, or mangle in the guy who did the sync. Or is it because I filed the bug report, which would be kind of strange?

Tormod Volden (tormodvolden) wrote :

Reading your answer again, I would rather say it should not only obfuscate but totally remove my launchpad e-mail address. The launchpad e-mail address should only be a means for launchpad to send me messages, and not be used as any identification. So if an e-mail address is really needed for publication, it should not pick one on basis of any launchpad user, but use some address that has been used for gpg-signing, from the original Debian upload for instance.

The "preferred contact address" setting in launchpad is "for all Launchpad e-mail" and not for humans to discover and use.

I have of course checked "Hide my email addresses from other Launchpad users".

Tormod Volden (tormodvolden) wrote :

Looking around at other sync requests (which does not have the extra confusing element here of the Debian uploader being the bug reporter) I get confirmed that whoever files a sync request will get his private e-mail address published in the changes file. How logic is it that a bug reporter gets this "fame"?

description: updated
Julian Andres Klode (juliank) wrote :

The reporter of a sync request has gone through the process of building and testing the package and then requested the sync after he was sure that the package works (https://wiki.ubuntu.com/SyncRequestProcess). That's why the bug reporter is listed as the one doing the upload; because he has done the work. The person actually executing the sync just executes a script; and is not doing much manual stuff.

On Wednesday 17 February 2010 13:41:51 Tormod Volden wrote:
> Why does it use *my* preferred contact address? I did not sync it, I was
> just the original Debian uploader. IMO it should either keep the Debian
> uploader as-is without substituting e-mail addresses, or mangle in the
> guy who did the sync. Or is it because I filed the bug report, which
> would be kind of strange?
>

Yes, you get linked as the "requester" so you're attributed as the Changed-By.

This makes more sense than keeping the Debian uploader as they didn't change
anything on Ubuntu.

Tormod Volden (tormodvolden) wrote :

>The reporter of a sync request has gone through the process of building and testing the package and then requested the sync after he was sure that the package works (https://wiki.ubuntu.com/SyncRequestProcess).

Oh yes, I did all that :) Well, OK I can take the credit. But the changes file should have my launchpad ID then, and not any e-mail address, since I did not use any e-mail address to sign my work, but used the launchpad web interface.

Since I have one address registered in Launchpad which I also use publicly for signing source packages, I would not be worried if that one was picked, but what about those who file sync requests and do not have a public e-mail address?

If I understand it right, the sync process injects an e-mail address so that the result looks like a signed upload and hence can be attributed to a launchpad user using the same algorithm a signed upload would be. This is kind of a hack and IMO broken. Debian is e-mail address based and Ubuntu is launchpad ID based (except for archive uploads) but this sync process takes a bit from both and gets it wrong.

One solution is maybe to hide or throw away the changes files/information used for credit collection and then only publish ones where the e-mail address has been removed.

> This makes more sense than keeping the Debian uploader as they didn't change anything on Ubuntu.

OK, but then it is also a bit strange that I am not mentioned at all at the Ubuntu package page if I am the Debian uploader but not the maintainer, see for instance https://launchpad.net/ubuntu/+source/intel-gpu-tools/1.0.2-1 where I actually made the package. It looks like someone else made it, which borders to falsified attribution. Never mind that it is my work that made it possible to sync the package in the first place...

Julian Edwards (julian-edwards) wrote :

The way the Soyuz code works depends on email addresses in the changes files, just like Debian. This aspect would be quite hard to change so the only reasonable fix I can offer is to obfuscate the email from the stored changes, but that will almost certainly not be trivial either since it gets stored quite early before processing of it takes place.

As for the attribution problem, we know, and it sucks :( There's a few bugs filed about that, we need to repackage a bunch of change logs when we start doing native source syncs with Debian (which is imported into Launchpad). Again, not trivial unfortunately.

Colin Watson (cjwatson) wrote :

Mangling the changelog trailer line to represent the person who requested the sync (Changed-By) is Just Wrong. We shouldn't need to repackage changelog entries at all - we should stop mangling them instead and use the ones in the package! This is somewhat related to bug 55795.

(I acknowledge James' comment in bug 55795 that currently Launchpad constructs the changelog entry from .changes file fields, but it is still a bug that it makes it look like a full debian/changelog stanza, trailer line and all, when it isn't. A partial short-term fix might simply be to represent things differently, upon which it would no longer be necessary to do the e-mail address expansion.)

papukaija (papukaija) on 2012-04-30
tags: added: privacy
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers