revid contains email address and is displayed publicly

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/5/2010 2:57 PM, janisozaur wrote:
> *** This bug is a security vulnerability ***
>
> Private security bug reported:
>
> I'm a launchpad user and I have a project that I commit to. I use bzr as dvcs.
> Even though my privacy settings say that my email address is not disclosed to others, it may be viewed publicly when browsing my commits, as they start with my email address.
> A workaround is to set different email address, but this disables launchpad's ability to click on revision author to see his/her profile.
> Possible solutions that come to my mind at this time would be:
> * altering bzr revid format (at least hashing email address, though it is not as secure as it might seem at first glance - there is a website that displays user nickname and hash of his email. a simple check nickname@[gmail, yahoo, msn, ...].com is about 70-80% accurate. there was a link to a study on that once, but I can't find it)
> * introducing an option in launchpad to hide revids (at least from public viewing)
>
> ** Affects: bzr
> Importance: Undecided
> Status: New
>

While true, a user can also download your branch and see your email in
"bzr log". Even if the revision id wasn't included...

John
=:->

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyGZLgACgkQJdeBCYSNAAPjvwCcDOreiNkJ3HlNKGTo8KgmKCnM
V7sAoMqRuiGDwVFr4SGc2M9Qe7LHp/bG
=eXDs
-----END PGP SIGNATURE-----

Indeed. But as far as I know, web crawlers and spammers don't usually go to the extents of downloading public sources in order to search them for email address'.

On Sun, 2010-09-05 at 19:57 +0000, janisozaur wrote:
> *** This bug is a security vulnerability ***
>
> Private security bug reported:
>
> I'm a launchpad user and I have a project that I commit to. I use bzr as dvcs.
> Even though my privacy settings say that my email address is not disclosed to others, it may be viewed publicly when browsing my commits, as they start with my email address.
> A workaround is to set different email address, but this disables launchpad's ability to click on revision author to see his/her profile.
Launchpad's links to the authors launchpad page are not based on the
revision id but on the author email address in the committer/author
fields of the commit.

> Possible solutions that come to my mind at this time would be:
> * altering bzr revid format (at least hashing email address, though it is not as secure as it might seem at first glance - there is a website that displays user nickname and hash of his email. a simple check nickname@[gmail, yahoo, msn, ...].com is about 70-80% accurate. there was a link to a study on that once, but I can't find it)
We could have an option (or all commits?) to not include an email
address in any way in the revision id.

Cheers,

Jelmer

How would such an option differ from simply not setting an email address in your "bzr whoami" ?

launchpad will not pick up the commiter and provide a clickable link in project's code page (don't know about distributing karma, though).
See https://code.launchpad.net/~carto-team/cybercarto/carto, revision 45 and 46.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/7/2010 3:54 PM, Max Bowsher wrote:
> How would such an option differ from simply not setting an email address
> in your "bzr whoami" ?
>

He wants a valid 'whoami' because he wants his commits linked with his
Launchpad identity. He doesn't want that identity shown.

AFAIK, you must be logged in, in order to get real email addresses
anyway. So bots won't ever see them. (Note that this includes email
addresses in bug reports, etc.)

I don't know about revision-ids, if they are also bot sanitized.

Certainly it isn't required at all to have a revision id based on email
address. It is often quite useful, as it provides a more salient
user-focused string (I can give you a hex hash, how many chars can you
remember, but if I give you an email address, you'll remember it all.)

I would probably say that we should make sure the website sanitizes
email addresses in revision ids for bot scraping, etc. Beyond that, I'm
not 100% sure.

Note that you can write a simple plugin that monkey patches
'bzrlib.generate_ids.gen_revision_id' and generates something that does
whatever you want. (Hashing the supplied username, and using that would
be viable.)

For example, put this as ~/.bazaar/plugins/no_email_revid.py:

import hashlib

from bzrlib import generate_ids

_old_func = generate_ids.gen_revision_id

def gen_revision_id(username, timestamp=None):
    username = hashlib.md5(username).hexdigest()
    return _old_func(username, timestamp=timestamp)

generate_ids.gen_revision_id = gen_revision_id

The very nice thing about this, is that you can do it *today* and
everything should still work. The bad thing is that you would want to
remember to do it anywhere that you commit from, when you want to hide
your email from the revision-id.

John
=:->
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyGqb8ACgkQJdeBCYSNAAO7hQCghRhdTvWmXWaKptE/P0KZv/tY
qRIAn1nUbvUK75Yeg9lKYvwPjvVy8pwb
=ykiK
-----END PGP SIGNATURE-----

On Tue, 2010-09-07 at 20:54 +0000, Max Bowsher wrote:
> How would such an option differ from simply not setting an email address
> in your "bzr whoami" ?
It would change how the revision id is generated, but not what
email/fullname ends up in the committer/author fields of a commit.

Cheers,

Jelmer

Jelmer Vernooij пишет:
>> Possible solutions that come to my mind at this time would be:
>> * altering bzr revid format (at least hashing email address, though it is not as secure as it might seem at first glance - there is a website that displays user nickname and hash of his email. a simple check nickname@[gmail, yahoo, msn, ...].com is about 70-80% accurate. there was a link to a study on that once, but I can't find it)
> We could have an option (or all commits?) to not include an email
> address in any way in the revision id.

+1

On 8 September 2010 07:37, Alexander Belchenko <email address hidden> wrote:
> Jelmer Vernooij пишет:
>>> Possible solutions that come to my mind at this time would be:
>>> * altering bzr revid format (at least hashing email address, though it is not as secure as it might seem at first glance - there is a website that displays user nickname and hash of his email. a simple check nickname@[gmail, yahoo, msn, ...].com is about 70-80% accurate. there was a link to a study on that once, but I can't find it)
>> We could have an option (or all commits?) to not include an email
>> address in any way in the revision id.
>
> +1

+1, indeed perhaps excluding the domain part would keep most of the
benefit of recognizability but avoid the privacy concern.

We could do something where people associate an id with their account
that is not an email address, or perhaps bzr could let people mark and
sign commits using an openid url. But that's getting a bit blueskyish
to treat as a bug.

--
Martin

This is privacy-related but I don't think it really needs to be secret, does it?

If the concern is that email addresses are visible on the web, then probably the solution is to hide the domain part everywhere in loggerhead's UI unless somebody enters a captcha.

Aaron and I talked about it, and we've both decided that it's sane for this to be the case. If you've published a bzr branch with your email address, it can be retrieved in many ways, including the revid, but also in the commit.

From the Launchpad/loggerhead side, yes we can hide the domain, or obfuscate in various ways except when users are logged in. And we have that knowledge. Its not (currently) a high priority.