Comment 1 for bug 631085

John A Meinel (jameinel) wrote : Re: [Bug 631085] [NEW] revid contains email address and is displayed publicly

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/5/2010 2:57 PM, janisozaur wrote:
> *** This bug is a security vulnerability ***
>
> Private security bug reported:
>
> I'm a launchpad user and I have a project that I commit to. I use bzr as a DVCS.
> Even though my privacy settings say that my email address is not disclosed to others, it may be viewed publicly when browsing my commits, as they start with my email address.
> A workaround is to set a different email address, but this disables launchpad's ability to click on a revision author to see his/her profile.
> Possible solutions that come to my mind at this time would be:
> * altering the bzr revid format (at least hashing the email address, though it is not as secure as it might seem at first glance - there is a website that displays a user's nickname and a hash of his email. A simple check of nickname@[gmail, yahoo, msn, ...].com is about 70-80% accurate. There was a link to a study on that once, but I can't find it)
> * introducing an option in launchpad to hide revids (at least from public viewing)
>
> ** Affects: bzr
> Importance: Undecided
> Status: New
>

While true, a user can also download your branch and see your email in
"bzr log". Even if the revision id wasn't included...

John
=:->

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyGZLgACgkQJdeBCYSNAAPjvwCcDOreiNkJ3HlNKGTo8KgmKCnM
V7sAoMqRuiGDwVFr4SGc2M9Qe7LHp/bG
=eXDs
-----END PGP SIGNATURE-----
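The two points made in the thread, that the committer e-mail sits in plain text at the front of a default bzr revision id and that merely hashing it would not hide it from someone who knows the nickname, can be demonstrated with a short script. The following is an added example, not code from the bug report, from Launchpad or from bzr itself; it assumes the default bzr revid layout "<committer email>-<YYYYMMDDHHMMSS>-<16 random characters>", uses a constructed sample revid, a constructed nickname and a small constructed list of common mail domains, and uses SHA-1 only as a stand-in for whatever hash a "hashed revid" scheme might pick.

```python
import hashlib
import re

# Constructed sample revid in the assumed default bzr layout:
# "<committer email>-<14-digit UTC timestamp>-<16 random chars>".
SAMPLE_REVID = "alice.example@gmail.com-20100905145700-k3l9x2q7m1n4b8c0"

# Greedy match on the e-mail part so addresses containing '-' still parse;
# the fixed-width timestamp and random suffix anchor the split.
REVID_RE = re.compile(r"^(?P<email>.+)-(?P<ts>\d{14})-(?P<rand>[a-z0-9]{16})$")

# Constructed list of mail providers a guesser would try first.
COMMON_DOMAINS = [
    "gmail.com", "yahoo.com", "hotmail.com", "msn.com",
    "live.com", "ubuntu.com", "canonical.com",
]


def email_from_revid(revid):
    """Return the committer e-mail embedded in a bzr-style revid, or None.

    This is the disclosure the report describes: anyone who can see the
    revid (web UI, or a local branch via 'bzr log') reads the address.
    """
    m = REVID_RE.match(revid)
    return m.group("email") if m else None


def hash_email(email):
    """Stand-in for a hypothetical 'hashed revid' scheme (SHA-1 assumed)."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest()


def guess_email(nickname, email_hash, domains=COMMON_DOMAINS):
    """Dictionary attack on a hashed address when the nickname is known.

    Tries nickname@domain for each common domain and returns the first
    candidate whose hash matches, or None if none of them does. No salt
    and a tiny search space make this cheap, which is the reporter's
    objection to hashing as a privacy measure.
    """
    for domain in domains:
        candidate = f"{nickname}@{domain}"
        if hash_email(candidate) == email_hash:
            return candidate
    return None


if __name__ == "__main__":
    leaked = email_from_revid(SAMPLE_REVID)
    print("e-mail read straight from the revid:", leaked)
    # Suppose the revid carried only the hash and the profile showed the nickname.
    recovered = guess_email("alice.example", hash_email(leaked))
    print("e-mail recovered from hash + nickname:", recovered)
```

A salted or keyed hash (a per-project secret mixed in before hashing) would defeat the domain-enumeration step, but, as the reply notes, the committer identity is also stored as the revision's committer field and printed by "bzr log" on any downloaded branch, so changing the revid alone would not keep the address private.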