
Re: Bits from the DPL: DSA and buildds and DAM, oh my!

On 2/24/07, Mark Brown <broonie@sirena.org.uk> wrote:
On Fri, Feb 23, 2007 at 12:16:52PM -0300, Gustavo Franco wrote:

> That's up to the person behind the *my* you wrote, disclose $ADDRESS
> and $NUMBER. The same can't be said about our email address, so what's
> the point really? I don't think the DSA members will want to disclose
> this kind of information and if somebody does, they won't be forced to
> do so. Let me rewrite what would happen IRL, IMHO:

> "Please send the machine to my home address - I'll drive out to the DC
> and put the machine on-line ASAP. Give the shipping company my phone
> number. I'll send you *my personal details* privately."

You are assuming that the person sending the e-mail is aware that the
information they are sending is going to end up publicly visible.
With a lot of tracking systems this may not be the case.  In the
particular case of RT the work flow appears to involve generating
e-mails to which anyone can reply, with replies causing information to
be added to the ticket.  This means that it's easy for someone to put
information in there without ever realising that there's a public

Well, based on what you wrote we don't need a new tracking system but
just a new feature in BTS. If a user sends a report (or reply) to the
pseudo-package $FOO, it will return a message to him warning that
replying to that auto-generated message will forward his message into
a public archive. It's up to him to avoid replying to the message and
rewrite it, if needed.

It won't cover the case where the private information goes through
non-trusted pipes. It can't be easily solved with BTS or RT though.

> I still disagree with a private tracking system for DSA. Almost all
> the information isn't sensible and can be there, the details can be
> passed privately and it's up to the message submitter and nobody else.
> It isn't like a person out of DSA can disclose sensible information
> that will put DSA stuff at risk.

I do agree that we should make an effort to make information available
but we need to be aware of the problems that could arise and take steps
to mitigate them.

The case with keyring-maint is even worse for this since people might
decide to do things like send scans of ID documents.

I agree, but the answer isn't a private (DSA or visible by DDs only)
tracking system even if it's RT or a new debbugs setup, IMHO.

-- stratus
