
PTS subscription exposure


 As suggested by Lucas himself, I bring up this issue on the debian
project list. The context is that Lucas put up a new "service" and
data collector in UDD that contains the PTS subscriptions. He announced
it in his blog: <http://www.lucas-nussbaum.net/blog/?p=453>

 To some degree I see this on a similar basis to the issue with the
debian.net zone exposure, which fortunately got removed again. People
subscribe to the PTS under the impression that their subscription data
is kept private. With this interface (and the data in the UDD) this is
no longer the case. If one wants to know what things someone else is
interested in, they just have to use the interface or hash the email
address and query the UDD data.

 This is IMNSHO a serious violation and breach of privacy. It doesn't
make it better that Lucas stated that "an earlier version exposed more
information"; rather the contrary. Such changes to data that are known
and expected to be private have to be discussed *before* making them
public, instead of afterwards claiming one can feel free to "raise the
topic on a mailing list". This is the wrong approach to sensitive
information and definitely not what I would want Debian to be known
for, and I am quite confident that I'm not the only one with that opinion.

