Open Bug 270435 Opened 20 years ago Updated 10 years ago

restrict display of email addresses to users with editbugs privileges

Categories

(Bugzilla :: Bugzilla-General, defect, P4)

2.19
defect


People

(Reporter: myk, Unassigned)


We need to do something about harvesting of email addresses from public Bugzilla
installations.  We currently grant "editbugs" privileges to the broad set of
users we basically trust to manipulate bug data.  We can generally trust these
users to use email addresses wisely, and they're the group of active users who
needs access to those addresses.  We should restrict the display of email
addresses to logged-in users with editbugs privileges.

This bug does more than bug 219021, which displays addresses for all logged-in
users.  That bug is a good first step, but getting an account on a public
Bugzilla installation is relatively easy, so it may not be sufficient to
eliminate spam.  Getting editbugs privileges on such installations also isn't
hard, but it's significantly harder than getting an account, since it requires
the user to first perform legitimate work.

This bug does less than bug 163551 and bug 215439, which require more
significant application changes and introduce greater code complexity.  Such
work and added complexity are unnecessary if we restrict the display of
addresses to those users we trust to use them appropriately.

so how does someone w/o editbugs find a key to cc someone? presume the someone's
name is "brian smith". for kicks his email address sorts past the 100 cutoff in
both lists (z10-brian-smith@example.com). (There really is at least one brian
smith in bugzilla.mozilla.org, i'm not going to search through the 180,000 users
to figure out if there's one that sorts below the 100 user limit, there very
easily could be, but just downloading the list took a really long time earlier
this week, and i deleted it already....)

Why not introduce a "handle" that could be used instead of the email address?
Maybe the easiest way to implement that would be to actually use the current
email field and have a new "real email address" field and when that is
non-empty that's where mail is sent. All current features, such as CC and the
Query page's "reported by" etc. probably would work without change?
A "handle" can be any unique string, "Mats Palmgren" for example.

Another concern I have on Bugzilla is that whenever I comment or change a bug
my email address is sent in clear text form to all CCs, Owner, Reporter, QA +
all their "watchers". Could you at least send the "real name" instead?
Since you always include a link to the bug it should be obvious where to
go to be able to reply, or explicitly spell that out in the bugmail since
I have received many email replies directly from inexperienced Bugzilla users
that didn't realize they should have made a comment on the bug.

Regarding the trustworthiness of "editbugs" users - sure, but can you really
rule out the possibility that at least one of them is infected with
email-harvesting spyware?

> so how does someone w/o editbugs find a key to cc someone?

Just like someone with editbugs: via user matching.  The only difference is that
we don't show email addresses, although we still search on them.  If the 100
user cutoff is a problem in that situation, it's a problem now, and a separate bug.


> Why not introduce a "handle" that could be used instead of the email address?

That's bug 218917 (and possibly another, although I can't find it now).


> Another concern I have on Bugzilla is that whenever I comment or change a bug
> my email address is sent in clear text form to all CCs, Owner, Reporter, QA +
> all their "watchers". Could you at least send the "real name" instead?

Perhaps, for non-privileged users.


> Regarding the trustworthiness of "editbugs" users - sure, but can you really
> rule out the possibility that at least one of them is infected with
> email-harvesting spyware?

No, but I'm not aiming for a 100% solution, I'm looking for a 99% solution much
easier to implement and maintain than the overcomplex 99.99% solutions proposed
to date.
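
A sketch of the policy proposed in this bug and of the user matching described in the reply above, added here as an illustration; it is not Bugzilla code and not part of the thread. `User`, `user_id`, `display_identity` and `match_users` are hypothetical names, and the sample accounts are constructed.

```python
from dataclasses import dataclass

MATCH_LIMIT = 100  # the "100 user cutoff" mentioned in the thread

@dataclass(frozen=True)
class User:
    user_id: int                    # hypothetical opaque key used to pick a match
    login: str                      # email address
    real_name: str = ""
    groups: frozenset = frozenset()

def can_see_addresses(viewer):
    """Proposed policy: viewer must be logged in and hold editbugs."""
    return viewer is not None and "editbugs" in viewer.groups

def display_identity(user, viewer):
    """Render a user for this viewer without leaking the address."""
    if can_see_addresses(viewer):
        return f"{user.real_name} <{user.login}>".strip()
    # Do not fall back to the login when the real name is empty.
    return user.real_name or f"user #{user.user_id}"

def match_users(query, users, viewer, limit=MATCH_LIMIT):
    """Search names and addresses; return (user_id, label) pairs."""
    q = query.casefold()
    hits = [u for u in users
            if q in u.real_name.casefold() or q in u.login.casefold()]
    # Sort on a field every viewer may see, so the order itself
    # does not reveal anything about hidden addresses.
    hits.sort(key=lambda u: (u.real_name.casefold(), u.user_id))
    return [(u.user_id, display_identity(u, viewer)) for u in hits[:limit]]

# Constructed sample data (addresses are placeholders on example.com).
USERS = [
    User(1, "z10-brian-smith@example.com", "Brian Smith"),
    User(2, "b.smith@example.com", "Brian Smith"),
    User(3, "nameless@example.com"),
    User(4, "triager@example.com", "Pat Triager", frozenset({"editbugs"})),
]
ANON = None                                    # not logged in
NEWBIE = User(5, "new@example.com", "New User")  # account without editbugs
TRIAGER = USERS[3]                             # holds editbugs
```

The two "Brian Smith" matches carry identical labels for a viewer without editbugs, so that viewer can select one by key but cannot tell them apart. Matching on the hidden address also still tells the viewer that the query string occurs in some account's address.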

Reassigning bugs that I'm not actively working on to the default component owner
in order to try to make some sanity out of my personal buglist.  This doesn't
mean the bug isn't being dealt with, just that I'm not the one doing it.  If you
are dealing with this bug, please assign it to yourself.
Assignee: justdave → general
QA Contact: mattyt-bugzilla → default-qa
Depends on: 219021
Priority: -- → P4

This is an old bug dating back some years and I'm not certain if I should create a new bug report.
I file Thunderbird bugs on bugzilla.
My email address is clearly visible to all who read any bug or comment I make.
Recently, some people were constantly adding derogatory chat to a bug due to their frustration.
After asking them to only post useful information, I received a personal email from one person to my email address, that was clearly designed to be annoying and offensive.

Please can email addresses not be exposed to non-developers.