Somewhat urgent privacy concern

Arand Nash ienorand at gmail.com
Sat Aug 29 17:14:28 BST 2009


Somewhat urgent privacy concern:

Currently approximately 60 users (or more), who have recently reported 
crashes in Ubuntu One, have the file & folder names of their entire Ubuntu 
One contents listed publicly in text attachments.

This comes about since U1's crash reports contain a list of all the U1 
files and folders of the reporting user (LP: 419895), AND that those 
attachments are not removed when the bug is marked as a duplicate and 
made public by the apport retracing service (LP: 419929).
One concerned bug report is (LP: 419488), which seemed to affect a lot 
of Karmic+U1 testers.

My urgent-quickfix suggestion would be to either immediately mark all 
these bugs as private OR remove the concerned attachment from all of 
them, and continue doing so with all new incoming ones.

In the "long" term either U1 has to stop attaching this data to their 
crash reports OR the retracer has to be fixed to keep bugs private when 
dupe-marked or to remove *all* attachments from private bugs gone public.

I'm hoping for now that this hasn't and will not cause any hurt to the 
concerned users, and hopefully it can be taken care of quickly, since it 
puts both Ubuntu One and Launchpad in a somewhat bad light.

- Arand


