Page MenuHomePhabricator

Using Gerrit/git requires the email registered via wikitech and ends ups being voluntary disclosed (break of privacy?)
Closed, ResolvedPublic

Description

Original task description by @Billinghurst :

Subject: Remove visible email addresses from emails from gerrit.wikimedia.org
Why does Gerrit put all the email addresses into its posts? Either it should send out individual posts for notifying changes, or it should utilise the bcc field.
It does not seem necessary, and it seems at odds to our approach to respecting personal detail to advertise the email addresses of contributors, especially as there is no clear statement through phabricator that this is the default behaviour of the system.

Using Gerrit to send patches requires a wiki account created on https://wikitech.wikimedia.org/ and the same email address. A user registering an account on the wiki would expect the email address to be kept private as per Wikimedia Privacy policy:

Emails
You have the option of providing an email address at the time of registration or in later interactions with the Wikimedia Sites. If you do so, your email address is kept confidential, except as provided in this Policy. [...]

When sending a code patch to Gerrit, the patch must have an email address matching the user account used to connect to Gerrit. Hence the email ends up being voluntary disclosed public. People might have registered with a private address and get surprised when sending a patch by not realizing they end up making it public.

Also see comment by @hashar T151529#2820380

Random potential ideas:

*https://wikitech.wikimedia.org/wiki/Special:CreateAccount could highlight that if using Gerrit the email will be made public since it is required in the git patches.

Related Objects

Event Timeline

Restricted Application added subscribers: TerraCodes, Aklapper. · View Herald TranscriptNov 24 2016, 9:26 AM
Peachey88 edited projects, added Upstream; removed Phabricator.Nov 24 2016, 9:30 AM

The commit log will contain most of these email addresses, and LDAP probably has the rest. It's not really possible to prevent this stuff being published in a git-based system on an open source project.

hashar added a subscriber: hashar.Nov 24 2016, 9:53 AM

Gerrit is a code review system backed up by git. In git when you do a modification of code, you pack it in a commit which has metadata attached to it, namely the author of the code which is a name and an email address. To send a commit to Gerrit you have to be authenticated and your account has an email address attached to it, Gerrit verify that your account email matches the commit author email, else it rejects it. So in short, the email filled in Gerrit is already public since that is the same that is attached to the git commits!

The email notifications are sent to the owner of the Gerrit change as well as all reviewers. People are on CC so one can eventually reply to the notification email and communicate with all people involved outside of Gerrit. That is probably not so much used though. It also let you know who has seen the message or is currently receiving notifications.

The emails in Gerrit are not going to be hidden or made private at all. Though if that is a concern maybe we could get a large notice when an account is registered stating that the email addressed used for the account will be made publicly available. I think the account registration is done via https://wikitech.wikimedia.org/ so maybe add the message to the registration page as well as in the user preference pan. It might be doable by customizing mediawiki messages on the wiki.

Aklapper closed this task as Declined.Nov 24 2016, 10:09 AM

Declining the request to "remove visible email addresses from emails from gerrit" as per previous comments.

Then please remove me from the gerrit review system.

It may be difficult/impossible to do that without removing you from LDAP which can break all sorts of things, most obviously your labs access

Then tell me how we are complying with the Wikimedia privacy policy.

We are committed to:

  -     Describing how your information may be used or shared in this Privacy Policy.

  -     Using reasonable measures to keep your information secure.

  -     Never selling your information or sharing it with third parties for marketing purposes.

  -     Only sharing your information in limited circumstances, such as to improve the Wikimedia Sites, to comply with the law, or to protect you and others.
  -     Retaining your data for the shortest possible time that is consistent with maintaining, understanding, and improving the Wikimedia Sites, and our obligations under law.
hashar renamed this task from Remove visible email addresses from emails from gerrit.wikimedia.org to Using Gerrit/git requires the email registered via wikitech and ends ups being voluntary disclosed (break of privacy?).Nov 24 2016, 11:44 AM
hashar reopened this task as Open.
hashar triaged this task as Normal priority.
hashar updated the task description. (Show Details)

I quickly talked to @Aklapper about it and rephrased the whole task so that instead of being a technical solution (hide emails in Gerrit) it goes to the root cause: people not realizing sending a git patch ends up publishing their email address.

Probably we need to highlight that when users create an account or change their user email (in Special:Preferences).

Then, one can say by that sending a patch in git, they are voluntary disclosing their email address and hence it is not a breach of term of uses / Privacy policy. Then I am neither a lawyer nor an unexperimented user.

+ Privacy in case that pokes the right people to further talk about it. Maybe one can loop in Cloud-Services and WMF-Legal as well ?

@hashar It is not even making a patch. Someone simply adding you into review a patch does it.

demon raised the priority of this task from Normal to High.Nov 24 2016, 8:10 PM
demon added a subscriber: demon.

It may be difficult/impossible to do that without removing you from LDAP which can break all sorts of things, most obviously your labs access

This is not true.

Then please remove me from the gerrit review system.

I will do this. Sorry I hadn't seen this task yet.

demon claimed this task.Nov 24 2016, 8:11 PM
demon removed demon as the assignee of this task.EditedNov 24 2016, 8:52 PM

I've marked your account inactive (so you can't login) and pruned all of the comments you've ever made. There's a change with your name on it, but there's nothing that I can do there, it's git history and permanent (even there, I scrubbed what I could). For that, it's resolved and I'm resigning as owner of the task.

To circle back to the original summary: Yes, registering with Gerrit uses the same account as Wikitech/LDAP. Yes, by default this is the same e-mail address, but it doesn't have to be. Once an e-mail address is used in Git, that's public record forever. Maybe we need documentation improvements, maybe we need privacy policy adjustments, but it's absolutely the way things are and as long as we're using Git it won't ever change (so be prepared for Phabricator too, if you choose to commit).

I've marked your account inactive (so you can't login) and pruned all of the comments you've ever made. There's a change with your name on it, but there's nothing that I can do there, it's git history and permanent (even there, I scrubbed what I could).

That sounds like quite a bit of sysadmin work for one user, perhaps "difficult" was the wrong word though. I'm not happy with the idea of deleting comments, this could mess with context in historical discussions.

I've marked your account inactive (so you can't login) and pruned all of the comments you've ever made. There's a change with your name on it, but there's nothing that I can do there, it's git history and permanent (even there, I scrubbed what I could).

That sounds like quite a bit of sysadmin work for one user, perhaps "difficult" was the wrong word though. I'm not happy with the idea of deleting comments, this could mess with context in historical discussions.

It took me like 5-10 minutes tops, it wasn't hard. I wouldn't worry about it since you weren't the one having to do the work ;-)

There weren't enough comments on anything interesting to matter.

Peachey88 added a subscriber: Peachey88.
hashar removed a subscriber: hashar.Apr 3 2017, 10:08 AM
ZhouZ added a subscriber: ZhouZ.
Kaartic closed this task as Resolved.Jul 8 2018, 10:59 AM
Kaartic added a subscriber: Kaartic.

I do see a huge banner stating the email address would be public. Hence closing this.

TerraCodes reopened this task as Open.Jul 8 2018, 11:08 AM

That only shows up when creating an account.

Well that's when it becomes publicly available.

Aklapper closed this task as Resolved.Jul 8 2018, 2:13 PM

Unless you're saying there should also be a notice when you change your email, though I suspect the registration time one covers it

sbassett moved this task from Backlog to Done on the Privacy board.Oct 16 2019, 5:41 PM