
Using Gerrit/git requires the email registered via wikitech and ends up being voluntarily disclosed (break of privacy?)
Closed, ResolvedPublic

Description

Original task description by @Billinghurst :

Subject: Remove visible email addresses from emails from gerrit.wikimedia.org

Why does Gerrit put all the email addresses into its posts? Either it should send out individual posts for notifying changes, or it should utilise the bcc field.

It does not seem necessary, and it seems at odds with our approach to respecting personal detail to advertise the email addresses of contributors, especially as there is no clear statement through phabricator that this is the default behaviour of the system.

Using Gerrit to send patches requires a wiki account created on https://wikitech.wikimedia.org/ and the same email address. A user registering an account on the wiki would expect the email address to be kept private as per Wikimedia Privacy policy:

Emails
You have the option of providing an email address at the time of registration or in later interactions with the Wikimedia Sites. If you do so, your email address is kept confidential, except as provided in this Policy. [...]

When sending a code patch to Gerrit, the patch must have an email address matching the user account used to connect to Gerrit. Hence the email ends up being voluntarily disclosed publicly. People might have registered with a private address and get surprised when sending a patch, not realizing they end up making it public.

Also see comment by @hashar T151529#2820380

Random potential ideas:

* https://wikitech.wikimedia.org/wiki/Special:CreateAccount could highlight that if using Gerrit the email will be made public since it is required in the git patches.

Event Timeline

The commit log will contain most of these email addresses, and LDAP probably has the rest. It's not really possible to prevent this stuff being published in a git-based system on an open source project.

Gerrit is a code review system backed up by git. In git, when you do a modification of code, you pack it in a commit which has metadata attached to it, namely the author of the code, which is a name and an email address. To send a commit to Gerrit you have to be authenticated and your account has an email address attached to it. Gerrit verifies that your account email matches the commit author email, else it rejects it. So in short, the email filled in Gerrit is already public since that is the same that is attached to the git commits!

The email notifications are sent to the owner of the Gerrit change as well as all reviewers. People are on CC so one can eventually reply to the notification email and communicate with all people involved outside of Gerrit. That is probably not so much used though. It also lets you know who has seen the message or is currently receiving notifications.

The emails in Gerrit are not going to be hidden or made private at all. Though if that is a concern maybe we could get a large notice when an account is registered stating that the email address used for the account will be made publicly available. I think the account registration is done via https://wikitech.wikimedia.org/ so maybe add the message to the registration page as well as in the user preference pane. It might be doable by customizing mediawiki messages on the wiki.

Declining the request to "remove visible email addresses from emails from gerrit" as per previous comments.

Then please remove me from the gerrit review system.

It may be difficult/impossible to do that without removing you from LDAP, which can break all sorts of things, most obviously your labs access.

Then tell me how we are complying with the Wikimedia privacy policy.

We are committed to:

  - Describing how your information may be used or shared in this Privacy Policy.
  - Using reasonable measures to keep your information secure.
  - Never selling your information or sharing it with third parties for marketing purposes.
  - Only sharing your information in limited circumstances, such as to improve the Wikimedia Sites, to comply with the law, or to protect you and others.
  - Retaining your data for the shortest possible time that is consistent with maintaining, understanding, and improving the Wikimedia Sites, and our obligations under law.

hashar renamed this task from Remove visible email addresses from emails from gerrit.wikimedia.org to Using Gerrit/git requires the email registered via wikitech and ends up being voluntarily disclosed (break of privacy?). Nov 24 2016, 11:44 AM
hashar reopened this task as Open.
hashar triaged this task as Medium priority.
hashar updated the task description.

I quickly talked to @Aklapper about it and rephrased the whole task so that instead of being a technical solution (hide emails in Gerrit) it goes to the root cause: people not realizing sending a git patch ends up publishing their email address.

Probably we need to highlight that when users create an account or change their user email (in Special:Preferences).

Then, one can say that by sending a patch in git, they are voluntarily disclosing their email address and hence it is not a breach of terms of use / Privacy policy. Then I am neither a lawyer nor an inexperienced user.

+ Privacy in case that pokes the right people to further talk about it. Maybe one can loop in Cloud-Services and WMF-Legal as well?

@hashar It is not even making a patch. Someone simply adding you into review a patch does it.

demon raised the priority of this task from Medium to High. Nov 24 2016, 8:10 PM
demon subscribed.

It may be difficult/impossible to do that without removing you from LDAP which can break all sorts of things, most obviously your labs access

This is not true.

Then please remove me from the gerrit review system.

I will do this. Sorry I hadn't seen this task yet.

demon removed demon as the assignee of this task. Edited Nov 24 2016, 8:52 PM

I've marked your account inactive (so you can't login) and pruned all of the comments you've ever made. There's a change with your name on it, but there's nothing that I can do there, it's git history and permanent (even there, I scrubbed what I could). For that, it's resolved and I'm resigning as owner of the task.

To circle back to the original summary: Yes, registering with Gerrit uses the same account as Wikitech/LDAP. Yes, by default this is the same e-mail address, but it doesn't have to be. Once an e-mail address is used in Git, that's public record forever. Maybe we need documentation improvements, maybe we need privacy policy adjustments, but it's absolutely the way things are and as long as we're using Git it won't ever change (so be prepared for Phabricator too, if you choose to commit).
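
Added illustration, not part of the original task discussion: the comments above note that the author e-mail is stored in every git commit and that git history is permanent. This Python sketch computes commit ids the way git does, using constructed names and example addresses (all assumptions), to show that the address is part of the hashed bytes, so replacing it rewrites that commit and every descendant.

```python
import hashlib

def git_object_id(kind, body):
    """Object id as git computes it: SHA-1 of '<kind> <size>\\0' + body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

EMPTY_TREE = git_object_id("tree", b"")  # every sample commit uses the empty tree

def commit_body(parents, name, email, when, message):
    """Raw commit object; the author e-mail sits inside the hashed bytes."""
    ident = f"{name} <{email}> {when} +0000"
    lines = [f"tree {EMPTY_TREE}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return ("\n".join(lines) + "\n").encode()

def build_history(emails):
    """One commit per address, each the parent of the next; returns the ids."""
    ids = []
    for n, email in enumerate(emails):
        body = commit_body(ids[-1:], "Example Dev", email, 1480000000 + n, f"change {n}")
        ids.append(git_object_id("commit", body))
    return ids

def first_rewritten(before, after):
    """Index of the first commit whose id changed, or None if identical."""
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b:
            return i
    return None

# Constructed sample data: the second commit carries a private address.
ORIGINAL = ["dev@example.org", "private.addr@example.org", "dev@example.org"]
SCRUBBED = ["dev@example.org", "redacted@example.invalid", "dev@example.org"]

if __name__ == "__main__":
    before, after = build_history(ORIGINAL), build_history(SCRUBBED)
    for i, (a, b) in enumerate(zip(before, after)):
        print(i, a[:10], b[:10], "unchanged" if a == b else "REWRITTEN")
    print("first rewritten commit:", first_rewritten(before, after))
```

The third commit's own author line is identical in both histories, yet its id still changes because it names the rewritten second commit as its parent; every existing clone keeps the original objects.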

I've marked your account inactive (so you can't login) and pruned all of the comments you've ever made. There's a change with your name on it, but there's nothing that I can do there, it's git history and permanent (even there, I scrubbed what I could).

That sounds like quite a bit of sysadmin work for one user, perhaps "difficult" was the wrong word though. I'm not happy with the idea of deleting comments, this could mess with context in historical discussions.

I've marked your account inactive (so you can't login) and pruned all of the comments you've ever made. There's a change with your name on it, but there's nothing that I can do there, it's git history and permanent (even there, I scrubbed what I could).

That sounds like quite a bit of sysadmin work for one user, perhaps "difficult" was the wrong word though. I'm not happy with the idea of deleting comments, this could mess with context in historical discussions.

It took me like 5-10 minutes tops, it wasn't hard. I wouldn't worry about it since you weren't the one having to do the work ;-)

There weren't enough comments on anything interesting to matter.

Kaartic subscribed.

I do see a huge banner stating the email address would be public. Hence closing this.

Screenshot from 2018-07-08 16-29-27.png (251×819 px, 43 KB)

That only shows up when creating an account.

Well that's when it becomes publicly available.

Unless you're saying there should also be a notice when you change your email, though I suspect the registration time one covers it