Bugzilla members' security? Publication of email addresses leads to spam?
I recently created an account with the Maemo Bugzilla and have noticed that the login user ID (email address) is shown to anybody who has logged in to the Bugzilla. I'm just wondering if that is the reason why during the last few weeks I have received a lot more spam emails than before... Because of this, I think Bugzilla is a goldmine for spambots to harvest working email addresses!!! :eek:
I was trying to see if there is a way to change the user ID to something else than email address but could not find it. :mad:
Anybody, any comments?
Milhouse
05-17-2007, 09:21 PM
It's being addressed as we speak - email addresses will be hidden as a priority precisely because there have been verifiable cases of harvesting.
Currently I believe bugzilla is closed unless you have a valid account, ie. it's not currently open to anonymous access but such access will be permitted once patches have been applied that anonymise users. No ETA yet, but it's recognised as being a high priority issue.
https://bugs.maemo.org/show_bug.cgi?id=1383
wizbowes
03-08-2010, 08:45 AM
How do I cancel my bugzilla account and remove my details?
You sign up by providing your email address which is fine for the system admins to know. Didn't realize that my private email address would now be plastered on the fricking site and used as a username. There was no obvious warning - I was expecting to be able to select a proper username.
I'm all for community but this is just plain ******ed and I want that account deleted ASAP. How do I do it - it's not obvious?
noobmonkey
03-08-2010, 08:48 AM
you probably need to email the bugzilla team. there is a link at the bottom of every bugzilla page.
floffe
03-08-2010, 08:51 AM
If you set a "real name" (obviously it can be fake) in the preferences, the email will only be shown for logged in users.
Andre Klapper
03-08-2010, 10:45 AM
Didn't realize that my private email address would now be plastered on the fricking site and used as a username.
Set a realname in the preferences. Log out and check yourself if your email address is displayed. Or not.
There was no obvious warning - I was expecting to be able to select a proper username.
Feel free to file an upstream request for this in Bugzilla's Bugzilla at bugzilla.mozilla.org, if it does not exist yet.
I want that account deleted ASAP.
Accounts cannot be deleted (and it makes no sense anyway). You could disable it though.
noobmonkey
03-08-2010, 11:16 AM
Accounts cannot be deleted (and it makes no sense anyway). You could disable it though.
Erm, Can not or will not?
I think anyone has the right (legal or otherwise) to be fully removed from sites if they wish? especially open source led ones? (Sounds micro-facebook'softed, that sentence)
I'd feel a bit peeved if i knew that there was no way for me to remove myself...
I do understand it would screw up parts, but could the system not realise that and place "Removed User" in its place?
Accounts cannot be deleted (and it makes no sense anyway). You could disable it though.
Huh? Of course it makes sense. And it is a legal requirement under the Data Protection Directive. Just look at all the trouble that Facebook got into about not letting people delete accounts.
Andre Klapper
03-08-2010, 11:22 AM
I think anyone has the right (legal or otherwise) to be fully removed from sites if they wish?
I do understand it would screw up parts, but could the system not realise that and place "Removed User" in its place?
See the upstream ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=392184
TA-t3
03-08-2010, 12:16 PM
Seeing as that upstream ticket has been going on since 2007, it's not very useful. And in any case it's not right to redirect a legal issue (which this really is, I can only agree with the previous poster) to a technical one.
sadfist
03-08-2010, 12:24 PM
Feel free to file an upstream request for this in Bugzilla's Bugzilla at bugzilla.mozilla.org, if it does not exist yet.
Wouldn't he then have his email displayed on that bugzilla? :confused:
wizbowes
03-08-2010, 12:24 PM
If you set a "real name" (obviously it can be fake) in the preferences, the email will only be shown for logged in users.
Thanks but sadly that's not really much of a solution - I don't want my email address shown to anyone, logged in or not. Can you imagine if facebook only showed your email address to logged in users? Would that be OK?
wizbowes
03-08-2010, 12:37 PM
Set a realname in the preferences. Log out and check yourself if your email address is displayed. Or not.
I can see everybody else's email addresses when logged in. Surely that tells me all I need to know. Email addresses are visible when logged in unless I'm missing something.
Feel free to file an upstream request for this in Bugzilla's Bugzilla at bugzilla.mozilla.org, if it does not exist yet.
Er - How does that help me? That makes my own situation worse doesn't it? I'm pissed off that it's showing my email address and the solution is to do it again. (And in fact it's not a solution - all it does is log my complaint - there's no resolution promised).
Accounts cannot be deleted (and it makes no sense anyway). You could disable it though.
How? I can't find any way to disable an account. Am I missing something?
zero2007
03-08-2010, 12:42 PM
Even if you add a username to your account your email address is still displayed in the CC list as well as everyone who has posted to the bug :mad:
Had I known of this I would have never reported a bug :mad:
ossipena
03-08-2010, 12:45 PM
how hard is it to get a new email account?
does changing email update the new address to every comment etc written before?
Texrat
03-08-2010, 12:49 PM
I'm not understanding the complaint.
- I get no spam at all due to this;
- I don't care if others in the ecosystem see my email
???
Andre Klapper
03-08-2010, 01:03 PM
I can see everybody elses email addresses when logged in. Surely that tells me all I need to know.
Yes, always been like that with Bugzilla.
craftyguy
03-08-2010, 01:03 PM
I'm not understanding the complaint.
- I get no spam at all due to this;
- I don't care if others in the ecosystem see my email
???
But some people do care. People like the OP (and a lot of my close friends) like to preserve their privacy rights. Not everyone is on facebook blasting their information to the world :)
GeneralAntilles
03-08-2010, 01:05 PM
There has to be a way to follow up on bug reports and comments, thus the email requirement and why anonymous reports are not accepted. I'd really be interested to know why this is an issue.
ossipena
03-08-2010, 01:05 PM
btw does the bugzilla account creation state that the email won't be shown to anyone?
wizbowes
03-08-2010, 01:09 PM
Having corresponded with Andre it seems that you cannot disable an account. You can change the email address to something else which should work in removing the address of any accounts you care about from the web - which is all I actually wanted.
Not perfect by any means but it's all we have for now.
Thanks Andre.
Andre Klapper
03-08-2010, 01:10 PM
Even if you add a username to your account your email address is still displayed in the CC list as well as everyone who has posted to the bug :mad:
Had I known of this I would have never reported a bug :mad:
And the problem with the described behaviour is.......?
Andre Klapper
03-08-2010, 01:11 PM
But some people do care. People like the OP (and a lot of my close friends) like to preserve their privacy rights.
Better to avoid any mailing list then, as it uses.... email. :-)
Better to avoid any mailing list then, as it uses.... email. :-)
But it is typically not possible for a mailing list user to see all of the members of a list, as mail messages only go to the mailing list address.
I am a bit disturbed by the somewhat flippant responses to this privacy issue. It reminds me of Google's attitude: http://www.eff.org/deeplinks/2009/12/google-ceo-eric-schmidt-dismisses-privacy Just because you don't think that this isn't important doesn't mean that you should dismiss those who think that it is.
I would like to understand why maemo think that they can ignore the DPD, just because it is an upstream bug. The server administrators might want to consider who is responsible for the maemo.org servers and the legal implications thereof. I think you are sorely mistaken if you think that "it's an upstream bug" will hold up in court.
Texrat
03-08-2010, 02:53 PM
btw does the bugzilla account creation state that the email won't be shown to anyone?
Good question. I think the info should be clearly disclosed during account creation.
And FYI-- I'm not being flippant at all about this. I do understand and agree with privacy concerns in general. But in certain instances we decide where we want privacy and where we don't mind info shared. In the context of bug reporting, why would we want anonymity from participants? That's not a rhetorical question; I'm genuinely curious.
Good question. I think the info should be clearly disclosed during account creation.
And FYI-- I'm not being flippant at all about this. I do understand and agree with privacy concerns in general. But in certain instances we decide where we want privacy and where we don't mind info shared. In the context of bug reporting, why would we want anonymity from participants? That's not a rhetorical question; I'm genuinely curious.
I should clarify that I am not that bothered about privacy on maemo.org - I use the same username here as I do on several other sites and it is trivial for people to find out my real-world identity. Off the top of my head I can't think of any situations where you might want to hide the submitter's e-mail address, but at the same time I think it is not right that the e-mail address is made public without warning. You can easily imagine that someone might want to set up a throwaway e-mail account for reporting bugs if they knew that this setup was in effect.
But the revelation of e-mail addresses is really a side issue. The real problem for me is the inability to delete accounts, as this is a legal requirement and other websites (specifically Facebook) have got into trouble over this.
lemmyslender
03-08-2010, 03:28 PM
Good question. I think the info should be clearly disclosed during account creation.
And FYI-- I'm not being flippant at all about this. I do understand and agree with privacy concerns in general. But in certain instances we decide where we want privacy and where we don't mind info shared. In the context of bug reporting, why would we want anonymity from participants? That's not a rhetorical question; I'm genuinely curious.
I think the issue is that you can not specify a username to show in lieu of the email address. I know there are some bugs with quite a few comments. I wouldn't necessarily want everyone that comments on the bug (or just views it while logged in) to see my email. If more info is required the administrators can contact me for more info. Assuming that for some reason I commented, but am not following the bug.
I don't think anyone here would like their email address to be shown to anyone logged in to the forum. Does your email address show to all logged in on wiki pages?
GeneralAntilles
03-08-2010, 03:31 PM
I think the issue is that you can not specify a username to show in lieu of the email address. I know there are some bugs with quite a few comments. I wouldn't necessarily want everyone that comments on the bug (or just views it while logged in) to see my email. If more info is required the administrators can contact me for more info. Assuming that for some reason I commented, but am not following the bug.
Then it's probably best that you cease your participation on bugs.maemo.org. :)
craftyguy
03-08-2010, 03:37 PM
Better to avoid any mailing list then, as it uses.... email. :-)
What a horrible "official" response to this issue from Nokia. Yes it's an official response because you represent Nokia as an employee.
Discouraging others from participating in debugging your buggy software just because they have privacy issues?? Tisk tisk..
Note: I do not have a problem with the way it is now, but others do, and I understand the problem they have with it.
Texrat
03-08-2010, 03:41 PM
craftyguy, note the emoticon after Andre's statement.
What a horrible world we're in if wry humor is now considered... horrible.
javispedro
03-08-2010, 03:50 PM
What a horrible "official" response to this issue from Nokia. Yes it's an official response because you represent Nokia as an employee.
Discouraging others from participating in debugging your buggy software just because they have privacy issues?? Tisk tisk..
So you want to get your bug fixed but don't want to even give your email address to the people that will fix your bug? (aka everybody, since this is OSS). What a weird point of view.
Email addresses --you need to share them to allow people to message you. That's how they work.
And this is really a nonissue since getting more addresses is so damn easy (well, spam and spambots is another story and the reason one might hide them from the open internet)... Facebook didn't get in trouble because of this.
lemmyslender
03-08-2010, 03:56 PM
Then it's probably best that you cease your participation on bugs.maemo.org. :)
Well, you certainly don't see my name on any of the long bugs anyway.
Fortunately, when I registered, I used a brand new email address :) (which now that I mentioned it will likely start getting spammed endlessly, o well such is life)
Northerner
03-08-2010, 04:04 PM
So you want to get your bug fixed but don't want to even give your email address to the people that will fix your bug? (aka everybody, since this is OSS). What a weird point of view.
Email addresses --you need to share them to allow people to message you. That's how they work.
And this is really a nonissue since getting more addresses is so damn easy (well, spam and spambots is another story and the reason one might hide them from the open internet)... Facebook didn't get in trouble because of this.
Totally missing the point. There was no warning that his email address was going to be made public. If he had known, he could have used a "throwaway" address instead of the one he'd rather have kept private ( or for selective personal use).
Privacy-loving people should already know about mailinator.com and other pages that allow users to create "throw-away" e-mail addresses on the fly.
There also exist services that allow you to create temporary-forwarding addresses that will accept only a few (e.g. 10) mails and then stop forwarding mail to your real address. Can't remember right now how that service is called, though.
ossipena
03-08-2010, 04:18 PM
But it is typically not possible for a mailing list user to see all of the members of a list, as mail messages only go to the mailing list address.
I am a bit disturbed by the somewhat flippant responses to this privacy issue. It reminds me of Google's attitude: http://www.eff.org/deeplinks/2009/12/google-ceo-eric-schmidt-dismisses-privacy Just because you don't think that this isn't important doesn't mean that you should dismiss those who think that it is.
I would like to understand why maemo think that they can ignore the DPD, just because it is an upstream bug. The server administrators might want to consider who is responsible for the maemo.org servers and the legal implications thereof. I think you are sorely mistaken if you think that "it's an upstream bug" will hold up in court.
just creating a bugzilla account doesn't give away your email. just like joining mailing list. but what about posting stuff? can you do that anonymously?
...excellent analogy
e: and removing account could leave multiple crippled bugs when one's every piece of content would be removed. what about quoted messages etc?
imo only warning to signup is good enough. it's one's own fault if he doesn't read the small print
ossipena
03-08-2010, 04:20 PM
Totally missing the point. There was no warning that his email address was going to be made public. If he had known, he could have used a "throwaway" address instead of the one he'd rather have kept private ( or for selective personal use).
was there a promise that it will be kept secret?
javispedro
03-08-2010, 04:32 PM
There was no warning that his email address was going to be made public. If he had known, he could have used a "throwaway"
So you're telling me that he didn't read ANY previous bug report before filing his one? Ah well.
craftyguy
03-08-2010, 04:54 PM
craftyguy, note the emoticon after Andre's statement.
What a horrible world we're in if wry humor is now considered... horrible.
Where I come from, emoticons can be thrown in to 'soften' any blatant stabs at someone. I agree it's horrible. privacy is a serious issue for some people, and discouraging them from being involved because of it is the wrong way to go.
NOTE: again, I am NOT concerned with my email getting out, I actively participate in many mailing lists and bugzilla posts.
My point is: Respect people's decision to protect their privacy, and do not ridicule them for making an active decision to protect it. Obviously the OP was not aware of the alternatives (such as creating a bogus email) that are available, and judging by the number of "thanks" I'm getting for my posts, quite a few other members weren't aware either. Why not make these alternative suggestions available on the registration page? It's not acceptable to expect people who want to protect their privacy to just magically know the alternatives.
Hmm sounds to me like some users have the warning thing backwards. I don't recall ever getting a warning that my email address will be visible. The only notification I've seen is that it will NOT be seen. If no such thing is notified, then one should assume that your email address might be visible to others.
I understand how this can be overlooked by someone, but it would still be that person's fault, and not the system's. The possibility of removing the user should however be present, imo.
Texrat
03-08-2010, 05:21 PM
Where I come from, emoticons can be thrown in to 'soften' any blatant stabs at someone. I agree it's horrible. privacy is a serious issue for some people, and discouraging them from being involved because of it is the wrong way to go.
Point missed.
Andre's comment was mild teasing humor. That's all. Attempts to make anything sinister out of it are utterly disingenuous.
craftyguy
03-08-2010, 05:30 PM
Point missed.
Andre's comment was mild teasing humor. That's all. Attempts to make anything sinister out of it are utterly disingenuous.
Point acknowledged, but proved to be irrelevant because people interpret those stupid emoticons differently (as sarcasm, as joking, as 'softening' something offensive, etc).
For example:
Andre that was a very unprofessional thing to say to a real concern by a participating member of this community :)
Am I joking or being sarcastic, or hiding my opinion behind a smiley face :)
Ok, ok, I'm done.
Texrat
03-08-2010, 05:45 PM
It helps to actually know the person "speaking". Andre is a great guy, very personable, doubt there's a malicious bone in his body.
More importantly: erring to the side of caution in interpretation is good, too. ;)
geneven
03-08-2010, 05:52 PM
craftyguy, note the emoticon after Andre's statement.
What a horrible world we're in if wry humor is now considered... horrible.
Maybe you would be good enough to explain the difference between the grin that expresses wry humor and the same grin expressing 'tough sh.t, you're out of luck, buddy.' I have a hard time distinguishing them.
Texrat
03-08-2010, 06:31 PM
Maybe you would be good enough to explain the difference between the grin that expresses wry humor and the same grin expressing 'tough sh.t, you're out of luck, buddy.' I have a hard time distinguishing them.
context. like the poster's personality and history. and for those who lack the background, once again: err to the side of caution instead of automatically assuming ill intent.
noobmonkey
03-08-2010, 06:37 PM
have to admit, i'm not sure who to take seriously all the time, but i would hope that posts that raise questions for people... especially privacy should be dealt with with a bit less sarcasm at times, at least when it's obvious people will get wound up...
Not a kill joy - but can see both sides to the debate here... and think both need a bit of respect :D
Texrat
03-08-2010, 06:51 PM
...and on the other side it would be nice if people dropped their anxiety at the door (that applies to me too, since I forget too often). ;)
noobmonkey
03-08-2010, 06:54 PM
...and on the other side it would be nice if people dropped their anxiety at the door (that applies to me too, since I forget too often). ;)
hehe :D
yeah... res'pecccccct (Said in a daffy duck styleee) gets forgotten both sides when typing.... :(
Also people forget that you could be taking things really seriously... and at the other end of the debate is a Texrat sitting there sipping pina colada's next to a paddling pool :D (Well, relaxed anyway)
Oh the joys of t'internet and wireless ;)
Texrat
03-08-2010, 06:56 PM
Speaking of which, I'm about to have some red wine.
Are we done with the debate, yet? :D
craftyguy
03-08-2010, 07:23 PM
Speaking of which, I'm about to have some red wine.
Are we done with the debate, yet? :D
Yes, have a glass(or three) for us! :)
pataphysician
03-08-2010, 08:52 PM
If you post to Google Groups your email can be seen by anyone in the group. Google doesn't clearly notify you at any point of joining a group that this will occur, though it is somewhere in their Privacy Policy, but if you already have a gmail account and are logged in you won't see the tiny link to their Privacy Policy, which only occurs if you go to google groups url when not signed in to a gmail account.
While this is common for some bug tracking and support groups to expose email addresses to members, unfortunately the Privacy Policy of maemo.org says
"You expressly accept and give your unambiguous consent that Nokia, Nokia’s subcontractors or agents performing support and thereto related tasks may have access to your Personal Information in order to complete the task in question. These entities performing these functions have accepted appropriate confidentiality obligations when processing your personal information. Your Personal Information will not be revealed to any third parties without your prior consent, except as otherwise provided above in this Privacy Policy or required by law, court order or law enforcement officials. "
http://maemo.org/legal/privacy_policy/
But there is no confidentiality agreement/obligation you submit to, when you join bugs.maemo.org, so it is not true that your personal information is only given to persons who have signed confidentiality agreements/obligations. Maemo needs to update their privacy policy. The policy was written in 2005, so this was well before there was a bugzilla for maemo, which started in 2008.
Maemo should look at Google Groups Privacy Policy, which clearly states that your email is available to all who are members of any group you join.
Texrat
03-08-2010, 09:29 PM
Maemo should look at Google Groups Privacy Policy, which clearly states that your email is available to all who are members of any group you join.
Right. IMO that's the simplest, best solution.
YoDude
03-08-2010, 11:33 PM
Point missed.
Andre's comment was mild teasing humor. That's all. Attempts to make anything sinister out of it are utterly disingenuous.
No it is the posts after that in support of his "mild teasing humor" statement that suck...
To everyone else my opinion is:
Bugzilla ain't freakin' "Facebook".
It is for serious reports from serious people, I have no problem with using my addy as I want a serious response to the dang bugs I report.
I also don't want the process ruined by anonymous, spammed bug reports. It is boring and tedious enough to manage the information I receive from this "anonymous" forum as it is.
I understood that the minute I crossed over from this forum and registered on the maemo.org side of the house.
Sooner or later ya got to grow up. :)
If you don't want your email addy displayed, simple fix: Register a throw away and change it to that on your user account page.
And for those piping up about legal requirements and whatnot... Good luck with that. What are you going to pay your lawyer with, karma?
I agree the standard MO response to "Feel Free to...(whatever)" can get a person riled up. Typically the first response to hearing that is well then "feel free to go... (whatever ;) ) yourself". :eek:
...but it is what it is.
If you're serious about improving your device then participate and deal with it.
If not then feel free to....
Texrat
03-08-2010, 11:46 PM
No it is the posts after that in support of his "mild teasing humor" statement that suck...
Just when I thought we were done with pointless provocation.
:rolleyes:
YoDude
03-09-2010, 01:48 AM
Just when I thought we were done with pointless provocation.
:rolleyes:
:rolleyes::rolleyes::rolleyes:
If that one line is all that you got out of my multi paragraph post then I guess you're the one that's not done. :)
This ridiculous debate has convinced me to leave maemo.org. I would like to delete my account. Please let me know who I should contact about this.
qwerty12
03-09-2010, 02:52 AM
Somebody's trying to leave.
Smithers, get the dogs!
twaelti
03-09-2010, 03:30 AM
This ridiculous debate has convinced me to leave maemo.org. I would like to delete my account. Please let me know who I should contact about this.
I hope you enjoyed the two months and thanks for all your valuable contributions :D
Ridiculous is only the assumption and naivety of the original poster who probably never used a bugtracker before and doesn't get the ideas of open source collaboration and teamwork, then people getting into privacy ranting mode (nobody posted your underwear pictures, but an email address useful for communication about specific problems where we share a common interest).
You know, some of us come from an age where E-Mail was all we had :D
The title of this thread could equally well have been "ZOMG! Bugzilla is using my email address as an email address, I might get email!"
Really, that's what it's for.
cashclientel
03-09-2010, 03:55 AM
Accounts cannot be deleted (and it makes no sense anyway). You could disable it though.
Just to clarify on anyone that was confused by this "you can't delete accounts". He's actually correct - deleting an account would break the referential integrity of the system. Wherever the account had been used there would be a back hole if it was completely deleted. The parser would error out when trying to construct the page from the database.
To be technically correct you should 'null out' all the data on the account - email address, etc. Depending on your view to data protection you could also null out all previous comments by that account (so they show as being made, but just as a blank).
Rob1n
03-09-2010, 05:00 AM
Just to clarify on anyone that was confused by this "you can't delete accounts". He's actually correct - deleting an account would break the referential integrity of the system. Wherever the account had been used there would be a back hole if it was completely deleted. The parser would error out when trying to construct the page from the database.
To be technically correct you should 'null out' all the data on the account - email address, etc. Depending on your view to data protection you could also null out all previous comments by that account (so they show as being made, but just as a blank).
Just have a single "Deleted user" account (with email notifications disabled), and merge any others into it when they ask to be deleted. There's scripts available for merging bugzilla accounts.
Andre Klapper
03-09-2010, 06:14 AM
What a horrible "official" response to this issue from Nokia.
This was not an "official" response from Nokia as I do not work for Nokia. So please don't state that. Thanks.
Andre Klapper
03-09-2010, 06:19 AM
I think the info should be clearly disclosed during account creation.
This will be fixed in the next weeks when we have finally upgraded maemo.org Bugzilla to version 3.4.
See https://landfill.bugzilla.org/bugzilla-3.4-branch/createaccount.cgi:
"PRIVACY NOTICE: Bugzilla is an open bug tracking system. Activity on most bugs, including email addresses, will be visible to the public. We recommend using a secondary account or free web email service (such as Gmail, Yahoo, Hotmail, or similar) to avoid receiving spam at your primary email address. "
As a general note, everybody can always test the latest stable Bugzilla version online, upstream at https://landfill.bugzilla.org/bugzilla-3.4-branch/ to check if any requests/improvements exist in that new version.
Andre Klapper
03-09-2010, 06:19 AM
btw does the bugzilla account creation state that the email won't be shown to anyone?
Bugzilla 3.4 will fix this by displaying a hint on account creation:
"PRIVACY NOTICE: Bugzilla is an open bug tracking system. Activity on most bugs, including email addresses, will be visible to the public. We recommend using a secondary account or free web email service (such as Gmail, Yahoo, Hotmail, or similar) to avoid receiving spam at your primary email address."
Andre Klapper
03-09-2010, 06:46 AM
Just have a single "Deleted user" account (with email notifications disabled), and merge any others into it when they ask to be deleted. There's scripts available for merging bugzilla accounts.
Uhm, that sounds dirrrrty!
So let's say three employees of the company X quit the company and have been active in the Bugzilla of X. Now "deleting" these three user accounts and merging them into one big "Once upon a time this was a Bugzilla user" account will make it impossible later on to see which person has written (and especially: decided) what. Unlikely that this is wanted from a company and community point of view with regard to transparency.
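The three options debated in the posts above (hard delete, nulling out the account, merging into a single "Deleted user"), as an added example that is not part of the thread and not Bugzilla's own code. The two-table schema, function names and sample rows are hypothetical and constructed for illustration.

```python
import sqlite3

# Hypothetical, simplified schema (NOT Bugzilla's real tables): every comment
# points at its author by numeric id, so the author row cannot simply vanish.
SCHEMA = """
CREATE TABLE users (
    id        INTEGER PRIMARY KEY,
    email     TEXT UNIQUE,              -- NULL once the account is anonymised
    real_name TEXT NOT NULL,
    disabled  INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE comments (
    id        INTEGER PRIMARY KEY,
    bug_id    INTEGER NOT NULL,
    author_id INTEGER NOT NULL REFERENCES users(id),
    body      TEXT NOT NULL
);
"""


def make_db():
    """In-memory tracker filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only on request
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users (id, email, real_name) VALUES (?, ?, ?)",
        [(1, "alice@example.org", "Alice"),
         (2, "bob@example.org", "Bob"),
         (3, "carol@example.org", "Carol")])
    conn.executemany(
        "INSERT INTO comments (bug_id, author_id, body) VALUES (?, ?, ?)",
        [(100, 1, "Crash on startup."),
         (100, 2, "Confirmed, setting priority to high."),
         (100, 3, "Closing as WONTFIX.")])
    conn.commit()
    return conn


def hard_delete(conn, user_id):
    """Option 1: plain DELETE. Refused while comments still reference the user."""
    try:
        with conn:  # rolls back automatically on error
            conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def anonymise(conn, user_id, blank_comments=False):
    """Option 2: keep the row, null out the personal data, disable the login.
    Each removed account keeps its own id, so authorship stays distinguishable."""
    with conn:
        conn.execute(
            "UPDATE users SET email = NULL, real_name = ?, disabled = 1 "
            "WHERE id = ?", (f"Removed User #{user_id}", user_id))
        if blank_comments:
            conn.execute("UPDATE comments SET body = '' WHERE author_id = ?",
                         (user_id,))


def merge_into_tombstone(conn, user_ids):
    """Option 3: re-point comments at one shared 'Deleted user' row, then delete.
    The original rows are gone, but so is who-wrote-what."""
    with conn:
        tomb = conn.execute(
            "INSERT INTO users (email, real_name, disabled) "
            "VALUES (NULL, 'Deleted user', 1)").lastrowid
        for uid in user_ids:
            conn.execute("UPDATE comments SET author_id = ? WHERE author_id = ?",
                         (tomb, uid))
            conn.execute("DELETE FROM users WHERE id = ?", (uid,))
    return tomb


def thread(conn, bug_id):
    """What a reader of the bug sees: (display name, comment body) in order."""
    return conn.execute(
        "SELECT u.real_name, c.body FROM comments c "
        "JOIN users u ON u.id = c.author_id "
        "WHERE c.bug_id = ? ORDER BY c.id", (bug_id,)).fetchall()


def stored_emails(conn):
    """Email addresses still held in the database."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE email IS NOT NULL ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    print("hard delete allowed:", hard_delete(db, 2))
    anonymise(db, 2)
    anonymise(db, 3, blank_comments=True)
    print("anonymised:", thread(db, 100), stored_emails(db))

    db2 = make_db()
    merge_into_tombstone(db2, [2, 3])
    print("merged:    ", thread(db2, 100), stored_emails(db2))
```

Per-account anonymisation removes the stored address while leaving the two former users distinguishable in the bug history; the merge removes the address too but attributes both comments to the same name.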
Milhouse
03-09-2010, 07:16 AM
- I get no spam at all due to this;
Wish I could say different - I've been receiving spam regularly on my b.m.o. email address for the last few months and I wouldn't be surprised if it's related to bug #6873 (https://bugs.maemo.org/show_bug.cgi?id=6873) which, for an information security issue, is getting sod all attention. For years we've asked people to vote on bugs, and their reward is to have their email addresses exposed for potential harvesting by spammers.
In the context of bug reporting, why would we want anonymity from participants?
A fair question, but why is it necessary to show email addresses at all?
The system knows who each individual is, the system should be displaying full names and never email addresses.
Unless I'm missing an obvious point, there should be absolutely no reason for me or anyone else to know someone's email address in Bugzilla. The only time this has been useful is when adding someone manually as a CC - as I did recently (to no avail) with Sergio on a Modest/POP bug - but there should instead be a mechanism where I can search for his full name and the system then adds his reference, his email doesn't need to be known by me or divulged to me.
It really is a deficiency of the Bugzilla design that it leaks private and personal information *unnecessarily*.
Privacy-loving people should already know about mailinator.com and other pages that allow users to create "throw-away" e-mail addresses on the fly.
There also exist services that allow you to create temporary-forwarding addresses that will accept only a few (e.g. 10) mails and then stop forwarding mail to your real address. Can't remember right now how that service is called, though.
The problem with temporary addresses in the context of Bugzilla is that you will never be notified of updates to your bugs, and when there are requests for "more information" it's a sure fire way to see the bug closed, unresolved, sooner than later, when nobody responds (as they no longer receive the notification emails...)
Drive-by Bug creation is not something to be recommended. :)
"PRIVACY NOTICE: Bugzilla is an open bug tracking system. Activity on most bugs, including email addresses, will be visible to the public. We recommend using a secondary account or free web email service (such as Gmail, Yahoo, Hotmail, or similar) to avoid receiving spam at your primary email address. "
Hold on, does this mean email addresses will be open to EVERYONE or only authenticated/logged in users? If the former, do you also define "fixing it" as "making the current situation worse"? It does sound like this warning is just a band-aid over a gaping wound - the underlying problem is the design of Bugzilla which is unnecessarily poor in respect of user privacy.
Honestly, what benefit is to be gained from displaying email addresses at all in Bugzilla, even to authenticated users? Are there any plans to enhance Bugzilla so that it is able to function without users publicly viewing or entering email addresses?
ossipena
03-09-2010, 07:36 AM
Hold on, does this mean email addresses will be open to EVERYONE or only authenticated/logged in users?
emails have never been open to everyone, only to people who have a bugzilla account.
Milhouse
03-09-2010, 07:46 AM
emails have never been open to everyone, only to people who have a bugzilla account.
Yes, and I hope that remains the case although I think Bugzilla (the software) needs to go further and dispense with visible email addresses entirely.
However regarding b.m.o., the new warning doesn't differentiate between authenticated and non-authenticated users.
Being the uber cynic that I am, one way of resolving the information security issues that have plagued b.m.o. since its inception (http://www.gossamer-threads.com/lists/maemo/developers/21083?nohighlight=1#21083) would be to not bother protecting emails at all and just rely on this warning text... ie. putting the onus on the end user.
Andre Klapper
03-09-2010, 07:51 AM
Yes, and I hope that remains the case although I think Bugzilla (the software) needs to go further and dispense with visible email addresses entirely.
...as for example Launchpad does. I totally agree, but must also admit that I don't track Bugzilla upstream development closely, so I have no idea if there are plans for this.
lemmyslender
03-09-2010, 07:53 AM
emails have never been open to everyone, only to people who have a bugzilla account.
Yes, but that's not what the privacy notice states. It could be worded more accurately ie "registered users" instead of "public".
That could give novice users a reason to not register or use throwaway email and defeat the purpose.
Andre Klapper
03-09-2010, 07:53 AM
Are there any plans to enhance Bugzilla so that it is able to function without users publicly viewing or entering email addresses?
Don't know myself - best to query/ask upstream (Mozilla).
Andre Klapper
03-09-2010, 08:25 AM
Yes, but that's not what the privacy notice states. It could be worded more accurately ie "registered users" instead of "public".
True. Feel free to file this as a bug report in bugzilla.mozilla.org so it can get fixed.
Milhouse
03-09-2010, 08:52 AM
True. Feel free to file this as a bug report in bugzilla.mozilla.org so it can get fixed.
Can you at least explain what the Maemo/MeeGo policy is regarding the privacy of Bugzilla account emails - will they in future be visible to non-authenticated users, or not?
The wording of the Bugzilla 3.4 notice is ambiguous because b.m.o. has made an effort in the past (http://www.gossamer-threads.com/lists/maemo/developers/21083?nohighlight=1#21083) to hide emails from non-authenticated users, and this may be non-standard out-of-the-box behaviour hence why the upstream message is inaccurate (in which case filing a bug is pointless, no?)
And depending on your answer, will Bugzilla 3.4 resolve bug 6873 (https://bugs.maemo.org/show_bug.cgi?id=6873)?
Thanks. :)
True. Feel free to file this as a bug report in bugzilla.mozilla.org so it can get fixed.
It is free software; you're allowed to customise it yourself.
I think the warning is a terrible idea since it will inevitably lead to people setting up new addresses, then ignoring them completely which does no one any good.
Ewan
lemmyslender
03-09-2010, 09:43 AM
True. Feel free to file this as a bug report in bugzilla.mozilla.org so it can get fixed.
Thanks, but no thanks :)
Not passionate enough about this to:
1) sign up for another account online (that I likely won't ever use again),
2) expose my email address in yet another bugtracker (or use a throwaway one, bad),
Just to address an issue with verbiage in a warning that tells me how I'm exposing my email address? Which might not get changed anyway?
Anyone else that already has an account at bugzilla.mozilla.org please feel free to step in and file a bug :)
TA-t3
03-09-2010, 11:14 AM
There is a vast difference between email addresses exposed in mailing lists, and email addresses exposed on web pages. The latter ones are always harvested by spammers, the former only rarely. Fortunately bugzilla apparently forces you to have an account before you see any email address, but I've always been surprised why it has to expose them in the first place. To see them in the bugzilla emails themselves isn't a big problem. However, I don't see why there should be some technical reason to expose them on the web page. Even though there's a veneer of protection (=the need for an account) over it.
For the record, I have some email addresses that have been rendered completely useless because they were exposed on the web by some software, I typically get thousands of spam messages a month there. I can't use them anymore. Just pray that you didn't use your primary email address (the one all your friends and colleagues know about) when that happens to you.
pelago
03-09-2010, 11:31 AM
Fortunately bugzilla apparently forces you to have an account before you see any email address
Unfortunately it seems to be worse than that. Visit https://bugs.maemo.org/votes.cgi?action=show_bug&bug_id=5357 while not logged onto Bugzilla, for example.
TA-t3
03-09-2010, 11:33 AM
Oops... you're right. Now that is bad, whatever way you look at it. Some simple obfuscation should at least be added (most web-interfaces to mailing lists do that).
Rob1n
03-09-2010, 11:49 AM
Oops... you're right. Now that is bad, whatever way you look at it. Some simple obfuscation should at least be added (most web-interfaces to mailing lists do that).
According to the bug report, that's fixed in the new Bugzilla version.
GeneralAntilles
03-09-2010, 01:20 PM
What a horrible "official" response to this issue from Nokia. Yes it's an official response because you represent Nokia as an employee.
Discouraging others from participating in debugging your buggy software just because they have privacy issues?? Tisk tisk..
You should probably seek to educate yourself about Andre's actual position before making statements like these. He doesn't actually work for Nokia, he works for maemo.org, nothing he says should ever be interpreted as an official statement from Nokia, since he's not actually an employee.
GeneralAntilles
03-09-2010, 01:26 PM
For the record, I have some email addresses that have been rendered completely useless because they were exposed on the web by some software, I typically get thousands of spam messages a month there. I can't use them anymore. Just pray that you didn't use your primary email address (the one all your friends and colleagues know about) when that happens to you.
Interestingly enough I have two primary email accounts, one of which has been in use since 2000 and both of which are plastered all over the web. The spam rate on both is less than a message a day.
craftyguy
03-09-2010, 01:47 PM
You should probably seek to educate yourself about Andre's actual position before making statements like these. He doesn't actually work for Nokia, he works for maemo.org, nothing he says should ever be interpreted as an official statement from Nokia, since he's not actually an employee.
My apologies to Andre then.
Even if he's not making a statement as a Nokia employee, he's still a representative for the maemo.org community. Comments such as his (even though it was ultimately in jest) are not very professional when people are bringing up real concerns.
For the 'record', spam RARELY made it to my inbox before I joined in on the Maemo bugzilla fun, now I get several a day that make it past the gmail spam blocker..
Texrat
03-09-2010, 01:49 PM
*sigh*.....
Andre Klapper
03-10-2010, 12:26 PM
Can you at least explain what the Maemo/MeeGo policy is regarding the privacy of Bugzilla account emails - will they in future be visible to non-authenticated users, or not?
Bugzilla 3.4 does not show user account email addresses to people not authenticated. If it does somewhere, it is a bug.
Don't know of any Maemo/MeeGo policies about this.
And depending on your answer, will Bugzilla 3.4 resolve bug 6873 (https://bugs.maemo.org/show_bug.cgi?id=6873)?
Yes. See comment 5 in that report.
Andre Klapper
03-10-2010, 12:42 PM
My apologies to Andre then.
Heh, no problem.
Even if he's not making a statement as a Nokia employee, he's still a representative for the maemo.org community.
Well, I could add a footer to each of my postings here:
"It should be obvious but in case it isn't: the opinions reflected here are my own. They are not the views of my employer, the Queen of England, George W. Bush or anyone else." (copied from mezcalero's blog).
However I have no plans to do that.
Plus I could also simply stay away from talk.maemo.org.
But I have no plans to do that either.
Comments such as his (even though it was ultimately in jest) are not very professional when people are bringing up real concerns.
True. However I don't manage to be serious the entire day as work and open source communities should also be fun, and I can live with the fact that sometimes my specific sense of humour is confusing, not understood, or not well-received.
That's the collateral damage I am more than willing to accept as egoistically speaking I have a way better life by that.
Plus I get more hatemail (being the evil guy closing some unbelievably important bug reports/requests that will make the world collapse tomorrow if not getting fixed ASAP) that I collect and later on publish as a book to make lotsa $$$$!!!!
(Disclaimer: This was a bloody serious posting, as always.)
Milhouse
03-10-2010, 12:49 PM
Bugzilla 3.4 does not show user account email addresses to people not authenticated. If it does somewhere, it is a bug.
Thanks - I thought it best to ask as your boilerplate text confused me. No doubt it will confuse new bug reporters too, many of whom may decide not to bother signing up as a result.
Don't know of any Maemo/MeeGo policies about this.
It might be worth clarifying that before we all pile headlong into the new meego.com defect tracking system. All organisations should at least decide and agree publicly that the privacy of their members/community is of paramount importance, even if they can't decide in a month of Sundays what fracking forum software to use (joke). :)
Yes. See comment 5 in that report.
Thanks.
Plus I get more hatemail (being the evil guy closing some unbelievably important bug reports/requests that will make the world collapse tomorrow if not getting fixed ASAP) that I collect and later on publish as a book to make lotsa $$$$!!!!
Put me down for a copy!
jgombos
05-30-2010, 10:11 AM
bugs.maemo.org refuses to open new accounts for users who protect themselves with disposable email addresses. Then the db admins have the nerve to publicize everyone's email address! This is totally reckless and irresponsible.
bugs.maemo.org is being harvested by spammers, who are then attacking these accounts chronically.
Has anyone discovered a type of disposable email address that bugs.maemo.org does not know about?
GameboyRMH
05-30-2010, 10:13 AM
Gmail keeps the spam out.
Spam is a fact of life, you just have to deal with it. Having an email address that can't filter spam is like having a car with no roof - it's not practical for everyday use.
ToJa92
05-30-2010, 10:17 AM
Gmail keeps the spam out.
True that. I already got to my GMail account before I signed up here, so I never thought about that.
jgombos
05-30-2010, 02:05 PM
Gmail keeps the spam out.
Sure, as well as the legit email. Gmail is for simple users. Advanced users certainly do not depend on gmail accounts. It has false positives and in terms of capability it's too limiting. It's also weakly secured and far too inadequate to win support from any streetwise users.
Know your audience. A bug tracking system needs to cater to advanced users. By accepting disposable addresses, this would not prevent basic users from supplying their gmail addresses if they want access.
Spam is a fact of life,
Of course. You are stating my case.
you just have to deal with it.
Exactly my point. So why limit yourself to one lousy mechanism for protection? You don't force everyone to adopt the lowest common denominator. It makes no sense from a security standpoint. The rule of least privilege trumps here. You don't disclose more sensitive information than needed for the job - even in your hypothetical world where there are no false positives, and all spam is detected as a true positive.
Having an email address that can't filter spam is like having a car with no roof - it's not practical for everyday use.
Insisting that users rely on one instrument for protection is like having a car with a roof but no windows, and claiming the roof will protect you from the rain. It's not a complete solution. Nor is filtering.
Of course you still filter. But you do it based on content, not IP address. Gmail's filtering is not sophisticated enough to rely wholly on content analysis. Gmail takes that crude and error-prone step of blackballing IP addresses. Gmail also has blocks in place to prevent dynamic outbound FROM header fields. They overzealously try to stop their own users from sending spam, and as a result they restrict users from using the more effective self-defensive mechanisms.
JonWW
05-30-2010, 02:24 PM
Spam is a fact of life, you just have to deal with it.
Spam is not a fact of life unless you are flippant with your email address, I am not, and I have not had spam for some years, but having joined the bug tracker system and added to bug reports, I now am getting some spam, too much of a coincidence methinks.
There is no reason for everyone’s email addresses to be displayed, the system could keep them hidden and safe by making sure everyone used an alias and displaying that instead. Then everyone concerned could still get notified when a bug report gets added to.
talk.maemo.org works very well this way and I joined it a long time before joining the bug tracker system.
If the bug tracker system is known to spammers as a weak site, there is nothing stopping them from signing up and harvesting everyone’s emails.
ossipena
05-30-2010, 02:33 PM
haven't seen any spam in my email I use in bugzilla....
sjgadsby
05-30-2010, 02:38 PM
The following threads have been merged into this thread:
"What? Bugzilla uses my email address as my ID?" with eighty-four posts
"Bug db forces non-disposable email addresses, then they publicize it!" with six posts
jgombos
05-30-2010, 03:28 PM
Privacy-loving people should already know about mailinator.com and other pages that allow users to create "throw-away" e-mail addresses on the fly.
Have you confirmed that bugs.maemo.org accepts mailinator.com addresses?
If it does, that would be almost reasonable. I say "almost", because mail sent to mailinator addresses is public, and the user has the burden of proactively checking the web for replies (and it's a separate check per address).
There also exist services that allow you to create temporary-forwarding addresses that will accept only a few (e.g. 10) mails and then stop forwarding mail to your real address. Can't remember right now what that service is called, though.
spamgourmet.com is one -- and it's being blocked from those who sign up for bug tracker accounts.
haven't seen any spam in my email I use in bugzilla....
I've proven the contrary. I managed to find a disposable address that didn't get rejected. So all the spam now flooding into that address is purely from a compromise in the bugzilla system. It's the reason I started the thread that got merged with this one.
(if you're wondering why I don't continue with that type of address, the sysadmins have figured it out since I created it, and it's now blocked. bugs.maemo.org now blocks the slightest modification to that address)
In the context of bug reporting, why would we want anonymity from participants? That's not a rhetorical question; I'm genuinely curious.
Bug reporters are public servants who contribute positively to the community. The idea is to encourage this (uncompensated) behavior.
Both forcing users to give up a real email address, and then simultaneously denying them the option to hide that address is not the way to encourage participants to offer their services.
It's totally unreasonable that maemo.org has taken a stance against disposable addresses, and then forced exposure of the more sacred addresses they forced people to register with.
Texrat
05-30-2010, 10:01 PM
Both forcing users to give up a real email address, and then simultaneously denying them the option to hide that address is not the way to encourage participants to offer their services.
I don't support that combination, either, but I don't have a problem with requiring real email accounts for bug reporting AND allowing them to be hidden from report views.
Helmuth
05-31-2010, 05:12 AM
At talk.maemo.org the mail addresses are hidden by default and you can show them to all members if you want. The system provides the possibility to send a mail to the member through the system for a first contact. You don't need to have the mail address for this, it's enough that the system has the address.
In my opinion bugs.maemo.org should work the same way. Hide the mail address by default and show only real names or, if you want to stay incognito, nicknames.
In my opinion it is sometimes very important to hide your real identity. I have, for example, two accounts here at talk.maemo.org. This one to hide my real identity and a second one to publish my real name to everyone.
jgombos
06-01-2010, 08:52 AM
I don't support that combination, either, but I don't have a problem with requiring real email accounts for bug reporting AND allowing them to be hidden from report views.
Although that would be an improvement, it neglects basic security principles. It's backwards to pursue a model of least security, and then ask to justify policies that are more secure. The way forward is to start with the policy that is most secure (ie. minimal disclosure), and demand justification when a policy reduces security.
IOW, the question is not why the personal identities of users need to be withheld. The question is why the personal identities of participants on a bug reporting system must be disclosed. From a security viewpoint, there does not exist a rational justification. Registration already covers the need to shut down malicious users.
The only benefit to identity disclosure is attribution. And if a user wants to make sure that they get credit for documenting a bug or workaround, they can do this regardless of whether forced disclosure is in place.