Diff for "LEP/BetterPrivacy"

Not logged in - Log In / Register

Differences between revisions 5 and 60 (spanning 55 versions)
Revision 5 as of 2010-04-21 16:03:13
Size: 5180
Editor: jml
Comment:
Revision 60 as of 2012-04-23 17:34:52
Size: 10874
Editor: sinzui
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
SCOPE:
 * Privacy
 * Permission management
 * Notification
 * "Ownership"
Line 12: Line 6:
Canonical's internal business relies more on Launchpad each day. Much of this  Canonical's internal business relies more on Launchpad each day. Much of this
Line 21: Line 15:
 * OEM Services
   * Joey Stanford (February 2010?)
   * Steve Magoun (February 2010?)
These stakeholders are in order of precedence. PES has a greater need than
Ubuntu to work in private. The feature must work for PES, it may work for
Ubuntu.

 * PES
   * Steve Magoun
Line 25: Line 22:
 * Hardware enablement
   * Chris Van Hoof
Line 26: Line 25:
   * ???    * Matt Griffin
 * Linaro
   * Kiko
Line 30: Line 31:
   * ?
 * Corporate Services
   * Boris Devouge
 * Swift <<Commercial example>>
   * Monty Taylor
 * Ubuntu (Bryce Harrington)
Line 33: Line 41:
''What MUST the new behaviour provide?''

A way of running projects in total privacy.
  e.g. Any OEM project (note these are often better expressed as distributions)

A way of running software projects that have public client components and
proprietary server components
  e.g. Landscape, Ubuntu One

A way of running projects that do much of their work in private, but do some in
public.
  e.g. code is closed but bugs can be filed

A way of sharing access to private projects across other teams
  e.g. initial openid provider work

A way that allows anyone to ask a question, but for that question to be kept
private initially. (The UX team asked for this, but jml can't recall why)

Need logs of who has accessed private stuff in case of privacy breach

Only people who pay us can get privacy
 * No tiered payment system yet -- out of scope

Security bugs, security branches, security patches etc???

Privacy settings must be easy to change

''But'' making "accidental" mistakes has to be hard

Minimal on-going developer burden

Minimal on-going LOSA burden

An intern should be able to control this

Privacy doesn't matter for almost everything, it should not clutter up the page

''What MUST it not do?''
=== Must have ===

 1. A way of granting permission to view a private project to a person
 or team.
   * e.g. initial openid provider project has contributors from many
   groups.
   * e.g. Canonical starts a private project maintained by ~online-services,
   but everyone in ~canonical should be allowed to see it.
 1. A way of revoking permission to view a private project from a person
 or team.
   * Privacy settings must be easy to change on a per-user or per-team basis
     * E.g., bug Bug:283167 (owner of a private branch should be able to
     unsubscribe people who are no longer authorized to see that branch,
     for example because they are no longer employees of the
     organization in question) -- Fixed!
 1. A way of running projects in total privacy.
   * e.g. Any PES project -- private team owns a private project with
   private mailing lists, private bugs, private branches etc.
     * "Total privacy" means... everything subordinate to that project is
     private, they cannot be made public, and you can't even
     see that they exist.
 1. A way of running software projects that have public parts and
 proprietary parts.
   * e.g. Landscape has some open source client code and some
   proprietary server code. They want their open source code to be
   publicly available and for users to be able to file bugs and see bugs
   on that part, but they want their proprietary code to be restricted,
   and for bugs on that to also be restricted. They need also to be able
   to manage bugs that affect both private and public parts.
 1. A way of running projects that do much of their work in private, but
 do some in public.
   * e.g. Code is closed but bugs can be filed; before Launchpad was
   open sourced, we relied quite heavily on this to allow users to file
   bugs even while we kept our code hidden.
 1. Allowing private, security branches and private, security bugs on
 otherwise public projects. Another related use-case is a private branch
 of an otherwise public project, where that private branch will
 eventually be made public. (see
 [[https://bugs.launchpad.net/launchpad-code/+bug/527900|bug 527900]])
 1. Minimal on-going developer burden
 1. Minimal on-going LOSA burden
 1. An intern should be able to control this. That is:
   * control must be separated from the Launchpad admins team and
     possibly the project maintainers.
     eg. ~pmteam maintains PES projects, but delegate to the driver team.
   * controls must be mindless (self-explanatory)
   * controls probably should be primarily web-based
   so that we don't waste developer or ops cycles on this.
 1. Privacy doesn't matter for almost everything, it should not clutter
 up the page for public things.
 1. As a maintainer of a private project,<<BR>>
 I must be able to see who something is shared with,<<BR>>
 I am allowed to reveal in, say, comments. (see
 [[https://bugs.launchpad.net/launchpad-registry/+bug/298152|bug 298152]] -- fixed)
   * Many users stare at private bugs all day, they actually want to see
   the bugs that are private -- they want visually obvious exceptions to
   the normal pattern.
 1. As a Launchpad administrator,<<BR>>
 I want to see all private things that are shared with someone so<<BR>>
 that I can verify that what is disclosed.
 1. Privacy must add no significant performance penalty


=== Nice-to-have ===

 * As someone fixing a security issue in an open source project, I want
 to push private branches to public projects and have them reviewed and
 landed so that I can fix the issue without revealing details of the
 vulnerability before it is fixed. (see
 [[https://bugs.launchpad.net/launchpad-code/+bug/527900|bug 527900]])

 * If an intern is able to do this, then it would be nice if someone (a
 LOSA? the hypothetical intern?) could grant permission to non-Launchpad
 Canonical staff to create private projects.

 * Private comments or private threads on bugs
   * Technical Architect says we can't do this without significant
   performance penalty. Therefore, out-of-scope.


=== Out of scope ===

A systematic approach to write permissions is out-of-scope for this LEP,
although may be a part of [[LEP/PermissionsAndNotifications]]

A systematic approach to granting non-admins access to restricted
features is out-of-scope for this LEP, although may be a part of
[[LEP/PermissionsAndNotifications]]

Line 75: Line 134:
''Other LaunchpadEnhancementProposal``s that form a part of this one.''  1. [[LEP/TrustedPickers]] Person and Project pickers clearly state who
 or what the item is.

 1. [[LEP/PrivacyTransitions]] Pages must clearly state if information
 is private, or will be private. Users must be informed when their
 actions disclose private information and may choose to cancel the action.

 1. [[LEP/HardenedBugsProjectsTeams]] Open and delegated teams cannot be
 placed in trusted relationships, nor can exclusive teams become inclusive
 if they are in a trusted relationship.

 1. [[LEP/SocialPrivateTeams]] Private teams can interact with public data
 and join teams, revealing only the information that another party needs
 to know.

 1. [[LEP/ManagingDisclosure]] Viewing who has access, knowing its kind,
 and seeing a summary of what is disclosed.

 1. [[LEP/PrivateProjectsAndDistributions]] Projects can be made private
 and all subordinate artefacts are also private.

 1. [[LEP/BugDependencies]] (to be done by a different team) Allows users
 to describe the relationship between two bugs, and only users who can see
 both bugs can see the relationship.
Line 79: Line 161:
''What are the workflows for this feature?''
''Provide mockups for each workflow.''

'''''You do not have to get the mockups and workflows right at this point. In fact, it is better to have several alternatives, delaying deciding on the final set of workflows until the last responsible moment.'''''
=== Create a private project ===

=== Create a private team ===

=== Allow a person to see a bug on a private project ===

=== Create a private branch in a public project ===

Currently, you have to "register" the branch, which is counter-intuitive.

=== Report a security issue, fix it, then publicize it ===

=== Get access to a private project that should be shared with you ===
Line 90: Line 181:
== Release Note ==

''This section should include a paragraph describing the end-user impact of this change. It is meant to be included in the first part of our release change log. It is mandatory.''
Line 96: Line 183:
Useful to distinguish between containers (e.g. project, distro) and artifacts Useful to distinguish between containers (e.g. project) and artifacts
Line 99: Line 186:
We have a bit of a mess right now on hiding completely (e.g. raising a 404) and
denying access (e.g. raising a 403).
We have a bit of a mess right now on hiding completely (e.g. raising a
404) and denying access (e.g. raising a 403).
Line 103: Line 190:
    OEM people are confused by the fact that a team exists across project.     PES people are confused by the fact that a team exists across project.
Line 106: Line 193:
Team privacy and project privacy are orthogonal. Useful for use cases like DX, 
but less useful of OEM.  
Team privacy and project privacy are orthogonal. Useful for use cases like DX,
but less useful of PES.
Line 126: Line 212:
Might be necessary to distinguish between READ access and VIEW ACL accces.
Ask OEM how important this is? Really convulated for the bug case.
Might be necessary to distinguish between READ access and VIEW ACL access.
Ask PES how important this is? Really convulated for the bug case.
 * Is that the same as being able to see the object exists vs being able
 to see details about it? -- mbp
   * I have no idea. I think it's actually the difference between being
   able to see an object and being able to see who can see an object (I
   think). -- jml

Consider the case "jdoe, please join the private-sekret-team" mailing
list. At the moment this is hard because you can't see it and you can't
find out who owns it. In this case, and perhaps in others, it would be
useful to at least let you send a one-way message to the owner of the
object, asking for access?
 * There's a tension here, because some people would argue that we
 shouldn't even show a "Forbidden" message for projects like this. It's
 also a potential social engineering avenue. Still, it's a workflow
 worth designing for. -- jml

How will ACLs be represented in the API? What kind of manipulation
might people like to do programatically?
  * See the linked acl.txt file -- jml
Line 133: Line 238:
=== Containers ===

 * Team
 * Project
 * ProjectGroup?
 * Distribution
 * Series?

* Private project/distribution means that everything related to that object
 should be private. 
 * Private project means that everything related to that object
 should be private.
Line 144: Line 241:
   * Must allow be able to override the .
   *
 
=== Assets ===

 * Series?
 * Milestones?
 * Recipes?
 * Source packages (release?)
 * Binary packages (release?)
 * Build records
 * Blueprints
 * Sprints
 * Questions
 * FAQs?
 * Comments?
 * Mailing lists
 * Branches
 * Archives?
 * Merge proposals?
 * Bugs?
 * Tarballs (release files)?
 * Translations?
 * Attachments
   * Must allow be able to override the container level privacy.

 * Do we need a standard way to distinguish between restricted objects
 and non-restricted objects?


=== Proposed approach ===

We will add a visibility context to all Pillars. The context controls
visibility of everything in the context.

Adding a bug task to a IHasBugs with a different visibility context won't
be permitted.

We will add a long requested feature - bug links - and those will only be
visible when the user has access to both ends of the link. The UI for
it will be nice and tasteful.

There will be a clear indicator on pages that have restricted visibility.

If needed we can add a finer visibility context than pillar, but we hope
we don't need to because that massively multiplies the difficult in
users understanding how visible things are.

fin

-- RobertCollins

Line 171: Line 273:
https://wiki.canonical.com/Launchpad/PrivacyFeatures
https://bugs.edge.launchpad.net/launchpad-project/+bugs?field.tag=privacy
https://bugs.edge.launchpad.net/soyuz/+bugs?field.tag=p3a
https://bugs.edge.launchpad.net/malone/+bugs?field.tag=oem-services

https://bugs.edge.launchpad.net/malone/+bug/388084
 => jml, talk to OEM a bit more
    * how important?
    * how common?
    * involve the bugs team

https://bugs.edge.launchpad.net/oem-process/+bug/372797
 * Private bug kind of about privacy. Boogedah boogedah!

== Actions ==
 * [[LEP/PermissionsAndNotifications]]
 * [[/ImplementationNotes]]
 * [[/ACLImplementationForBugs]]
 * [[https://code.launchpad.net/~bjornt/launchpad/privacy-spike|lp:~bjornt/launchpad/privacy-spike]],
 and specifically the
 [[http://bazaar.launchpad.net/~bjornt/launchpad/privacy-spike/annotate/head:/lib/lp/services/doc/acl.txt|lib/lp/services/doc/acl.txt]]
 and
 [[http://bazaar.launchpad.net/~bjornt/launchpad/privacy-spike/annotate/head:/lib/lp/services/acl/model/tests/test_acl.py|test_acl.py]]
 files in that branch.

Better Privacy

Rationale

Canonical's internal business relies more on Launchpad each day. Much of this business must be conducted in private. Launchpad currently provides some of what Canonical needs, but not all. What it does provide is often inconsistent and hard to understand. These inconsistencies increase the chance of privacy leaks, which could do irreparable harm to our business.

Stakeholders

These stakeholders are in order of precedence. PES has a greater need than Ubuntu to work in private. The feature must work for PES, it may work for Ubuntu.

  • PES
    • Steve Magoun
    • Cody A.W. Somerville
  • Hardware enablement
    • Chris Van Hoof
  • Ubuntu One
    • Matt Griffin
  • Linaro
    • Kiko
  • ISD
    • Stuart Metcalfe
  • Landscape
    • ?
  • Corporate Services
    • Boris Devouge
  • Swift <<Commercial example>>

    • Monty Taylor
  • Ubuntu (Bryce Harrington)

Constraints

Must have

  1. A way of granting permission to view a private project to a person or team.
    • e.g. initial openid provider project has contributors from many groups.
    • e.g. Canonical starts a private project maintained by ~online-services, but everyone in ~canonical should be allowed to see it.
  2. A way of revoking permission to view a private project from a person or team.
    • Privacy settings must be easy to change on a per-user or per-team basis
      • E.g., bug 283167 (owner of a private branch should be able to unsubscribe people who are no longer authorized to see that branch, for example because they are no longer employees of the organization in question) -- Fixed!

  3. A way of running projects in total privacy.
    • e.g. Any PES project -- private team owns a private project with private mailing lists, private bugs, private branches etc.
      • "Total privacy" means... everything subordinate to that project is private, they cannot be made public, and you can't even see that they exist.
  4. A way of running software projects that have public parts and proprietary parts.
    • e.g. Landscape has some open source client code and some proprietary server code. They want their open source code to be publicly available and for users to be able to file bugs and see bugs on that part, but they want their proprietary code to be restricted, and for bugs on that to also be restricted. They need also to be able to manage bugs that affect both private and public parts.
  5. A way of running projects that do much of their work in private, but do some in public.
    • e.g. Code is closed but bugs can be filed; before Launchpad was open sourced, we relied quite heavily on this to allow users to file bugs even while we kept our code hidden.
  6. Allowing private, security branches and private, security bugs on otherwise public projects. Another related use-case is a private branch of an otherwise public project, where that private branch will eventually be made public. (see

    bug 527900)

  7. Minimal on-going developer burden
  8. Minimal on-going LOSA burden
  9. An intern should be able to control this. That is:
    • control must be separated from the Launchpad admins team and
      • possibly the project maintainers. eg. ~pmteam maintains PES projects, but delegate to the driver team.
    • controls must be mindless (self-explanatory)
    • controls probably should be primarily web-based so that we don't waste developer or ops cycles on this.
  10. Privacy doesn't matter for almost everything, it should not clutter up the page for public things.
  11. As a maintainer of a private project,
    I must be able to see who something is shared with,
    I am allowed to reveal in, say, comments. (see bug 298152 -- fixed)

    • Many users stare at private bugs all day, they actually want to see the bugs that are private -- they want visually obvious exceptions to the normal pattern.
  12. As a Launchpad administrator,
    I want to see all private things that are shared with someone so
    that I can verify that what is disclosed.

  13. Privacy must add no significant performance penalty

Nice-to-have

  • As someone fixing a security issue in an open source project, I want to push private branches to public projects and have them reviewed and landed so that I can fix the issue without revealing details of the vulnerability before it is fixed. (see

    bug 527900)

  • If an intern is able to do this, then it would be nice if someone (a LOSA? the hypothetical intern?) could grant permission to non-Launchpad Canonical staff to create private projects.
  • Private comments or private threads on bugs
    • Technical Architect says we can't do this without significant performance penalty. Therefore, out-of-scope.

Out of scope

A systematic approach to write permissions is out-of-scope for this LEP, although may be a part of LEP/PermissionsAndNotifications

A systematic approach to granting non-admins access to restricted features is out-of-scope for this LEP, although may be a part of LEP/PermissionsAndNotifications

Subfeatures

  1. LEP/TrustedPickers Person and Project pickers clearly state who or what the item is.

  2. LEP/PrivacyTransitions Pages must clearly state if information is private, or will be private. Users must be informed when their actions disclose private information and may choose to cancel the action.

  3. LEP/HardenedBugsProjectsTeams Open and delegated teams cannot be placed in trusted relationships, nor can exclusive teams become inclusive if they are in a trusted relationship.

  4. LEP/SocialPrivateTeams Private teams can interact with public data and join teams, revealing only the information that another party needs to know.

  5. LEP/ManagingDisclosure Viewing who has access, knowing its kind, and seeing a summary of what is disclosed.

  6. LEP/PrivateProjectsAndDistributions Projects can be made private and all subordinate artefacts are also private.

  7. LEP/BugDependencies (to be done by a different team) Allows users to describe the relationship between two bugs, and only users who can see both bugs can see the relationship.

Workflows

Create a private project

Create a private team

Allow a person to see a bug on a private project

Create a private branch in a public project

Currently, you have to "register" the branch, which is counter-intuitive.

Report a security issue, fix it, then publicize it

Get access to a private project that should be shared with you

Success

How will we know when we are done?

How will we measure how well we have done?

Thoughts?

Useful to distinguish between containers (e.g. project) and artifacts (e.g. bugs, code)?

We have a bit of a mess right now on hiding completely (e.g. raising a 404) and denying access (e.g. raising a 403).

The "team exists across all projects" thing is going to confuse people

  • PES people are confused by the fact that a team exists across project. Why can't you create a team which only makes sense within a team.

Team privacy and project privacy are orthogonal. Useful for use cases like DX, but less useful of PES.

Standard way of showing a link to a private object

  • when you cannot see it?
  • when you can see it?

What are our encryption requirements?

What are our legal requirements?

Probably need to have a "GRANT" permission or something similar

Prior art in web ACLs?

What about projects that go open source?

What about projects that go closed source?

Might be necessary to distinguish between READ access and VIEW ACL access. Ask PES how important this is? Really convulated for the bug case.

  • Is that the same as being able to see the object exists vs being able to see details about it? -- mbp
    • I have no idea. I think it's actually the difference between being able to see an object and being able to see who can see an object (I think). -- jml

Consider the case "jdoe, please join the private-sekret-team" mailing list. At the moment this is hard because you can't see it and you can't find out who owns it. In this case, and perhaps in others, it would be useful to at least let you send a one-way message to the owner of the object, asking for access?

  • There's a tension here, because some people would argue that we shouldn't even show a "Forbidden" message for projects like this. It's also a potential social engineering avenue. Still, it's a workflow worth designing for. -- jml

How will ACLs be represented in the API? What kind of manipulation might people like to do programatically?

  • See the linked acl.txt file -- jml

Hypothesis is that ACL system is distinct from the subscription levels.

  • Probably want to do clever thing like automatically grant access when subscribing.
  • Private project means that everything related to that object should be private.
  • Privacy support at the asset level
    • Must allow be able to override the container level privacy.
  • Do we need a standard way to distinguish between restricted objects and non-restricted objects?

Proposed approach

We will add a visibility context to all Pillars. The context controls visibility of everything in the context.

Adding a bug task to a IHasBugs with a different visibility context won't be permitted.

We will add a long requested feature - bug links - and those will only be visible when the user has access to both ends of the link. The UI for it will be nice and tasteful.

There will be a clear indicator on pages that have restricted visibility.

If needed we can add a finer visibility context than pillar, but we hope we don't need to because that massively multiplies the difficult in users understanding how visible things are.

fin

-- RobertCollins

References

LEP/BetterPrivacy (last edited 2012-04-26 14:26:23 by matthew.revell)