Information Types

Launchpad does not have a consistent means to classify the kinds of information that an artefact/page might contain. It is difficult to know who should have access to private data because the reason why the data is private is ambiguous. It is difficult to which rules apply to private data based it is ambiguous.

Contact: Curtis
On Launchpad: disclosure + information-type

Rationale

It is not possible to share all of one kind of information with a user because bugs and branches have defined different kinds of information. Bugs has 4 states two of which are private, branches has two states, 1 of which is private. Information types must be symmetric, or adaptable so that I can share security, user data or Proprietary bug and branch information at the project level. While security and user data can be shared between projects, proprietary information cannot. Information types must be clear to apply rules, explain why something is private, and ensure the proper people have access.

Ubuntu co-opted private to mean user data where it was intended to mean proprietary. Most bugs in Launchpad are private because they contain user data, but Launchpad cannot say that. In a review of private bugs belonging to open projects, most were made private because one comment contains user data.

This issue was discovered while planning Managing Disclosure. Proprietary projects have proprietary data that cannot be shared with other projects. Open projects may have security or user data that can be shared with projects, but are often restricted to a subset of users in project roles.

Stakeholders

User stories

$STORY_NAME

As a project maintainer
I want to state a bug contains user data
so that a bot can be the only thing that can access it.

As a project maintainer
I want to state a bug contains embargoed security data
so that it is clear that only the security team address it.

As a the maintainer of a proprietary project
I want to state a bug contains proprietary data
so that it cannot affect other projects and I decide who it is shared with.

As a project developer
I want to state a branch is a security fix
so that it is only shared with users in the embargoed security policy.

As a driver or an open project
I want state a bug is proprietary
so that I do not need to later state the bug is not a security issue.

Constraints and Requirements

Must

Nice to have

Must not

Out of scope

Subfeatures

Success

How will we know when we are done?

How will we measure how well we have done?

Thoughts?

LEP/InformationTypes (last edited 2012-04-23 20:44:07 by sinzui)