= Better Privacy checkpoint 2011-12-14 =

== Summary ==

 * Social private teams are go! Purple have made a breakthrough. This no longer needs a separate project.
 * The new name for "Disclosure" is "Sharing".
 * We've made progress on +manage-disclosure (+manage-sharing soon!) despite the additional work on social private teams.

== Harden bugs and teams ==

 * Purple have been thinking about how to modify the footgun feature flag to preserve multi-tenancy for security bugs.
 * Once they have a good solution, they'll enable the footgun feature flag to reduce the growing number of private bugs that have bug tasks from several projects.
 * Purple have also been considering how to present embargoed issues in the UI.
 * William is concerned about how we handle bugs that are flagged as both security and privacy issues. Curtis says only one bug in LP's history has been marked both a security and private issue. The decision is not to prevent people from marking a bug as both security-related and private because people will naturally not want to do that.
 * The privacy ribbon wording is vague, especially in light of how we're now offering more security and privacy options. Dan will provide new wording.

=== Actions ===

 * [purple] Modify the footgun feature flag to keep multi-tenancy for security bugs.
 * [purple] Enable the footgun feature flag to reduce the growing number of private bugs with multiple projects.
 * [mrevell]: Agree on the terminology and mutual exclusivity behaviour of security/proprietary bugs. Respond to Curtis' email on the list.

== Manage disclosure ==

When a private team takes a role in a public project, such as owner or driver, we are going to display that team's name in the usual places. This will reveal the existence of the team and its name. Jon is adding warnings to the pickers so that when people do this they are fully aware of the consequences.

=== Actions ===

 * [purple] Implement tweaked +manage-disclosure clickable mock-up
 * [danhg] User-test the tweaked clickable +managing-disclosure mock-ups
 * [purple] Populate and maintain the access policy data
 * [huwshimi]: speak to sinzui about how to present embargoed security bugs in the UI
 * [danhg]: speak to sinzui to then rewrite the privacy ribbon messages to take account of the new situations it must handle
 * [EVERYONE!]: we will refer to "Sharing" rather than "Disclosure"
 * [purple]: replace references to "disclosure" with "sharing"

== Social private teams ==

The surprise of the checkpoint was that the Purple squad, following discussions with Rob, have cracked many of the issues around social private teams! So, rather than having to consider this as a separate project we can now expect it to be near complete at the next checkpoint!

=== Actions ===

 * [purple]: PPA subscribers should have access to only the archive itself
 * [purple]: Subscribers to a private team's branch should be permitted to see the branch and its merge proposals
 * [purple]: private teams can be package maintainers
 * [purple]: private teams can subscribe to blueprints
 * [purple]: private teams can subscribe to bugs
 * [purple]: we will fix the situation where you can lose access to your private team
 * [purple]: warn in the picker when you're about to expose the name of a private team
 * [huwshimi]: speak to jcsackett about the design of the warning
 * [danhg]: test the warnings
 * [mrevell]: seek agreement from stakeholders on how adding a private team to a private team should work
 * [danhg]: what should someone who is not a member of a private team see when they visit that private team's overview page? Dan to gather data. (bug 904293)