Mention the contact information encryption in our design document
As of Gerrit 2.0.4 we encrypt the contact information for a user account, limiting the amount of data we capture and store. This is important to mention when describing how we manage private user information.

Signed-off-by: Shawn O. Pearce <sop@google.com>
parent 142385def7
commit aa8b3d4e2d
@ -359,10 +359,10 @@ Gerrit stores the following information per user account:
* Full Name
* Preferred Email Address
* Mailing Address '(Optional)'
* Country '(Optional)'
* Phone Number '(Optional)'
* Fax Number '(Optional)'
* Mailing Address '(Optional, Encrypted)'
* Country '(Optional, Encrypted)'
* Phone Number '(Optional, Encrypted)'
* Fax Number '(Optional, Encrypted)'
The full name and preferred email address fields are shown to any
site visitor viewing a page containing a change uploaded by the
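Review bot: the four relabelled entries '(Optional, Encrypted)' are the only fields in this list that say anything about storage, while Full Name and Preferred Email Address carry no marker even though the paragraph below this list says they are shown to any site visitor and stored unencrypted; mark those two explicitly (for example "Full Name '(Public)'" and "Preferred Email Address '(Public)'") or add a one-line note under the list so a reader does not have to infer the unencrypted set by elimination. The list also does not say which Gerrit version introduced the encryption; since the commit message pins it to 2.0.4, a "since 2.0.4" remark here would help administrators of older installs.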
@ -385,17 +385,24 @@ to cull email addresses from published Gerrit comments. In most
cases these same addresses would be more easily obtained from the
project's mailing list archives.
The user's name and email address is stored unencrypted in the
Gerrit metadata store, typically a PostgreSQL database.
The snail-mail mailing address, country, and phone and fax numbers
are gathered to help project leads contact the user should there
be a legal question regarding any change they have uploaded.
This data is only visible to the account owner and to the Gerrit
site administrator. It is expected that the information would only
be revealed with a valid court subpoena, but this is really left
to the discretion of the Gerrit site administrator as to when it
is reasonable to reveal this information to a 3rd party.
All user account information is stored unencrypted in the Gerrit
metadata store, typically a PostgreSQL database.
These sensitive fields are immediately encrypted upon receipt with
a GnuPG public key, and stored "off site" in another data store,
isolated from the main Gerrit change data. Gerrit does not have
access to the matching private key, and as such cannot decrypt the
information. Therefore these fields are write-once in Gerrit, as not
even the account owner can recover the values they previously stored.
It is expected that the address information would only need to be
decrypted and revealed with a valid court subpoena, but this is
really left to the discretion of the Gerrit site administrator as
to when it is reasonable to reveal this information to a 3rd party.
Spam and Abuse Considerations
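Review bot: the rewritten paragraph drops the old sentence "This data is only visible to the account owner and to the Gerrit site administrator" without replacing it, so the new text never says who can read the ciphertext in the "off site" data store or who holds the matching GnuPG private key; "decrypted and revealed with a valid court subpoena" then names no actor who could perform the decryption. State explicitly that Gerrit never holds the private key, who does, and whether the site administrator can export the ciphertext. Two smaller points in the same hunk: "these fields are write-once in Gerrit, as not even the account owner can recover the values" should say whether a user may still submit a replacement value (overwrite without read-back) or whether the field is immutable after first entry, since "write-once" is read both ways; and "The user's name and email address is stored unencrypted" should read "are stored".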