f3de4b1b7c19fe2d88fdd28e53fe937e52745ead
A security review strongly suggested moving the personal contact details for an account out of the database and into an encrypted data store that is stored separately from the rest of Gerrit's metadata. The rationale being that the contact information is really quite personal, and just doesn't need to be accessed, except in the most extreme circumstances, like if a court has issued a valid subpoena to the Gerrit administrators to turn over contact information for a specific account.

Any captured contact information is now encrypted using GnuPG, and fired off via SSL-protected HTTP POST to another system. That other system could be "gerrit-contactstore", running on Google App Engine, or it could be a very simple CGI which stores the encrypted data to files on disk.

With this change, Gerrit only has the user's contact information transiently in memory while it is encrypting the message for long-term storage. Only the GnuPG public key needs to be available, so Gerrit reads an ASCII-armored key, e.g. "gpg --export -a KEY >pub", simplifying the installation of Gerrit.

Signed-off-by: Shawn O. Pearce <sop@google.com>
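The receiving side described in the commit message ("a very simple CGI which stores the encrypted data to files on disk") can enforce the design's main property itself: nothing but ciphertext ever reaches disk. The sketch below is an added example, not code from Gerrit or gerrit-contactstore; the function names, the numeric account id format and the one-file-per-account layout are assumptions made for illustration.

```python
import os
import re

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"
ACCOUNT_ID = re.compile(r"[0-9]{1,12}")   # assumption: numeric account ids
BASE64_LINE = re.compile(r"[A-Za-z0-9+/=]+")

# Constructed sample body (not a real ciphertext), shaped like `gpg -a -e` output.
SAMPLE = (
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "hQEMA0NvbnN0cnVjdGVkU2FtcGxl\n"
    "=AAAA\n"
    "-----END PGP MESSAGE-----\n"
)


def is_armored_pgp_message(body: str) -> bool:
    """Structural check: armor header line, blank separator, base64 payload, footer."""
    lines = [line.rstrip("\r") for line in body.strip().split("\n")]
    if len(lines) < 4 or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        return False
    try:
        blank = lines.index("")           # armor headers end at the first empty line
    except ValueError:
        return False
    payload = lines[blank + 1:-1]
    return bool(payload) and all(BASE64_LINE.fullmatch(line) for line in payload)


def store_contact(store_dir: str, account_id: str, body: str) -> str:
    """Append one encrypted record to the account's file; reject anything else."""
    if not ACCOUNT_ID.fullmatch(account_id):
        # Also blocks path traversal such as "../other", since only digits pass.
        raise ValueError("bad account id")
    if not is_armored_pgp_message(body):
        # A sender that skipped encryption must fail loudly, not be stored.
        raise ValueError("body is not an armored PGP message; refusing to store")
    path = os.path.join(store_dir, account_id + ".asc")
    # Owner-only file; append so earlier submissions are kept, never overwritten.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as handle:
        handle.write(body.strip() + "\n")
    return path
```

The armor check is structural only: it cannot prove the payload was encrypted to the intended key, which can be confirmed only by whoever holds the private key, kept away from both systems.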
Description
RETIRED, Gerrit as used by OpenStack