GNOME Bugzilla – Bug 371486
Submitted email made public
Last modified: 2006-11-15 15:05:25 UTC
Hi! I've noticed that when a user opens a bug for the first time through bug-buddy, the email submitted is made public (without any advice) on the gnome.org webpage until the new account is configured. That would be very disgusting if a spam bot detects an email owned by a person who has spent his time publishing a bug and trying to help the community.
Cedric, spam bots can only harvest those email addresses after having logged in to bugzilla.gnome.org exactly for this reason - just try yourself without being logged in. :-)
I've seen my email address without being logged in, that's why I logged in, changed the pass, and introduced a name.
Anyway, I haven't given my authorization to anyone to publish my email address, even if it is visible only to people who are logged in.
Where did you see your email address then? And I really mean your email address (@ included).
[...]
"Sensitive data may be present in the debug information, so please "
"review details below if you are concerned about transmitting "
"passwords or other sensitive data.\n"));
Olav: the email was present without the @ and the DOT, but it's so obvious what it is.

Fernando: This phrase refers to the box for debug data info, not for the other stuff.
In any case, my email is still visible to anyone in this forum.
Without the '@' and the dots, it is not an email address. So a spam bot cannot just figure out it is an email address. I do agree we should make it more clear that the bugreport will be posted to a website viewable for anyone.

(In reply to comment #7)
> In any case, my email is still visible to anyone in this forum.

This is not a forum. It is a bugtracker, used to fix bugs. Free software is developed in the open, it is not like there is a group of people sitting in a building or something.

(In reply to comment #3)
> Anyway, I don't given my authorization to anyone to publish my email address,
> even if it is visible only to people who is logged in.

First of all, it is not 'published'. Secondly, why did you fill in your email address then if you do not want us to have it / be able to contact you?
(In reply to comment #8)
> Without the '@' and the dots, it is not an email address. So a spam bot cannot
> just figure out it is an email address.

There are spam bots that don't need '@' and '.'.

> This is not a forum. It is a bugtracker, used to fix bugs. Free software is
> developed in the open, it is not like there is a group of people sitting in a
> building or something.

That's not a forum? Ah! It's true, a forum is like something where people open a thread and others reply to them. And a bugtracker is definitely different, it's something where people open a thread and others reply to them.

> First of all, it is not 'published'. Secondly, why did you fill in your email
> address then if you do not want us to have it / be able to contact you?

I want people to be able to contact me, but there are ways where the contact email is hidden.

----------------------------------------------------------------------------------

Finally, to summarize:

1.- Bug-buddy gives advice about the data within the debug info, but says nothing about the contact info. And that's a fact.
2.- Bug-buddy creates an account at bugzilla.gnome.org without any advice to the bug-reporter. And that's a fact.
3.- The created account is identified by the email submitted by the bug-reporter. And that's a fact.
4.- Until the bug-reporter (henceforth the owner of the new account) submits a name in the preferences tab of his account, the email address is shown (without '@' and '.') to everyone, even if they are not logged in. And that's a fact.
5.- Even if the bug-reporter modifies his account, the email address is still shown to logged-in people. And that's a fact.
6.- There's no info about how the email address is used (at least as far as I know). And that's a belief.

> There are spam bots that don't need '@' and '.'.

Would be pretty amazing. Can you back that up?

Anyway, I had enough of this. I'll open a new bug for the *pre-* advice of posting the bugreport. For the rest / facts you made up: I disagree.
CedricMC:
> There's no info about in which way the email address is used (at least as I
> know). And that's a belief.

where do you expect that info? in bug-buddy? can you propose a sentence that should be added, also with regard to the email address that can be seen after somebody has logged in to bugzilla?

i'd like to get this bug report a bit more constructive again. :-) thanks in advance for any improvement proposals.
In advance, excuse me for my poor English. In fact, I don't know how bug-buddy sends the information to bugzilla.gnome.org. Anyway, I would include an option for registered users of bugzilla and for new users. For registered users, two boxes for the account ID and the account password. For new users, a box for the account ID and a sentence advising that an account will be created at bugzilla, a little explanation about the purposes of creating this account and a link to bugzilla's "licence and conditions of use".
The place where the email address is made public is in the Opened by line on bug reports opened by an email (rather than someone registering an account normally), which looks like this:

Opened by bogusname@bogusemailaddress.com (reporter, points: 1)

Until the Real Name is configured it shows the real email address!

As for the claim that some spambots don't need @ and . I question that, as I've had my email address public on my website for 4 years, masked by simply removing punctuation and saying to fill in the blanks. I had not received ANY spam on that account until 2006-08-23 (except via sourceforge, which I quarantine separately), which was not terribly long after I submitted a gnome bug report via email on 2006-08-12. I had been unaware of the Real Name feature until today.
Oh, I should also note that real email addresses can be found in the View Page Source in any web browser. The only masking I can see is that the @ is escaped, and I suspect spambots would not have difficulty supporting escaped @ characters. This is quite a tragic issue for the open source community if everyone who files a bug report gets spammed.

Perhaps users should be referenced by number in URLs used in the bugzilla system and the email address completely hidden in all cases except if you are genuinely logged in and are viewing the information page about another user. (Which does not prevent a spam bot from registering an account at every bugzilla system, but it does at least significantly reduce the issue.) Additionally, I think the email address should be masked in some way (such as the fill in the blanks method) on the user information page.

These are of course only suggestions, I'm just saddened by the situation.
Please log out and look again for email addresses.
(In reply to comment #15)
> Please log out and look again for email addresses.

Indeed all the links to users are not links, so the only ones that would be revealed when not logged in are people who have not entered a real name at all (as I mentioned I went months without knowing that I should set up anything on the account, so my user name was listed as my email address), which I think is what the person starting this thread was talking about.
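
Added illustration of the two points made in the last comments (an address whose @ is only entity-escaped is still recoverable from page source, and logged-out viewers see the address only when no real name is set). This is a Python sketch added here, not Bugzilla's or bug-buddy's code: the user record, the URL paths, the `display_name` policy and the sample markup are all constructed assumptions.

```python
import html
import re

# Address pattern, applied only after HTML entities have been decoded.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample of the reported behaviour: no real name set, so the
# address is the display name and the '@' is only entity-escaped.
LEGACY_SAMPLE = (
    '<td>Opened by <a href="/user?login=reporter&#64;example.org">'
    "reporter&#64;example.org</a> (reporter, points: 1)</td>"
)

def display_name(user, viewer_logged_in):
    """Hypothetical policy: anonymous viewers never see the address."""
    if user.get("real_name"):
        return user["real_name"]
    if viewer_logged_in:
        return user["email"]
    return "user #%d" % user["id"]  # numeric reference, as the thread suggests

def render_opened_by(user, viewer_logged_in):
    """Render the 'Opened by' cell; the link carries the numeric id only."""
    name = html.escape(display_name(user, viewer_logged_in))
    return '<td>Opened by <a href="/user/%d">%s</a> (reporter)</td>' % (
        user["id"], name)

def leaked_addresses(page_html):
    """Addresses recoverable from page source, entity-escaped '@' included."""
    return sorted(set(EMAIL_RE.findall(html.unescape(page_html))))

if __name__ == "__main__":
    no_name = {"id": 4711, "email": "reporter@example.org", "real_name": ""}
    print(leaked_addresses(LEGACY_SAMPLE))
    print(leaked_addresses(render_opened_by(no_name, viewer_logged_in=False)))
```

Run as a regression check against logged-out page output, `leaked_addresses` also reports a real name that itself contains an address, which the rendering policy alone does not prevent.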