author Shawn O. Pearce <sop@google.com> 2009-03-01 11:10:55 -0800
committer Shawn O. Pearce <sop@google.com> 2009-03-01 11:10:55 -0800
commit aa8b3d4e2d2db8da124488d889b066f1350b4f33
tree 015f691a6ab474c50be7681e197d33af586710c2
parent 142385def74cbd25b94c36fd89278f65bb9380e7
Mention the contact information encryption in our design document
As of Gerrit 2.0.4 we encrypt the contact information for a user account, limiting the amount of data we capture and store. This is important to mention when describing how we manage private user information.

Signed-off-by: Shawn O. Pearce <sop@google.com>

-rw-r--r-- Documentation/dev-design.txt 31
1 files changed, 19 insertions, 12 deletions
diff --git a/Documentation/dev-design.txt b/Documentation/dev-design.txt
index 14400836f2..3dc7d5a7aa 100644
--- a/Documentation/dev-design.txt
+++ b/Documentation/dev-design.txt
@@ -359,10 +359,10 @@ Gerrit stores the following information per user account:
* Full Name
* Preferred Email Address
-* Mailing Address '(Optional)'
-* Country '(Optional)'
-* Phone Number '(Optional)'
-* Fax Number '(Optional)'
+* Mailing Address '(Optional, Encrypted)'
+* Country '(Optional, Encrypted)'
+* Phone Number '(Optional, Encrypted)'
+* Fax Number '(Optional, Encrypted)'
The full name and preferred email address fields are shown to any
site visitor viewing a page containing a change uploaded by the
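Review bot: the four '(Optional, Encrypted)' labels are applied consistently, but the list gives the reader no idea what "Encrypted" means here (at rest, by whom, recoverable or not). Since the same patch adds a paragraph further down explaining that the fields are encrypted to a GnuPG public key whose private half Gerrit does not hold, consider a one-line pointer from this list to that paragraph so the label is not read as a generic "stored securely" claim.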
@@ -385,17 +385,24 @@ to cull email addresses from published Gerrit comments. In most
cases these same addresses would be more easily obtained from the
project's mailing list archives.
+The user's name and email address is stored unencrypted in the
+Gerrit metadata store, typically a PostgreSQL database.
+
The snail-mail mailing address, country, and phone and fax numbers
are gathered to help project leads contact the user should there
be a legal question regarding any change they have uploaded.
-This data is only visible to the account owner and to the Gerrit
-site administrator. It is expected that the information would only
-be revealed with a valid court subpoena, but this is really left
-to the discretion of the Gerrit site administrator as to when it
-is reasonable to reveal this information to a 3rd party.
-
-All user account information is stored unencrypted in the Gerrit
-metadata store, typically a PostgreSQL database.
+
+These sensitive fields are immediately encrypted upon receipt with
+a GnuPG public key, and stored "off site" in another data store,
+isolated from the main Gerrit change data. Gerrit does not have
+access to the matching private key, and as such cannot decrypt the
+information. Therefore these fields are write-once in Gerrit, as not
+even the account owner can recover the values they previously stored.
+
+It is expected that the address information would only need to be
+decrypted and revealed with a valid court subpoena, but this is
+really left to the discretion of the Gerrit site administrator as
+to when it is reasonable to reveal this information to a 3rd party.
Spam and Abuse Considerations
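Review bot: the rewrite drops a statement the old text made explicit and the new text never replaces: who can access the stored contact data. The removed lines said "This data is only visible to the account owner and to the Gerrit site administrator"; the new paragraph says Gerrit cannot decrypt it and that it lives "off site" in another data store, but does not say who holds the matching GnuPG private key, who can read the ciphertext, or what access control protects the other store. Suggest adding one sentence naming the private-key holder (e.g. the site administrator or a designated custodian) so the subpoena paragraph that follows has a subject. Two smaller points in the same hunk: "The user's name and email address is stored unencrypted" should read "are stored", and "write-once" is misleading given the next clause (the owner can presumably resubmit a new value but never read back the old one), so "write-only from Gerrit's point of view" states the actual property. Finally, "immediately encrypted upon receipt" still implies the plaintext passes through Gerrit's request handling; a short note that it is not logged or retained before encryption would close the obvious question a privacy reviewer will ask.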