attachment removal and public transition in same e-mail

Bug #373351 reported by Brian Murray
This bug affects 1 person
Affects: Launchpad itself
Status: Triaged
Importance: High
Assigned to: Unassigned
Milestone: none

Bug Description

In the event that an attachment is removed, for example a CoreDump.gz, and a bug is made public within a short period of time, both events will show up in the e-mail to the ubuntu-bugs mailing list. Since the attachment isn't removed right away, it's possible for someone monitoring the mailing list to still get the "deleted" attachment.

Here's an e-mail to the mailing list:

From: Brian Murray <email address hidden>
To: <email address hidden>
X-Launchpad-Bug: distribution=ubuntu; sourcepackage=compiz; component=universe;
        status=New; importance=Medium; assignee=None;
X-Launchpad-Bug-Tags: apport-crash
X-Launchpad-Bug-Private: no
X-Launchpad-Bug-Security-Vulnerability: no
X-Launchpad-Bug-Commenters: apport leif.walsh
References: <email address hidden>
Message-Id: <email address hidden>
Subject: [Bug 323858] Re: compiz.real crashed with SIGSEGV in g_slist_prepend()
X-Launchpad-Message-Rationale: Subscriber (Ubuntu) @ubuntu-bugs
Precedence: bulk
X-Generated-By: Launchpad (canonical.com); Revision="None";
        Instance="initZopeless config overlay"
X-Launchpad-Hash: d7c8186d554906b70063143bf384f0641b625a59
X-BeenThere: <email address hidden>
X-Mailman-Version: 2.1.8
Reply-To: Bug 323858 <email address hidden>
List-Id: Ubuntu bug tracker changes - HIGH VOLUME
        <ubuntu-bugs.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs>,
        <mailto:<email address hidden>?subject=unsubscribe>
List-Post: <mailto:<email address hidden>>
List-Help: <mailto:<email address hidden>?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs>,
        <mailto:<email address hidden>?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: <email address hidden>
Errors-To: <email address hidden>
Delivered-To: <email address hidden>

** Attachment removed: "CoreDump.gz"
   http://launchpadlibrarian.net/21871693/CoreDump.gz

** Visibility changed to: Public

** Changed in: compiz (Ubuntu)
   Importance: Undecided => Medium

--
compiz.real crashed with SIGSEGV in g_slist_prepend()
https://bugs.launchpad.net/bugs/323858
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

Tags: lp-bugs
Graham Binns (gmb) wrote :

A simple fix for this issue would be to not generate notifications for attachment removals on private bugs. That's not necessarily The Right Thing but it solves the problem until we can produce a better, security-aware notification system.

Changed in malone:
importance: Undecided → High
milestone: none → 2.2.5
status: New → Triaged
Changed in malone:
milestone: 2.2.5 → 2.2.6
Gavin Panella (allenap) wrote :

The librarian URL for the deleted attachment also appears in the
activity log, so we must ignore all attachment changes in private
bugs. Unfortunately, this also reduces the usefulness of private bugs.

Perhaps a different solution here is to make sure the librarian either
deletes or denies access for deleted files? A new "purge" mechanism
could be added to the librarian (if one doesn't already exist) for
this use case.

Changed in malone:
milestone: 2.2.6 → none
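
Added example, not Launchpad code: a sketch of the suppression discussed in the two comments above (not notifying attachment changes on private bugs), assuming changes are batched into one mail as in the e-mail in the report. It shows that a privacy check made when the mail is built misses the case, while a check against the bug's privacy when each change was recorded does not; the `Change` record, both render functions, the sample batch and its URL are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    kind: str               # "attachment_removed", "visibility", "importance"
    text: str               # lines as they would appear in the mail body
    private_at_event: bool  # bug privacy at the moment the change was recorded


def render_send_time(changes, bug_private_now):
    """Weak form: looks at the bug's privacy only when the mail is built."""
    if bug_private_now:
        changes = [c for c in changes if not c.kind.startswith("attachment")]
    return "\n\n".join(c.text for c in changes)


def render_event_time(changes):
    """Drops attachment changes that were recorded while the bug was private."""
    kept = [c for c in changes
            if not (c.kind.startswith("attachment") and c.private_at_event)]
    return "\n\n".join(c.text for c in kept)


# Constructed batch mirroring the order of events in the reported e-mail.
# The URL is a placeholder, not a real librarian address.
BATCH = [
    Change("attachment_removed",
           '** Attachment removed: "CoreDump.gz"\n'
           "   https://librarian.example/PLACEHOLDER/CoreDump.gz",
           private_at_event=True),
    Change("visibility", "** Visibility changed to: Public",
           private_at_event=True),
    Change("importance",
           "** Changed in: compiz (Ubuntu)\n   Importance: Undecided => Medium",
           private_at_event=False),
]

if __name__ == "__main__":
    # By the time the batch is mailed the bug is already public.
    print(render_send_time(BATCH, bug_private_now=False))
    print("-----")
    print(render_event_time(BATCH))
```

The same per-change test would apply to the activity log mentioned in the second comment, since it records the same attachment change.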
Brian Murray (brian-murray) wrote :

Bug 181365 is likely a duplicate of this one or vice versa.

Martin Pitt (pitti) wrote :

I'll add an apport task to wait at least 5 minutes before making these bugs public, as a workaround.

But in general, I have the feeling that Launchpad just became waaaaaay too chatty with bug mail. Nowadays we get tons of useless mails about "attachment removed", "branch linked", "bug #234 marked as duplicate of this", "translation imported", etc., none of which is really relevant. From my POV, only state changes, new attachments, and comments are interesting; if comment mails are _augmented_ with additional data, such as "branch linked" or "attachment removed", that's fine, but having these as single mails, they are pretty much useless anyway (and in practice, the useful ones are accompanied by comments). So as a longer-term goal, I wish that we could review this.

Changed in apport (Ubuntu):
status: New → Won't Fix
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → High
status: Won't Fix → Triaged
Brian Murray (brian-murray) wrote :

With regards to Launchpad being too chatty I tend to agree. However, with regards to linking branches - one is not prompted to add a comment when linking a branch so I think it is easy for people to overlook adding one. Additionally, when this is combined with the inability to search for bugs with branches I think we run into a situation where it becomes quite easy to miss these low-hanging fruit. So ideally one should be prompted to also add a comment when adding a branch if the notification were to be removed.

Martin Pitt (pitti) wrote : Re: [Bug 373351] Re: attachment removal and public transition in same e-mail

Hello,

Brian Murray [2009-07-15 19:10 -0000]:
> With regards to Launchpad being too chatty I tend to agree. However,
> with regards to linking branches - one is not prompted to add a comment
> when linking a branch

Right, since it doesn't even happen in the web UI. If you use --fixes
lp:xxxxx (or debcommit), then the branch is automatically linked to
the branch, without any manual activity. However, you are still urged
to set the bug to "fix committed" once the branch is actually ready,
etc.

Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)

Curtis Hovey (sinzui)
Changed in apport (Ubuntu):
status: Triaged → Invalid
no longer affects: apport (Ubuntu)
William Grant (wgrant)
visibility: private → public
This report contains Public Security information  
Everyone can see this security related information.