Apache OpenOffice (AOO) Bugzilla – Full Text Issue Listing

| Summary: | bugzilla mailserver does not use TLS on outbound connections => security problem and GDPR violation | | |
|---|---|---|---|
| Product: | Infrastructure | Reporter: | Don't show my email <apache> |
| Component: | Bugzilla | Assignee: | AOO issues mailing list <issues> |
| Status: | CLOSED NOT_AN_OOO_ISSUE | QA Contact: | |
| Severity: | Normal | | |
| Priority: | P5 (lowest) | CC: | mseidel, oooforum, petko |
| Version: | current | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Issue Type: | DEFECT | Latest Confirmation in: | --- |
| Developer Difficulty: | --- | | |

Description
Don't show my email
2019-09-09 11:20:05 UTC
Can you state which personal information has been leaked to the public? Ohh, yea, please note all information that you post is public. If you do not want that then contact private@openoffice.apache.org.

(In reply to Don't show my email from comment #0)
> which is a DP violation for european corps and organisations

Much Ado About Nothing
This is just a bug tracking system

Of course you did not leak any personal information yet, that's not the point. EU GDPR §32 states that, if easily and simply possible, the general transport of personal data has to be encrypted/protected. The fact that you as receiver can't know in advance what people will send to you via email leads to the consequence that you have to protect any incoming transmission. I am part of a European corp/organisation and we have to obey the GDPR, as it's a European law. So any disabling of the TLS enforce policy means a violation for us, because in that timeframe a mail with personal data could come in. I admit, it's theoretical at first, but if I have to leave the TLS enforcer disabled for every mail your Bugzilla is sending, i.e. as reaction to a ticket, it's no longer theoretical, it becomes a real violation. That means in the end, a lawful corp/org has to block unencrypted email traffic. The worst part is the fact that you send it unencrypted at all. It is 2019! Not 1990. I had the same discussion with Mozilla, and I won :) Be nice, enable TLS for TLS-capable mailservers. Besides the EU-friendly policy, it's a security enhancement, as sensitive information is no longer sent in plain text around the globe.

However, this is not a bug in OpenOffice, but in the Bugzilla installation. So the issue should be raised with ASF Infra, who is maintaining this (and other) installations.

Okay.
1) As you have just confirmed, we did not commit any GDPR violation.
2) You have not passed any personal information to us that could lead to a GDPR violation.
3) All information on the server except the email address is shown to the public. Also in this point we do not violate the GDPR.

I see it is in our full right to do this unencrypted. This is a convenience change for you, as you have also confirmed. A smart guy would be nice and not threaten us with a media campaign. I will reach out to infra when I have time and ask them what they can do. Just remember your words matter. Give the people the chance to be nice.