Move all contact information out of database to encrypted store
A security review strongly suggested moving the personal contact
details for an account out of the database and into an encrypted
data store that is stored separately from the rest of Gerrit's
metadata. The rationale being that the contact information is
really quite personal, and just doesn't need to be accessed,
except in the most extreme circumstances, like if a court has
issued a valid subpoena to the Gerrit administrators to turn
over contact information for a specific account.
Any captured contact information is now encrypted using GnuPG, and
fired off via SSL protected HTTP POST to another system. That other
system could be "gerrit-contactstore", running on Google App Engine,
or it could be a very simple CGI which stores the encrypted data
to files on disk. With this change, Gerrit only has the user's
contact information transiently in memory while it is encrypting
the message for long-term storage.
Only the GnuPG public key needs to be available, so Gerrit
reads an ASCII armored key, e.g. "gpg --export -a KEY >pub",
simplifying the installation of Gerrit.
Signed-off-by: Shawn O. Pearce <sop@google.com>
24 files changed
