Mention the contact information encryption in our design document

As of Gerrit 2.0.4 we encrypt the contact information for a user
account, limiting the amount of data we capture and store.  This
is important to mention when describing how we manage private
user information.

Signed-off-by: Shawn O. Pearce <sop@google.com>
diff --git a/Documentation/dev-design.txt b/Documentation/dev-design.txt
index 1440083..3dc7d5a 100644
--- a/Documentation/dev-design.txt
+++ b/Documentation/dev-design.txt
@@ -359,10 +359,10 @@
 
 * Full Name
 * Preferred Email Address
-* Mailing Address '(Optional)'
-* Country '(Optional)'
-* Phone Number '(Optional)'
-* Fax Number '(Optional)'
+* Mailing Address '(Optional, Encrypted)'
+* Country '(Optional, Encrypted)'
+* Phone Number '(Optional, Encrypted)'
+* Fax Number '(Optional, Encrypted)'
 
 The full name and preferred email address fields are shown to any
 site visitor viewing a page containing a change uploaded by the
@@ -385,17 +385,24 @@
 cases these same addresses would be more easily obtained from the
 project's mailing list archives.
 
+The user's name and email address is stored unencrypted in the
+Gerrit metadata store, typically a PostgreSQL database.
+
 The snail-mail mailing address, country, and phone and fax numbers
 are gathered to help project leads contact the user should there
 be a legal question regarding any change they have uploaded.
-This data is only visible to the account owner and to the Gerrit
-site administrator.  It is expected that the information would only
-be revealed with a valid court subpoena, but this is really left
-to the discretion of the Gerrit site administrator as to when it
-is reasonable to reveal this information to a 3rd party.
 
-All user account information is stored unencrypted in the Gerrit
-metadata store, typically a PostgreSQL database.
+These sensitive fields are immediately encrypted upon receipt with
+a GnuPG public key, and stored "off site" in another data store,
+isolated from the main Gerrit change data.  Gerrit does not have
+access to the matching private key, and as such cannot decrypt the
+information.  Therefore these fields are write-once in Gerrit, as not
+even the account owner can recover the values they previously stored.
+
+It is expected that the address information would only need to be
+decrypted and revealed with a valid court subpoena, but this is
+really left to the discretion of the Gerrit site administrator as
+to when it is reasonable to reveal this information to a 3rd party.
 
 
 Spam and Abuse Considerations
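Review bot: "write-once" in the new paragraph ("Therefore these fields are write-once in Gerrit") overstates what the surrounding text supports: the stated consequence of Gerrit lacking the private key is that nobody, the owner included, can read the values back, not that a later submission is rejected; unless resubmission is actually blocked, say the fields are write-only (cannot be read back) and state separately whether a user may overwrite them. Two smaller points in the same hunk: "The user's name and email address is stored unencrypted" should read "are stored", and since the last paragraph's subpoena flow now depends on someone outside Gerrit decrypting the data, the design should say who holds the matching GnuPG private key and where the "off site" store and public key are configured.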