:linkattrs:
= Gerrit Code Review - User Privacy

== Purpose

This page documents how Gerrit handles user data.

|===
| Note: Gerrit has extensive support for link:config-plugins.html[plugins]
which extend Gerrit's functionality, and these plugins could access, export, or
manipulate user data. This document only focuses on the behavior of Gerrit
core and its link:dev-core-plugins.html[core plugins].
|===

== Types of User Data

Gerrit stores account data required for collaborating on source code changes.
This data is described by
link:config-accounts.html#account-data-in-user-branch[Account Data in User
Branch] and includes link:config-accounts.html#external-ids[External IDs],
link:config-accounts.html#preferences[User Preferences],
link:config-accounts.html#project-watches[Project Watches] and personally
identifiable information, including name and email address. The email
address is required to associate Git commits with a Gerrit user account. All
data except passwords is made accessible to the other users to whom you are
visible, as detailed below.

== User Visibility

Gerrit has a concept of link:config-gerrit.html#accounts[account visibility]
which determines what users a given user can see. This visibility configuration
applies in account search, reviewer suggestion, and when accessing data through
the link:rest-api-accounts.html#account-endpoints[Account REST endpoints]. If
you can see a user, you have read access to most of the
link:rest-api-accounts.html#account-info[AccountInfo] for that user, including
name and email address. Additional information, including secondary emails, is
included in AccountInfo if the caller has "Modify Account" permissions.

Additionally, all users on a change (author, cc'd, reviewer) can see each other,
irrespective of the account visibility settings. For example: say you are a
reviewer on a change where user Foo is also a reviewer. Even if by account
visibility you could not search for Foo, you'd still see their avatar, name,
and email now because you can see the change; this information is required to
collaborate on a code review. If Foo wasn't on that change, you could not add
them because reviewer suggestions would not find them due to the account
visibility settings.

By default, account visibility on a Gerrit instance is set to `ALL`, which allows
all users to be visible to other users, even anonymous (i.e. unauthenticated)
users. Depending on your installation type, you may want to change this:

* For completely company-internal Gerrit installations (no external users), the
`ALL` default may make sense.

* If you work with multiple vendors who have
access to their own independent sets of repos, `VISIBLE_GROUP` may be more
appropriate, as you wouldn't want vendor A to see accounts from vendor B.

* For public installations, e.g. for open source projects, you may want to
change this setting or add a notice for users when they create an account, e.g.
"Most of what you submit on this site, including your email address and name,
will be visible to others who use this service. You may prefer to use an email
account specifically for this purpose." One way to do this is using
link:config-gerrit.html[`auth.registerPageUrl`] in `gerrit.config`.

== ACLs and User Visibility

User suggestions for changes, when adding a reviewer or cc-ing someone, always
respect ACLs for that change: only users who can see the change are suggested.
The suggested users are an intersection of who you can see and who can see the
change.

Consider the following situation:

* `READ` permission for Registered Users on the host
* User visibility is set to `VISIBLE_GROUP`, so only users of the same domain can
see each other
* a@foo.com creates change 123

This would mean:

* a@foo.com cannot add b@bar.com to the change because these users cannot see
each other due to the user visibility setting.
* b@bar.com can find change 123
because they have READ permission and could add themselves to the change.
* a@foo.com would then be able to see b@bar.com's name, avatar, and email on
change 123.

The only caveat to the above is Private Changes, which are only visible to the
owner and reviewers; reviewers can only see the change once they are added to
the change (if ACLs allow them to be added in the first place), not before.
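
As an added illustration that is not part of the original page and not Gerrit's own code, the following Python model walks through the a@foo.com / b@bar.com scenario above together with the account-visibility rules from the previous section. It assumes a host-wide `READ` grant for Registered Users (as in the scenario), simplifies `VISIBLE_GROUP` to "the viewer shares at least one group with the account" (omitting groups flagged visible to all), and reads `accounts.visibility` from a constructed `gerrit.config` excerpt; the `registerPageUrl` value is a placeholder, and the account and group names are made up.

```python
# Toy model (written for this page, not Gerrit's own code) of account visibility,
# reviewer suggestion and change ACLs as described above.
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed gerrit.config excerpt in git-config syntax. accounts.visibility and
# auth.registerPageUrl are real keys; the URL is a placeholder, not a real site.
GERRIT_CONFIG = """\
[accounts]
\tvisibility = VISIBLE_GROUP
[auth]
\tregisterPageUrl = https://gerrit.example/privacy-notice
"""


def parse_git_config(text: str) -> dict[str, str]:
    """Minimal reader for git-config style text, returning {'section.key': value}."""
    cfg, section = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, _, value = line.partition("=")
        cfg[f"{section}.{key.strip()}"] = value.strip()
    return cfg


@dataclass
class Change:
    number: int
    owner: str
    reviewers: set[str] = field(default_factory=set)
    private: bool = False


@dataclass
class Site:
    visibility: str                    # value of accounts.visibility
    groups: dict[str, frozenset[str]]  # account email -> groups it belongs to

    def has_read_acl(self, viewer: str | None) -> bool:
        # Scenario assumption: READ for Registered Users host-wide; anonymous is None.
        return viewer is not None

    def can_see_account(self, viewer: str | None, target: str) -> bool:
        """Account visibility as applied by account search and reviewer suggestion."""
        if viewer == target or self.visibility == "ALL":  # ALL: even anonymous users
            return True
        if self.visibility == "VISIBLE_GROUP":
            # Simplification: visible if the viewer shares one of the target's groups
            # (Gerrit also counts groups flagged visible to all; omitted here).
            return viewer is not None and bool(self.groups[viewer] & self.groups[target])
        raise NotImplementedError(f"{self.visibility} is not modelled here")

    def can_see_change(self, viewer: str | None, change: Change) -> bool:
        if not self.has_read_acl(viewer):
            return False
        if change.private:  # private changes: owner and already-added reviewers only
            return viewer == change.owner or viewer in change.reviewers
        return True

    def suggest_reviewers(self, caller: str, change: Change) -> set[str]:
        """Intersection of who the caller can see and who may read the change. A private
        change is visible to a candidate once added, so only the READ ACL is checked."""
        return {e for e in self.groups
                if e != caller and self.can_see_account(caller, e) and self.has_read_acl(e)}

    def sees_on_change(self, viewer: str, target: str, change: Change) -> bool:
        """Participants on a change see each other regardless of account visibility."""
        participants = {change.owner} | change.reviewers
        if viewer in participants and target in participants:
            return self.can_see_change(viewer, change)
        return self.can_see_account(viewer, target)


def scenario() -> dict[str, bool]:
    """Walk through the a@foo.com / b@bar.com example from the text."""
    cfg = parse_git_config(GERRIT_CONFIG)
    groups = {"a@foo.com": frozenset({"foo-users"}), "c@foo.com": frozenset({"foo-users"}),
              "b@bar.com": frozenset({"bar-users"})}
    site = Site(cfg["accounts.visibility"], groups)
    change = Change(number=123, owner="a@foo.com")
    out = {
        "a_sees_b_by_search": site.can_see_account("a@foo.com", "b@bar.com"),
        "a_can_suggest_b": "b@bar.com" in site.suggest_reviewers("a@foo.com", change),
        "a_can_suggest_c": "c@foo.com" in site.suggest_reviewers("a@foo.com", change),
        "b_can_find_change": site.can_see_change("b@bar.com", change),
    }
    change.reviewers.add("b@bar.com")  # b uses their READ access to add themselves
    out["a_sees_b_on_change"] = site.sees_on_change("a@foo.com", "b@bar.com", change)
    out["a_sees_b_by_search_after"] = site.can_see_account("a@foo.com", "b@bar.com")
    private = Change(number=124, owner="a@foo.com", private=True)
    out["b_sees_private_before_add"] = site.can_see_change("b@bar.com", private)
    out["anonymous_sees_a_under_VISIBLE_GROUP"] = site.can_see_account(None, "a@foo.com")
    out["anonymous_sees_a_under_ALL"] = Site("ALL", groups).can_see_account(None, "a@foo.com")
    return out
```

Calling `scenario()` reproduces the three outcomes listed above: a@foo.com can neither find nor suggest b@bar.com, b@bar.com can still open change 123 and add themselves, and only then does a@foo.com see b's details, and only on that change (a search still fails). The last entries show the two caveats from the text: a private change stays invisible to b@bar.com until they are added, and under the `ALL` default an unauthenticated caller can see an account that `VISIBLE_GROUP` hides.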

== Right to be Forgotten Limitations

As a source control system, Gerrit has limited abilities to remove personally
identifiable information. Notably, Gerrit cannot:

* Remove a user's e-mail from all existing commits
* Remove a user's username

== Open Source Software Limitations

Gerrit is open-source software licensed under the Apache 2.0 license. Unless
required by applicable law or agreed to in writing, software distributed under
the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
OF ANY KIND, either express or implied. See the License for the specific
language governing permissions and limitations under the License.