Promote "Privacy policy" to users in a better way #37

Open
sivaraam opened this issue Jun 26, 2017 · 2 comments


sivaraam commented Jun 26, 2017

Currently, submitgit doesn't seem to be promoting its privacy policy to its users well. It requests access to use user's email address to send email addresses using Amazon SES but doesn't specify anything about how it would be used, which is a red alarm to the privacy-conscious users.

Further, submitgit could possibly face an increase in usage as a result of it being referenced in the CONTRIBUTING.md file of git/git.

So, it's better if the privacy policy was promoted to users to ensure being on the safe side.


rtyley commented Jun 26, 2017

> Currently, submitgit doesn't seem to be promoting its privacy policy to its users well. It requests access to use user's email address to send email addresses using Amazon SES but doesn't specify anything about how it would be used, which is a red alarm to the privacy-conscious users.

To make clear what submitgit needs from users, and how it will be used:

  • Email registration with Amazon SES allows submitgit to send emails on the user's behalf to the Git mailing list. The Git project currently only accepts emailed patches, and these patches must be very precisely formatted (whitespace, etc), meaning you can't just send these emails from a webmail client. submitgit exists to send those emails on your behalf, generated from GitHub pull requests.
  • submitgit will never send a message from a user's email address without that user's direct intervention, i.e. specifically by them hitting the 'Send' button in the submitgit interface.
  • Nothing about this setup allows submitgit to read your email, access to which is still controlled by your email provider.
  • It's a general property of email and SMTP that anyone at any time could send email with a From: header containing your email address - they don't need access to your email account to do so. For submitgit the only thing that registering with Amazon SES changes is that Amazon SES adds DKIM headers to the email, specifying that Amazon takes responsibility for sending the message, and Amazon are only willing to do that because you've registered your specific email address with Amazon SES in submitgit's AWS account. Having done all this, your message won't be deleted as spam before it hits the Git mailing list.
  • The list of registered emails is stored in Amazon SES and won't be shared, though it would be easy to find most of them by searching through the Git mailing list archives.
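The From:/DKIM distinction described in the comment above, as an added example (not code from submitgit or from either commenter): it reads a message and reports the self-asserted From: address next to the `d=` domain of each DKIM-Signature header, which names the party taking responsibility for sending. The sample message, its addresses, selector and signing domain are constructed assumptions, and the code inspects headers only; it does not verify the signature cryptographically.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message, not real traffic. The addresses, selector and
# the d= signing domain are assumptions; bh=/b= are placeholders.
SAMPLE = """\
From: Alice Dev <alice@example.org>
To: list@example.net
Subject: [PATCH] doc: fix typo
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; s=selector1;
 d=amazonses.com; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER

patch body
"""


def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            # Drop folding whitespace left over from header continuation lines.
            tags[key.strip()] = "".join(val.split())
    return tags


def sender_claims(raw):
    """Report who the message says it is from and which domains signed it."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    signers = [parse_dkim_tags(h).get("d", "").lower()
               for h in msg.get_all("DKIM-Signature", [])]
    signers = [d for d in signers if d]
    # Simplified match: signing domain equals the From domain or is its parent.
    aligned = any(from_domain == d or from_domain.endswith("." + d)
                  for d in signers)
    return {"from_address": addr, "from_domain": from_domain,
            "dkim_domains": signers, "aligned": aligned}


if __name__ == "__main__":
    print(sender_claims(SAMPLE))
```

For the sample, the From: domain is `example.org` while the only signer is the sending service's domain, so `aligned` is false: the signature vouches for the sending service, not for ownership of the mailbox.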

@sivaraam

@rtyley Thanks for the detailed info. Any ways in which users could be made aware of this, which could result in an increase in their confidence level?
