Opened 6 months ago

Last modified 6 months ago

#18916 new enhancement

Gerrit: allow disabeling gravatar/allow local profile pictures

Reported by: nephele Owned by: kallisti5
Priority: normal Milestone: Unscheduled
Component: Website/Gerrit Version:
Keywords: Cc:
Blocked By: Blocking:
Platform: All

Description

Currently gerrit is hardwired to get avatars from a service called gravatar. I think it is a bit of a privacy/security concern to querry this server while looking at the code review tool-

Change History (6)

comment:1 by nephele, 6 months ago

Summary: Gerrit: allow disabeling gravatar/allow local profilesGerrit: allow disabeling gravatar/allow local profile pictures

comment:2 by pulkomandy, 6 months ago

The way Gravatar works is, Gerrit (or any other service using Gravatar) computes locally a SHA256 hash of the email address, and sends only that to Gravatar.

As a result, no private info is sent to Gravatar. If you have no account there, Gravatar knows nothing about you, only a SHA256 of your email address that they can do nothing with. This request is made client side by the browser of people visiting the website. Gravatar will not know which website you are calling from.

I don't see what the privacy concern is here?

comment:3 by waddlesplash, 6 months ago

If the call happens client-side then anyone not wanting Gravatar data to be fetched from their browser can block it, anyway.

comment:4 by nephele, 6 months ago

Ip adresses are already personable identifiable data under the GDPR, additionally I would need to sign up for a third party service for an avatar while we already have avatars on the forum and should transfer those to our SSO at some point.

Also, a hash does not prevent correlating to email adresses later if you already have the email adress to then find out the associated ip adress.

Additionally gravatar‘s registered users were already scrapped in the past: https://www.searchenginejournal.com/gravatar-breach/429282/

If the call happens client-side then anyone not wanting Gravatar data to be fetched from their browser can block it, anyway.

If it was serverside you wouldn‘t have to make this choice, no client ip would ever be leaked. It seems silly to tell users of a site *that has no visible privacy policy*(our gerrit here) That they should have just blocked stuff in their UA

comment:5 by waddlesplash, 6 months ago

Third-party requests can be disabled in most web browsers, if that's what you want.

comment:6 by nephele, 6 months ago

No, It is not. And it isn‘t relevant to this ticket.

Note: See TracTickets for help on using tickets.