Opened 5 months ago
Last modified 5 months ago
#18916 new enhancement
Gerrit: allow disabling gravatar/allow local profile pictures
| Reported by: | nephele | Owned by: | kallisti5 |
|---|---|---|---|
| Priority: | normal | Milestone: | Unscheduled |
| Component: | Website/Gerrit | Version: | |
| Keywords: | | Cc: | |
| Blocked By: | | Blocking: | |
| Platform: | All | | |
Description
Currently Gerrit is hardwired to get avatars from a service called Gravatar. I think it is a bit of a privacy/security concern to query this server while looking at the code review tool.
Change History (6)
comment:1 by , 5 months ago
Summary: Gerrit: allow disabling gravatar/allow local profiles → Gerrit: allow disabling gravatar/allow local profile pictures
comment:2 by , 5 months ago
comment:3 by , 5 months ago
If the call happens client-side then anyone not wanting Gravatar data to be fetched from their browser can block it, anyway.
comment:4 by , 5 months ago
IP addresses are already personally identifiable data under the GDPR; additionally, I would need to sign up for a third-party service for an avatar while we already have avatars on the forum and should transfer those to our SSO at some point.
Also, a hash does not prevent correlating to email addresses later if you already have the email address to then find out the associated IP address.
Additionally, Gravatar's registered users were already scraped in the past: https://www.searchenginejournal.com/gravatar-breach/429282/
> If the call happens client-side then anyone not wanting Gravatar data to be fetched from their browser can block it, anyway.
If it was server-side you wouldn't have to make this choice; no client IP would ever be leaked. It seems silly to tell users of a site *that has no visible privacy policy* (our Gerrit here) that they should have just blocked stuff in their UA.
comment:5 by , 5 months ago
Third-party requests can be disabled in most web browsers, if that's what you want.
The way Gravatar works is, Gerrit (or any other service using Gravatar) computes locally a SHA256 hash of the email address, and sends only that to Gravatar.
As a result, no private info is sent to Gravatar. If you have no account there, Gravatar knows nothing about you, only a SHA256 of your email address that they can do nothing with. This request is made client side by the browser of people visiting the website. Gravatar will not know which website you are calling from.
I don't see what the privacy concern is here?
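As an added illustration of the two technical points made in comment:4 and comment:5 (not code from Gerrit, Gravatar or any commenter), the sketch below lists the image requests a browser would send to another host when rendering a review page, and shows that the hash in the avatar URL can be confirmed against an address the checker already holds. The host names, addresses, page snippet and function names are constructed for the example, and trimming and lower-casing the address before hashing is an assumption the thread does not state.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

def gravatar_hash(email: str) -> str:
    """SHA256 of the trimmed, lower-cased address (hash scheme as described in comment:5)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

class _ImgCollector(HTMLParser):
    """Collects the src attribute of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def third_party_images(html: str, first_party_host: str):
    """Return (host, last path segment) for each <img> fetched from another host."""
    parser = _ImgCollector()
    parser.feed(html)
    found = []
    for src in parser.sources:
        parts = urlsplit(src)
        # Relative URLs have no hostname and stay on the first-party site.
        if parts.hostname and parts.hostname != first_party_host:
            found.append((parts.hostname, parts.path.rsplit("/", 1)[-1]))
    return found

def confirm_known_addresses(identifiers, known_emails):
    """Map each identifier to an address the checker already holds, if the hashes agree."""
    table = {gravatar_hash(e): e for e in known_emails}
    return {i: table[i] for i in identifiers if i in table}

# Constructed sample: one local image and one avatar served from another host.
AVATAR_HOST = "avatars.example.net"  # assumption: stands in for the external avatar service
SAMPLE_PAGE = (
    '<img src="/static/logo.png">'
    f'<img src="https://{AVATAR_HOST}/avatar/{gravatar_hash(" Dev@Example.org ")}?s=32">'
)

if __name__ == "__main__":
    hits = third_party_images(SAMPLE_PAGE, "review.example.org")
    print(hits)
    print(confirm_known_addresses([h for _, h in hits],
                                  ["dev@example.org", "other@example.org"]))
```

Serving the same image from the review host itself, as comment:4 suggests, would make `third_party_images` return an empty list for this page.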