I just noticed that Unity’s FogBugz issue tracker is publicly indexed on Google, so if you’ve ever replied to a bug report or included your email in a submission, your email - both your address and what you wrote - is now publicly indexed on Google as well.
Seems like it could be trivial for spammers to harvest a lot of private emails from it, e.g. by doing a search like this.
Might be a good idea for Unity to turn off Google indexing for the FogBugz pages.
Edit: Not quite so bad as I feared: These are only being indexed by Google if the person has publicly shared a link to one of their bugs elsewhere.
Thanks, I don’t know if it’s always been like that or not, but it’s obviously a bit of a privacy issue. At least without it being indexed on Google you need your personal link to see your bug reports, even though it’s still technically public.
Gotta agree with angrypenguin that the whole thing should really be behind a login barrier. Even if it means locking bug submitters out entirely and having them only see their bugs paraphrased by QA in the Issue Tracker it’d probably be better.
I’m actually a little more concerned about the information we share in those bug-reports, as well as attachments and images along the conversation.
@SaraCecilia: Would it be possible to require logging in to fogbugz and restrict access only to those bugs that have been reported with the signed-in account? I’ve always had a bad feeling with that information being so easily accessible.
Especially since when people reply to a QA email it’s quite different to posting in a forum - they’re more likely to have an expectation that their reply is private.
For what it’s worth, I’m fairly certain that Google is only indexing bugs where people have publicly shared their Fogbugz links, rather than the entire database. We’ve alerted the QA team to see if we can shut off that too, but if you’re not sharing your FB links, they should already not be in Google’s indexes.
Ah thanks, that would explain why you must have thousands of bugs but Google results only seem to show hundreds. As usual you can make good software but it’s the users that ruin everything.
Short of stripping the email/system specs and any URLs in the messages from users who have posted images or file upload links… I don’t see that much wrong with the publicly visible bug reports… maybe if the bug submitter had a way to specify whether the bug report would be visible to the public or not, that would help, with stripping of the unneeded info for public viewers.
As overall having searchable access to seeing the recent reported bugs that go to fogbugz would help end users see if their own issues/problems like with release builds have been reported as well. The issuetracker/forums is more secondary to what is generally reported imo. Also QA seem to provide some useful feedback/suggestions that is largely hidden from public.
I wonder what an Inexpensive Concert Violation is. Maybe like you forget to hire a security guard for door 5 but your friend steps in and does it for a cheap rate.
It’s a while since I’ve reported a bug, so I can’t remember specifically, but I have a feeling I’ve always assumed that whatever you include is made public.
That said, it does limit what I’m willing to say or do as a part of a bug report in some cases, because when you’re working for someone else it’s not a good look to have tangential information about the project leaking onto the Internet.
I’ve got about 3 different fogbugz/email accounts I use, and thought it was a bit odd I got spam but it’s the internet so I’m not really bothered… doesn’t seem more or less than usual.
Some of us share information that is not meant for the public. For example, I remember we asked Unity to sign a non-disclosure agreement before we actually submitted our project to them through the bug-reporter. Besides the project we also shared images in the conversation that were not meant for the public at this time.
Another big issue in my opinion is that if someone shares a fogbugz issue in this forum, for example, everyone then has access to every issue that was submitted and is going to be submitted from that reporter. A fogbugz link should provide access to only that one linked issue in my opinion.
Actually, I’d also be interested to hear from Unity how they protect our submitted projects as well as how long they keep them.
I do agree with folks that the FB pages are not ideal for a number of reasons. I would very much like to migrate things to the IssueTracker site, and make that the place you go for viewing all of your own reported issues - including the ability to log in and see your own bugs in a private way, instead of using this ‘magic link’ approach.
We’ve done some design work around this, but implementation is going to take a little while.
Well I did say they could ask bug reporters to specify before submitting the report if they are allowing it to be publicly viewable. Personally I’d make some of the bugs I’ve submitted viewable if some of the stuff previously mentioned was stripped, and I think many others would do the same if it were more easily visible to check other reported issues for a given release. Because the public issue tracker and forums are about as close to this as we get… and yet I’d guess most bug reports go to neither first. You may sometimes see a similar issue brought up on the forum to see if anyone else is experiencing the same, etc. Otherwise it would just be from QA feedback direct to bug submissions that go to fogbugz and is probably never really seen by anyone else unless leaked out.
Do users even check the public issuetracker (I barely ever check it because honestly the layout and usability of the issuetracker is total rubbish and you need google js crap for it to even work properly), seems like a lot of crossover with fogbugz, I kinda think QA fills out the public issuetracker reports from reported fogbug reports anyway?
Yes.
Either way stripping of some of the info shown publicly on fogbug reports should really happen.
I get that, however I would also guess it is more of a minority of users that would prefer not making certain reports publicly viewable. The benefit is that the majority of bug reports aren’t all that subject to top secret projects or sharing of code in the message etc, even though the information posted can be useful including replies back.
We have done something before to tackle this issue, but it seems it only dealt with a part of it. Though, we are in the process of making the necessary changes to the server, but it may take several days for the search engines to catch up.
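
Two concerns raised in this thread, that one shared link opens every report from the same submitter and that shared links end up in search indexes, can both be handled at the link layer: sign each link for a single issue and serve the page with headers that opt it out of indexing. The sketch below is an added example, not part of any post in this thread and not Unity's or FogBugz's code; the `/issue/<id>` URL layout, the demo key, and all function names are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed demo key; a real service would load this from a secret store.
SERVER_KEY = b"constructed-demo-key"

# Sent with every link-protected page: keeps it out of search indexes and
# stops the secret URL from leaking to other sites via the Referer header.
PRIVATE_PAGE_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}


def _sign(issue_id, expires):
    # The signature covers the issue id, so it cannot be reused for another issue.
    msg = f"{issue_id}:{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_issue_link(issue_id, ttl_seconds, now=None):
    """Build a link that grants access to exactly one issue until it expires."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    return f"/issue/{issue_id}?exp={expires}&sig={_sign(issue_id, expires)}"


def parse_issue_link(link):
    """Split a link (hypothetical layout) into (issue_id, expires, sig)."""
    parts = urlsplit(link)
    query = parse_qs(parts.query)
    issue_id = int(parts.path.rsplit("/", 1)[1])
    return issue_id, int(query["exp"][0]), query["sig"][0]


def check_issue_access(issue_id, expires, sig, now=None):
    """Return (http_status, response_headers) for a request to one issue."""
    now = int(time.time()) if now is None else now
    expected = _sign(issue_id, expires)
    # Constant-time comparison; any change to the id or expiry breaks the match.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return 403, {}
    if now > expires:
        return 410, {}
    return 200, dict(PRIVATE_PAGE_HEADERS)
```

A `noindex` header only takes effect if crawlers are allowed to fetch the page, so it should not be combined with a `robots.txt` rule that blocks the same path.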