Confidential issues and comments on them are sent out in the clear
I just tested out confidential issues a bit, as that's one of the GitLab features I was looking forward to.
It turns out that notifications containing the creation of confidential issues and comments on them are sent out in the clear, unencrypted, which is problematic.
I am not even sure who exactly gets those notifications. But that's a different thing to investigate (and a bit hard for me to test as I filed a confidential test issue in a project I am owner of and I don't want to spam other projects).
So, Bugzilla solves this part very nicely actually: by default folks watching a confidential issue just get a notice by email that that issue got updated, so there is nothing confidential leaking out here, but one has to log in to actually see what changed/got added. Alternatively, if one adds an OpenPGP key to the user profile, one gets an encrypted mail for issue updates with actual meat one can read locally after decrypting.
I am not sure what exactly is possible in GitLab, but it should not send out notifications for confidential issue updates/creations leaking sensitive information.
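
The Bugzilla-style behaviour described in the report above, sketched as an added example (not part of the original report, and not GitLab or Bugzilla code). `Issue`, `Recipient`, `envelope`, `build_notification` and the `encrypt:` callable are hypothetical names; the stand-in encryptor only exists so the sketch runs offline. It also covers two cases the report does not spell out: the subject line sits outside any encrypted body, and a failed encryption must fall back to the content-free notice.

```ruby
# Hypothetical types for illustration; not GitLab's or Bugzilla's data model.
Issue     = Struct.new(:id, :title, :confidential, :url, keyword_init: true)
Recipient = Struct.new(:email, :pgp_key, keyword_init: true)

def envelope(recipient, subject, body, mode)
  { to: recipient.email, subject: subject, body: body, mode: mode }
end

# Builds the notification for one recipient. `encrypt` is any callable
# (plaintext, key) -> ciphertext, e.g. a wrapper around an OpenPGP library.
def build_notification(issue, comment, recipient, encrypt:)
  full_subject = "#{issue.title} (##{issue.id})"
  full_body    = "#{comment}\n\n#{issue.url}"
  return envelope(recipient, full_subject, full_body, :plain) unless issue.confidential

  # Mail headers are not covered by body encryption, so the title never
  # goes into the subject of a confidential notification.
  subject = "Confidential issue ##{issue.id} was updated"
  if recipient.pgp_key
    begin
      body = encrypt.call("#{full_subject}\n\n#{full_body}", recipient.pgp_key)
      return envelope(recipient, subject, body, :encrypted)
    rescue StandardError
      # Fail closed: an unusable key must not downgrade to cleartext content.
    end
  end
  envelope(recipient, subject, "Log in to see what changed: #{issue.url}", :notice)
end

# Constructed sample data. FAKE_ENCRYPT is a stand-in, NOT encryption.
FAKE_ENCRYPT = ->(text, key) { "[stand-in ciphertext for #{key}, #{text.bytesize} bytes]" }
BROKEN_ENCRYPT = ->(_text, _key) { raise "key expired" }
SAMPLE_ISSUE = Issue.new(id: 7, title: "Token leak in importer", confidential: true,
                         url: "https://gitlab.example/group/project/-/issues/7")
WITH_KEY = Recipient.new(email: "dev@example.org", pgp_key: "0xCONSTRUCTED")
NO_KEY   = Recipient.new(email: "watcher@example.org", pgp_key: nil)

if __FILE__ == $PROGRAM_NAME
  [WITH_KEY, NO_KEY].each do |r|
    puts build_notification(SAMPLE_ISSUE, "Reproducer attached", r, encrypt: FAKE_ENCRYPT)
  end
end
```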