Confidential issues and comments on them are sent out in the clear
I just tested out confidential issues a bit as that's one of the Gitlab
features I was looking forward to.
It turns out that notifications containing the creation of confidential
issues and comments to them are sent out in the clear, unencrypted,
which is problematic.
I am not even sure who exactly gets those notifications. But that's a
different thing to investigate (and a bit hard for me to test as I filed
a confidential test issue in a project I am owner of and I don't want to
spam other projects).
So, Bugzilla solves this part very nicely actually: by default folks
watching a confidential issue just get a notice by email that that issue
got updated, so there is nothing confidential leaking out here, but one
has to log in to actually see what changed/got added. Alternatively, if
one adds an OpenPGP key to the user profile, one gets an encrypted mail
for issue updates with actual meat one can read locally after decrypting.
I am not sure what exactly is possible in Gitlab but it should *not*
send out notifications for confidential issue updates/creations leaking
sensitive information.
issue