Hi, I'm not really sure where to mention this, so please redirect me if I've erred. I own an (email) domain, and use unique email addresses for each company/organisation/website that I deal with. My email address for bugs.kde.org has just received some spam. It seems that if one logs into bugs.kde.org, then one can easily see the email addresses of any user that has filed a bug, etc. I assume that that was how the spammer accessed my email address. FWIW I received a phishing email from balistarholidays.com posing as American Express.

I was wondering how feasible it would be to not list email addresses in the plain. Perhaps bugs.kde.org could send mail directly, keeping email addresses secret? I'm not really sure why one would require another's email address anyway, since AFAIK the default is to subscribe to the created bug.

Maybe not the best approach, but it is how bugzilla, the upstream project, works. Usually we try to avoid fiddling with core functionality of such systems.

But there is also a visual hint when setting up a new account:

PRIVACY NOTICE: KDE Bugtracking System is an open bug tracking system. Activity on most bugs, including email addresses, will be visible to the public. We recommend using a secondary account or free web email service (such as Gmail, Yahoo, Hotmail, or similar) to avoid receiving spam at your primary email address.

I essentially do use a secondary address. Once an email address gets compromised, I redirect to /dev/null, then create/register a new one. All of my email addresses redirect to a single account.

I don't really feel that using a secondary email address is a good system for most people though. If all websites were similarly open with email addresses, then users would require dozens of email accounts.

In any case, I guess it's probably something I should take up with bugzilla then.