Sensitive information in Description History
Problem
With the addition of storing the description history in #10103 (closed), a couple of concerns have been noted regarding sensitive information contained within the version history:
- Without the ability to delete previous versions of the description history, this sensitive information is unable to be removed.
- Viewing the history is not available to all tiers. If the history is stored for all tiers, and a user upgrades to a tier where viewing the history is available, any sensitive information that was removed is now visible in the history on all current and older issues.
Solution
For now, we are planning to offer a soft delete for items with potentially sensitive information by providing a delete function for admins when in Edit mode. This will remove the item from the history only; it will not permanently delete it.
Feature flag
save_description_versions
Sensitive information should not be something that is handled by GitLab - it should be governed by the company policy of the user.
With regard to evidence collection, it's important that all data is stored - what was changed, by whom and when. If editing history were to be allowed, even only to users with elevated permissions, that action would still need to be logged for evidence collection reasons.
The other option would be to set specific permissions to view the audit log. That way all data would be retained, but access could be restricted.
MVC
As discussed in the comments, the MVC for this issue is to allow a soft deletion of history items which contain sensitive information.
A follow-on issue, #38265, has been created which will allow viewing of the full audit trail.
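
The soft delete described above, written out in Ruby as an added example (not GitLab's code; the class, method and field names are hypothetical). Deleted versions are hidden from the history view, including after a tier change, while the rows and an append-only log of who deleted what and when are retained for a restricted audit view.

```ruby
# Added illustration. All names here are hypothetical, not GitLab's schema or API.
DescriptionVersion = Struct.new(:id, :text, :author, :created_at, :deleted_at, :deleted_by)

class DescriptionHistory
  class NotAuthorized < StandardError; end

  attr_reader :audit_log

  def initialize
    @versions = []
    @audit_log = [] # append-only: what was changed, by whom and when
  end

  def record(text, author:, at: Time.now.utc)
    version = DescriptionVersion.new(@versions.size + 1, text, author, at, nil, nil)
    @versions << version
    @audit_log << { action: :version_saved, version_id: version.id, actor: author, at: at }
    version
  end

  # Soft delete: the row is kept, only flagged, and the deletion itself is logged.
  def soft_delete(version_id, actor:, admin:, at: Time.now.utc)
    raise NotAuthorized, 'only admins may delete history items' unless admin
    version = @versions.find { |v| v.id == version_id }
    raise ArgumentError, "no version #{version_id}" if version.nil?
    return version if version.deleted_at # already deleted: do not log twice

    version.deleted_at = at
    version.deleted_by = actor
    @audit_log << { action: :version_soft_deleted, version_id: version.id, actor: actor, at: at }
    version
  end

  # History view. Versions are stored for every tier, so the tier check happens
  # at read time; soft-deleted versions stay hidden even after an upgrade.
  def visible_history(tier_can_view_history:)
    return [] unless tier_can_view_history
    @versions.reject(&:deleted_at)
  end

  # Full trail, including soft-deleted versions, behind a separate permission.
  def full_trail(can_view_audit:)
    raise NotAuthorized, 'audit permission required' unless can_view_audit
    @versions.dup
  end
end
```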