Sandro Tosi wrote, on 08/04/10 01:45:
> Hello Arthur,
> thanks for your report.
>
> On Wed, Apr 7, 2010 at 17:01, Arthur Marsh wrote:
>> Hi, it would be a good idea for reportbug to warn of or by default
>> strip passwords from report messages including attached files (e.g.
>> text on the same line as a case insensitive match on password) as
>> Google indexes Debian bug reports very quickly and it would be
>> trivial to use Google to harvest passwords inadvertently included
>> in a bug report.
>
> Are you referring to reportbug itself, when it includes the
> ~/.reportbugrc file and the password contained there? or are you
> referring to a general case, where a user inserts username/password
> into the bug report?

Yes, where a username/password gets inserted into the bug report is one
of the cases I was thinking of.

> or (last option :) are you referring to other
> packages that include their configuration files into the bug report?
>
> Regards,

Yes, I was also thinking of configuration files that might be included
(either manually as attachments by the reporter or automatically as part
of the configuration information that reportbug gathers for a particular
package).
Packages that communicate with mobile telephone handsets (e.g.
gammu/wammu/gnokii) might also need some special attention to
warn/remove data that should not be public. It can be very easy to send
a bug report without thinking, and impossible to "unsend" a bug report
once it is indexed by Google and friends.
Arthur.
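
The check proposed in this thread (act on text that shares a line with a case-insensitive match on "password"), sketched as an added example; it is not reportbug code. The keyword list beyond "password", the `scrub_report` name and the sample report are assumptions made for illustration.

```python
import re

# Assumed keyword list; the thread itself only names "password".
SENSITIVE = r"(?:pass(?:word|wd|phrase)?|secret|token|api[_-]?key)"

# key = value / key: value, as found in rc and ini style files.
ASSIGNMENT = re.compile(
    r"^(?P<prefix>\s*[\w.-]*" + SENSITIVE + r"[\w.-]*\s*[:=]\s*)(?P<value>\S.*)$",
    re.IGNORECASE,
)
MENTION = re.compile(SENSITIVE, re.IGNORECASE)
PLACEHOLDER = "[REDACTED]"


def scrub_report(text):
    """Return (scrubbed_text, findings) for a draft bug report.

    findings is a list of (line_number, action): "redacted" for a
    key/value line whose value was replaced, "review" for a line that
    mentions a keyword but has no value that can be isolated safely,
    so the reporter has to check it by hand before sending.
    Over-matching (e.g. "bypass") is accepted: a false warning costs
    less than a leaked credential.
    """
    out, findings = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        if match:
            out.append(match.group("prefix") + PLACEHOLDER)
            findings.append((number, "redacted"))
        else:
            if MENTION.search(line):
                findings.append((number, "review"))
            out.append(line)
    return "\n".join(out), findings


# Constructed sample: a report body with an rc-style file pasted in.
SAMPLE = """\
Package: examplepkg
The daemon rejects my login after upgrade.
smtpuser = arthur
smtppasswd = hunter2
Password: "two words"
I typed my password hunter2 at the prompt
"""

if __name__ == "__main__":
    scrubbed, found = scrub_report(SAMPLE)
    print(scrubbed, found, sep="\n")
```

The free-text line is only flagged, not rewritten, which is why a warning before sending is needed in addition to automatic stripping.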