On Thursday, February 25 2021, Ian Campbell wrote:

>> What about information leakage? Apart from debugids does this leak
>> anything else to the server? On a quick look it seems like it might
>> potentially leak source code paths (at least the leaf bits) to things
>> being debugged -- does this mean that if a user is debugging private
>> software (perhaps unpublished or perhaps proprietary software for
>> $work) on a Debian system they are at risk of leaking the source
>> filenames if they run gdb on one of their binaries while debugging?
>> This might be a problem if it comes to enabling this transparently.
>
> Yes, it might. On the other hand, this is mitigated by a few aspects.
> Mainly, debuginfod clients like gdb only call out to the system in case
> they have failed to look up the needed data another way. So if you're
> debugging local software built normally, the buildids / source names
> won't leak because the debugger will find them locally, and debuginfod
> servers are not consulted.
>
> Users who debug secret software but still wish to use internal
> debuginfod distribution for it, can do so by setting up a personal
> debuginfod instance wherever the secret stuff is held, and configure
> that server to federate upstream to the public server. That way, the
> public server will only see traffic that the local one couldn't satisfy.
>
> Do these considerations overcome the concerns, so as to provide a
> comfortable out-of-the-box experience for most users?
Thanks for the reply, Frank.

As I said in the announcement message, I have proposed a Merge Request
against elfutils in order to enable the automatic usage of our
debuginfod server. I know that there are people who are not comfortable
with having a debugger consult a remote server "behind their backs", so
a possible mitigation to this issue would be to have a debconf question
asking whether the user wants to enable system-wide debuginfod usage or
not.

Thanks,

-- 
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
https://sergiodj.net/
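The lookup chain Frank describes (local debug files first, then each server in DEBUGINFOD_URLS, with a private instance federating only its misses to the public one) can be modelled to see exactly which build-ids and source paths each operator would observe. This is an added example, not code from elfutils or the Debian merge request; the server names, build-ids and paths are constructed sample data.

```python
"""Model of the debuginfod request flow discussed in the thread: a client
consults local debug files, then the configured servers in order; a
server that cannot satisfy a request forwards it upstream. Each server
records every request it saw, which is the information that leaks to
that server's operator. All identifiers below are constructed samples."""
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    index: set                      # build-ids this server can serve itself
    upstream: "Server | None" = None
    seen: list = field(default_factory=list)   # (buildid, request) observed

    def fetch(self, buildid, request):
        # Whatever reaches this server is visible to its operator, hit or miss.
        self.seen.append((buildid, request))
        if buildid in self.index:
            return self.name
        # Federation: forward the miss to the upstream (e.g. public) server.
        return self.upstream.fetch(buildid, request) if self.upstream else None


def resolve(buildid, request, local_ids, urls):
    """Return who satisfied the request: 'local', a server name, or None."""
    if buildid in local_ids:        # found on disk: no network request at all
        return "local"
    for server in urls:             # DEBUGINFOD_URLS, consulted in order
        hit = server.fetch(buildid, request)
        if hit:
            return hit
    return None


def run_scenario():
    public = Server("public", {"aaaa1111"})
    private = Server("private", {"bbbb2222"}, upstream=public)
    local_ids = {"cccc3333"}        # e.g. a program built normally on the box
    requests = [
        ("cccc3333", "debuginfo"),                           # local build
        ("bbbb2222", "source:/home/dev/secret/main.c"),      # $work software
        ("aaaa1111", "debuginfo"),                           # Debian package
    ]
    results = [resolve(b, r, local_ids, [private]) for b, r in requests]
    return results, private.seen, public.seen
```

Running the scenario shows the public server receiving only the Debian build-id, while the private source path stops at the private instance.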