On 08/12/14 14:47, Sven Van Caekenberghe wrote:
> Hi Tommaso,
> I think this is a cool initiative, many environments have something similar, so
> this is a welcome addition.
> However, you must be clearer about the security implications (and/or tell us
> how these concerns are dealt with in other places). Say I execute:
>
>     ZnEasy
>         get: 'http://zn.stfx.eu/nuclear-launch-codes.txt'
>         username: 'barak.ob...@whitehouse.gov'
>         password: 'michele'.
>
> This will leave sensitive hosts, ports, URIs, usernames and above all passwords
> on the stack. Will these be reported/uploaded as well?
Hi Sven,
you are right, I stressed the idea when I first presented ShoreLine
Reporter to the mailing list but it is important to be clear: We do not
collect any kind of sensitive data. The stack trace we collect is in
text in the format ClassName>>methodSignature:, to be sure that we
exclude any parameter, password or repository.
In addition to the stack trace, we collect the author name, the date and
the Pharo version, to cluster the data and have an idea of the evolution
of the system over time.
I hope it is clear enough,
thanks for your question!
Tommaso
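
The property discussed in this exchange (frames reduced to ClassName>>selector, with arguments and messages left out), shown as an added Python illustration that is not part of the original e-mails and is not ShoreLine Reporter's code. ZnEasyLike, safe_report, naive_report and all sample values are hypothetical and constructed for the example.

```python
URL = "http://example.invalid/secret.txt"   # constructed sample values
USER = "user@example.invalid"
PASSWORD = "constructed-password"

class ZnEasyLike:
    """Hypothetical stand-in for an HTTP client that fails mid-request."""
    def get(self, url, username, password):
        return self._connect(url, username, password)

    def _connect(self, url, username, password):
        # The exception message itself carries the URL.
        raise ConnectionError(f"cannot reach {url}")

def frames_of(exc):
    """Yield the frames recorded in the exception's traceback, outermost first."""
    tb = exc.__traceback__
    while tb is not None:
        yield tb.tb_frame
        tb = tb.tb_next

def safe_report(exc):
    """Names only: one 'Class>>method' entry per frame; locals and message are never read."""
    report = []
    for frame in frames_of(exc):
        code = frame.f_code
        qual = getattr(code, "co_qualname", code.co_name)  # co_qualname needs Python 3.11+
        owner, _, name = qual.rpartition(".")
        report.append(f"{owner}>>{name}" if owner else name)
    return report

def naive_report(exc):
    """A careless reporter: exception message plus every frame's local variables."""
    lines = [repr(exc)]
    for frame in frames_of(exc):
        lines.append(f"{frame.f_code.co_name} {dict(frame.f_locals)!r}")
    return "\n".join(lines)

def capture():
    """Trigger the failure and build both reports from the same exception."""
    try:
        ZnEasyLike().get(URL, USER, PASSWORD)
    except ConnectionError as exc:
        return safe_report(exc), naive_report(exc)

if __name__ == "__main__":
    safe, naive = capture()
    print("\n".join(safe))
```
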