> On 08 Dec 2014, at 17:12, Marcus Denker <marcus.den...@inria.fr> wrote:
>
>>
>> On 08 Dec 2014, at 16:34, Tommaso Dal Sasso <tommaso.dalsa...@gmail.com> wrote:
>>
>>
>> On 08/12/14 14:47, Sven Van Caekenberghe wrote:
>>> Hi Tommaso,
>>>
>>> I think this is a cool initiative, many environments have something
>>> similar, so this is a welcome addition.
>>>
>>> However, you must be clearer about the security implications (and/or tell
>>> us how these concerns are dealt with in other places). Say I execute:
>>>
>>> ZnEasy
>>>   get: 'http://zn.stfx.eu/nuclear-launch-codes.txt'
>>>   username: 'barak.ob...@whitehouse.gov'
>>>   password: 'michele'.
>>>
>>> This will leave sensitive hosts, ports, URIs, usernames and above all
>>> passwords on the stack. Will these be reported/uploaded as well ?
>>>
>> Hi Sven,
>>
>> you are right, I stressed the idea when I first presented ShoreLine Reporter
>> to the mailing list but it is important to be clear: We do not collect any
>> kind of sensitive data. The stack trace we collect is in text in the format
>> ClassName>>methodSignature:, to be sure that we exclude any parameter,
>> password or repository.
>>
>> In addition to the stack trace, we collect the author name, the date and the
>> pharo version, to cluster the data and have an idea of the evolution of the
>> system during time.
>>
>
> We should add this explanation to the tool itself…
>
> Marcus

Yes, and maybe also show the actual stack trace and other info that will be sent in a dialog so that the user can see precisely what gets shared.
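
The report format discussed in this thread, modelled as an added example that is not part of the original messages and is not ShoreLine Reporter's code: each frame is reduced to `ClassName>>selector`, every emitted line is checked against a strict grammar, and the resulting text is exactly what a preview dialog would show. The frame dictionaries, function names and sample values are assumptions constructed for illustration.

```python
import re

# Grammar for one report line: "ClassName" or "ClassName class", then ">>",
# then a unary, keyword or binary selector. Anything else is rejected.
_CLASS = r"[A-Z][A-Za-z0-9_]*(?: class)?"
_SELECTOR = (r"(?:[A-Za-z_][A-Za-z0-9_]*"        # unary:   execute
             r"|(?:[A-Za-z_][A-Za-z0-9_]*:)+"    # keyword: get:username:password:
             r"|[-+*/\\<>=~@%&?,|]+)")           # binary:  ->
FRAME_LINE = re.compile(rf"{_CLASS}>>{_SELECTOR}")

def frame_line(frame):
    """Render one frame from its class name and selector only; args are never read."""
    line = f"{frame['class']}>>{frame['selector']}"
    if not FRAME_LINE.fullmatch(line):
        raise ValueError(f"frame does not fit ClassName>>selector: {line!r}")
    return line

def build_report(frames, author, date, version):
    """Return the exact text that would be sent, so it can be shown before sending."""
    header = [f"author: {author}", f"date: {date}", f"version: {version}"]
    return "\n".join(header + [frame_line(f) for f in frames])

def leaked_values(report, frames):
    """List argument values held in the frames that appear anywhere in the report."""
    return [a for f in frames for a in f["args"] if str(a) in report]

# Constructed sample: frames as a debugger might hold them, arguments included.
SAMPLE_FRAMES = [
    {"class": "ZnEasy class", "selector": "get:username:password:",
     "args": ["http://host.example.invalid/file.txt",
              "user@example.invalid", "constructed-secret"]},
    {"class": "ZnClient", "selector": "execute", "args": []},
    {"class": "UndefinedObject", "selector": "DoIt", "args": []},
]

if __name__ == "__main__":
    report = build_report(SAMPLE_FRAMES, "ExampleAuthor", "2014-12-08", "Pharo4.0")
    print(report)                      # the text a preview dialog would display
    print("leaked:", leaked_values(report, SAMPLE_FRAMES))
```

The grammar check is what turns "we exclude any parameter" into something enforced: a frame whose selector field carries a value (for example a printed argument) raises instead of being uploaded.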