Public bug reported:

Binary package hint: lshw

Running `lshw -version` results in a query to the ezix.org domain. This behavior was noticed during a security audit. Please engage me in discussion on this ticket before closing it or marking it invalid.

The attached `tcpdump` transcript is a concrete example of the suspect network activity. The attached patch removes this surprising and unnecessary addition to the lshw package.

The first problem with this behavior is that silent network activity on --version is unexpected and breaks behavior conventions. Is it appropriate for an individual program in Ubuntu main to tell its upstream developer "I'm running on this computer" when the program does not need network access to do its job?

The second problem is that the packaging system should be responsible for reporting software updates. Other software like Firefox and XMMS usually have automatic upstream version checking disabled, especially if the package is in the main repository.

** Affects: lshw (Ubuntu)
Importance: Undecided
Status: New

--
lshw 02.12.01-2 phones home (with tcpdump example)
https://bugs.launchpad.net/bugs/208399
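An audit check for the behaviour reported above, as an added example that is not part of the original bug report or of lshw: it scans `tcpdump` text output captured while a command runs and lists every DNS name that was queried. The capture lines are constructed, including the `placeholder` host label and the `A` query type (the report names only the ezix.org domain), the function names are hypothetical, and tcpdump's default timestamp format is assumed.

```python
import re

# tcpdump prints a DNS query as:
#   <time> IP <src>.<port> > <resolver>.53: <id>+ <QTYPE>? <name>. (<len>)
# Responses travel from port 53 to the client, so they do not match.
DNS_QUERY = re.compile(
    r"^\S+ IP6? \S+ > \S+\.(?:53|domain): "
    r"\d+[+%]*\s+(?:\[[^\]]*\]\s+)?(?P<qtype>[A-Za-z0-9]+)\? "
    r"(?P<name>\S+?)\.? \(\d+\)\s*$"
)

# Constructed capture (not the transcript attached to the bug report).
SAMPLE = """\
10:15:01.000100 IP 192.0.2.10.40112 > 192.0.2.53.53: 4660+ A? placeholder.ezix.org. (38)
10:15:01.020400 IP 192.0.2.53.53 > 192.0.2.10.40112: 4660 1/0/0 A 192.0.2.80 (54)
10:15:02.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
"""


def dns_queries(capture_text):
    """Return (qtype, name) for every DNS query line in tcpdump text output."""
    found = []
    for line in capture_text.splitlines():
        m = DNS_QUERY.match(line.strip())
        if m:
            found.append((m.group("qtype"), m.group("name").lower()))
    return found


def unexpected_lookups(capture_text, allowed_suffixes=()):
    """Return queried names that fall outside the allowed domain suffixes.

    For a command that should work offline (such as a version flag),
    leave allowed_suffixes empty so that any lookup is flagged.
    """
    allowed = [s.lower().strip(".") for s in allowed_suffixes]
    flagged = []
    for _qtype, name in dns_queries(capture_text):
        ok = any(name == s or name.endswith("." + s) for s in allowed)
        if not ok and name not in flagged:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in unexpected_lookups(SAMPLE):
        print("unexpected DNS lookup:", name)
```
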