** Changed in: desktopcouch
Status: New => Fix Committed
** Changed in: desktopcouch (Ubuntu)
Status: New => Fix Released
** Changed in: desktopcouch
Status: Fix Committed => Fix Released
--
Replication log contains token and token secret so can't be pastebinned
desktopcouch already does what it can and never logs secrets. I don't
think it's worth trying to hide secrets in logs that we don't generate.
We might miss some format, and expose secrets to the public, so the only
safe option is to make all bugs private until we examine them.
Marking this as
I believe this bug report says that the replication token contains the
secrets. So it does, if the server replies with a server error response.
Pastebinning this response would disclose personal tokens. So I believe
either such messages need to be placed in some kind of private log and
only
The secret tokens can still be seen in CouchDB error messages.
See bug #533769 on how to trigger such message.
Reopening.
** Changed in: desktopcouch
Status: Fix Released => New
** Changed in: desktopcouch (Ubuntu)
Status: Fix Committed => New
--
Replication log contains token and
This bug was about sanitizing the secret tokens out of log messages.
That code is working as intended. Bug #533769 shows that the log
messages do have the secret tokens scrubbed. That bug also shows that an
Erlang crash dump still contains the secret tokens, which have not been
scrubbed.
Regardless
Never mind, I'm on crack: I had somehow got it into my head that the
obfuscating code created realistic-looking secrets, which it does not.
Instead I was looking at a version which did not have this fixed yet,
and hence included actual keys in the replication log.
--
Replication log contains
So this can be marked fix released as soon as 0.6.1 hits the archives.
--
Replication log contains token and token secret so can't be pastebinned
https://bugs.launchpad.net/bugs/460974
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.
--
Chad, this code needs to be released in Karmic, as people are
inadvertently sharing their tokens when pasting their logs.
** Also affects: desktopcouch (Ubuntu)
Importance: Undecided
Status: New
** Changed in: desktopcouch (Ubuntu)
Assignee: (unassigned) => Chad Miller (cmiller)
Never mind, it was released, the scare was all for nothing: your code
replaces the actual tokens by things that still look like tokens. I
thought nothing of it when I reviewed, but it would be MUCH better to
replace them by strings of *s or something to make it clear they have
been scrambled, so as
Ah, and it is *not* in karmic yet, so in fact the user *was* revealing
their real tokens. It was just less obvious because of the obfuscation:
Chad, could you change it to something more obvious and *then* land that
fix in karmic?
** Changed in: desktopcouch (Ubuntu)
Status: Fix Released =>