Your message dated Wed, 7 Apr 2010 20:21:58 +0200
with message-id <[email protected]>
and subject line Re: [Reportbug-maint] Bug#576828: reportbug should warn
reporter on about to be sent text including passwords
has caused the Debian Bug report #576828,
regarding reportbug should warn reporter on about to be sent text including
passwords
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
576828: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576828
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: reportbug
Version: 4.11
Severity: wishlist
Hi, it would be a good idea for reportbug to warn of or by default
strip passwords from report messages including attached files (e.g.
text on the same line as a case insensitive match on password) as
Google indexes Debian bug reports very quickly and it would be
trivial to use Google to harvest passwords inadvertently included
in a bug report.
-- Package-specific info:
** Environment settings:
INTERFACE="text"
** /home/amarsh04/.reportbugrc:
reportbug_version "3.5"
mode standard
ui text
realname "Arthur Marsh"
email "[email protected]"
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32 (SMP w/1 CPU core; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages reportbug depends on:
ii apt 0.7.25.3 Advanced front-end for dpkg
ii python 2.5.4-9 An interactive high-level object-o
ii python-reportbug 4.11 Python modules for interacting wit
reportbug recommends no packages.
Versions of packages reportbug suggests:
ii debconf-utils 1.5.30 debconf utilities
pn debsums <none> (no description available)
pn dlocate <none> (no description available)
ii emacs22-bin-common 22.3+1-1.2 The GNU Emacs editor's shared, arc
ii exim4 4.71-4 metapackage to ease Exim MTA (v4)
ii exim4-daemon-light [ 4.71-4 lightweight Exim MTA (v4) daemon
ii file 5.04-2 Determines file type using "magic"
ii gnupg 1.4.10-3 GNU privacy guard - a free PGP rep
ii python-gtk2 2.16.0-2 Python bindings for the GTK+ widge
pn python-gtkspell <none> (no description available)
pn python-urwid <none> (no description available)
ii python-vte 1:0.24.0-1 Python bindings for the VTE widget
ii xdg-utils 1.0.2+cvs20100307-1 desktop integration utilities from
-- debconf-show failed
--- End Message ---
--- Begin Message ---
tags 576828 wontfix
thanks
Hello Arthur,
>>> Hi, it would be a good idea for reportbug to warn of or by default
>>> strip passwords from report messages including attached files (e.g.
>>> text on the same line as a case insensitive match on password) as
>>> Google indexes Debian bug reports very quickly and it would be
>>> trivial to use Google to harvest passwords inadvertently included
>>> in a bug report.
>>
>> Are you referring to reportbug itself, when it includes the
>> ~/.reportbugrc file and the password there contained? or are you
>> referring to a general case, where a user inserts username/password
>> into the bug report?
>
> Yes, where a username/password gets inserted into the bug report is one of
> the cases I was thinking of.
Sorry, this is far too complex to detect in a barely reliable solution;
I don't want even to think how to do it properly. If a user inserts
his own password in a public bug report then... it's his problem: there
is no tool to prevent stupidity.
>> or (last option :) are you referring to other
>> packages that includes their configuration files into the bug report?
>>
>> Regards,
>
> Yes, I was also thinking of configuration files that might be included
> (either manually as attachments by the reporter or automatically as part of
> the configuration information that reportbug gathers for a particular
> package).
They are two different points:
- if it's attached by the user, see above
- if it's inserted by the package bug script, then it's a bug in that
package and you should report it directly to it.
> Packages that communicate with mobile telephone handsets (e.g.
> gammu/wammu/gnokii) might also need some special attention to warn/remove
> data that should not be public. It can be very easy to send a bug report
> without thinking, and impossible to "unsend" a bug report once it is indexed
> by Google and friends.
Then again, the package has a broken/wrong bug script and it has to be fixed.
Sorry, I can't implement anything useful in reportbug; but I encourage
you to report such problems directly to the packages involved.
Regards,
--
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi
--- End Message ---
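The following is an added example, not code from reportbug or from either participant in the thread. It implements the reporter's heuristic (warn on any line with a case-insensitive match on "password", widened here, as an assumption, to passwd/passphrase/secret/token/api-key) as a warn-only pass and as a strip-by-default pass, and runs both over a constructed sample so that the false positive and the false negative the maintainer's reply points to are visible. smtppasswd is reportbug's own setting name; every other line in the sample is invented.

```python
"""Pre-submit scrubber for text about to go into a public bug report.

Illustrates the two things argued over in this bug: the reporter's
heuristic (warn on any line with a case-insensitive match on "password",
here widened to a few synonyms) and how little such a heuristic can
promise. Added example only; reportbug does not contain this code.
"""
import re

# Words that suggest a secret. The reporter's rule is just "password";
# passwd/passphrase/secret/token/api-key are added here as an assumption.
SECRET_WORDS = r"passw(?:or)?d|passphrase|secret|token|api[_-]?key"
FLAG_RE = re.compile(SECRET_WORDS, re.IGNORECASE)

# key = value / key: value / key "value", where the key contains a secret
# word (so smtppasswd and DB_PASSWORD both count). The separator is kept
# to spaces and tabs so a match never runs onto the next line. Values
# containing whitespace, even inside quotes, are deliberately not handled.
ASSIGN_RE = re.compile(
    r"\b(?P<key>\w*?(?:" + SECRET_WORDS + r")\w*)"
    r"(?P<sep>[ \t]*[=:][ \t]*|[ \t]+)"
    r"(?P<q>[\"']?)(?P<val>[^\"'\s]+)(?P=q)",
    re.IGNORECASE,
)


def flag_lines(text):
    """Warn-only variant: (line number, line) for every line a human
    should look at before the report is sent."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if FLAG_RE.search(line)]


def redact(text):
    """Strip-by-default variant: keep the key so the maintainer still
    sees which setting is involved, replace the value."""
    def repl(m):
        return f"{m['key']}{m['sep']}{m['q']}<redacted>{m['q']}"
    return ASSIGN_RE.sub(repl, text)


# Constructed sample: a fake ~/.reportbugrc followed by fake attachment
# lines. smtppasswd is reportbug's setting name; the rest is invented.
# Line 6 is a PAM-style line (keyword, no secret), line 7 carries a
# base64 user:password with no keyword, line 8 a handset PIN with no
# keyword, line 9 ordinary prose that happens to contain "password".
SAMPLE = """\
# constructed ~/.reportbugrc, not the reporter's real file
reportbug_version "3.5"
smtpuser "auser"
smtppasswd "hunter2"
# constructed attachment lines
password required pam_unix.so nullok
Authorization: Basic dXNlcjpodW50ZXIy
pin = 1234
My password dialog hangs on login
"""

if __name__ == "__main__":
    for n, line in flag_lines(SAMPLE):
        print(f"line {n}: {line}")
    print(redact(SAMPLE))
```

Running it flags lines 4, 6 and 9 and redacts the smtppasswd value, which is the case the reporter had in mind; it also redacts the word "required" in the PAM line and "dialog" in the prose line (false positives that would mangle a report), while the base64 credential and the PIN go through untouched (false negatives). That asymmetry is the practical content of the maintainer's "barely reliable" objection: a keyword rule is cheap as a warning prompt, but as a silent default it damages legitimate text without closing the leak.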