On Wed, Jan 21, 2009 at 12:36:39AM -0600, Manoj Srivastava wrote:
>         ucf has no way of knowing whether the data it is being asked to
>  diff has passwords or other sensitive information; and since it is
>  required by policy to use debconf for all user interaction, it _has_ to
>  send the diff through debconf.
> 
>         As suggested in the report already, this can be best fixed by
>  debconf tightening up the permissions on the temporary internal files
>  it uses for the interaction, so forwarding.

This would be terribly inconvenient for us. It's often necessary to ask
users for their config.dat files in order to diagnose bugs; if it
potentially contained sensitive data, we wouldn't be able to do that
anywhere near as easily. config.dat does not generally contain anything
else sensitive, and we already split passwords out into a separate
database file for exactly this reason. I don't think there's anything
else in config.dat that we need to be rampantly paranoid about; ucf is
the only thing I can think of that routinely dumps chunks of
miscellaneous files into it.

How about if we added a separate database just for ucf? The debconf.conf
stanza could look something like this:

  Name: ucf
  Driver: File
  Mode: 600
  Backup: false
  Required: false
  Accept-Name: ^ucf/
  Filename: /var/cache/debconf/ucf.dat

(Alternatively, we could add a new private-note type. I kind of dislike
the idea of type explosion if we don't have to, though.)

Joey, what do you think of this? I'd rather not add a new database
unilaterally.

-- 
Colin Watson                                       [cjwat...@debian.org]
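Added example, not code from debconf, ucf or this thread: it models the routing that the stanza above relies on, so the "before" (ucf notes in the 644 config.dat) and "after" (ucf notes in a 600 ucf.dat) can be compared, and it includes the check to run on an existing config.dat. The model is an assumption: the Stack driver is taken to hand each item to the first member whose Accept-Name/Reject-Name (regexes) and Accept-Type/Reject-Type (exact) filters admit it; under that model the ucf database has to come before config in the stack, or config needs a Reject-Name, or config keeps accepting ucf items. The stock-style config/passwords stanzas, the stack order "ucf, passwords, config", the item type "note" for ucf/show_diff and the password-bearing DIFF variable in the config.dat excerpt are constructed for the example.

```python
"""Which debconf database an item lands in, and whether that file is
world-readable. Added example, not debconf's or ucf's own code: it models
the Stack driver as "first member whose Accept-*/Reject-* filters admit
the item" (an assumption) over constructed debconf.conf/config.dat text."""
import re

# Constructed stanzas: _BASE mirrors the stock config/passwords split,
# _UCF is the database proposed in the mail, put first in the stack.
_BASE = """\
Config: configdb

Name: config
Driver: File
Mode: 644
Reject-Type: password
Filename: /var/cache/debconf/config.dat

Name: passwords
Driver: File
Mode: 600
Accept-Type: password
Filename: /var/cache/debconf/passwords.dat

"""
_UCF = """\
Name: ucf
Driver: File
Mode: 600
Backup: false
Required: false
Accept-Name: ^ucf/
Filename: /var/cache/debconf/ucf.dat

"""
STOCK_CONF = _BASE + "Name: configdb\nDriver: Stack\nStack: config, passwords\n"
PROPOSED_CONF = (_BASE + _UCF
                 + "Name: configdb\nDriver: Stack\nStack: ucf, passwords, config\n")

# Constructed config.dat excerpt: a ucf diff note carrying a password line.
SAMPLE_CONFIG_DAT = """\
Name: ucf/show_diff
Template: ucf/show_diff
Value:
Owners: ucf
Variables:
 DIFF = -password = hunter2\\n+password = correct-horse

Name: example/enable_foo
Template: example/enable_foo
Value: true
Owners: example
"""

def parse_stanzas(text):
    """Split RFC822-style text into dicts; indented lines continue a key."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last:
            cur[last] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            last = key.strip()
            cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas

def databases(conf_text):
    """Map every named stanza of a debconf.conf to its settings."""
    return {s["Name"]: s for s in parse_stanzas(conf_text) if "Name" in s}

def accepts(db, item_name, item_type):
    """Accept-Name/Reject-Name are regexes; Accept-Type/Reject-Type exact."""
    if "Accept-Name" in db and not re.search(db["Accept-Name"], item_name):
        return False
    if "Reject-Name" in db and re.search(db["Reject-Name"], item_name):
        return False
    if "Accept-Type" in db and db["Accept-Type"] != item_type:
        return False
    if "Reject-Type" in db and db["Reject-Type"] == item_type:
        return False
    return True

def route(dbs, stack_name, item_name, item_type):
    """Name of the first stack member that accepts the item, else None."""
    for member in dbs[stack_name]["Stack"].split(","):
        member = member.strip()
        if accepts(dbs[member], item_name, item_type):
            return member
    return None

def exposure(conf_text, item_name, item_type):
    """(database, Mode, world-readable?) for where an item would be stored."""
    dbs = databases(conf_text)
    target = route(dbs, "configdb", item_name, item_type)
    mode = dbs[target].get("Mode", "644")
    return target, mode, bool(int(mode, 8) & 0o004)

def misplaced_items(config_dat_text, name_re=r"^ucf/"):
    """Item names in a (world-readable) config.dat that should be elsewhere."""
    return [s["Name"] for s in parse_stanzas(config_dat_text)
            if "Name" in s and re.search(name_re, s["Name"])]
```

exposure(STOCK_CONF, "ucf/show_diff", "note") comes back as config/644/world-readable, exposure(PROPOSED_CONF, ...) as ucf/600; a password-typed item still goes to passwords.dat and an ordinary boolean still goes to config.dat. misplaced_items() is the check for an existing machine: any ucf/ item it lists from config.dat is still sitting in the 644 file, whatever the new stanza says.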