You have been subscribed to a public bug: Binary package hint: tomboy
Tomboy writes a log file at ~/.tomboy.log. If the user is using webdav to synchronize notes to a server, then the log file contains the full command-line for "wdfs", including the user's password. Although the permissions on the file are -rw-r-----, this still seems like poor security. If tomboy is launched from the command-line, then the password also appears in the terminal. For clarification: (1) tomboy does require that the password be stored in the user's keyring, in such a way that it is unlocked at login. So anyone who has access to the user's gnome desktop has access to the plaintext password anyway (just open up "seahorse", and view the password). But still, the user shouldn't expect the password to be written to disk. (2) wdfs is (I think) not part of the ubuntu distribution yet, so this functionality is not available in tomboy in a default install. Only users who seek out wdfs are affected. ** Affects: tomboy Importance: Unknown Status: Unknown ** Affects: tomboy (Ubuntu) Importance: Low Assignee: Ubuntu Desktop Bugs (desktop-bugs) Status: Triaged -- Tomboy leaves passwords in log file https://bugs.edge.launchpad.net/bugs/207910 You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is a bug assignee. -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs