Since I haven’t received any answer on GitHub, I’d like to raise an important CouchDB Fauxton security question publicly.
One of the latest Fauxton PRs (https://github.com/apache/couchdb-fauxton/pull/1284) adds a remote newsfeed to Fauxton. Emitting a newsfeed in the admin panel in that way may lead to IP collection of CouchDB instances (or subnets, which is even worse) somewhere. Where is this ‘somewhere’ located? Pinging blog.couchdb.org shows it points to lb.wordpress.com, which seems a bit ridiculous.

CouchDB instances are not uncommon for very critical parts of infrastructure and security projects, and I doubt anyone wants to expose node IPs to _whatever_ logs, especially wordpress.com. So I’d like to ask devs and users: does anyone think adding news to the admin panel is worth creating such a security hole?

ermouth