> On 08 Dec 2014, at 16:34, Tommaso Dal Sasso <[email protected]>
> wrote:
>
>
> On 08/12/14 14:47, Sven Van Caekenberghe wrote:
>> Hi Tommaso,
>>
>> I think this is a cool initiative, many environments have something similar,
>> so this is a welcome addition.
>>
>> However, you must be clearer about the security implications (and/or tell us
>> how these concerns are dealt with in other places). Say I execute:
>>
>> ZnEasy
>> get: 'http://zn.stfx.eu/nuclear-launch-codes.txt'
>> username: '[email protected]'
>> password: 'michele'.
>>
>> This will leave sensitive hosts, ports, URIs, usernames and above all
>> passwords on the stack. Will these be reported/uploaded as well?
>>
> Hi Sven,
>
> you are right, I stressed the idea when I first presented ShoreLine Reporter
> to the mailing list but it is important to be clear: We do not collect any
> kind of sensitive data. The stack trace we collect is in text in the format
> ClassName>>methodSignature:, to be sure that we exclude any parameter,
> password or repository.
>
> In addition to the stack trace, we collect the author name, the date and the
> Pharo version, to cluster the data and have an idea of the evolution of the
> system over time.
>
We should add this explanation to the tool itself…
Marcus
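
The ClassName>>methodSignature: format described in this thread can be checked in a Pharo Playground with the sketch below. It is an added example, not ShoreLine Reporter's code and not part of the original messages; frameLabel, login, labels and leakedArgument are hypothetical names, and the failing call is a constructed stand-in for a network request that takes credentials.

```smalltalk
"Added example for a Pharo Playground. frameLabel, login, labels and
 leakedArgument are hypothetical names; this is not ShoreLine Reporter's code."
| frameLabel login labels leakedArgument |

"Reduce one stack frame to ClassName>>selector. Only the method's class and
 selector are read; the receiver, arguments and temporaries are never touched."
frameLabel := [ :ctx | ctx methodClass name , '>>' , ctx selector ].

"Constructed stand-in for a failing network call that takes credentials."
login := [ :user :password | Error new signal: 'connection refused' ].

[ login value: 'someone' value: 'michele' ]
	on: Error
	do: [ :err |
		"The live frame still holds the password as its second argument..."
		leakedArgument := err signalerContext tempAt: 2.
		"...but the textual trace built from the labels does not."
		labels := err signalerContext stack collect: frameLabel ].

"The secret is reachable from the context object itself."
self assert: leakedArgument = 'michele'.
"No label carries the secret, and every label has the Class>>selector shape."
self assert: (labels noneSatisfy: [ :each | each includesSubstring: 'michele' ]).
self assert: (labels allSatisfy: [ :each | each includesSubstring: '>>' ]).
```

The first assertion shows why a reporter has to build its text from the class and selector only: the context object itself still gives access to every argument of the call.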