Bug#823004: gplaycli: sensitive information in config file
On Wed, 23 Aug 2017 14:00:55 +0200 Matlink wrote:

> Well, this issue has been fixed in the github repository since the
> version 0.2.2 of gplaycli. Instead of using email and password for
> credentials, gplaycli will fetch a server to get a token that will be
> used for further authentication. Thus, gplaycli no longer needs to ship
> sensitive information in the configuration file.
>
> See https://github.com/matlink/gplaycli
>
> However, I'm a bit messed up with the debian way to provide .deb
> packages, that's why the debian repo of gplaycli has been abandoned
> quite long time ago. Gplaycli is now at version 0.2.10 and I'll be
> glad to be helped to update the debian upstream repository.
>

Someone offered their help in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871828

I'll see if I too can spend some time on gplaycli packaging myself.

Thanks,
   Antonio

--
Antonio Ospite
https://ao2.it
https://twitter.com/ao2it

A: Because it messes up the order in which people normally read text.
   See http://en.wikipedia.org/wiki/Posting_style
Q: Why is top-posting such a bad thing?
Bug#823004: gplaycli: sensitive information in config file
Well, this issue has been fixed in the github repository since the
version 0.2.2 of gplaycli. Instead of using email and password for
credentials, gplaycli will fetch a server to get a token that will be
used for further authentication. Thus, gplaycli no longer needs to ship
sensitive information in the configuration file.

See https://github.com/matlink/gplaycli

However, I'm a bit messed up with the debian way to provide .deb
packages, that's why the debian repo of gplaycli has been abandoned
quite long time ago. Gplaycli is now at version 0.2.10 and I'll be
glad to be helped to update the debian upstream repository.

On 23/08/2017 at 11:37, Antonio Ospite wrote:
> Package: gplaycli
> Version: 0.2.1-1
> Followup-For: Bug #823004
>
> Dear Maintainer,
>
> Ping.
>
> See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871828
>
> I verified that newer versions work fine by cloning the upstream git
> repo and running ./gplaycli/gplaycli using the debian dependencies of
> the 0.2.1-1 package.
>
> Thanks,
>    Antonio
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unstable
>   APT policy: (900, 'unstable'), (500, 'unstable-debug')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.12.0-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8),
> LANGUAGE=it_IT.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages gplaycli depends on:
> ii  androguard              2.0-3
> ii  python                  2.7.13-2
> ii  python-clint            0.5.1-1
> ii  python-ndg-httpsclient  0.4.2-1
> ii  python-protobuf         3.0.0-9
> ii  python-pyasn1           0.1.9-2
> ii  python-requests         2.18.1-1
>
> Versions of packages gplaycli recommends:
> ii  dummydroid    1.1-1
> pn  fdroidserver
>
> gplaycli suggests no packages.
>
> -- no debconf information

--
Matlink - Sysadmin matlink.fr
Go out protected, encrypt your emails: https://café-vie-privée.fr/
XMPP/Jabber: matl...@matlink.fr
PGP public key: 0x186BB3CA
Off-the-record fingerprint: 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
Bug#823004: gplaycli: sensitive information in config file
Package: gplaycli
Version: 0.2.1-1
Followup-For: Bug #823004

Dear Maintainer,

Ping.

See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871828

I verified that newer versions work fine by cloning the upstream git
repo and running ./gplaycli/gplaycli using the debian dependencies of
the 0.2.1-1 package.

Thanks,
   Antonio

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (500, 'unstable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.12.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8), LANGUAGE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gplaycli depends on:
ii  androguard              2.0-3
ii  python                  2.7.13-2
ii  python-clint            0.5.1-1
ii  python-ndg-httpsclient  0.4.2-1
ii  python-protobuf         3.0.0-9
ii  python-pyasn1           0.1.9-2
ii  python-requests         2.18.1-1

Versions of packages gplaycli recommends:
ii  dummydroid    1.1-1
pn  fdroidserver

gplaycli suggests no packages.

-- no debconf information

--
Antonio Ospite
https://ao2.it
https://twitter.com/ao2it

A: Because it messes up the order in which people normally read text.
   See http://en.wikipedia.org/wiki/Posting_style
Q: Why is top-posting such a bad thing?
Bug#823004: gplaycli: sensitive information in config file
On Mon, 2017-03-27 at 14:57 +0200, Matlink wrote:

> A token authentication is now provided. By default, gplaycli will
> retrieve a token from a server I control, and use it to talk with the
> Google servers.

Seems like a reasonable compromise.

I think you probably want to drop gmail_password from the default
configuration file and change the password again?

Would it be possible to serve it on the same domain as your website
instead of a subdomain? TLS SNI means gplaycli basically says "I'm
getting a gplaycli token!" in plaintext on the network all the time.
This would need another release to change the default token server.

Please update your webserver and token-dispenser config to disable
logging of all requests to the token server.

> I hope this version will be added to stretch since it fixes that RC
> bug, if everyone agrees.

The changes seem suitable for Debian stretch to me. Once it gets
uploaded to Debian, you will need to file an unblock:

https://release.debian.org/testing/freeze_policy.html

--
bye,
pabs

https://wiki.debian.org/PaulWise
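
[Added example, not part of the thread and not gplaycli or Debian code.] A packaging-time check for the point raised in the message above: a shipped default credentials.conf should carry no populated account secrets, and a token server URL should use HTTPS. Only the key name gmail_password comes from the thread; the [Credentials] section, the other key names and both sample files are assumptions constructed for illustration.

```python
import configparser
from urllib.parse import urlparse

# "gmail_password" is named in the thread; the other key names are assumed.
SECRET_KEYS = {"gmail_address", "gmail_password", "android_id"}
URL_KEYS = {"token_url"}
# Values that count as "not filled in" for a shipped default.
EMPTY_VALUES = {"", "none", "changeme"}


def audit_default_config(text):
    """Return sorted (kind, section, key) findings for a shipped default config."""
    # interpolation=None: a '%' inside a password must not be parsed as a reference.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        # configparser lower-cases option names, so android_ID becomes android_id.
        for key, value in parser.items(section):
            value = value.strip().strip("'\"")
            if key in SECRET_KEYS and value.lower() not in EMPTY_VALUES:
                findings.append(("populated-secret", section, key))
            elif key in URL_KEYS and value and urlparse(value).scheme != "https":
                findings.append(("non-https-token-url", section, key))
    return sorted(findings)


# Constructed sample: a default file shipping a shared account (the reported bug).
SHIPPED_WITH_CREDENTIALS = """
[Credentials]
gmail_address = shared-account@example.com
gmail_password = constructed-password
android_ID = 0123456789abcdef
"""

# Constructed sample: token mode, option names kept but left empty.
SHIPPED_TOKEN_MODE = """
[Credentials]
gmail_address =
gmail_password =
token = True
token_url = https://token.example.org/token
"""

if __name__ == "__main__":
    for name, sample in (("with credentials", SHIPPED_WITH_CREDENTIALS),
                         ("token mode", SHIPPED_TOKEN_MODE)):
        print(name, audit_default_config(sample))
```

Run against the file a package installs under /etc, a non-empty result is a reason to fail the build. The check says nothing about SNI exposure or server-side logging, which are properties of the token server rather than of the file.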
Bug#823004: gplaycli: sensitive information in config file
The new version (https://github.com/matlink/gplaycli/releases/tag/0.2.2)
fixes this issue.

A token authentication is now provided. By default, gplaycli will
retrieve a token from a server I control, and use it to talk with the
Google servers. In that way, username and password are not used anymore.
I kept them in the credentials.conf file to let users know which options
are available.

I hope this version will be added to stretch since it fixes that RC bug,
if everyone agrees.

On 13/11/2016 at 10:53, Matlink wrote:
>
> Another solution would be to tell gplaycli to fetch the credentials
> from a server. In this case, when the credentials are changed, I just
> have to change this file on the server and every instance of gplaycli
> will fetch this file and have the new credentials.
>
> Pros:
>
>   * no need to update gplaycli when credentials change
>   * transparent for users
>
> Cons:
>
>   * gplaycli is dependent to a server
>   * the server is aware of every gplaycli instance (privacy issues)
>
>
>
> On 09/11/2016 at 09:53, matlink wrote:
>> I understand. We're looking for a solution that won't remove them and
>> prevent anyone except me to change the password.
>>
>>
>> On 09/11/2016 at 09:43, Paul Wise wrote:
>>> On Wed, 2016-11-09 at 08:20 +0100, Matlink wrote:
>>> there is a potential big issue with providing default credentials
>>> The default shared credentials are the main advantage of this package.
>>> I wouldn't have any reason to use it without them.
>>>
>
> --
> Matlink - Sysadmin matlink.fr
> Go out protected, encrypt your emails: https://café-vie-privée.fr/
> XMPP/Jabber: matl...@matlink.fr
> PGP public key: 0x186BB3CA
> Off-the-record fingerprint: 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
Bug#823004: gplaycli: sensitive information in config file
On Wed, 2016-11-09 at 12:42 +0800, Paul Wise wrote:

> I suggest this bug report be closed wontfix.

This bug has now caused gplaycli to be removed from Debian stretch.

Is there any progress to report?

--
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#823004: gplaycli: sensitive information in config file
On Sun, 2016-11-13 at 10:53 +0100, Matlink wrote:

> Another solution would be to tell gplaycli to fetch the credentials
> from a server. In this case, when the credentials are changed, I just
> have to change this file on the server and every instance of gplaycli
> will fetch this file and have the new credentials.

You could combine the two options. Keep the credentials in gplaycli and
release new versions when they change. When gplaycli detects that the
default credentials are in use and that the default credentials are
incorrect, then get the new default credentials (over Tor if possible).

--
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#823004: gplaycli: sensitive information in config file
Another solution would be to tell gplaycli to fetch the credentials from
a server. In this case, when the credentials are changed, I just have to
change this file on the server and every instance of gplaycli will fetch
this file and have the new credentials.

Pros:

  * no need to update gplaycli when credentials change
  * transparent for users

Cons:

  * gplaycli is dependent to a server
  * the server is aware of every gplaycli instance (privacy issues)

On 09/11/2016 at 09:53, matlink wrote:
> I understand. We're looking for a solution that won't remove them and
> prevent anyone except me to change the password.
>
>
> On 09/11/2016 at 09:43, Paul Wise wrote:
>> On Wed, 2016-11-09 at 08:20 +0100, Matlink wrote:
>>
>>> there is a potential big issue with providing default credentials
>> The default shared credentials are the main advantage of this package.
>> I wouldn't have any reason to use it without them.
>>

--
Matlink - Sysadmin matlink.fr
Go out protected, encrypt your emails: https://café-vie-privée.fr/
XMPP/Jabber: matl...@matlink.fr
PGP public key: 0x186BB3CA
Off-the-record fingerprint: 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
Bug#823004: gplaycli: sensitive information in config file
If we could automatically create a Google account through command line
it would be an acceptable solution.

On 09/11/2016 at 09:53, matlink wrote:
> I understand. We're looking for a solution that won't remove them and
> prevent anyone except me to change the password.
>
>
> On 09/11/2016 at 09:43, Paul Wise wrote:
>> On Wed, 2016-11-09 at 08:20 +0100, Matlink wrote:
>>
>>> there is a potential big issue with providing default credentials
>> The default shared credentials are the main advantage of this package.
>> I wouldn't have any reason to use it without them.
>>

--
Matlink - Sysadmin matlink.fr
Go out protected, encrypt your emails: https://café-vie-privée.fr/
XMPP/Jabber: matl...@matlink.fr
PGP public key: 0x186BB3CA
Off-the-record fingerprint: 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
Bug#823004: gplaycli: sensitive information in config file
Why? Creating a Google account would make gplaycli work. Is that for
privacy?

On 09/11/2016 at 10:18, Paul Wise wrote:
> On Wed, 2016-11-09 at 10:17 +0100, matlink wrote:
>
>> If we could automatically create a Google account through command
>> line it would be an acceptable solution.
> That wouldn't be interesting to me. Only a shared account is useful.
>

--
Matlink - Sysadmin matlink.fr
Go out protected, encrypt your emails: https://café-vie-privée.fr/
XMPP/Jabber: matl...@matlink.fr
PGP public key: 0x186BB3CA
Off-the-record fingerprint: 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
Bug#823004: gplaycli: sensitive information in config file
On Wed, 2016-11-09 at 10:17 +0100, matlink wrote:

> If we could automatically create a Google account through command
> line it would be an acceptable solution.

That wouldn't be interesting to me. Only a shared account is useful.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#823004: gplaycli: sensitive information in config file
I understand. We're looking for a solution that won't remove them and
prevent anyone except me to change the password.

On 09/11/2016 at 09:43, Paul Wise wrote:
> On Wed, 2016-11-09 at 08:20 +0100, Matlink wrote:
>
>> there is a potential big issue with providing default credentials
> The default shared credentials are the main advantage of this package.
> I wouldn't have any reason to use it without them.
>

--
Matlink - Sysadmin matlink.fr
Go out protected, encrypt your emails: https://café-vie-privée.fr/
XMPP/Jabber: matl...@matlink.fr
PGP public key: 0x186BB3CA
Off-the-record fingerprint: 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
Bug#823004: gplaycli: sensitive information in config file
On Wed, 2016-11-09 at 08:20 +0100, Matlink wrote:

> there is a potential big issue with providing default credentials

The default shared credentials are the main advantage of this package.
I wouldn't have any reason to use it without them.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#823004: gplaycli: sensitive information in config file
agree, but there is a potential big issue with providing default
credentials: the google account will be subject to password change, and
the more the package is used the more often this password will be
changed. Password change means for me reset the password, update the
default credentials and maybe update the Debian package.
If someone found an alternate good solution ...

On 9 November 2016 05:42:12 GMT+01:00, Paul Wise wrote:
>On Mon, 7 Nov 2016 19:26:57 +0100 Hans-Christoph Steiner wrote:
>
>> I think the best way forward for this issue is for the gplaycli
>> package to leave out the default credentials.
>
>This will make the package essentially useless.
>I suggest this bug report be closed wontfix.
>
>--
>bye,
>pabs
>
>https://wiki.debian.org/PaulWise

--
Matlink - sysadmin Matlink.fr
Bug#823004: gplaycli: sensitive information in config file
Re,

On 07/11/2016 at 19:03, Lee Garrett wrote:
> Hi,
>
> On 07/11/16 17:56, matlink wrote:
>> Hi Lee,
>>
>> Well the main goal for gplaycli was to provide a noconf and very easy to
>> use command line for downloading apks.
> I totally see the appeal, which is why I'm using it and want to see it in
> good shape in Debian. :)
> I'm personally working towards a way to have a phone without any google apps.
>
>> Creating a google account is for some people not the best idea, because
>> they either disagree with their ToS or they don't want to give Google
>> too many infos (AFAIK Google requires a phone number).
> Yes, good point.
>
>> I am totally aware of the issues that providing default credentials
>> includes. Anyway, I am tired of resetting that default credentials'
>> account password because a fool changes it. It's sad to see there are
>> always such persons to mess everything up.
> You can probably avoid people changing the password by activating 2FA. No
> idea if gplaycli still works then, needs to be tested.

If 2FA is enabled, I think that every attempt to connect with gplaycli
will require a second authentication, which is not possible in such a
scenario. I'll give it a try right now, but I'm pretty sure Google will
refuse the connection since 2FA is enabled.

>
>> The approach you give seems interesting, however the simplicity of usage
>> falls down. But I'm ready to get rid of these default credentials. Maybe
>> the github version could provide defaults credentials, and the debian
>> one does not?
> How about the following:
>
> The updated package will ask via debconf if the user wants to provide
> credentials. If confirmed, google user/pass will be accepted and an
> Android ID generated. If denied, it will use your credentials, just as
> currently. In non-interactive installations it'll default to your
> credentials.
>
> We'll provide in a README how to generate the Android ID, in case people
> want to switch to their own credentials. Ideally it should just be adding
> new credentials to /etc/gplaycli/credentials.conf and then just re-run a
> command to generate the Android ID.

I approve, but we will still provide default credentials, then not
resolving the issue of misuse of this google account (password change,
spam, ...).

>
>> I will need to investigate again on how to generate an AndroidID (Racoon
>> does it well, Dummy Droid too, Hans-Christoph Steiner is on the way to
>> package it for debian).
> I'll look around. Last time I attempted it, I spent a few hours.
> Apparently many tools that achieve this have suffered bit rot due to API
> changes.
>
>> To be honest, I'm out of time these days and I don't think it'll go
>> better. Any help is greatly appreciated.
>>
>> Regards,
> Regards,
> Lee
>
>
>> On 07/11/2016 at 17:11, Lee Garrett wrote:
>>> Package: gplaycli
>>> Followup-For: Bug #823004
>>>
>>> Hi Matlink,
>>>
>>> the way gplaycli is shipped makes it problematic for several reasons:
>>> - Sharing account passwords violates Google's ToS
>>> - Someone could abuse that account for spamming via gmail, prompting
>>>   Google to disable the account
>>> - Everyone can change the password (just checked) breaking every
>>>   installation of gplaycli
>>> - It probably makes it easier to track gplaycli users
>>> (probably more problems if I'd dig more)
>>>
>>> So the right approach must be:
>>> Use debconf to ask for google account credentials (no defaults), then
>>> generate the Android ID by some other means. AFAICS this currently
>>> means that another tool needs to be included/packaged to generate this.
>>>
>>> You probably know better what the general approach is, if you could
>>> outline them I'd be more than happy to help with implementing this.
>>>
>>> Bumping the bug severity accordingly.
>>>
>>> Regards,
>>> Lee
>>>
>>> -- System Information:
>>> Debian Release: stretch/sid
>>>   APT prefers testing
>>>   APT policy: (500, 'testing'), (101, 'unstable'), (1, 'experimental')
>>> Architecture: amd64 (x86_64)
>>> Foreign Architectures: i386
>>>
>>> Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
>>> Locale: LANG=en_GB.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>>> Shell: /bin/sh linked to /bin/dash
>>> Init: systemd (via /run/systemd/system)

--
Matlink - Sysadmin matlink.fr
Go out protected, encrypt your emails: https://café-vie-privée.fr/
XMPP/Jabber: matl...@matlink.fr
PGP public key: 0x186BB3CA
Off-the-record fingerprint: 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
Bug#823004: gplaycli: sensitive information in config file
dummydroid is already included in Debian :-D I think the best way forward for this issue is for the gplaycli package to leave out the default credentials. Then make it as easy as possible for people to set up the credentials using dummydroid.
Bug#823004: gplaycli: sensitive information in config file
Hi,

On 07/11/16 17:56, matlink wrote:
> Hi Lee,
>
> Well the main goal for gplaycli was to provide a noconf and very easy to
> use command line for downloading apks.

I totally see the appeal, which is why I'm using it and want to see it in
good shape in Debian. :)
I'm personally working towards a way to have a phone without any google
apps.

> Creating a google account is for some people not the best idea, because
> they either disagree with their ToS or they don't want to give Google
> too many infos (AFAIK Google requires a phone number).

Yes, good point.

> I am totally aware of the issues that providing default credentials
> includes. Anyway, I am tired of resetting that default credentials'
> account password because a fool changes it. It's sad to see there are
> always such persons to mess everything up.

You can probably avoid people changing the password by activating 2FA. No
idea if gplaycli still works then, needs to be tested.

>
> The approach you give seems interesting, however the simplicity of usage
> falls down. But I'm ready to get rid of these default credentials. Maybe
> the github version could provide defaults credentials, and the debian
> one does not?

How about the following:

The updated package will ask via debconf if the user wants to provide
credentials. If confirmed, google user/pass will be accepted and an
Android ID generated. If denied, it will use your credentials, just as
currently. In non-interactive installations it'll default to your
credentials.

We'll provide in a README how to generate the Android ID, in case people
want to switch to their own credentials. Ideally it should just be adding
new credentials to /etc/gplaycli/credentials.conf and then just re-run a
command to generate the Android ID.

> I will need to investigate again on how to generate an AndroidID (Racoon
> does it well, Dummy Droid too, Hans-Christoph Steiner is on the way to
> package it for debian).

I'll look around. Last time I attempted it, I spent a few hours.
Apparently many tools that achieve this have suffered bit rot due to API
changes.

> To be honest, I'm out of time these days and I don't think it'll go
> better. Any help is greatly appreciated.
>
> Regards,

Regards,
Lee

> On 07/11/2016 at 17:11, Lee Garrett wrote:
>> Package: gplaycli
>> Followup-For: Bug #823004
>>
>> Hi Matlink,
>>
>> the way gplaycli is shipped makes it problematic for several reasons:
>> - Sharing account passwords violates Google's ToS
>> - Someone could abuse that account for spamming via gmail, prompting
>>   Google to disable the account
>> - Everyone can change the password (just checked) breaking every
>>   installation of gplaycli
>> - It probably makes it easier to track gplaycli users
>> (probably more problems if I'd dig more)
>>
>> So the right approach must be:
>> Use debconf to ask for google account credentials (no defaults), then
>> generate the Android ID by some other means. AFAICS this currently
>> means that another tool needs to be included/packaged to generate this.
>>
>> You probably know better what the general approach is, if you could
>> outline them I'd be more than happy to help with implementing this.
>>
>> Bumping the bug severity accordingly.
>>
>> Regards,
>> Lee
>>
>> -- System Information:
>> Debian Release: stretch/sid
>>   APT prefers testing
>>   APT policy: (500, 'testing'), (101, 'unstable'), (1, 'experimental')
>> Architecture: amd64 (x86_64)
>> Foreign Architectures: i386
>>
>> Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
>> Locale: LANG=en_GB.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>> Init: systemd (via /run/systemd/system)
>
Bug#823004: gplaycli: sensitive information in config file
Hi Lee,

Well the main goal for gplaycli was to provide a noconf and very easy to
use command line for downloading apks.
Creating a google account is for some people not the best idea, because
they either disagree with their ToS or they don't want to give Google
too many infos (AFAIK Google requires a phone number).

I am totally aware of the issues that providing default credentials
includes. Anyway, I am tired of resetting that default credentials'
account password because a fool changes it. It's sad to see there are
always such persons to mess everything up.

The approach you give seems interesting, however the simplicity of usage
falls down. But I'm ready to get rid of these default credentials. Maybe
the github version could provide defaults credentials, and the debian
one does not?

I will need to investigate again on how to generate an AndroidID (Racoon
does it well, Dummy Droid too, Hans-Christoph Steiner is on the way to
package it for debian).

To be honest, I'm out of time these days and I don't think it'll go
better. Any help is greatly appreciated.

Regards,

On 07/11/2016 at 17:11, Lee Garrett wrote:
> Package: gplaycli
> Followup-For: Bug #823004
>
> Hi Matlink,
>
> the way gplaycli is shipped makes it problematic for several reasons:
> - Sharing account passwords violates Google's ToS
> - Someone could abuse that account for spamming via gmail, prompting
>   Google to disable the account
> - Everyone can change the password (just checked) breaking every
>   installation of gplaycli
> - It probably makes it easier to track gplaycli users
> (probably more problems if I'd dig more)
>
> So the right approach must be:
> Use debconf to ask for google account credentials (no defaults), then
> generate the Android ID by some other means. AFAICS this currently
> means that another tool needs to be included/packaged to generate this.
>
> You probably know better what the general approach is, if you could
> outline them I'd be more than happy to help with implementing this.
>
> Bumping the bug severity accordingly.
>
> Regards,
> Lee
>
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers testing
>   APT policy: (500, 'testing'), (101, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_GB.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)

--
Matlink - Sysadmin matlink.fr
Go out protected, encrypt your emails: https://café-vie-privée.fr/
XMPP/Jabber: matl...@matlink.fr
PGP public key: 0x186BB3CA
Off-the-record fingerprint: 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
Bug#823004: gplaycli: sensitive information in config file
Package: gplaycli
Followup-For: Bug #823004

Hi Matlink,

the way gplaycli is shipped makes it problematic for several reasons:
- Sharing account passwords violates Google's ToS
- Someone could abuse that account for spamming via gmail, prompting
  Google to disable the account
- Everyone can change the password (just checked) breaking every
  installation of gplaycli
- It probably makes it easier to track gplaycli users
(probably more problems if I'd dig more)

So the right approach must be:
Use debconf to ask for google account credentials (no defaults), then
generate the Android ID by some other means. AFAICS this currently means
that another tool needs to be included/packaged to generate this.

You probably know better what the general approach is, if you could
outline them I'd be more than happy to help with implementing this.

Bumping the bug severity accordingly.

Regards,
Lee

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (101, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Bug#823004: gplaycli: sensitive information in config file
Well, quite normal since I provide default credentials not to bother
with AndroidID generation (which is very annoying to generate).

On 29/04/2016 at 22:52, Ingo Kabus wrote:
> Package: gplaycli
> Version: 0.1.2+git15~g20f65ca-1
> Severity: normal
>
> Dear Maintainer,
>
> you ship your gmail credentials in the configuration file.
> Please ask the user to enter his own credentials during package installation.
>
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.5.0-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages gplaycli depends on:
> ii  androguard              2.0-1
> ii  python-clint            0.5.1-1
> ii  python-ndg-httpsclient  0.4.0-3
> ii  python-protobuf         2.6.1-1.3
> ii  python-pyasn1           0.1.9-1
> ii  python-requests         2.9.1-3
> pn  python:any
>
> Versions of packages gplaycli recommends:
> ii  fdroidserver  0.6.0-2
>
> gplaycli suggests no packages.
>
> -- Configuration Files:
> /etc/gplaycli/credentials.conf changed [not included]
>
> -- no debconf information

--
Matlink - Sysadmin matlink.fr
Go out protected, encrypt your emails: https://café-vie-privée.fr/
XMPP/Jabber: matl...@matlink.fr
PGP public key: 0x186BB3CA
Off-the-record fingerprint: 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
Bug#823004: gplaycli: sensitive information in config file
Package: gplaycli
Version: 0.1.2+git15~g20f65ca-1
Severity: normal

Dear Maintainer,

you ship your gmail credentials in the configuration file.
Please ask the user to enter his own credentials during package installation.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gplaycli depends on:
ii  androguard              2.0-1
ii  python-clint            0.5.1-1
ii  python-ndg-httpsclient  0.4.0-3
ii  python-protobuf         2.6.1-1.3
ii  python-pyasn1           0.1.9-1
ii  python-requests         2.9.1-3
pn  python:any

Versions of packages gplaycli recommends:
ii  fdroidserver  0.6.0-2

gplaycli suggests no packages.

-- Configuration Files:
/etc/gplaycli/credentials.conf changed [not included]

-- no debconf information