On Sat, Mar 17, 2018 at 08:13:55PM -0400, Jeremy Bicha wrote:
> One particular class of private info I've seen in the systemd journal
> is file names of files that tracker fails to index.
>
> File names can be very sensitive. And yet, it seems to me like it's
> appropriate for tracker to log the file name as a warning.

The way I see it, by choosing to log, one is also choosing to make that data public should the user share logs, since sharing logs is something that is typically done when asking for help on the Internet at large. apport is only one part of this. Special casing privacy considerations in apport, IMHO, doesn't help with any wider privacy leak when a user is asked to share logs some other way.

I conclude that it needs to be decided in tracker upstream if that information should be considered private or not. If it should be private, then it shouldn't be logged by upstream by default.

One way to solve this might be to log the warning with private information not present, but provide some other way to reveal the detail. This could be by enabling some privacy-compromising-logging flag and requiring the user to rerun, or by storing the private information somewhere out-of-default-band.

> Maybe apport should exclude tracker warnings by default for bugs that
> aren't related to tracker?

I have no objection to mitigating privacy concerns in apport in this way in lieu of the proper type of fix I suggest above. In the general case I think we absolutely should do this in the absence of an upstream fix. But please don't exclude entire messages, as that can be confusing for debugging; please instead leave a placeholder excluding the private information.

In this specific case, I suppose it depends on whether we (the wider community including upstream) decide whether or not it is a privacy problem in this particular instance.

Robie
