[Pkg-telepathy-commits] [telepathy-mission-control-5] 01/16: NEWS: adjust note about ServerAuthentication handlers

Simon McVittie smcv at debian.org
Mon Jan 27 14:50:22 UTC 2014


This is an automated email from the git hooks/post-receive script.

smcv pushed a commit to branch debian
in repository telepathy-mission-control-5.

commit 17a5d31769e9da52797df968c8881732f29d0f45
Author: Simon McVittie <simon.mcvittie at collabora.co.uk>
Date:   Wed Oct 2 16:33:42 2013 +0100

    NEWS: adjust note about ServerAuthentication handlers
    
    rishi pointed out on IRC that ServerAuthentication still makes
    passwords available to eavesdroppers on the session bus (if LOGIN,
    PLAIN or X-TELEPATHY-PASSWORD are used). ServerAuthentication doesn't
    allow arbitrary applications to ask MC "what is the password for
    account X?", which is what I was thinking of.
    
    The session bus is not generally modelled to be a security
    boundary; if yours is, you will need to write a security policy,
    then ensure that that policy is applied. Telepathy components are not
    designed to be used unmodified on an untrusted session bus. (Starting
    points include turning off eavesdropping, applying a "default-deny"
    policy, preventing processes other than Mission Control from
    calling HandleChannels on your ServerAuthentication client, and
    preventing processes from subverting each other with ptrace.)
---
 NEWS | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index edce6da..f31c9e4 100644
--- a/NEWS
+++ b/NEWS
@@ -38,8 +38,7 @@ Enhancements:
   (fd.o #56635, Simon)
 
 • Remove gnome-keyring integration in favour of recommending
-  ServerAuthentication Handlers, which have better UI and don't expose
-  passwords on D-Bus (fd.o #32578, Simon)
+  ServerAuthentication Handlers, which have better UI (fd.o #32578, Simon)
 
 • Internal cleanup related to the connectivity code (fd.o #68712, Simon)
 
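Review bot: The reworded bullet ("ServerAuthentication Handlers, which have better UI") drops the incorrect claim but leaves NEWS silent on password exposure, so the caveat exists only in the commit message. Consider adding a short clause to this bullet saying that with LOGIN, PLAIN or X-TELEPATHY-PASSWORD the password is still visible to eavesdroppers on the session bus, and that the session bus is not modelled as a security boundary. Users moving off the removed gnome-keyring integration who read only NEWS would otherwise have no indication of this.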

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-telepathy/telepathy-mission-control-5.git