[Reportbug-maint] Bug#576828: Bug#576828: reportbug should warn reporter on about to be sent text including passwords

Arthur Marsh arthur.marsh at internode.on.net
Wed Apr 7 17:24:28 UTC 2010



Sandro Tosi wrote, on 08/04/10 01:45:
> Hello Arthur,
> thanks for your report.
>
> On Wed, Apr 7, 2010 at 17:01, Arthur Marsh
> <arthur.marsh at internode.on.net>  wrote:
>> Hi, it would be a good idea for reportbug to warn of or by default
>> strip passwords from report messages including attached files (e.g.
>> text on the same line as a case insensitive match on password) as
>> Google indexes Debian bug reports very quickly and it would be
>> trivial to use Google to harvest passwords inadvertently included
>> in a bug report.
>
> Are you referring to reportbug itself, when it includes the
> ~/.reportbugrc file and the password there contained? or are you
> referring to a general case, where a user inserts username/password
> into the bug report?

Yes, where a username/password gets inserted into the bug report is one 
of the cases I was thinking of.

> or (last option :) are you referring to other
> packages that include their configuration files into the bug report?
>
> Regards,

Yes, I was also thinking of configuration files that might be included 
(either manually as attachments by the reporter or automatically as part 
of the configuration information that reportbug gathers for a particular 
package).

Packages that communicate with mobile telephone handsets (e.g. 
gammu/wammu/gnokii) might also need some special attention to 
warn/remove data that should not be public. It can be very easy to send 
a bug report without thinking, and impossible to "unsend" a bug report 
once it is indexed by Google and friends.

Arthur.
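
A sketch of the check proposed in the message above, added here as an example; it is not reportbug's code and not part of the original thread. The keywords beyond "password", the function names, and the sample report text are assumptions constructed for illustration.

```python
import re

# Assumption: "passwd" and "passphrase" are added here; the message names only "password".
KEYWORD = re.compile(r"\w*(?:password|passwd|passphrase)\w*", re.IGNORECASE)
SEPARATOR = re.compile(r"\s*[:=]?\s*")
PLACEHOLDER = "[REDACTED]"

# Constructed sample input: a report body and an attached config file.
SAMPLE_BODY = (
    "Package: example\n\n"
    "Login fails after upgrade.\n"
    "I used Password: hunter2 on the test box.\n"
)
SAMPLE_ATTACHMENT = (
    "# constructed config file\n"
    "smtpuser alice\n"
    "SMTPPASSWD s3cret\n"
    'db_password = "pa ss"\n'
    "password=\n"
)

def find_suspect_lines(text):
    """Return (line_number, line) for each line with a case-insensitive keyword match."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if KEYWORD.search(line)]

def redact_line(line):
    """Keep the keyword and its separator, replace the rest of the line."""
    m = KEYWORD.search(line)
    if not m:
        return line
    sep = SEPARATOR.match(line, m.end()).group(0)
    if not line[m.end() + len(sep):].strip():
        return line  # nothing follows the keyword, so nothing to strip
    return line[:m.end()] + sep + PLACEHOLDER

def redact(text):
    return "\n".join(redact_line(line) for line in text.splitlines())

def review(parts):
    """parts maps a name (body, attachment filename) to its text; returns warnings."""
    return [f"{name}:{n}: line mentions a password, check before sending"
            for name, text in parts.items()
            for n, _ in find_suspect_lines(text)]

if __name__ == "__main__":
    for w in review({"body": SAMPLE_BODY, "attachment.conf": SAMPLE_ATTACHMENT}):
        print(w)
    print(redact(SAMPLE_ATTACHMENT))
```

A plain keyword match also flags harmless sentences that merely mention a password, which is why the warning path leaves the decision to the reporter and only the redaction path rewrites text.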