[Reportbug-maint] Bug#576828: Bug#576828: reportbug should warn reporter on about to be sent text including passwords
arthur.marsh at internode.on.net
Wed Apr 7 17:24:28 UTC 2010
Sandro Tosi wrote, on 08/04/10 01:45:
> Hello Arthur,
> thanks for your report.
> On Wed, Apr 7, 2010 at 17:01, Arthur Marsh
> <arthur.marsh at internode.on.net> wrote:
>> Hi, it would be a good idea for reportbug to warn of or by default
>> strip passwords from report messages including attached files (e.g.
>> text on the same line as a case insensitive match on password) as
>> Google indexes Debian bug reports very quickly and it would be
>> trivial to use Google to harvest passwords inadvertently included
>> in a bug report.
> Are you referring to reportbug itself, when it includes the
> ~/.reportbugrc file and the password there contained? or are you
> referring to a general case, where a user inserts username/password
> into the bug report?
Yes, where a username/password gets inserted into the bug report is one
of the cases I was thinking of.
> or (last option :) are you referring to other
> packages that include their configuration files into the bug report?
Yes, I was also thinking of configuration files that might be included
(either manually as attachments by the reporter or automatically as part
of the configuration information that reportbug gathers for a particular
Packages that communicate with mobile telephone handsets (e.g.
gammu/wammu/gnokii) might also need some special attention to
warn/remove data that should not be public. It can be very easy to send
a bug report without thinking, and impossible to "unsend" a bug report
once it is indexed by Google and friends.
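
The check proposed in this message (a case-insensitive match on "password", with the rest of that line treated as sensitive) could look like the sketch below. It is an added example, not part of the original message and not reportbug's code. The function names, the `[REDACTED]` marker, matching "passwd" as well, and the sample input are all assumptions made for illustration.

```python
import re

# Keyword (case-insensitive), optional separator, then the rest of the line.
# Assumption: "passwd" is matched as well as the "password" named in the message.
SECRET_LINE = re.compile(r"(passw(?:or)?d\w*[ \t]*[=:]?[ \t]*)(.*)$", re.IGNORECASE)
MARK = "[REDACTED]"  # hypothetical replacement marker

def redact(text):
    """Return (clean_text, line_numbers) for lines that mention a password."""
    clean, hits = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        match = SECRET_LINE.search(line)
        if match:
            hits.append(number)
            if match.group(2).strip():  # something follows the keyword: drop it
                line = line[:match.start(2)] + MARK
        clean.append(line)
    return "\n".join(clean), hits

def review_outgoing(body, attachments):
    """Check the report body and every attachment before anything is sent."""
    warnings, sanitized = [], {}
    for name, text in [("report body", body)] + sorted(attachments.items()):
        sanitized[name], hits = redact(text)
        warnings += [f"{name}: line {n} mentions a password" for n in hits]
    return sanitized, warnings

# Constructed sample input: a report body plus one attached configuration file.
SAMPLE_BODY = "wammu fails to connect.\nMy config is attached.\n"
SAMPLE_ATTACHMENTS = {
    "example.conf": "user alice\nsmtppasswd hunter2\nPassword = s3cret\n",
}

if __name__ == "__main__":
    sanitized, warnings = review_outgoing(SAMPLE_BODY, SAMPLE_ATTACHMENTS)
    for warning in warnings:
        print("WARNING:", warning)
    print(sanitized["example.conf"])
```

A line-based keyword match only catches secrets that sit on a line naming them, so the warning to the reporter still matters for anything the pattern cannot see.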