
Re: Make bug package required? (was Re: berolist.deb)



[ Please don't Cc: public replies to me. ]

Christoph Lameter:
> Debian did not. The user made the decision to post that password.

The user made the decision to report a bug, and may have failed
to notice that one of the configuration files contained a password.
That's easy to do, and that's exactly the kind of mistake that users
typically make. Especially novices. Especially novices that are having
severe problems and are already under considerable stress. The bug
program should make it difficult to make the error, and not rely on
the user to do the right thing.

comp.risks and its archives have, I seem to remember, a few examples
of what can happen when software is designed so that it's easy to
do a dangerous thing.

In this case, it's better to have a setuid-nobody version of cat
(a stripped down version, hopefully) that bug can use to read
the configuration files. If the files aren't world-readable,
they probably contain sensitive information, and shouldn't be
posted for the whole world to read. If the contents of the
sensitive files are relevant, the Debian maintainer can ask for
more information.

I think this is a suitable balance between posting everything
and disclosing passwords, and posting nothing and making it
harder to fix bugs.

-- 
Please read <http://www.iki.fi/liw/mail-to-lasu.html> before mailing me.
Please don't Cc: me when replying to my message on a mailing list.
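The filtering rule proposed above (include a configuration file in a bug report only if it is world-readable, otherwise withhold it and name it so the maintainer can ask) as an added example; this is not code from the Debian bug program or from the poster. It approximates the setuid-nobody cat by checking the file's own `o+r` mode bit, and deliberately ignores parent-directory permissions; the sample files, names and contents are constructed.

```python
import os
import stat
import tempfile


def is_world_readable(path: str) -> bool:
    """True if the file's own mode grants read to 'other' (o+r).

    Approximates what a setuid-nobody cat could open: anything nobody
    cannot read is treated as sensitive. Parent-directory permissions
    are not considered here (assumption of this example).
    """
    st = os.stat(path)  # follows symlinks: the target's content is what gets posted
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IROTH)


def collect_shareable_configs(paths):
    """Split config paths into (included, withheld) for a bug report.

    Only world-readable regular files are included; everything else,
    including missing files, is withheld and listed by name so the
    maintainer can request it later if it turns out to be relevant.
    """
    included, withheld = [], []
    for p in paths:
        try:
            (included if is_world_readable(p) else withheld).append(p)
        except FileNotFoundError:
            withheld.append(p)
    return included, withheld


def demo():
    """Constructed sample: one public config, one private one, one missing."""
    d = tempfile.mkdtemp(prefix="bugdemo-")
    public = os.path.join(d, "app.conf")
    private = os.path.join(d, "app.secret")  # hypothetical password file
    with open(public, "w") as f:
        f.write("verbose = yes\n")
    with open(private, "w") as f:
        f.write("password = EXAMPLE-NOT-REAL\n")  # constructed sample value
    os.chmod(public, 0o644)   # world-readable: safe to attach
    os.chmod(private, 0o600)  # owner-only: withhold from the report
    inc, wh = collect_shareable_configs(
        [public, private, os.path.join(d, "missing.conf")])
    return [os.path.basename(x) for x in inc], [os.path.basename(x) for x in wh]


if __name__ == "__main__":
    print(demo())  # (['app.conf'], ['app.secret', 'missing.conf'])
```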

