[ Please don't Cc: public replies to me. ]

Christoph Lameter:
> Debian did not. The user made the decision to post that password.

The user made the decision to report a bug, and may have failed to notice that one of the configuration files contained a password. That's easy to do, and that's exactly the kind of mistake that users typically make. Especially novices. Especially novices that are having severe problems and are already under considerable stress.

The bug program should make it difficult to make the error, and not rely on the user to do the right thing. comp.risks and its archives have, I seem to remember, a few examples of what can happen when software is designed so that it's easy to do a dangerous thing.

In this case, it's better to have a setuid-nobody version of cat (a stripped down version, hopefully) that bug can use to read the configuration files. If the files aren't world-readable, they probably contain sensitive information, and shouldn't be posted for the whole world to read.

If the contents of the sensitive files are relevant, the Debian maintainer can ask for more information. I think this is a suitable balance between posting everything and disclosing passwords, and posting nothing and making it harder to fix bugs.

-- 
Please read <http://www.iki.fi/liw/mail-to-lasu.html> before mailing me.
Please don't Cc: me when replying to my message on a mailing list.
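
An added example, not part of the original message and not code from the Debian bug tool: a mode-bit check in C that approximates the setuid-nobody cat proposed above, copying a configuration file into the report only when "other" may read it. The function name and return codes are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical return codes for copy_if_world_readable(). */
enum { COPIED = 0, SKIPPED_PRIVATE = 1, SKIPPED_OTHER = 2 };

/* Copy `path` to `out_fd` only if it is a regular file whose mode
 * grants read access to "other". */
int copy_if_world_readable(const char *path, int out_fd)
{
    struct stat st;
    char buf[4096];
    ssize_t n;

    /* O_NONBLOCK: do not hang if the path names a FIFO or device. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return SKIPPED_OTHER;

    /* fstat the descriptor, not the path, so the permission check and
     * the read apply to the same file (no check-then-open race). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return SKIPPED_OTHER;
    }
    if (!(st.st_mode & S_IROTH)) {
        close(fd);
        return SKIPPED_PRIVATE;  /* e.g. mode 0600: may hold a password */
    }
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        if (write(out_fd, buf, (size_t)n) != n) {
            close(fd);
            return SKIPPED_OTHER;
        }
    }
    close(fd);
    return n == 0 ? COPIED : SKIPPED_OTHER;
}

/* Usage: ./a.out /etc/some.conf ... ; omitted files are named on stderr. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        if (copy_if_world_readable(argv[i], STDOUT_FILENO) == SKIPPED_PRIVATE)
            fprintf(stderr, "%s: not world-readable, omitted\n", argv[i]);
    return 0;
}
```

Unlike a real open as user nobody, this check ignores directory permissions and ACLs along the path, so it approximates the proposal rather than matching it exactly.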