[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: New service: https://debuginfod.debian.net

On Thursday, February 25 2021, Ian Campbell wrote:

>> What about information leakage? apart from debugids does this leak
>> anything else to the server? On a quick look it seems like it might
>> potentially leak source code paths (at least the leaf bits) to things
>> being debugged -- does this mean that if a user is debugging private
>> software (perhaps unpublished or perhaps proprietary software for
>> $work) on a Debian system they are at risk of leaking the source
>> filenames if they run gdb on one of their binaries while debugging?
>> This might be a problem if it comes to enabling this transparently.
> Yes, it might.  On the other hand, this is mitigated by a few aspects.
> Mainly, debuginfod clients like gdb only call out to the system in case
> they have failed to look up the needed data another way.  So if you're
> debugging local software built normally, the buildids / source names
> won't leak because the debugger will find them locally, and debuginfod
> servers are not consulted.
> Users who debug secret software but still wish to use internal
> debuginfod distribution for it, can do so by setting up a personal
> debuginfod instance whereever the secret stuff is held, and configure
> that server to federate upstream to the public server.  That way, the
> public server will only see traffic that the local one couldn't satisfy.
> Do these considerations overcome the concerns, so as to provide a
> comfortable out-of-the-box experience for most users?

Thanks for the reply, Frank.

As I said in the announcement message, I have proposed a Merge Request
against elfutils in order to enable the automatic usage of our
debuginfod server.  I know that there are people who are not comfortable
with having a debugger consult a remote server "behind their backs", so
a possible mitigation to this issue would be to have a debconf question
asking whether the user wants to enable system-wide debuginfod usage or


GPG key ID: 237A 54B1 0287 28BF 00EF  31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible

Reply to: