Privacy concern with debconf
I am concerned with a new trend that uses debconf to configure personal
information into system files. I'll start with an exaggerated example.
I have a Window Maker dockapp, wmbday, that counts down the seconds to
my birthday and then displays the message, "Happy Birthday,
Yournamehere!". If I installed it the way some dockapps do it now,
debconf would ask for my name and birth date and put that info in
command line parameters in the /usr/lib/menu/wmbday file.
Now even legitimate users of the program have access to my personal
information, not to mention that it is also possible for any user,
daemon or hacker to read the info from this world readable file.
The real packages I'm talking about are wmweather and wmmoonclock. The
former stores your METAR (local weather station) code in
/usr/lib/menu/wmweather and the latter stores your latitude and
longitude. These are not big concerns for me, but it's not hard to
imagine some person or some organization that wouldn't want this info to
be exposed.
I didn't see anything about privacy concerns in the policy manual. The
FHS states that /usr/lib is for architecture dependent files. That
seems to suggest that personal info doesn't belong there. There is a
lintian override for wmmoonclock. How would I find out what that was
for?
While this makes configuration easy for novices, I think that any
program that takes personal information from novices should do it in a
way that is highly protective of their privacy. After all, they are
novices. They are trusting Debian that the procedure is safe. Is it?
I could find no Debian guideline on this matter. Certainly one could
define the difference between configuration that changes how a program
runs and configuration that personalizes the program for a specific
user. Sure, I can just skip the questions and configure my own way and
I could easily accept that what these two packages are doing is
reasonable. But even that leaves the question, "What are the limits?"
- Jim, maybe
Reply to: