Hi Nico! Let's keep debian-security in the discussion to see what others have to say about this. Technically I agree with you when you say that people shouldn't enter anything but their usernames at the login prompt, but the fact is that people (like me and the bug submitter for example) *do* enter their passwords there from time to time. People make mistakes, and this is not an uncommon one. Security shouldn't be based on nobody ever doing more or less common mistakes. Regards //Johan ---------- Forwarded message ---------- From: Nico Golde <debian-security+ml@ngolde.de> Date: 2008/8/27 Subject: Re: Password leaks are security holes To: Johan Walles <johan.walles@gmail.com> Kopia: 311772@bugs.debian.org, control@bugs.debian.org Hi Johan, * Johan Walles <johan.walles@gmail.com> [2008-08-27 22:26]: > severity 311772 critical > tag 311772 + security > thanks > > When users' clear text passwords are logged, that's a security hole. > > Setting severity to critical since this bug "introduces a security > hole on systems where you install the package". Quote is from the > definition of the critical severity at > http://www.debian.org/Bugs/Developer#severities. No its not, if you edit your credit card number as a user name this is also not the applications fault. "makes unrelated software on the system (or the whole system) break, or causes serious data loss, or introduces a security hole on systems where you install the package." This doesn't say anything about users not being able to use the software in a proper way. Cheers Nico -- Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
pgp6Mh6f7vo75.pgp
Description: PGP signature