
Re: Which Debian packages leak information to the network?



* Patrick Schleizer <adrelanos@riseup.net>, 2016-05-18, 15:50:
> we are a privacy-centric distro based on Debian and wanted to know what Debian packages leak information about the system to the network without a user's consent/expectation.

> As documented on the page below, a system's security also depends on avoiding leaking any identifiable information to network adversaries by accident.

python-requests used to include the kernel version number in the User-Agent. (And also the Python version, but that's less exciting.) This was fixed upstream in 2.8.0:
https://github.com/kennethreitz/requests/issues/2785

pip leaks even more stuff in U-A:
$ python -c 'import pip; print pip.download.user_agent()'
pip/8.1.2 {"cpu":"x86_64","distro":{"libc":{"lib":"glibc","version":"2.7"},"name":"debian","version":"stretch/sid"},"implementation":{"name":"CPython","version":"2.7.11+"},"installer":{"name":"pip","version":"8.1.2"},"openssl_version":"OpenSSL 1.0.2h  3 May 2016","python":"2.7.11+","system":{"name":"Linux","release":"4.5.0-2-amd64"}}

(As a side note, I don't think this is RFC-2616-compliant...)

> Popcon, bts, wnpp-check are the noted examples

Could you explain how any of these tools leak any information "without a user's consent/expectation"?

--
Jakub Wilk
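A way to audit User-Agent strings for the kind of host details the pip output above carries, as an added example (Python 3) that is not part of the mail and not code from pip or python-requests. The sample User-Agent values are constructed; the token form attributed to python-requests before 2.8.0 is an assumption about that older format.

```python
import json
import re

# Constructed sample User-Agent values, not captured from real traffic: the
# pip 8.1.2 format quoted in the mail, the token format python-requests used
# before 2.8.0 (which carried the kernel release), and a neutral one.
SAMPLE_USER_AGENTS = [
    'pip/8.1.2 {"cpu":"x86_64","distro":{"libc":{"lib":"glibc","version":"2.7"},'
    '"name":"debian","version":"stretch/sid"},"implementation":{"name":"CPython",'
    '"version":"2.7.11+"},"installer":{"name":"pip","version":"8.1.2"},'
    '"openssl_version":"OpenSSL 1.0.2h  3 May 2016","python":"2.7.11+",'
    '"system":{"name":"Linux","release":"4.5.0-2-amd64"}}',
    "python-requests/2.7.0 CPython/2.7.11 Linux/4.5.0-2-amd64",
    "Mozilla/5.0",
]
# Dotted keys in pip's JSON blob that describe the host rather than pip itself.
SENSITIVE_KEYS = {"cpu", "python", "openssl_version", "system.name",
                  "system.release", "distro.name", "distro.version",
                  "distro.libc.version", "implementation.version"}
# Token forms ("Linux/4.5.0-2-amd64", "CPython/2.7.11") used by older clients.
TOKEN_PATTERNS = {
    "system.release": re.compile(r"\b(?:Linux|Darwin|Windows)/(\S+)"),
    "implementation.version": re.compile(r"\b(?:CPython|PyPy|Jython)/(\S+)"),
}

def _flatten(obj, prefix=""):
    """Flatten nested dicts to dotted keys: {"a": {"b": 1}} -> {"a.b": 1}."""
    flat = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            flat.update(_flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat

def find_leaks(user_agent):
    """Return {field: value} for host-identifying data in one User-Agent."""
    leaks = {}
    rest = user_agent.partition(" ")[2]
    if rest.startswith("{"):  # pip style: "<product>/<version> <json>"
        try:
            flat = _flatten(json.loads(rest))
        except json.JSONDecodeError:
            flat = {}
        leaks.update({k: v for k, v in flat.items() if k in SENSITIVE_KEYS})
    for field, pattern in TOKEN_PATTERNS.items():
        match = pattern.search(user_agent)
        if match and field not in leaks:
            leaks[field] = match.group(1)
    return leaks
```

Running `find_leaks` over headers captured from a test host (for example from a local proxy log) lists exactly which fields a client discloses; an empty result means the header names only the client product.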

