FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Development

 
 
LinkBack Thread Tools
 
Old 12-14-2010, 01:51 AM
Jan Kratochvil
 
Default RetraceServer security

On Thu, 09 Dec 2010 17:10:49 +0100, David Malcolm wrote:
> Another gratuitous me too, see:
> https://fedoraproject.org/wiki/Talk:Features/RetraceServer

Detailed description:
[...] User sends the coredump [...]

Do you intend to make it default for Fedora?

So far I thought it is not acceptable and in many cases my request in BZ for
a core dump was refused by a user due to security concerns.


OTOH the system binaries are already provided by the Fedora project and if the
retrace server infrastructure has the same security as Koji servers the
security level stays the same.


Thanks,
Jan
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 12-14-2010, 09:06 AM
Jiri Moskovcak
 
Default RetraceServer security

On 12/14/2010 03:51 AM, Jan Kratochvil wrote:
> On Thu, 09 Dec 2010 17:10:49 +0100, David Malcolm wrote:
>> Another gratuitous me too, see:
>> https://fedoraproject.org/wiki/Talk:Features/RetraceServer
>
> Detailed description:
> [...] User sends the coredump [...]
>
> Do you intend to make it default for Fedora?
>

- not decided yet, but I'm thinking about something user friendly like
dialog saying:

How do you want to generate the backtrace?
1. Locally (will download XY MB of debuginfo and you need gdb and etc..)
2. I want to use the RS (WARNING!!: will upload the core file which may
contain a sensitive data, but provides a better backtrace)
3. I need to ask my older brother, so cancel the reporting ...


> So far I thought it is not acceptable and in many cases my request in BZ for
> a core dump was refused by a user due to security concerns.
>

- some people won't send it some will.. When I can't reproduce the bug
and user doesn't want to send me the core, then sorry -> CLOSED
INSUFF_INFO what else can you do?

>
> OTOH the system binaries are already provided by the Fedora project and if the
> retrace server infrastructure has the same security as Koji servers the
> security level stays the same.
>

- exactly if we want to get user's private data there is many easier
ways then to build a server and write a special app for it...

But the core definitely won't be uploaded without making sure that user
understands what he is about to upload, as we don't want to get under
the same critic as one of the well known operating system developer

Jirka
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 

Thread Tools




All times are GMT. The time now is 01:21 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org