Package: alpine
Version: 2.20+dfsg1-7
Followup-For: Bug #710511
Here Debian Alpine 2.20 does not core dump/segfault/crash, but the
password is still saved only if the passfile already exists (and same with
Alpine 2.21 in CentOS).
From the mail above, it seems this is intended, so rather a feature not a
bug, but this does not seem to be documented anywhere (apart from internet
forums), and alpine does not give any hint about this when it happens.
I understand that security is important and saving passwords should not
be the default behavior when it is not expected. However, e.g., when
launching alpine with the -passfile option (even with a nonexisting file),
the user's expectation is to use it, not silently ignore it, especially as
suggested by the help of Alpine saying:
    -passfile <fully_qualified_filename>
        Set the password file to something other than the default
(Btw, the default password file, which seems to vary among versions
and distributions, does not seem to be documented anywhere around alpine
either, and should be traced by strace or strings.)
Also, here
https://github.com/termux/termux-packages/issues/2023
one finds reasonable complaints about the mandatory "master password"
(password for S/MIME key?) demonstrating that all in all the decision between
convenience and security should be left to the user's discretion with
reasonable defaults (even if not every user is very skilled).
I think the users would be best served by alpine either creating the
passfile file when it is explicitly given on the command line and/or giving
a warning and hints on how to use one when it is not created, and the
whole behaviour being well documented in every reasonable way.
Thanks,
Andras
-- System Information:
Debian Release: 9.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500,
'stable'), (100, 'stretch')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages alpine depends on:
ii libc6 2.24-11+deb9u3
ii libgssapi-krb5-2 1.15-1+deb9u1
ii libkrb5-3 1.15-1+deb9u1
ii libldap-2.4-2 2.4.44+dfsg-5+deb9u2
ii libpam0g 1.1.8-3.6
ii libssl1.0.2 1.0.2l-2+deb9u3
ii libtinfo5 6.0+20161126-1+deb9u2
ii mlock 8:2007f~dfsg-5
Versions of packages alpine recommends:
pn alpine-doc <none>
Versions of packages alpine suggests:
ii aspell 0.60.7~20110707-3+b2
ii exim4-daemon-light [mail-transport-agent] 4.89-2+deb9u3
-- no debconf information