Package: devscripts
Version: 2.18.11
Severity: important
Justification: potential sensitive information leak

Dear Maintainer,

by default reportbug(1) includes the content of ~/.devscripts when reporting bugs in devscripts. The problem is that it can contain sensitive information (at least SALSA_TOKEN, maybe something more).

Since salsa(1) is only in experimental, and such changes would not introduce major breakage, I suggest:

 * discourage/prohibit storing sensitive information in ~/.devscripts
 * read SALSA_TOKEN from the environment
 * remove/discourage the --token option, since this way the token is exposed to anybody who can invoke ps(1).

-- Package-specific info:
--- /etc/devscripts.conf ---

--- ~/.devscripts ---
SALSA_TOKEN=$(pass access/git/salsa.debian.org/kaction | awk 'NR == 2 { print $2 }')

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: runit (via /run/runit.stopit)
LSM: AppArmor: enabled

Versions of packages devscripts depends on:
ii  dpkg-dev              1.19.2
ii  fakeroot              1.23-1
ii  file                  1:5.34-2
ii  gnupg                 2.2.11-1
ii  gnupg2                2.2.11-1
ii  gpgv                  2.2.11-1
ii  libc6                 2.28-2
ii  libfile-homedir-perl  1.004-1
ii  libfile-which-perl    1.22-1
ii  libipc-run-perl       20180523.0-1
ii  libmoo-perl           2.003004-2
ii  libwww-perl           6.36-1
ii  patchutils            0.3.4-2
ii  perl                  5.28.1-3
ii  python3               3.7.1-2
ii  sensible-utils        0.0.12
ii  wdiff                 1.2.2-2+b1

Versions of packages devscripts recommends:
ii  apt                         1.8.0~alpha2
pn  at                          <none>
ii  curl                        7.62.0-1
ii  dctrl-tools                 2.24-3
pn  debian-keyring              <none>
ii  dput                        1.0.2
ii  equivs                      2.2.0
ii  libdistro-info-perl         0.20
ii  libdpkg-perl                1.19.2
ii  libencode-locale-perl       1.05-1
ii  libgit-wrapper-perl         0.048-1
ii  libgitlab-api-v4-perl       0.13-1
ii  liblist-compare-perl        0.53-1
ii  liblwp-protocol-https-perl  6.07-2
pn  libsoap-lite-perl           <none>
ii  libstring-shellquote-perl   1.04-1
ii  libtry-tiny-perl            0.30-1
ii  liburi-perl                 1.74-1
pn  licensecheck                <none>
ii  lintian                     2.5.116
ii  man-db                      2.8.4-3
ii  patch                       2.7.6-3
ii  python3-apt                 1.7.0
ii  python3-debian              0.1.33
ii  python3-magic               2:0.4.15-2
ii  python3-requests            2.20.0-2
ii  python3-unidiff             0.5.4-1
ii  python3-xdg                 0.25-4
ii  strace                      4.21-1
ii  unzip                       6.0-21
ii  wget                        1.19.5-2
ii  xz-utils                    5.2.2-1.3

Versions of packages devscripts suggests:
pn  adequate                    <none>
pn  autopkgtest                 <none>
pn  bls-standalone              <none>
ii  bsd-mailx [mailx]           8.1.2-0.20180807cvs-1
ii  build-essential             12.5
pn  check-all-the-things        <none>
pn  cvs-buildpackage            <none>
pn  devscripts-el               <none>
ii  diffoscope                  107
pn  disorderfs                  <none>
pn  dose-extra                  <none>
pn  duck                        <none>
ii  faketime                    0.9.7-3
pn  gnuplot                     <none>
pn  how-can-i-help              <none>
pn  libauthen-sasl-perl         <none>
pn  libdbd-pg-perl              <none>
ii  libfile-desktopentry-perl   0.22-1
pn  libnet-smtps-perl           <none>
pn  libterm-size-perl           <none>
pn  libtimedate-perl            <none>
pn  libyaml-syck-perl           <none>
ii  mozilla-devscripts          0.53
ii  mutt                        1.10.1-2
ii  openssh-client [ssh-client] 1:7.9p1-4
pn  piuparts                    <none>
pn  postgresql-client           <none>
ii  quilt                       0.65-3
pn  ratt                        <none>
pn  reprotest                   <none>
pn  svn-buildpackage            <none>
ii  w3m                         0.5.3-36+b1

-- no debconf information
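The report's core point is that reportbug pastes the whole of ~/.devscripts into a public bug, so any credential assigned there (a literal value or, as in the report, a command that fetches one from a secret store) travels with it. The following is an added example, written for this page and not part of the bug report, of reportbug or of devscripts: a pre-flight filter that redacts the right-hand side of secret-looking assignments in a devscripts-style config before the file is pasted anywhere, plus a check that refuses to proceed while such a value is still present. The list of variable-name suffixes treated as secret, the function names and the sample file contents are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of devscripts: redact
# secret-looking assignments in a devscripts-style config before it is
# attached to a bug report. Suffix list and sample data are assumptions.

# Assignment whose variable name ends in a secret-looking suffix, with an
# optional leading "export" (devscripts configs are shell syntax).
SECRET_KEY_RE='(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*(TOKEN|PASSWORD|PASSWD|SECRET|API_KEY)[[:space:]]*='

# Print FILE with the value of every matching assignment replaced by the
# literal <redacted>; all other lines (e.g. DEBSIGN_KEYID) pass through.
redact_devscripts_conf() {
    sed -E "s/^([[:space:]]*$SECRET_KEY_RE).*/\1<redacted>/" "$1"
}

# Exit 0 if FILE still holds a secret-looking assignment whose value is not
# <redacted>, so it can gate a report: has_unredacted_secrets f && exit 1
has_unredacted_secrets() {
    grep -E "^[[:space:]]*$SECRET_KEY_RE" "$1" | grep -Eqv '=<redacted>$'
}

# Stand-alone demo on a constructed sample (no real token is involved).
demo_redaction() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# constructed sample of a ~/.devscripts
DEBSIGN_KEYID=0xDEADBEEF
SALSA_TOKEN=example-token-value-not-real
export DEBEMAIL=someone@example.org
SALSA_TOKEN=$(pass access/git/salsa.debian.org/example | awk 'NR == 2 { print $2 }')
EOF
    if has_unredacted_secrets "$tmp"; then
        echo "# secret-looking values found; redacted copy follows:"
    fi
    redact_devscripts_conf "$tmp"
    rm -f "$tmp"
}

demo_redaction
```

Running the redacted copy back through has_unredacted_secrets returns non-zero, which is the state a wrapper around reportbug would insist on before sending. The filter deliberately redacts the command-substitution form as well: the token itself is not in the file, but the path inside the secret store still describes where it lives.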