package: duplicity
severity: important
tags: security
Version: 0.4.10-1

The boto class in backends.py requires that AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY be set. However python-boto is perfectly happy to read these values out of ~/.boto.
The process environment is public; setting passwords in the environment is problematic because everyone on a multi-user system can read them. Therefore duplicity really should take advantage of python-boto's facility for reading passwords out of config files. All that needs to happen is that the check for these environment variables needs to be removed.
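An added example, not part of the original report and not duplicity's or python-boto's code: a credential lookup that accepts the two environment variables when present but otherwise falls back to a boto-style config file with a `[Credentials]` section. The function name, the file-permission check and the sample values are assumptions of this example.

```python
import configparser
import os
import stat


def resolve_aws_credentials(environ, boto_path):
    """Return (access_key, secret_key, source); raise if none are usable."""
    key = environ.get("AWS_ACCESS_KEY_ID")
    secret = environ.get("AWS_SECRET_ACCESS_KEY")
    if key and secret:
        return key, secret, "environment"

    # No hard failure on missing variables: fall back to the config file.
    try:
        mode = os.stat(boto_path).st_mode
    except FileNotFoundError:
        raise LookupError("no credentials in environment or " + boto_path)

    # Assumption of this example: refuse a secrets file that other local
    # users could open, since that would recreate the exposure.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(boto_path + " is accessible to group/other")

    # interpolation=None so a '%' inside a secret is read literally.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(boto_path)
    try:
        section = cfg["Credentials"]
        return (section["aws_access_key_id"],
                section["aws_secret_access_key"],
                "config file")
    except KeyError:
        raise LookupError("no [Credentials] keys in " + boto_path)


if __name__ == "__main__":
    path = os.path.expanduser("~/.boto")
    try:
        _, _, source = resolve_aws_credentials(os.environ, path)
        print("credentials found via", source)
    except (LookupError, PermissionError) as exc:
        print("no usable credentials:", exc)
```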