On Sat, Mar 17, 2018 at 08:13:55PM -0400, Jeremy Bicha wrote:
> One particular class of private info I've seen in the systemd journal
> is file names of files that tracker fails to index.
> File names can be very sensitive. And yet, it seems to me like it's
> appropriate for tracker to log the file name as a warning.

The way I see it, by choosing to log, one is also choosing to make that
data public should the user share logs, since sharing logs is something
that is typically done when asking for help on the Internet at large.

apport is only one part of this. Special casing privacy considerations
in apport, IMHO, doesn't help with any wider privacy leak when a user is
asked to share logs some other way.

I conclude that it needs to be decided in tracker upstream if that
information should be considered private or not. If it should be
private, then it shouldn't be logged by upstream by default. One way to
solve this might be to log the warning with private information not
present, but provide some other way to reveal the detail. This could be
by enabling some privacy-compromising-logging flag and requiring the user
to rerun, or by storing the private information somewhere

> Maybe apport should exclude tracker warnings by default for bugs that
> aren't related to tracker?

I have no objection to mitigating privacy concerns in apport in this way
in lieu of the proper type of fix I suggest above. In the general case I
think we absolutely should do this in the absence of an upstream fix.
But please don't exclude entire messages, as that can be confusing for
debugging; please instead leave a placeholder excluding the private

In this specific case, I suppose it depends on whether we (the wider
community including upstream) decide whether or not it is a privacy
problem in this particular instance.