Monday 15 April 2024

Re: pastebinit default target on Ubuntu

I think we should be pointing it back to paste.ubuntu.com, because our
existing users expect it will go to a distro-owned pastebin, and we
should remain consistent.

I am also all for keeping user data on IS-controlled assets. We don't
exactly know who controls dpaste, and if they parse dmesg or ceph logs
for call traces etc. that might contain juicy data.

For the login issue, perhaps we could do a quick entropy test on the
uploaded data. Log data is very repetitive, even on long logs, so it
will have low entropy. Base64-encoded data will have high entropy. We
just reject any high-entropy submissions, and remove the login-to-view
requirement.

I use pastebinit all the time, and it would be nice to default back to
paste.ubuntu.com.

Thanks,
Matthew
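
The entropy test proposed in the message above, sketched as an added example; it is not part of the original e-mail and not code from pastebinit or paste.ubuntu.com. It pairs byte-level Shannon entropy with zlib compressibility, because base64 cannot exceed about 6 bits per byte and repetition shows up in the compression ratio rather than in the byte histogram. The thresholds, function names and both sample inputs are assumptions constructed for the illustration.

```python
import base64
import math
import random
import zlib
from collections import Counter

# All three thresholds are assumptions for this illustration, not values from the thread.
MAX_BITS_PER_BYTE = 5.5      # base64 tops out near 6.0 bits per byte
MIN_COMPRESSION_RATIO = 2.0  # original size / zlib-compressed size
MIN_CHECK_SIZE = 1024        # byte statistics are unreliable on tiny pastes

def shannon_entropy(data: bytes) -> float:
    """Order-0 Shannon entropy of the byte histogram, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compression_ratio(data: bytes) -> float:
    """How many times smaller zlib makes the data; repetition raises this."""
    return len(data) / len(zlib.compress(data, 9)) if data else 1.0

def looks_like_blob(data: bytes) -> bool:
    """Flag pastes that are both symbol-dense and poorly compressible."""
    if len(data) < MIN_CHECK_SIZE:
        return False
    return (shannon_entropy(data) > MAX_BITS_PER_BYTE
            and compression_ratio(data) < MIN_COMPRESSION_RATIO)

def sample_log(lines: int = 2000) -> bytes:
    """Constructed dmesg-style text, used only as sample input."""
    msgs = ["usb 1-1: new high-speed USB device number {n} using xhci_hcd",
            "ceph: mds0 reconnect start",
            "EXT4-fs (sda1): mounted filesystem with ordered data mode",
            "audit: type=1400 apparmor=\"STATUS\" pid={n}"]
    return "".join(f"[{i * 0.731:12.6f}] {msgs[i % 4].format(n=i)}\n"
                   for i in range(lines)).encode()

def sample_blob(size: int = 48 * 1024) -> bytes:
    """Constructed stand-in for a binary file pushed as line-wrapped base64."""
    rng = random.Random(0)  # fixed seed keeps the sample reproducible
    return base64.encodebytes(bytes(rng.getrandbits(8) for _ in range(size)))

if __name__ == "__main__":
    for name, data in (("log", sample_log()), ("base64", sample_blob())):
        print(f"{name:7} entropy={shannon_entropy(data):.2f} "
              f"ratio={compression_ratio(data):.2f} blob={looks_like_blob(data)}")
```

Pastes below `MIN_CHECK_SIZE` are always accepted here, so a server using a check like this would still need a size or rate limit to stop a file being split into many small pastes.
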

On Tue, 16 Apr 2024 at 08:44, Stéphane Graber <stgraber@stgraber.org> wrote:
>
> On Mon, Apr 15, 2024 at 4:14 PM Steve Langasek
> <steve.langasek@ubuntu.com> wrote:
> >
> > On Mon, Apr 15, 2024 at 04:48:17PM +0100, Robie Basak wrote:
> > > Prior to Noble, the pastebinit command defaulted to paste.ubuntu.com. In
> > > Noble, this has changed to dpaste.com due to an upstream change[1].
> >
> > > What do Ubuntu developers think the default should be? If it should
> > > remain paste.ubuntu.com, we can ask upstream to change it back, or add a
> > > delta for now.
> >
> > > Reason to keep it dpaste.com:
> >
> > > People have complained that the login requirement makes it unusable for
> > > helping Ubuntu users at large who don't necessarily have an Ubuntu SSO
> > > account.
> >
> > > Reason to keep it paste.ubuntu.com:
> >
> > > I'm not keen on relying on third party services when not necessary,
> > > especially ad-supported ones. I have no reason to distrust the current
> > > operator, but in general, these things tend to go wrong sooner or later.
> >
> > > There was more discussion on IRC[2].
> >
> > > [1] https://github.com/pastebinit/pastebinit/commit/5c668fb3ed9b4a103eb22b16e603050a539951e0
> > > [2] https://irclogs.ubuntu.com/2024/04/15/%23ubuntu-devel.html#t14:17
> >
> > I was not pleased to see the switch to dpaste.com. I've found that it's
> > pretty unusable on mobile, and I don't like this pointing to a service we
> > don't control.
> >
> > And if there are issues with the usability of paste.ubuntu.com, uh, we own
> > that service? So let's work with our IS team to make it fit for purpose.
> > (I don't know why it currently requires a login to *view* paste contents;
> > that seems straightforwardly a bug that we should just get sorted.)
>
> That's because pastebin servers are frequently abused as a way to get
> free mass storage.
>
> It's not very practical to require login to post to a pastebin as the
> whole point is for a tool like "pastebinit" to work without needing
> user configuration as it's commonly used as a debug tool on cloud
> instances and other random servers rather than a user's personal
> system.
>
> With that in mind, a bunch of folks noticed that you could abuse a
> service like paste.ubuntu.com by pushing large files (base64 encoded
> or the like) and then retrieve them with a very trivial amount of html
> parsing (if no raw option is offered directly).
>
>
> There are obviously alternatives to this, but they tend to require a
> bunch more server side logic, basically trying to find the right set
> of restrictions to both poster and reader so that legitimate users can
> use the service normally while abusers get sufficiently annoyed to
> stay away from it.
>
> > --
> > Steve Langasek Give me a lever long enough and a Free OS
> > Debian Developer to set it on, and I can move the world.
> > Ubuntu Developer https://www.debian.org/
> > slangasek@ubuntu.com vorlon@debian.org
> > --
> > ubuntu-devel mailing list
> > ubuntu-devel@lists.ubuntu.com
> > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
>
>
>
> --
> Stéphane