Re: [bug-buddy]: Custom scripts for your application



On Wed, Nov 29, 2006 at 06:48:30PM -0600, Brian Cameron wrote:
> It sounds like a cool idea, but I always worry about code that
> "automagically" runs code in the background without the user being
> aware of what is going on.  Especially when desktop files can
> be added to the system by installing random packages found on the
> internet.

If you install a random package found on the Internet, IMO Bug-Buddy is
the least of your worries.

> Isn't it possible to install .desktop files in the user's $HOME
> directory?  If someone were to trick a user into installing a
> .desktop file with a script that does something malicious, is there
> anything to protect the user from the malicious thing happening the
> next time the program corresponding to the desktop file crashes?

Bug-Buddy especially ignores .desktop files in the $HOME directory. This
wasn't actually done as a security issue, just that the system .desktop
file usually is the only one to contain the special Bugzilla headers.

> Since .desktop files can be shipped by 3rd parties, is there any
> are there any privacy issues about collecting information and forwarding
> it along to a bug database?  For example, core files might contain passwords,
> so might not be appropriate to forward as an attachment to a public
> database.  Will there be any way for the end user to control what
> sorts of data can be collected and forwarded with a bug report?

You can see what is collected beforehand.

> > Hi, after reading Federico's mail[1] I added that feature to bug-buddy.
> > 
> > Now if you add to your application .desktop file the field:
> >  X-GNOME-Bugzilla-ExtraInfoScript=myscript
> > 
> > that script will be executed during bug-buddy info collecting and its
> > output will be appended to the report.

I fear that someone will dump loads of info using such a script. Please
let's make an attachment out of that info. This would also make it far
easier to hide just an attachment.

-- 
Regards,
Olav
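
An audit sketch for the field discussed in this thread, added here as an example and not code from Bug-Buddy or from any poster: it lists every .desktop file that sets X-GNOME-Bugzilla-ExtraInfoScript and marks the ones under the user's home directory or writable by anyone. The function names, the directories passed in and the sample file are assumptions made for the example.

```python
import os
import tempfile

KEY = "X-GNOME-Bugzilla-ExtraInfoScript"  # field name quoted in the mail above

# Constructed sample .desktop content (not from a real package).
SAMPLE = "[Desktop Entry]\nName=Demo\nExec=demo\n" + KEY + "=myscript\n"

def extra_info_script(desktop_text):
    """Return the script named in the [Desktop Entry] group, or None."""
    in_entry = False
    for raw in desktop_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_entry = line == "[Desktop Entry]"
        elif in_entry and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == KEY:
                return value.strip()
    return None

def audit(dirs, home):
    """List every .desktop file under dirs that names an extra-info script."""
    home = os.path.realpath(home)
    findings = []
    for top in dirs:
        for root, _, files in os.walk(top):
            for name in sorted(f for f in files if f.endswith(".desktop")):
                path = os.path.realpath(os.path.join(root, name))
                with open(path, encoding="utf-8", errors="replace") as fh:
                    script = extra_info_script(fh.read())
                if script is not None:
                    findings.append({
                        "file": path,
                        "script": script,
                        # user-writable location: the case raised in the thread
                        "under_home": os.path.commonpath([path, home]) == home,
                        "world_writable": bool(os.stat(path).st_mode & 0o002),
                    })
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for real directories
        with open(os.path.join(tmp, "demo.desktop"), "w") as fh:
            fh.write(SAMPLE)
        for finding in audit([tmp], home=tmp):
            print(finding)
```

Pass the system application directories and the per-user one as `dirs`; which directories those are on a given system is left to the caller.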


