Re: [bug-buddy]: Custom scripts for your application
- From: Olav Vitters <olav bkor dhs org>
- To: Brian Cameron <Brian Cameron Sun COM>
- Cc: desktop-devel-list gnome org
- Subject: Re: [bug-buddy]: Custom scripts for your application
- Date: Thu, 30 Nov 2006 20:07:06 +0100

On Thu, Nov 30, 2006 at 12:11:57PM -0600, Brian Cameron wrote:
>
> Olav:
>
> >> Isn't it possible to install .desktop files in the user's $HOME
> >> directory? If someone were to trick a user into installing a
> >> .desktop file with a script that does something malicious, is there
> >> anything to protect the user from the malicious thing happening the
> >> next time the program corresponding to the desktop file crashes?
> >
> > Bug-Buddy especially ignores .desktop files in the $HOME directory. This
> > wasn't actually done as a security issue, just that the system .desktop
> > file usually is the only one to contain the special Bugzilla headers.
>
> Perhaps a decision about how it should work should be made and
> documented so people understand how it is intended to work?

How what should work? Bug-Buddy or the bug-buddy info in the .desktop
files?

> >> Since .desktop files can be shipped by 3rd parties, is there any
> >> privacy issues about collecting information and forwarding it along
> >> to a bug database. For example, core files might contain passwords,
> >> so might not be appropriate to forward as an attachment to a public
> >> database. Will there be any way for the end user to control what
> >> sorts of data can be collected and forwarded with a bug report?
> >
> > You can see what is collected beforehand.
>
> I'd think it would be nice to completely turn off this feature if the
> user doesn't want data collected on their machine to be forwarded
> externally.

Maybe, I'm not sure. I'd rather have some design thing that prevents the
script from including too much information. The developer should be
strongly encouraged not to collect too much 'crap'.

The added information should be so vital that bugsquad would mark the
bugreport 'NEEDINFO' without it. Meaning that if a user doesn't want to
report that information with the bugreport, the bugreport is useless
(and so I do not want an incomplete one -- meaning some option).

It is probably a good idea to notify the user (without a dialog box)
that more information was collected than usual.

--
Regards,
Olav