Re: String additions to 'gdm2.gnome-2-20'
- From: Claude Paroz <claude 2xlibre net>
- To: Brian Cameron <Brian Cameron Sun COM>
- Cc: gnome-i18n gnome org
- Subject: Re: String additions to 'gdm2.gnome-2-20'
- Date: Wed, 10 Oct 2007 23:50:46 +0200
Brian, thanks for your thorough explanation.
I tend to approve this, because I know that most other programs don't
translate debug messages and it wouldn't be fair to disadvantage you for
Formally, we need a second approval though.
And please, next time ask before committing!
Le mercredi 10 octobre 2007 �2:36 -0500, Brian Cameron a �it :
> Apologies for breaking string freeze in GDM 2.20. However, I think that
> this change is acceptable for the following reasons, mainly reason #2
> which is a security issue. I think, in this case, security trumps
> translation. However, I do recognize that I should have sent an email
> to the gnome-i18n list to let people know about this change. Sorry for
> not doing that.
> 1) These strings are in debug messages, which are only used when debug
> is turned on. These debug messages are sent to the system log
> (/var/log/messages or /var/adm/messages depending on your OS).
> I am not sure it really adds value to even translate such debug
> messages anyway. When people provide debug logs to bugzilla, etc.
> translated messages can make it harder for the people who maintain
> GDM, who typically speak English, to help debug the problem.
> 2) These messages replaced older messages which included the login user
> in the message. Bugzilla bug #484750 pointed out that if a user
> were to, by accident, type their password into the username field
> that this would cause their password to get logged to syslog, which
> we should avoid doing ever.
> 3) These debug messages are only used when the user configures GDM
> to use crypt or shadow passwords, which are not typically used.
> Most users use PAM. So these messages only affect a small number
> of GDM users. The commonly used PAM code is smarter about not ever
> logging the username to the system log.
> I recommend that we not worry about whether these debug messages are
> translated. Or, I can change these strings so they aren't marked for
> translation if that makes things easier. As I said, I don't think it
> adds any significant value to translate these messages. Or, I could
> remove the messages completely from the code if people think that is
> a better choice.
> Since this affects security, it might also make sense to backport
> a similar change to older GDM releases. I'm not sure if there are
> distros/people out there who configure/use older versions of GDM with
> shadow/crypt passwords. If so, let me know and I can make a release
> of older versions of GDM's with this security issue fixed.
> Please advise if you think further work is needed to fix this issue
> The GDM documentation recommends that people not leave on debug, and
> I would like to further stress that users who have configured GDM
> to use shadow/crypt passwords should ensure that they have debug
> turned off to avoid this sort of problem. Debug is only intended to
> be used briefly when trying to figure out why GDM may not be
> functioning properly.
> > Le mercredi 10 octobre 2007 �1:19 +0100, GNOME Status Pages a �it :
> >> This is an automatic notification from status generation scripts on:
> >> http://l10n.gnome.org/.
> >> There have been following string additions to module 'gdm2.gnome-2-20':
> >> + "Cannot get passwd structure for user"
> >> + "Cannot get passwd structure"
> >> + "Cannot set user group"
> >> + "User not allowed to log in"
> >> + "User password has expired"
> >> Note that this doesn't directly indicate a string freeze break, but it
> >> might be worth investigating.
> > Hi Brian,
> > This seems to be clearly a string freeze breakage (from verify-crypt.c).
> > Could you please revert the changes, and explains to the list why you
> > think this should really go into gnome-2-20 branch?
> > Regards,
> > Claude
] [Thread Prev