<div>To quote Andrea Corbellini on the bug you linked us to:</div>
<div> </div>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">Bug reports created by Apport may contain a variety of sensible information -- from user names to credit card numbers. If you think that ProcMaps.txt is leaking private information, then don't look at the other files! </blockquote>
<div> </div>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">Well, jokes apart, all potentially sensible information uploaded is always secured and reviewed by experienced and competent people. When real sensible information is found, it is removed before a bug report is made public. There are well-established procedures used to deal with such cases.</blockquote>
<div> </div>
<div>These competent people are a small subgroup of people who can see bugs. These bugs are screened for private information such as user names or credit card numbers. Before those bugs get set as publicly visible, members of the teams who can see those private bugs screen the information for such private data, and either remove the file or handle it accordingly. Thus far, I've not witnessed any breaches in this.</div>
<div> </div>
<div>There have been crash bugs on other applications and packages (which I have personally triaged or reviewed, as a member of that package's upstream team or as a member of BugControl), and sometimes this "private information" is included in crash stack traces for Python programs. Since for the package I referred to only BugControl can see the private information, what I did in that particular instance was obfuscate that information by replacing the user name with 'IAmATeapot' or some other random name that does not exist, thereby obfuscating the information (and of course removing the original file uploaded by Apport), long before setting the bug as a public security bug.</div>
<div> </div>
<div> </div>
<div>If I may ask, Fred, why, personally, would you want that information purged, other than "Oh, my user name is in there"? Generally speaking, if your username is there, but you don't have, say, an SSH server running, or a DMZ'd system with no firewall protection or other form of protection, or are intentionally not hardening your system, disclosing your username is not **too** much of a threat.</div>
<div> </div>
<div> </div>
<div>-------</div>
<div>Thomas Ward</div>
<div>LPID: trekcaptainusa-tw</div>
<div>Ubuntu BugSquad Member</div>
<div><br></div>
<div class="gmail_quote">On Thu, Jul 26, 2012 at 12:39 PM, Fred . <span dir="ltr">&lt;<a href="mailto:eldmannen@gmail.com" target="_blank">eldmannen@gmail.com</a>&gt;</span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote"><a href="https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1029189" target="_blank">https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1029189</a><br>
<br>The ProcMaps.txt file that gets uploaded to Launchpad may contain<br>private information such as username that can be obtained from the<br>path of the home directory.<br><br>7fbd44c33000-7fbd44c34000 r--s 00000000 08:01 1306557<br>
/home/alice/.local/share/mime/mime.cache<br><br>I propose scrubbing/anonymizing the username.<br><span class="HOEnZb"><font color="#888888"><br>--<br>Ubuntu-bugsquad mailing list<br><a href="mailto:Ubuntu-bugsquad@lists.ubuntu.com">Ubuntu-bugsquad@lists.ubuntu.com</a><br>
<a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugsquad" target="_blank">https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugsquad</a><br></font></span></blockquote></div><br>
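<div>An added example, not part of the original thread and not Apport's own code: one way the scrubbing proposed above could work on ProcMaps-style text, replacing each user name with a stable placeholder. It assumes home directories live under /home; the function names and all sample lines except the first (taken from the thread) are constructed.</div>

```python
import re

# Assumption: home directories live under /home/<user>/ (not true on every system).
HOME_RE = re.compile(r"/home/([^/\s]+)")

# Constructed sample; only the first mapping line comes from the thread.
SAMPLE = """\
7fbd44c33000-7fbd44c34000 r--s 00000000 08:01 1306557 /home/alice/.local/share/mime/mime.cache
7fbd44e00000-7fbd44e21000 r-xp 00000000 08:01 131099 /lib/x86_64-linux-gnu/ld-2.15.so
7fbd45000000-7fbd45001000 rw-s 00000000 00:11 4242 /tmp/alice-cache/malice.db (deleted)
7fbd45200000-7fbd45201000 r--p 00000000 08:01 99 /home/bob/lib/plugin.so
"""


def find_usernames(text):
    """Collect user names seen as /home/<name> path components, in first-seen order."""
    seen = []
    for name in HOME_RE.findall(text):
        if name not in seen:
            seen.append(name)
    return seen


def scrub(text):
    """Replace each discovered user name with a placeholder (user1, user2, ...).

    The name is replaced wherever it appears as a whole token, not only after
    /home/, because crash data often repeats it (for example /tmp/alice-cache).
    Returns (scrubbed_text, mapping) so a triager can review what was changed.
    """
    mapping = {name: f"user{i}" for i, name in enumerate(find_usernames(text), 1)}
    if not mapping:
        return text, mapping
    # Longest first so a name like "alice-smith" wins over "alice".
    names = sorted(mapping, key=len, reverse=True)
    # Lookarounds keep "alice" from matching inside "malice" or "alice2".
    token = re.compile(
        r"(?<![A-Za-z0-9_])(" + "|".join(map(re.escape, names)) + r")(?![A-Za-z0-9_])"
    )
    return token.sub(lambda m: mapping[m.group(1)], text), mapping


if __name__ == "__main__":
    scrubbed, names = scrub(SAMPLE)
    print(names)
    print(scrubbed)
```

<div>A user name that is also an ordinary word (for example "lib") would be replaced everywhere it appears as a token, so the returned mapping should be checked before the scrubbed text is trusted.</div>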