pastebinit default target on Ubuntu
Michael Hudson-Doyle
michael.hudson at canonical.com
Tue Apr 16 05:54:47 UTC 2024
On Tue, 16 Apr 2024 at 14:37, Steve Langasek <steve.langasek at ubuntu.com> wrote:
> On Mon, Apr 15, 2024 at 04:42:37PM -0400, Stéphane Graber wrote:
> > > And if there are issues with the usability of paste.ubuntu.com, uh, we own
> > > that service? So let's work with our IS team to make it fit for purpose.
> > > (I don't know why it currently requires a login to *view* paste contents;
> > > that seems straightforwardly a bug that we should just get sorted.)
>
> > That's because pastebin servers are frequently abused as a way to get
> > free mass storage.
>
> > It's not very practical to require login to post to a pastebin as the
> > whole point is for a tool like "pastebinit" to work without needing
> > user configuration as it's commonly used as a debug tool on cloud
> > instances and other random servers rather than a user's personal
> > system.
>
> > With that in mind, a bunch of folks noticed that you could abuse a
> > service like paste.ubuntu.com by pushing large files (base64 encoded
> > or the like) and then retrieve them with a very trivial amount of html
> > parsing (if no raw option is offered directly).
>
> > There are obviously alternatives to this, but they tend to require a
> > bunch more server side logic, basically trying to find the right set
> > of restrictions to both poster and reader so that legitimate users can
> > use the service normally while abusers get sufficiently annoyed to
> > stay away from it.
>
> The current behavior of paste.ubuntu.com, and what I assumed was the driver
> for moving away from this as a default, was that it requires a login to VIEW
> the contents of the pastebin. AFAICS this is not justifiable on the basis
> of preventing abuse with illicit/illegal pastes, that's already addressed by
> requiring login on the submission side.
>
I think the current behaviour is to require login for at least one of
submission or view, so a paste created while logged in can be viewed
anonymously and a paste created anonymously (e.g. by pastebinit, which I
don't think supports logging in?) requires a login to view.
Cheers,
mwh