On Mon, Apr 15, 2024 at 04:42:37PM -0400, Stéphane Graber wrote:
> > And if there are issues with the usability of paste.ubuntu.com, uh, we own
> > that service? So let's work with our IS team to make it fit for purpose.
> > (I don't know why it currently requires a login to *view* paste contents;
> > that seems straightforwardly a bug that we should just get sorted.)

> That's because pastebin servers are frequently abused as a way to get
> free mass storage.
>
> It's not very practical to require login to post to a pastebin as the
> whole point is for a tool like "pastebinit" to work without needing
> user configuration as it's commonly used as a debug tool on cloud
> instances and other random servers random than a user's personal
> system.
>
> With that in mind, a bunch of folks noticed that you could abuse a
> service like paste.ubuntu.com by pushing large files (base64 encoded
> or the like) and then retrieve them with a very trivial amount of html
> parsing (if no raw option is offered directly).
>
> There are obviously alternatives to this, but they tend to require a
> bunch more server side logic, basically trying to find the right set
> of restrictions to both poster and reader so that legitimate users can
> use the service normally while abusers get sufficiently annoyed to
> stay away from it.

The current behavior of paste.ubuntu.com, and what I assumed was the driver
for moving away from this as a default, was that it requires a login to VIEW
the contents of the pastebin. AFAICS this is not justifiable on the basis of
preventing abuse with illicit/illegal pastes, that's already addressed by
requiring login on the submission side.

If requiring authentication on the SUBMISSION side is sufficient reason to
change the default pastebin, then that of course isn't something we should
second-guess; we don't need to be reinvesting anonymous ftp servers. But in
that case, I think there should have been a discussion about who the default
behavior is for, because for my part it makes the default behavior much
worse.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel