First off, thank you very much for the review!

On Thu, Mar 26, 2015 at 7:48 PM, Timo Juhani Lindfors
<timo.lindf...@iki.fi> wrote:
> Eugene Zhukov <jevgeni...@gmail.com> writes:
>> Would anyone be interested in sponsoring its client package:
>> https://bugs.debian.org/780096
>
> Some comments:
>
> 1) does dy.fi really require you to send the password in an unencrypted
> HTTP request?
>
Yes, that's the upstream implementation (a very old one though).

> 2) Does the service really need to run as root?
>
No, and this is even mentioned in the upstream readme. It needs to create
a pid file though. Any hint/pointer on how to change the packaging to
not run it as root?

> 3) Doesn't
>
> db_get dyfi/password
> sed -i "s/^Password.*/Password $RET/" /etc/dyfi-update.conf
>
> in debian/postinst let all local users see the password if they type
> "ps axuf" at the right moment?
Probably, but do I need to care about that? The targeted audience of
the service is home or small office, I assume.
Thanks for looking at this from the security perspective!

Eugene
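
On point 3, as an added example that is not part of the original message or the package: the sed call expands $RET into sed's argument list, which is what a process listing shows while it runs. The sketch below rewrites the Password line using only shell builtins; the helper name set_conf_password and the 0600 file mode are assumptions.

```shell
#!/bin/sh
# Added example (not from the dyfi-update package).
# set_conf_password is a hypothetical helper: $1 = config path, $2 = password.
# Intended use in debian/postinst, after the debconf module is loaded:
#     db_get dyfi/password
#     set_conf_password /etc/dyfi-update.conf "$RET"
# Calling a shell function does not exec a new process, so the secret never
# appears in any argv that "ps" could display.
set_conf_password() {
    conf=$1
    secret=$2
    # mktemp creates the file with mode 0600; same directory so mv is atomic.
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    # read, case and printf are builtins in dash and bash (Debian's /bin/sh).
    # Unlike a sed replacement string, printf '%s' also copies characters
    # such as "/", "&" and "\" in the password verbatim.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            Password*)
                # Same match as the sed pattern ^Password.*
                printf 'Password %s\n' "$secret"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$conf" > "$tmp"
    # Assumption: the config holds a secret and should not be world-readable.
    # Adjust owner/group here if the daemon is changed to run as non-root.
    chmod 600 "$tmp"
    mv "$tmp" "$conf"
}
```
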

