Package: gbrowse
Version: 2.54+dfsg-7
Severity: normal
Tags: security
User: reproducible-bui...@lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org
Hi,

gbrowse ships an OpenID consumer secret in /usr/share/perl5/GBrowse/ConfigData.pm:

    {
        'OpenIDConsumerSecret' => '639098210478536',
        'cgibin'               => '/usr/lib/cgi-bin/gbrowse',
        'conf'                 => '/etc/gbrowse',
        'config_done'          => 1,
        'databases'            => '/var/lib/gbrowse/databases',
        'htdocs'               => '/usr/share/gbrowse/htdocs',
        'installetc'           => 'y',
        'persistent'           => '/var/lib/gbrowse',
        'registration_done'    => '1',
        'tmp'                  => '/var/cache/gbrowse'
    },

The number is randomly generated at build time, meaning that everyone installing that particular .deb gets the same "secret". The security implications of this should be obvious, hence the tag.

(In addition, it also means the package is not reproducible.)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
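For illustration, here is one way a package could avoid the problem described in the report: generate the secret on the installed system (for example from a postinst maintainer script) rather than at build time, so that every installation ends up with its own value. This is an added example, not gbrowse's or Debian's own code; the secret file path and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: per-installation secret generation instead of a build-time
# constant. Not part of gbrowse; the file path is an assumption.

# ensure_secret FILE
# Creates FILE with a fresh 256-bit hex secret (mode 0600) if it does not
# already exist, then prints the secret. Idempotent: re-running on an
# existing install keeps the secret stable, so upgrades do not rotate it.
ensure_secret() {
    file=$1
    if [ ! -s "$file" ]; then
        # umask inside a subshell so the file is private from the moment
        # it is created; there is no window where it is world-readable.
        (
            umask 077
            head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$file"
        ) || return 1
    fi
    cat "$file"
}

# secrets_differ FILE1 FILE2
# The property the bug report is about: two installations must not share
# a secret. Returns 0 (true) when the two files hold different values.
secrets_differ() {
    [ "$(cat "$1")" != "$(cat "$2")" ]
}

# Example use, as a postinst "configure" step would do it (path assumed):
# ensure_secret /etc/gbrowse/openid_consumer_secret >/dev/null
```

Because the value is created when the package is configured and never written into the .deb, the package also becomes reproducible, addressing the second point in the report.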