On Tue, Mar 12, 2019 at 09:59:04AM +0100, Martin Steigerwald wrote:
> Didier Kryn - 12.03.19, 09:48:
> > On 11/03/2019 at 19:33, KatolaZ wrote:
> > > guys, anything using dbus will most probably (indirectly) access
> > > /var/lib/dbus/machine-id at some point in time, since that file is
> > > read when attempting to send a message via dbus.
> >
> > It's most certainly as simple as that.
> >
> > The question is why the hell does a web browser need to attach to
> > Dbus? This question is pure rant because I won't be satisfied by any
> > answer.
>
> For me it would be more important to see what DBUS, aka libdbus, is
> actually doing with the machine id.
>
> Thus I second the recommendation of KatolaZ to look at its source code.
>

Martin, AFAIU it's used just to make sure that a dbus call originates
from a process on the same machine as the receiver. But, please, audit
the code if you have time for that, and report any misbehaviour.

We have also implemented a fix in dbus that re-generates
/var/lib/dbus/machine-id at each reboot (although I think it's not
necessary).

I think that any leak in dbus would have been found by now (dbus has
been around for several years), but I might be proven wrong. The code
is free software, available and distributed under GNU GPL2+ (and also
under Academic Free License 2.1). Literally anybody can read it.

But please, let's stop shooting in the dark.

My2Cents

KatolaZ

-- 
[ ~.,_ Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab ]
[ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ]
[ @) http://kalos.mine.nu --- Devuan GNU + Linux User ]
[ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ]
[ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ]
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
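
One way to check on a running system the per-reboot regeneration of /var/lib/dbus/machine-id mentioned in the message above, as an added example that is not part of the original thread or of Devuan's dbus package. The function names are hypothetical, GNU `stat` and Linux `/proc/stat` are assumed, and treating the file's modification time as evidence of regeneration is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: audit the D-Bus machine-id file named in the thread.
# Assumes GNU coreutils (stat -L -c) and a Linux /proc/stat.

# Succeeds if FILE holds exactly 32 hex digits (the D-Bus UUID format).
machine_id_valid() {
    [ -f "$1" ] || return 1
    id=$(cat "$1")                      # trailing newline is stripped
    case "$id" in
        *[!0-9a-fA-F]*) return 1 ;;     # any other byte, incl. newline
    esac
    [ "${#id}" -eq 32 ]
}

# Prints the boot time in epoch seconds (btime line of /proc/stat).
boot_epoch() { awk '$1 == "btime" { print $2 }' /proc/stat; }

# Succeeds if FILE was last modified at or after BOOT (epoch seconds).
# -L follows a symlink, e.g. when the file points at /etc/machine-id.
regenerated_since() {
    [ "$(stat -L -c %Y "$2")" -ge "$1" ]
}

# Prints one verdict for FILE given BOOT: missing, malformed, stale, fresh.
audit_machine_id() {
    file=$1
    boot=$2
    [ -e "$file" ] || { echo missing; return; }
    machine_id_valid "$file" || { echo malformed; return; }
    if regenerated_since "$boot" "$file"; then
        echo fresh      # written during the current boot
    else
        echo stale      # older than the current boot: id survived a reboot
    fi
}

# Audit the live system only when asked to, so sourcing has no side effects.
if [ "${1:-}" = "--live" ]; then
    audit_machine_id /var/lib/dbus/machine-id "$(boot_epoch)"
fi
```

A `stale` verdict means the same identifier has persisted across at least one reboot; the script only reads metadata and never prints the id itself.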