Package: udev
Version: 254~rc2-3
Severity: normal
X-Debbugs-Cc: m...@bues.ch

Dear Maintainer,

when reporting a udev bug via reportbug, the tool auto-attaches the complete udev database dump to the report. That came as a complete surprise to me. I didn't see any mention of that in the report process. Nor was there a way to prevent the attachment.

I think auto-attaching the complete udev database is a confidentiality problem. The udev database might contain sensitive information that the reporter did not want to disclose to the public internet. Think of LUKS DM names, for example. The reporter is free to choose any name for them. The reporter might not have thought about the fact that the name can end up being posted to the public internet when they chose a name for the DM device.

Besides that, the udev database is a very large fingerprint of the hardware that the user uses. By posting the udev database to the public internet, that hardware is permanently associated with the reporter's name. That may be a problem. Think of illegal things being done with the hardware after the original reporter sold the hardware to somebody else. Please also keep in mind that not all Debian users live in free countries with free speech. Associating hardware with people might be a major threat to people in such countries. Think of plausible deniability of ownership, for example.

Therefore, my suggestion is:
- Please make the posting of the udev database optional.
- Also, please make it obvious that the complete database is posted during the process, if the option is chosen. And explain to the reporter what that database contains.
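The two requests above (show the reporter what the dump contains, and let them withhold it) can be prototyped as a pre-attachment filter over a `udevadm info --export-db` style dump. This is an added example, not code from reportbug or the Debian systemd packaging; the set of sensitive property keys and symlink directories is this example's own assumption, and the sample dump is constructed.

```python
# Hypothetical filter over a `udevadm info --export-db` dump (record lines
# "P: path", "N: name", "S: symlink", "E: KEY=VALUE"; blank line between records).
SENSITIVE_KEYS = {  # assumed list: unique ids and user-chosen names
    "DM_NAME", "DM_UUID", "ID_SERIAL", "ID_SERIAL_SHORT", "ID_WWN",
    "ID_FS_UUID", "ID_FS_UUID_ENC", "ID_FS_LABEL", "ID_FS_LABEL_ENC",
    "ID_PART_TABLE_UUID", "ID_PART_ENTRY_UUID", "ID_NET_NAME_MAC",
}
SENSITIVE_LINK_DIRS = ("mapper/", "disk/by-id/", "disk/by-uuid/", "disk/by-label/")

# Constructed sample dump, not taken from a real machine.
SAMPLE_DUMP = """\
P: /devices/virtual/block/dm-0
N: dm-0
S: mapper/secret-laptop-root
E: DEVNAME=/dev/dm-0
E: DM_NAME=secret-laptop-root
E: ID_FS_UUID=1b2c3d4e-0000-1111-2222-333344445555
E: ID_FS_TYPE=ext4

P: /devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda
N: sda
E: ID_MODEL=ExampleDisk
E: ID_SERIAL=ExampleDisk_XYZ123456789
"""

def disclosed_identifiers(dump):
    """(key, value) pairs the reporter would publish if the dump went out as-is."""
    found = []
    for line in dump.splitlines():
        if line.startswith("E: "):
            key, sep, value = line[3:].partition("=")
            if sep and key in SENSITIVE_KEYS:
                found.append((key, value))
    return found

def redact_udev_db(dump):
    """Blank sensitive values and symlink names; keep paths and generic keys."""
    out = []
    for line in dump.splitlines():
        if line.startswith("E: "):
            key, sep, _ = line[3:].partition("=")
            if sep and key in SENSITIVE_KEYS:
                line = f"E: {key}=<redacted>"
        elif line.startswith("S: "):
            for d in SENSITIVE_LINK_DIRS:
                if line[3:].startswith(d):
                    line = f"S: {d}<redacted>"
                    break
        out.append(line)
    return "\n".join(out) + "\n"
```

Showing `disclosed_identifiers()` output before attaching, and offering `redact_udev_db()` output as the alternative attachment, keeps the debugging-relevant structure while dropping the values that fingerprint the machine or its owner.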
I posted an MR here: https://salsa.debian.org/systemd-team/systemd/-/merge_requests/207

The default is to include the information. If you have suggestions on the wording, please follow up in the MR.
Regards, Michael