[Bug 42686] Re: audioscrobbler password saved configuration file
Alright, here is the patch I came up with (also sent upstream). It seems to work in that new passwords are stored as md5 and existing plaintext ones are converted, and tracks are successfully sent to last.fm. Daniel, you seem to have some experience in this area, any hints for a first time contributor? Should I attempt to get a PPA up to ease testing? Or what is the next step? ** Attachment added: "rhythmbox-md5passwd-2.patch" http://launchpadlibrarian.net/18042379/rhythmbox-md5passwd-2.patch ** Changed in: rhythmbox (Ubuntu) Status: In Progress => Confirmed ** Summary changed: - audioscrobbler password saved configuration file + audioscrobbler password saved as plaintext in gconf ** Description changed: When saving a password for audioscrobbler, it is saved in .gconf unencoded. It appears in /home/kevinly/.gconf/apps/rhythmbox/audioscrobbler/%gconf.xml I realize that you should use different password for different websites, but some may inadvertantly set the user's (and thus su) password for their audioscrobbler password. + + A better option would be to store the md5 of the password instead since + that is all last.fm requires for authorization. An optimal solution may + be to use gnome-keyring instead of gconf. -- audioscrobbler password saved as plaintext in gconf https://bugs.launchpad.net/bugs/42686 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 42686] Re: audioscrobbler password saved configuration file
Five chunks of the patch failed (it looks like there has been some rework/updating in the plugin since this patch was made), so I had to do some of it by hand, making a guess or two at behavior. I am going to try compiling the new plugin and seeing if it works, and/or submitting it upstream for a review. ** Changed in: rhythmbox (Ubuntu) Assignee: Ubuntu Desktop Bugs (desktop-bugs) => Mike Rooney (michael) Status: Confirmed => In Progress -- audioscrobbler password saved configuration file https://bugs.launchpad.net/bugs/42686 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 42686] Re: audioscrobbler password saved configuration file
On Thu, Sep 11, 2008 at 1:49 AM, Daniel T Chen <[EMAIL PROTECTED]> wrote: > @Mike any movement on the patch? Thanks for the reminder Daniel, I'll take another look at it for Intrepid. -- audioscrobbler password saved configuration file https://bugs.launchpad.net/bugs/42686 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 42686] Re: audioscrobbler password saved configuration file
@Mike any movement on the patch? -- audioscrobbler password saved configuration file https://bugs.launchpad.net/bugs/42686 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 42686] Re: audioscrobbler password saved configuration file
Actually, this would be a good project for me, in order to learn how to do these sorts of things, so I will attempt to get a package up with the md5 patch in the next day or two. -- audioscrobbler password saved configuration file https://bugs.launchpad.net/bugs/42686 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 42686] Re: audioscrobbler password saved configuration file
Okay, after reading the upstream bug, the idea of using the md5 is being criticized because you can still log into the site. First, Jonas claims this isn't even true. Second, as others have mentioned, people might be using the same password for another site and as such compromising this password could be a serious issue. I would recommend applying the patch provided upstream (against 11.2, I would guess it would apply to 11.5 with proper offsets) to store the md5 instead of the password. This would at least reduce the issue. Then it should also be stored in gnome-keyring but the issue wouldn't be as immediate IMO. Can anyone attempt to apply the patch and give us access to a test package via PPA? -- audioscrobbler password saved configuration file https://bugs.launchpad.net/bugs/42686 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 42686] Re: audioscrobbler password saved configuration file
You technically only need to store md5sum of the password, since that's all that's needed to perform a handshake with last.fm servers... That md5 sum still ought to be stored in gnome keyring, since it could be used by anyone to scrobble/listen to users account... However md5 sum cannot be used to login to the last.fm website... -- audioscrobbler password saved configuration file https://bugs.launchpad.net/bugs/42686 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 42686] Re: audioscrobbler password saved configuration file
** Changed in: rhythmbox (upstream) Status: Unknown => Unconfirmed -- audioscrobbler password saved configuration file https://launchpad.net/bugs/42686 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 42686] Re: audioscrobbler password saved configuration file
Thank you for your bug. That's known upstream: http://bugzilla.gnome.org/show_bug.cgi?id=349132 ** Changed in: rhythmbox (Ubuntu) Assignee: (unassigned) => Ubuntu Desktop Bugs Status: Unconfirmed => Confirmed ** Bug watch added: GNOME Bug Tracker #349132 http://bugzilla.gnome.org/show_bug.cgi?id=349132 ** Also affects: rhythmbox (upstream) via http://bugzilla.gnome.org/show_bug.cgi?id=349132 Importance: Unknown Status: Unknown -- audioscrobbler password saved configuration file https://launchpad.net/bugs/42686 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 42686] Re: audioscrobbler password saved configuration file
Agreed, rhythmbox should use the gnome keyring to store passwords. ** Visibility changed to: Public ** This bug is no longer flagged as a security issue ** This bug has been flagged as a security issue -- audioscrobbler password saved configuration file https://launchpad.net/bugs/42686 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs