Debian Bug report logs - #480860
popularity-contest should encrypt contents

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Sheridan Hutchinson <Sheridan@Shezza.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: popularity-contest should encrypt contents

Date: Mon, 12 May 2008 13:31:07 +0100

Package: popularity-contest
Severity: wishlist

Sadly, due to concerns about traffic eavesdropping I've decided to 
remove popularity-contest from the machines that I administrate as 
personally I feel it leaks too much information about the make-up of a 
system (just my personal, paranoid viewpoint!)

If however in the future versions of popcon the contents could be 
encrypted prior sending (which will also compress everything) then I'll 
be happy to re-install this package in the first instance.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages popularity-contest depends on:
ii  debconf [debconf-2.0]         1.5.21     Debian configuration management sy
ii  dpkg                          1.14.18    package maintenance system for Deb

Versions of packages popularity-contest recommends:
ii  cron                          3.0pl1-104 management of regular background p
ii  exim4                         4.69-2     meta-package to ease Exim MTA (v4)
ii  exim4-daemon-light [mail-tran 4.69-2+b1  lightweight Exim MTA (v4) daemon
pn  mime-construct                <none>     (no description available)

Message #10 received at 480860@bugs.debian.org (full text, mbox, reply):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>

To: Sheridan Hutchinson <Sheridan@Shezza.org>, 480860@bugs.debian.org

Subject: Re: [Popcon-developers] Bug#480860: popularity-contest should encrypt contents

Date: Thu, 19 Feb 2009 19:31:49 +0100

On Mon, May 12, 2008 at 01:31:07PM +0100, Sheridan Hutchinson wrote:
> Package: popularity-contest
> Severity: wishlist
> 
> Sadly, due to concerns about traffic eavesdropping I've decided to 
> remove popularity-contest from the machines that I administrate as 
> personally I feel it leaks too much information about the make-up of a 
> system (just my personal, paranoid viewpoint!)
> 
> If however in the future versions of popcon the contents could be 
> encrypted prior sending (which will also compress everything) then I'll 
> be happy to re-install this package in the first instance.

Hello Sheridan,

Your issue is mentionned in the popcon FAQ 
<http://popcon.debian.org/FAQ>.

We could provide a popcon public key and encrypt the report with it,
decrypting submission on the server. We would have to put the private
key on the server.

At this stage I am afraid that decrypting all the submissions would
but too high a load on the server.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 

Message #15 received at 480860@bugs.debian.org (full text, mbox, reply):

From: Sheridan Hutchinson <sheridan@shezza.org>

To: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>

Cc: 480860@bugs.debian.org

Subject: Re: [Popcon-developers] Bug#480860: popularity-contest should encrypt contents

Date: Thu, 19 Feb 2009 18:55:00 +0000

2009/2/19 Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
> Your issue is mentionned in the popcon FAQ
> <http://popcon.debian.org/FAQ>.

Thank you for your reply, indeed it is very clearly in the FAQ and I
should have checked that first.

> At this stage I am afraid that decrypting all the submissions would
> but too high a load on the server.

I guess there are two ways to consider this relative to the demands
and productivity of the server.

I'm going to assume that it would be too much for the server for all
submissions to be encrypted, but what about if popcon had an opt-in
for encryption.  Surely the number of people who would opt-in for
encryption and getting it set up would be reasonably low, although it
may still generate too high a load.

Ideally though (and I hope you'll agree) all submissions would
preferentially be encrypted in transit and one day when you've got the
necessary computing resources this may become a reality.

The FAQ indicates this is an on-going consideration so we'll see what
the next few years bring.

-- 
Regards,
Sheridan Hutchinson
sheridan@shezza.org

Message #20 received at 480860-close@bugs.debian.org (full text, mbox, reply):

From: Bill Allombert <ballombe@debian.org>

To: 480860-close@bugs.debian.org

Subject: Bug#480860: fixed in popularity-contest 1.58

Date: Fri, 21 Jun 2013 15:06:22 +0000

Source: popularity-contest
Source-Version: 1.58

We believe that the bug you reported is fixed in the latest version of
popularity-contest, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 480860@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bill Allombert <ballombe@debian.org> (supplier of updated popularity-contest package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 19 Jun 2013 13:45:02 +0200
Source: popularity-contest
Binary: popularity-contest
Architecture: source all
Version: 1.58
Distribution: unstable
Urgency: low
Maintainer: Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>
Changed-By: Bill Allombert <ballombe@debian.org>
Description: 
 popularity-contest - Vote for your favourite packages automatically
Closes: 480860 707951
Changes: 
 popularity-contest (1.58) unstable; urgency=low
 .
   * Move examples script to examples subdirectory.
     - Add gensections.pl
     - Do not install clean-filter/clean-genpkglist
     - Rename popcon-submit.cgi to popcon.cgi
   * popcon now report the dpkg Vendor field. Suggested by Paul Wise.
   * popanal.py:
     - Record the VENDOR field.
     - Bump stable version to 1.56.
   * Add support for encrypted report: Closes: #480860
     + debian-popcon.gpg:
       - Added: public encryption key
     + debian/cron.daily:
       - Encrypt submission with gnupg if available
     + debian/control:
       - Recommends: gnupg so that encryption is enabled
     + default.conf:
       - Add setting ENCRYPT, KEYRING and POPCONKEY.
         ENCRYPT default to 'no' for this release but will default to 'yes' in
         subsequent release.
     + examples/cgi-bin/popcon.cgi:
       - Accept encrypted report.
     + examples/bin/prepop.pl, examples/bin/popcon-process.sh
       - Add support for decrypting encrypted report
   * popularity-contest:
     - truncate reported atime and ctime to multiple of 12 hours to reduce
       information leak. Closes: #707951 Thanks Bernhard R. Link
   * debian/control:
     - Updated Standards-Version from 3.9.3 to 3.9.4.  No change needed.
Checksums-Sha1: 
 b85dd5f42f706c7da2361d7a8e530c0881b96fbe 960 popularity-contest_1.58.dsc
 46ca399fca16850921d20e32fa7be518d6b04e2a 88656 popularity-contest_1.58.tar.gz
 f3912d852d32a54e44d227c4188ee60f494a60f2 71848 popularity-contest_1.58_all.deb
Checksums-Sha256: 
 89562ffd36fdf4a6397de86d82840840e3baabbf644cbd8e286b454b911c741d 960 popularity-contest_1.58.dsc
 3da008cb7423bc58a75545b71ba2eafae270345914c2ff115515994c0b37a655 88656 popularity-contest_1.58.tar.gz
 27d3f3ee80aadcb205a15bb05e0cee4c51967beb5b283d92638be35512c63cde 71848 popularity-contest_1.58_all.deb
Files: 
 b2771b9cbae64d05e856792392a5d866 960 misc optional popularity-contest_1.58.dsc
 8f0b7f80ccf211bee012702a7251fe90 88656 misc optional popularity-contest_1.58.tar.gz
 bc6bf20018cfb1e0838f51f0076831c0 71848 misc optional popularity-contest_1.58_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlHEYfkACgkQeDPs8bVESBUZEwCfWVyNn6GyIchsUiGS4S78iZXy
nA0Anja46IsW0xc+lhkufi310TOmjp2u
=k26E
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.