Re: Handling of TortoiseSVN crash report compromises security
Remco Nijhuis wrote:
> I came accross a crash report I submitted on TortoiseSVN using the
> automated tool. I didn't know this report was submitted to the mailing
> list org.tigris.tortoisesvn.crashreports. I found it on Google when it
> was included on http://markmail.org/message/oooh2lhlt6tld46l. The report
> includes a zipped .dmp dump file, containing bits and pieces of the
> source code I was working on at the time.
> You may imagine that these pieces of source code might include sensitive
> information, e.g. config-files with usernames and passwords to database
> servers used in the project. I regret this being publicly disclosed.
> You might want to change procedures to prevent this. As a user, I'd like
> to be warned about data disclosure when I am about to commit a crash
> report. However satisfied I am about your work on TortoiseSVN in
> general, and however much I am committed to help you improve the
> software using these reports, I can't take the risk of spreading
> confidential information. So I am sorry to say that I won't send crash
> reports until this is solved.
> I'm not a member of this list, but please keep me informed about the
> solution of this issue.
I'm really sorry about that. I have no idea how they could index that
archive: that list is set to 'private' so that only project members have
access to it.
I contacted markmail and asked them to delete their index of this list.
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net
Received on 2008-11-04 17:33:31 CET
This is an archived mail posted to the TortoiseSVN Users