----- Original Message -----
the ABRT team got a request to replace uploading of core dumps
to the retrace server by providing a fuse-like share with debuginfos [1].
It would be really nice if the security experts could comment on this.
Not uploading users’ data we don’t need and never use would be a nice security
improvement.
The flip side is that the “fuse-like share client” is an attack vector, so the way these
files are distributed should be protected (signed, verified etc.) as well as packages in
the repositories are.
(Non-security questions:
1) What does this do to the latency of the core dump generation (i.e. is it more data to
upload the coredump, or download the debuginfo?), and the likelihood we will collect
backtraces?
2) If we are talking about an integrity-verified method of delivering data to the users’
machine, why not just download and install debuginfos from the existing repos? This might
require changing their packaging, perhaps to split ELF debug info and sources, but that’s
very likely not as much work as writing a different—essentially—packaging mechanism from
scratch.
3) Do you actually need all the complexity of fuse, or just a layer of indirection within
gdb?)
Mirek
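Mirek's point that the share client becomes an attack vector comes down to one rule: nothing served from the share is handed to gdb until it has been verified against a trust anchor the client already holds. The following Python is an added illustration, not code from ABRT, the retrace server or anyone in this thread. It assumes a hypothetical share laid out the way gdb already looks up separate debug files (`.build-id/xx/yyyy.debug`), plus a constructed `manifest.json` mapping build-ids to SHA-256 digests; the manifest itself is pinned by a digest the client trusts, which stands in for the detached-signature check that package repositories do on their metadata. A tampered file, an unknown build-id, a malformed build-id or an altered manifest are all rejected before any path reaches the debugger.

```python
"""Verify debuginfo files from an untrusted share before gdb is allowed to load them.

Constructed example (not ABRT or retrace-server code). Layout assumed:
  <share>/.build-id/ab/cdef....debug   -- gdb's separate-debug-file layout
  <share>/manifest.json                -- {"<build-id>": "<sha256 hex>", ...}
The manifest is the trust anchor. Here it is pinned by a SHA-256 digest the client
already trusts; in a real deployment this would be a signature check with a pinned
public key, as dnf/yum do for repository metadata.
"""
import hashlib
import json
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


class DebuginfoVerifyError(Exception):
    """Raised for anything that must not be passed on to gdb."""


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_id_path(share_root, build_id):
    # Reject anything that is not plain lowercase hex: this also rules out
    # path traversal, since the build-id becomes part of the file name.
    if len(build_id) < 4 or any(c not in HEX for c in build_id):
        raise DebuginfoVerifyError(f"malformed build-id {build_id!r}")
    return Path(share_root) / ".build-id" / build_id[:2] / (build_id[2:] + ".debug")


def load_manifest(share_root, pinned_manifest_sha256):
    manifest_path = Path(share_root) / "manifest.json"
    if not manifest_path.is_file():
        raise DebuginfoVerifyError("manifest missing from share")
    # Trust anchor check: stand-in for verifying a detached signature.
    if sha256_file(manifest_path) != pinned_manifest_sha256:
        raise DebuginfoVerifyError("manifest does not match trusted digest")
    with open(manifest_path) as f:
        return json.load(f)


def verified_debuginfo(share_root, build_id, pinned_manifest_sha256):
    """Return the path of a debuginfo file only if the share's copy is intact."""
    manifest = load_manifest(share_root, pinned_manifest_sha256)
    expected = manifest.get(build_id)
    if expected is None:
        raise DebuginfoVerifyError(f"build-id {build_id} not in manifest")
    path = build_id_path(share_root, build_id)
    if not path.is_file():
        raise DebuginfoVerifyError(f"{path} missing from share")
    actual = sha256_file(path)
    if actual != expected:
        raise DebuginfoVerifyError(f"{path}: digest {actual} != manifest {expected}")
    return str(path)


def make_demo_share():
    """Build a throwaway share with one intact and one tampered file (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="debuginfo-share-"))
    good_id = "ab" + "c1" * 19   # constructed 40-hex-char build-ids
    bad_id = "de" + "f2" * 19
    contents = {
        good_id: b"\x7fELF good debuginfo (constructed)",
        bad_id: b"\x7fELF debuginfo before tampering (constructed)",
    }
    manifest = {}
    for bid, data in contents.items():
        p = build_id_path(root, bid)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        manifest[bid] = hashlib.sha256(data).hexdigest()
    (root / "manifest.json").write_text(json.dumps(manifest))
    # The manifest records the original digest; now the file on the share is altered.
    build_id_path(root, bad_id).write_bytes(b"\x7fELF altered after the manifest was made")
    pinned = sha256_file(root / "manifest.json")  # what the client would ship with
    return root, pinned, good_id, bad_id


if __name__ == "__main__":
    root, pinned, good_id, bad_id = make_demo_share()
    print("ok:", verified_debuginfo(root, good_id, pinned))
    for bid in (bad_id, "0" * 40, "../etc/passwd"):
        try:
            verified_debuginfo(root, bid, pinned)
        except DebuginfoVerifyError as e:
            print("rejected:", e)
```

The design choice worth noting: the hex check on the build-id is what keeps a hostile manifest or share from steering the lookup outside the share, and the manifest is verified before any entry is consulted, so a rejected file costs one hash and no debugger involvement.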