[Rubygems-developers] Reviewing the Tattle Data (was RubyGems plaform thread)

Hugh Sasse hgs at dmu.ac.uk
Fri Apr 27 04:51:00 EDT 2007


On Thu, 26 Apr 2007, Eric Hodel wrote:

> On Apr 26, 2007, at 11:29, Charles Oliver Nutter wrote:
> > Eric Hodel wrote:
> >> How exactly is it sensitive?  If I'm able to run code on the box I
> >> can find ruby, via rbconfig.rb or traversing the filesystem.  On the
        [...]
> >
> > I just don't like personally-identifiable information about my
> > filesystem layout to be published without my knowledge. Someone  
        [...]
> 
> $ tattle -h
> Usage:
> tattle report # Print config data without sending
> tattle post # Post config data (this is the default)

Yes, but what do you mean by posting that?  "Don't post if you 
don't want to reveal personal data?"  Well, what if you want to 
reveal the data that isn't personal, for all the reasons tattle
was invented?  I think that if personal data (particularly names
embedded in paths) is going to be sent then tattle should give
people the information about what is to be sent.  Various choices
about this come to mind:

1 `tattle psst` uses the data from `tattle report`, and doesn't 
   generate the report itself.  This gives people time to edit the
   data to obscure information.  But that makes the data less accurate,
   given: "To err is human. [To really mess things up, involve a
   computer.]".

2 `tattle post` gathers data as now, but displays it and asks before
   posting.  This is interactive, more verbose than Unix conventions.

3 `tattle post` gets more options about what it may send, so one can
   turn off various parameters.  Complicates the code, and the interface.

4 `tattle` with no options should be the same as `tattle -h` instead
   of `tattle post`.  Again runs against Unix culture but is more
   "first, do no harm".

Security is 1/convenience, as they say.  Are any of the above acceptable
changes, or is there something better one could do?

Bizarre thought: tattle really only answers the positive side of the question.
What about providing a form (with CAPTCHA or something) to find out
how many people don't install ruby on their platform and why not?

        Hugh
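As an added illustration of options 2 and 3 above (this is example code, not part of tattle or the original post): a filter that replaces the home-directory component of each path in a tattle-style report with a placeholder, optionally drops whole keys, and shows the result for confirmation before anything is posted. The SAMPLE_CONFIG hash and the key names in it are constructed for the example.

```ruby
require 'stringio'

# Constructed sample of the kind of data tattle gathers; not real tattle output.
SAMPLE_CONFIG = {
  'ruby_version' => '1.8.6',
  'platform'     => 'i686-linux',
  'bindir'       => '/home/alice/ruby/bin',
  'sitelibdir'   => '/home/alice/ruby/lib/ruby/site_ruby/1.8',
  'prefix'       => '/usr/local',
  'gem_home'     => 'C:/Documents and Settings/alice/gems',
}

# Home-directory prefixes that usually embed a login name. The captured
# group keeps the non-personal part; only the user name is replaced.
HOME_PATTERNS = [
  %r{\A(/home/)[^/]+},
  %r{\A(/Users/)[^/]+},
  %r{\A([A-Za-z]:/Documents and Settings/)[^/]+},
]

# Return a copy of +config+ with personal path prefixes replaced by $USER and
# with every key listed in +drop+ removed (the per-parameter switch of option 3).
def scrub_report(config, drop: [])
  config.reject { |k, _| drop.include?(k) }.transform_values do |v|
    next v unless v.is_a?(String)
    HOME_PATTERNS.reduce(v) { |s, re| s.sub(re, '\1$USER') }
  end
end

# Option 2: print exactly what would be sent and post only on explicit "y".
# Returns the scrubbed report that would be posted, or nil if the user declines.
def post_with_confirmation(config, io_in: $stdin, io_out: $stdout)
  scrubbed = scrub_report(config)
  io_out.puts 'The following data will be posted:'
  scrubbed.each { |k, v| io_out.puts "  #{k}: #{v}" }
  io_out.print 'Post this? [y/N] '
  answer = io_in.gets.to_s.strip
  return nil unless answer =~ /\Ay(es)?\z/i
  scrubbed
end
```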


More information about the Rubygems-developers mailing list