Re: [Tails-dev] minitube (Youtube client)

Author: intrigeri
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] minitube (Youtube client)
Hi,

Alessandro Grassi wrote (13 Dec 2012 00:20:57 GMT) :
> I did it because maybeSetSystemProxy() could overwrite settings in env
> variables, which seemed counter-intuitive to me. Do you agree?


I think that's exactly the point of this code: I've not looked deep
enough to be sure, but I believe this function is meant to implement
*exceptions* to the default proxy policy. I've no idea where Qt looks
to find the relevant configuration (or KDE / whatever user
configuration?). E.g. in many situations, it makes sense to configure
your LAN as a destination that should be reached without going through
a proxy. So, I think the general process, as implemented by the
unpatched code, makes sense.

You may disagree and want to argue with upstream, and that's totally
fine with me, but that should be for another orthogonal patch: no sane
upstream maintainer will accept a patch that supposedly "implements
SOCKS5 support", but also silently changes the behaviour for HTTP
proxy users. See what I mean? :)

> Anyway, the upstream developer replied to my question about cookies in
> his forum:
> "No cookies.


Great. Thanks for asking!

> Minitube does store your recent searches in its settings file."
> I think we can live with this (or try to lock such file...)


The problem with history / cache / software internal memory in an
anonymizing amnesic system is not often that it's simply *stored*
(which I agree we can live with -- Tails is amnesic for a reason),
but how it may modify the software's behaviour in the future, possibly
giving bits to an attacker that may help in deanonymizing Tails users.

So, the question now becomes: how does the stored history affect the
behaviour of Minitube? Does it affect this behaviour in any way that
could be observable on the network, or on the YouTube / Google / 3rd
party servers that are reached? (I guess, and hope, the answers will
unanimously be "no", but this is what should be checked.)

[half-OT: we have never looked at Liferea this well. Someone should.
Creating a todo/applications_audit/liferea ticket.]

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc