Dear team,

When reportbug is used as a direct SMTP client , reporting user
hostname , ip and username  are leaked to the BTS.

Such information leak is not expected (and undesirable). That information is
passes under Message-ID (hash-reportbug@users-fqdn)  and in the Received: from
section.

That Information is then made publicly available  (under "full text") at the
BTS website.

information can be accessible with the url - https://bugs.debian.org/cgi-bin/
bugreport.cgi?bug=$BUGID;msg=5

(this bug is sent without reportbug )

well, that's how mail transport systems work
is
from

this is generated by a standard python function

reportbug/submit.py:        message['Message-ID'] =
email.utils.make_msgid('reportbug')
the
https://bugs.debian.org/cgi-bin/

this is all expected.

what i think your report is missing is a concrete solution to address
whatever you think it wrong. if you cant provide anything, i'm afraid i'm
going to close this report, as i dont think any action is warranted.

Regards,

Package: reportbug
Version: 7.10.3+deb11u1
Followup-For: Bug #880877
X-Debbugs-Cc: debbug.880877@sideload.33mail.com

Different MTAs work differently.

Regarding the hostname, that is a configurable parameter in
postfix. It can be whatever the user sets it to.

Regarding IP, all MTAs inherently know the IP but some
privacy-respecting MTAs strip out the IP to protect the sender’s
privacy from the recipient.  This is crtically important when email is
not merely going to the inbox of an individual but rather being
published to the world.  It’s reckless to expose that sensitive
information.

The MTA is one place where this leak can be addressed, but it’s not
the only place. IIUC, bugs are processed by procmail, which means a
procmail recipe also has the opportunity to strip out the sender’s IP
address.

While it’s interesting to know that a standard lib fails to give the
user control over what elements are used for the composition of the
msg id, this does not excuse the leaking of sensitive info.  Use of
that library call is optional. IIRC, the RFC does not dictate what
info appears in a msg id, only that the msg id is sufficiently random
so as to facilitate uniqueness and avoid duplicating another msg id.

Certainly not. It’s expected that a mainstream project like Debian be
on the ball about safeguarding sensitive info.  IP address & other
unique IDs can go in the logs if Debian needs the info for abuse
control, but it’s embarrassing that a reputable distro would publish
that info for the world.

This is a bug report, not a PR request.  Bug reports do not need a PR
request to justify their existence.

Isn't the publishing of IP addresses without prior consent a violation of European data protection laws, resulting in a minimum fine of 20k or 2% of annual turnover, whichever is higher?