(Not sure where to file this - the pfl site asks to file bugs here, but there isn't a category for pfl.)

It appears app-portage/pfl e-file makes path database searches over HTTP, and also uploads the weekly XML document over HTTP. This means the following data is sent in plaintext:

- Paths the user searches for
- What architecture the user is running
- What ebuilds from the gentoo ebuild repository the user has installed
- What versions of the above ebuilds
- When the user installed each ebuild
- What USE flags the user has for each package
- A complete list of paths for the packages

The main concern besides the privacy implications is that this permits an unauthorized third party to know the precise software selection, and hence what exact services a server is likely hosting. This cuts out the need for an attacker to collect fingerprinting data, which may never be as accurate as obtaining the weekly XML document.

Both versions appear to use HTTP exclusively:

- =app-portage/pfl-3.0-r2
- =app-portage/pfl-3.0.1-r3
Hi, HTTPS is already available and should work if we just switch the URL in PFL upload script. Same for e-file. Would be glad if you could test this. thanks & regards Daniel
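The fix proposed in the comment above is to switch the upload and search URLs to HTTPS. The following is an added example, not code from pfl or from this bug thread, showing the two checks a maintainer would want around such a change: a scan of a script for any remaining plaintext `http://` endpoints, and a guard that rewrites or refuses non-TLS URLs before any data is sent (including on redirects, so a server cannot silently downgrade the connection). The hostname `example.invalid` and the script text are constructed placeholders; the real PFL endpoints are not given in the report.

```python
import re
import ssl
import urllib.request
from urllib.parse import urlparse, urlunparse

# Constructed sample of an upload script (placeholder URLs, not pfl's real ones).
SAMPLE_SCRIPT = '''#!/bin/sh
# constructed sample, not the real pfl upload script
UPLOAD="http://example.invalid/pfl/upload.php"
SEARCH="https://example.invalid/pfl/search.php"
'''

PLAINTEXT_URL = re.compile(r"\bhttp://[^\s'\"<>]+")


class PlaintextTransportError(ValueError):
    """Raised when an endpoint would carry package data without TLS."""


def find_plaintext_urls(text: str) -> list:
    """Return every http:// URL found in a script or config, for review.

    A maintainer can run this over the upload/search scripts after the switch
    to confirm no plaintext endpoint was left behind."""
    return PLAINTEXT_URL.findall(text)


def require_https(url: str) -> str:
    """Return url unchanged if its scheme is https; reject anything else."""
    parts = urlparse(url)
    if parts.scheme.lower() != "https":
        raise PlaintextTransportError(f"refusing non-TLS endpoint: {url}")
    if not parts.netloc:
        raise ValueError(f"URL has no host: {url}")
    return url


def upgrade_to_https(url: str) -> str:
    """Rewrite an http:// URL to https://, keeping host, path and query.

    An explicit :80 port is dropped because it would be wrong for TLS.
    Any other scheme must already satisfy require_https()."""
    parts = urlparse(url)
    if parts.scheme.lower() == "http":
        netloc = parts.netloc
        if netloc.endswith(":80"):
            netloc = netloc[:-3]
        return urlunparse(parts._replace(scheme="https", netloc=netloc))
    return require_https(url)


class NoDowngradeRedirect(urllib.request.HTTPRedirectHandler):
    """Follow redirects only if the target is still https."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener() -> urllib.request.OpenerDirector:
    """Opener that verifies certificates and hostnames and never follows a
    redirect down to plaintext HTTP."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx), NoDowngradeRedirect())


def build_upload_request(url: str, xml_bytes: bytes) -> urllib.request.Request:
    """Prepare (but do not send) the weekly XML upload to a verified-TLS URL."""
    safe_url = require_https(upgrade_to_https(url))
    return urllib.request.Request(
        safe_url, data=xml_bytes, method="POST",
        headers={"Content-Type": "application/xml"})


if __name__ == "__main__":
    print("plaintext endpoints found:", find_plaintext_urls(SAMPLE_SCRIPT))
    req = build_upload_request("http://example.invalid:80/pfl/upload.php", b"<pfl/>")
    print("would upload to:", req.full_url)
```

To actually send, pass the request to `build_opener().open(...)`; the opener is kept separate here so the URL handling can be checked offline.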
Should be fixed with pfl-3.1. Please reopen if this is still an issue.