[next] telepathy-mission-control: NEWS: adjust note about ServerAuthentication handlers
Simon McVittie
smcv at kemper.freedesktop.org
Fri Oct 4 06:00:39 PDT 2013
Module: telepathy-mission-control
Branch: next
Commit: 17a5d31769e9da52797df968c8881732f29d0f45
URL: http://cgit.freedesktop.org/telepathy/telepathy-mission-control/commit/?id=17a5d31769e9da52797df968c8881732f29d0f45
Author: Simon McVittie <simon.mcvittie at collabora.co.uk>
Date: Wed Oct 2 16:33:42 2013 +0100

NEWS: adjust note about ServerAuthentication handlers

rishi pointed out on IRC that ServerAuthentication still makes
passwords available to eavesdroppers on the session bus (if LOGIN,
PLAIN or X-TELEPATHY-PASSWORD are used). ServerAuthentication doesn't
allow arbitrary applications to ask MC "what is the password for
account X?", which is what I was thinking of.

The session bus is not generally modelled to be a security
boundary; if yours is, you will need to write a security policy,
then ensure that that policy is applied. Telepathy components are not
designed to be used unmodified on an untrusted session bus. (Starting
points include turning off eavesdropping, applying a "default-deny"
policy, preventing processes other than Mission Control from
calling HandleChannels on your ServerAuthentication client, and
preventing processes from subverting each other with ptrace.)
---
NEWS | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index edce6da..f31c9e4 100644
--- a/NEWS
+++ b/NEWS
@@ -38,8 +38,7 @@ Enhancements:
(fd.o #56635, Simon)
⢠Remove gnome-keyring integration in favour of recommending
- ServerAuthentication Handlers, which have better UI and don't expose
- passwords on D-Bus (fd.o #32578, Simon)
+ ServerAuthentication Handlers, which have better UI (fd.o #32578, Simon)
⢠Internal cleanup related to the connectivity code (fd.o #68712, Simon)
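
Review bot: The rewritten entry (the "+" line ending "which have better UI") gives NEWS readers no hint that passwords are still visible to eavesdroppers on the session bus when LOGIN, PLAIN or X-TELEPATHY-PASSWORD are used; that caveat exists only in the commit message. Anyone who read the earlier wording may keep assuming the handlers hide passwords from other session-bus clients. Consider adding a short clause to the entry stating what ServerAuthentication does prevent (arbitrary applications asking MC for an account's password) and that the session bus is not treated as a security boundary.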