Debian Bug report logs - #40435
lynx: takes privacy too seriously [NO_ANONYMOUS_EMAIL]

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Francesco Potorti` <F.Potorti@cnuce.cnr.it>

To: Debian Linux bug list <submit@bugs.debian.org>

Subject: lynx takes privacy too seriously :-)

Date: Tue, 29 Jun 1999 17:40:25 +0200 (CEST)

Package: lynx-ssl
Version: 2.8.1-2
Severity: normal

When NO_FROM_HEADER  is TRUE,  as it  is the default,  no mail  headers are
sent,  even for  comments wxplicitely  sent  by the  user.  This  is not  a
reasonable behaviour.  That  option should only be applied  to From headers
sent in http requests, not to From headers in regular mail.

In my case, for  example, I don't want my mail address  to be sentto anyone
with every  http request, but  I do want  it to be  sent with a  From: mail
header when  I send comments, because  the address that lynx  builds is not
valid (well, it is, currently, but soon it will not be any more).

-- System Information
Debian Release: potato
Kernel Version: Linux pot 2.2.8 #2 Tue May 18 14:37:02 CEST 1999 i686 unknown

Versions of the packages lynx-ssl depends on:
ii  libc6           2.1.1-12       GNU C Library: Shared libraries and timezone
ii  libssl09        0.9.2b-3       SSL shared libraries
ii  slang1          1.2.2-2.1      The S-Lang programming library - runtime ver
ii  zlib1g          1.1.3-3        compression library - runtime

--- Begin /etc/lynx.cfg (modified conffile)
#
#
#
#
#
#
#
STARTFILE:http://www.cnuce.pi.cnr.it/
#
HELPFILE:file://localhost/usr/doc/lynx/lynx_help/lynx_help_main.html
#
DEFAULT_INDEX_FILE:http://www.ncsa.uiuc.edu/SDG/Software/Mosaic/MetaIndex.html
#
#
#
#
#
#
#
#
#
#
SAVE_SPACE:~/
#
LYNX_HOST_NAME:pot.cnuce.cnr.it
#
LOCALHOST_ALIAS:fly.cnuce.cnr.it
#
LOCAL_DOMAIN:cnuce.cnr.it
#
#
#
#
#
#
#
PREFERRED_LANGUAGE:en,it
#
#
URL_DOMAIN_PREFIXES:www.
URL_DOMAIN_SUFFIXES:.com,.it,.edu,.net,.org
#
#
#
#
#
#
#
#
#
#
DEFAULT_CACHE_SIZE:50
#
#
#
#
#
#
#
#
#
#
LOCAL_EXECUTION_LINKS_ALWAYS_ON:FALSE
LOCAL_EXECUTION_LINKS_ON_BUT_NOT_REMOTE:FALSE
#
#
#
#
#
#
TRUSTED_EXEC:none
#
#
#
ALWAYS_TRUSTED_EXEC:none
#
#
#
TRUSTED_LYNXCGI:none
#
#
#
#
#
#
#
MAIL_SYSTEM_ERROR_LOGGING:FALSE
#
#
CHECKMAIL:TRUE
#
NNTPSERVER:newsserver.unipi.it
#
#
#
#
NEWS_POSTING:TRUE
#
LYNX_SIG_FILE:.signature
USE_MOUSE:TRUE
#
#
SET_COOKIES:TRUE
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
DEFAULT_EDITOR:ae
#
#
#
#
#
#
#
#
#
PRINTER:Print to default printer:lpr %s:FALSE
PRINTER:Print to LWPiano1N:lpr -PLWPiano1N %s:FALSE
#
#
#
#
#
#
#
#
#
#
#
#
#
NO_DOT_FILES:FALSE
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
MINIMAL_COMMENTS:TRUE
#
#
#
#
#
#
#
#
ENABLE_SCROLLBACK:TRUE
#
#
#
#
#
#
#
#
#
GLOBAL_EXTENSION_MAP:/etc/mime.types
#
PERSONAL_EXTENSION_MAP:.mime.types
#
#
XLOADIMAGE_COMMAND:xv %s
#
#
#
#
#
#
VIEWER:application/postscript:gv %s&:XWINDOWS
VIEWER:image/gif:xv %s&:XWINDOWS
VIEWER:image/x-xbm:xv %s&:XWINDOWS
VIEWER:image/x-rgb:xv %s&:XWINDOWS
VIEWER:image/x-tiff:xv %s&:XWINDOWS
VIEWER:image/jpeg:xv %s&:XWINDOWS
VIEWER:video/mpeg:mpeg_play %s &:XWINDOWS
#
GLOBAL_MAILCAP:/etc/mailcap
#
PERSONAL_MAILCAP:.mailcap
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
COLOR:0:lightgray:black
COLOR:1:brightblue:black
COLOR:2:yellow:blue
COLOR:3:green:black
COLOR:4:magenta:black
COLOR:5:blue:black
COLOR:6:red:black
COLOR:7:magenta:cyan
#
#
#
#
#
#
#
#
#
#
EXTERNAL:ftp:wget %s &:TRUE
#

--- End /etc/lynx.cfg

Message #10 received at 40435@bugs.debian.org (full text, mbox, reply):

From: Francesco Potorti` <F.Potorti@cnuce.cnr.it>

To: 40435@bugs.debian.org

Subject: Re: Bug#40435: Acknowledgement (lynx takes privacy too seriously :-))

Date: Tue, 29 Jun 1999 18:09:22 +0200 (CEST)

I was not precise  in my bug report, because what i  said was based on what
is written  inthe lynx.cfg and ~/.lynxrc  files.  I found no  other docs on
this feature.  

But experimenting  leads me to thing  that's even worse than  what I wrote,
because   both  calling   lynx  with   the  "-from"   option   and  setting
NO_FROM_HEADERS:FALSE  in  /etc/lynx.conf  produces  no  change:  the  mail
address set in the options and regularly stored in ~/.lynxrc is not used at
all.

Message #15 received at 40435@bugs.debian.org (full text, mbox, reply):

From: Christoph Martin <martin@uni-mainz.de>

To: Francesco Potorti` <F.Potorti@cnuce.cnr.it>, 40435@bugs.debian.org

Subject: Re: Bug#40435: Acknowledgement (lynx takes privacy too seriously :-))

Date: Wed, 30 Jun 1999 09:48:47 +0200 (MET DST)

Francesco Potorti` writes:
 > I was not precise  in my bug report, because what i  said was based on what
 > is written  inthe lynx.cfg and ~/.lynxrc  files.  I found no  other docs on
 > this feature.  
 > 
 > But experimenting  leads me to thing  that's even worse than  what I wrote,
 > because   both  calling   lynx  with   the  "-from"   option   and  setting
 > NO_FROM_HEADERS:FALSE  in  /etc/lynx.conf  produces  no  change:  the  mail
 > address set in the options and regularly stored in ~/.lynxrc is not used at
 > all.

Did you find the same problem in lynx too? Then we should reassign it
to lynx.

Christoph

Message #20 received at 40435@bugs.debian.org (full text, mbox, reply):

From: Francesco Potorti` <F.Potorti@cnuce.cnr.it>

To: Christoph Martin <martin@uni-mainz.de>

Cc: 40435@bugs.debian.org

Subject: Re: Bug#40435: Acknowledgement (lynx takes privacy too seriously :-))

Date: Wed, 30 Jun 1999 12:19:23 +0200 (CEST)

    > because   both  calling   lynx  with   the  "-from"   option   and  setting
    > NO_FROM_HEADERS:FALSE  in  /etc/lynx.conf  produces  no  change:  the  mail
    > address set in the options and regularly stored in ~/.lynxrc is not used at
    > all.
   
   Did you find the same problem in lynx too? Then we should reassign it
   to lynx.

I installed lynx, and yes, it's the same with lynx.

Message #25 received at 40435@bugs.debian.org (full text, mbox, reply):

From: Christoph Martin <martin@uni-mainz.de>

To: Francesco Potorti` <F.Potorti@cnuce.cnr.it>

Cc: 40435@bugs.debian.org, control@bugs.debian.org

Subject: Re: Bug#40435: Acknowledgement (lynx takes privacy too seriously :-))

Date: Wed, 30 Jun 1999 14:55:01 +0200 (MET DST)

reassign 40435 lynx
quit

Francesco Potorti` writes:
 >     > because   both  calling   lynx  with   the  "-from"   option   and  setting
 >     > NO_FROM_HEADERS:FALSE  in  /etc/lynx.conf  produces  no  change:  the  mail
 >     > address set in the options and regularly stored in ~/.lynxrc is not used at
 >     > all.
 >    
 >    Did you find the same problem in lynx too? Then we should reassign it
 >    to lynx.
 > 
 > I installed lynx, and yes, it's the same with lynx.
 > 

Message #32 received at 40435@bugs.debian.org (full text, mbox, reply):

From: Klaus Weide <kweide@enteract.com>

To: 40435@bugs.debian.org

Cc: Francesco Potorti` <F.Potorti@cnuce.cnr.it>

Subject: Re: Bug#40435

Date: Sun, 11 Jul 1999 00:49:42 -0500 (CDT)

Does any of this still apply to the lynx 2.8.2-1 package?

   Klaus

Message #37 received at 40435@bugs.debian.org (full text, mbox, reply):

From: Klaus Weide <kweide@enteract.com>

To: 40435@bugs.debian.org

Cc: Francesco Potorti` <F.Potorti@cnuce.cnr.it>

Date: Mon, 12 Jul 1999 06:28:08 -0500 (CDT)

Francesco Potorti` writes:
> because both calling lynx with the "-from" option and setting
> NO_FROM_HEADERS:FALSE in /etc/lynx.conf produces no change: the mail
> address set in the options and regularly stored in ~/.lynxrc is not used at
> all.

Ok, I found it's true that personal_mail isn't used for personal mail, in
2.8.1 and 2.8.2 versions.  There was an upstream change between 2.8 and 2.8.1
in the default behavior.  The comments in lynx.cfg, .lynxrc and possibly
elsewhere don't properly reflect this.

This is from 2.8 userdefs.h:

/********************************
 * Don't let the user enter his/her email address when sending a message.
 * Anonymous mail makes it far too easy for a user to spoof someone else's
 * email address.
 * This requires that your mailer agent put in the From: field for you.
 *
 * The default should be to uncomment this line but there probably are too
 * many mail agents out there that won't do the right thing if there is no
 * From: line.
 */
/* #define NO_ANONYMOUS_EMAIL TRUE */

This is from 2.8.1 userdefs.h:

/********************************
 * Comment this line out to let the user enter his/her email address
 * when sending a message.  There should be no need to do this unless
 * your mailer agent does not put in the From: field for you.  (If your
 * mailer agent does not automatically put in the From: field, you should
 * upgrade, because anonymous mail makes it far too easy for a user to
 * spoof someone else's email address.)
 */
#define NO_ANONYMOUS_EMAIL TRUE


Effectively, the personal_mail_address isn't passed in a "From:" header
to the /usr/sbin/sendmail -t -oi invocation for mailto: links and for
the 'c'omment key command.  There is no "From:", sendmail is supposed to
fill it in.  personal_mail_address may still be used for FORM mailto:
actions(!), for news postings, for the rarely used From HTTP header,
for the rarely used MAIL_SYSTEM_ERROR_LOGGING, and for suggesting a Cc:
for mail messages.

I guess it's up to the Debian maintainer to decide whether the Debian
package should revert back to the old default.

   Klaus

Message #42 received at 40435@bugs.debian.org (full text, mbox, reply):

From: Francesco Potorti` <F.Potorti@cnuce.cnr.it>

To: Klaus Weide <kweide@enteract.com>

Cc: 40435@bugs.debian.org

Date: Thu, 29 Jul 1999 18:23:21 +0200 (CEST)

Sorry for the delay.
   
   This is from 2.8.1 userdefs.h:
   
   /********************************
    * Comment this line out to let the user enter his/her email address
    * when sending a message.  There should be no need to do this unless
    * your mailer agent does not put in the From: field for you.  (If your
    * mailer agent does not automatically put in the From: field, you should
    * upgrade, because anonymous mail makes it far too easy for a user to
    * spoof someone else's email address.)
    */
   #define NO_ANONYMOUS_EMAIL TRUE

If i am not wrong, no one should be worried about this.  People can set its
From: header to whatever they like, but  the MTA will add a Sender: line if
the  user  is not  trusted.   Moreover, the  MTA  will  put an  appropriate
envelope around the mail message.

On the other  hand, preventing the user  from adding a From: line  is not a
good idea  in any case.  In  most situations, the  system cannot reasonably
guess the  correct mail  address of a  user, like  when one has  dynamic IP
address, or when  is behind a firewall, or more simply  when mail is popped
from a server, rather than being received directly via SMTP.

So I suggest that the above line  in userdefs.h be commented out.  It was a
bad idea to uncomment it in the first place.

Please forward this message to the lynx maintainer list if you see fit.

Message #47 received at 40435@bugs.debian.org (full text, mbox, reply):

From: Klaus Weide <kweide@enteract.com>

To: lynx-dev@sig.net

Cc: 40435@bugs.debian.org

Subject: Forwarded mail....

Date: Fri, 30 Jul 1999 09:23:32 -0500 (CDT)

The below message refers to a problem with honoring or not honoring
the "Personal mail address", please read the previous conversation
under <http://www.debian.org/Bugs/db/40/40435.html> - especially
if you are the person responsible for the change of the
NO_ANONYMOUS_EMAIL default...

It seems to me Francesco is right, and the default should have not been
changed.  But I think there was extensive and maybe heated discussion
about this in the past, which I didn't follow, I don't really want to
get into it now.

But whether the default stays as it is or not, something should be done.
- the behavior is inconsistent (sometimes the "personal mail address" is
  used, and sometimes it isn't.  (e.g. mailto: URL as form action vs. as
  link)
- Documentation (including .lynxrc comment) doesn't reflect the change.
  It seems to describe the non-default behavior. 
- "Personal mail address" should not be offered on the 'O'ptions screen
  as such if it isn't used as such.

As far as the Debian package is concerned, I see nothing wrong with
the Debian maintainer deviating from the default if he chooses so.
The reason for the lynx-dev default setting (if there is a good one)
may not apply to a Debian package (e.g. assuming all Debian MTAs behave
reasonably.  And hopefully nobody would offer anonymous lynx guest logins
to the world using a binary package without careful examination.).


  Klaus

---------- Forwarded message ----------
Date: Thu, 29 Jul 1999 18:23:21 +0200 (CEST)
From: Francesco Potorti` <F.Potorti@cnuce.cnr.it>
To: Klaus Weide <kweide@enteract.com>
Cc: 40435@bugs.debian.org

Sorry for the delay.
   
   This is from 2.8.1 userdefs.h:
   
   /********************************
    * Comment this line out to let the user enter his/her email address
    * when sending a message.  There should be no need to do this unless
    * your mailer agent does not put in the From: field for you.  (If your
    * mailer agent does not automatically put in the From: field, you should
    * upgrade, because anonymous mail makes it far too easy for a user to
    * spoof someone else's email address.)
    */
   #define NO_ANONYMOUS_EMAIL TRUE

If i am not wrong, no one should be worried about this.  People can set its
From: header to whatever they like, but  the MTA will add a Sender: line if
the  user  is not  trusted.   Moreover, the  MTA  will  put an  appropriate
envelope around the mail message.

On the other  hand, preventing the user  from adding a From: line  is not a
good idea  in any case.  In  most situations, the  system cannot reasonably
guess the  correct mail  address of a  user, like  when one has  dynamic IP
address, or when  is behind a firewall, or more simply  when mail is popped
from a server, rather than being received directly via SMTP.

So I suggest that the above line  in userdefs.h be commented out.  It was a
bad idea to uncomment it in the first place.

Please forward this message to the lynx maintainer list if you see fit.

Message #52 received at 40435@bugs.debian.org (full text, mbox, reply):

From: David Woolley <david@djwhome.demon.co.uk>

To: lynx-dev@sig.net

Cc: 40435@bugs.debian.org

Subject: Re: lynx-dev Forwarded mail....

Date: Sat, 31 Jul 1999 11:12:56 +0100 (BST)

> reasonably.  And hopefully nobody would offer anonymous lynx guest logins
> to the world using a binary package without careful examination.).

That's a totally unreasonable assumption.  The days of the technically
aware ISPs is long over.  Most service providers these days are plug
and play operators at the technical level.

Message #59 received at 40435@bugs.debian.org (full text, mbox, reply):

From: Thomas Dickey <dickey@his.com>

To: 40435@bugs.debian.org

Subject: re: #40435 lynx: takes privacy too seriously [NO_ANONYMOUS_EMAIL]

Date: Mon, 13 Nov 2006 16:29:03 -0500

[Message part 1 (text/plain, inline)]

The original bug report was mistaken:  the NO_FROM_HEADER has never been used
in any context other than a test in HTLoadHTTP().

The related text on NO_ANONYMOUS_EMAIL has been obsolete since 2.8.3dev.22
(2000-03-12), when the #define in userdefs.h was commented-out.

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net

[signature.asc (application/pgp-signature, inline)]

Message #66 received at 40435-close@bugs.debian.org (full text, mbox, reply):

From: warp@debian.org (Zephaniah E. Hull)

To: 40435-close@bugs.debian.org

Subject: Bug#40435: fixed in lynx 2.8.6-1

Date: Tue, 01 May 2007 06:17:03 +0000

Source: lynx
Source-Version: 2.8.6-1

We believe that the bug you reported is fixed in the latest version of
lynx, which is due to be installed in the Debian FTP archive:

lynx_2.8.6-1.diff.gz
  to pool/main/l/lynx/lynx_2.8.6-1.diff.gz
lynx_2.8.6-1.dsc
  to pool/main/l/lynx/lynx_2.8.6-1.dsc
lynx_2.8.6-1_amd64.deb
  to pool/main/l/lynx/lynx_2.8.6-1_amd64.deb
lynx_2.8.6.orig.tar.gz
  to pool/main/l/lynx/lynx_2.8.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 40435@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Zephaniah E. Hull <warp@debian.org> (supplier of updated lynx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 01 May 2007 01:43:17 -0400
Source: lynx
Binary: lynx
Architecture: source amd64
Version: 2.8.6-1
Distribution: unstable
Urgency: low
Maintainer: Zephaniah E. Hull <warp@debian.org>
Changed-By: Zephaniah E. Hull <warp@debian.org>
Description: 
 lynx       - Text-mode WWW Browser
Closes: 40435 67184 99400 120451 121520 132674 137480 141158 147287 152810 157088 171312 184482 188415 193205 204994 240237 244871 248092 252915 254515 265031 268264 271048 304989 313789 315853 318034 325478 343049 344275 374388 390918
Changes: 
 lynx (2.8.6-1) unstable; urgency=low
 .
   * Hijack the package.  I might not be great at it, but I do use it daily.
   * New upstream release.
     Closes: #254515, #137480, #67184, #99400, #132674, #141158, #40435,
     #120451, #157088, #204994, #244871, #248092, #268264, #271048, #318034,
     #343049, #390918, #240237, #313789, #171312, #193205, #252915, #265031,
     #121520, #152810, #188415, #344275, #374388, #184482, #315853
   * Uses the new upstream defaults. Closes: #325478, #147287.
   * Update 01_default-config.dpatch. (Offset changes only.)
   * Update 02_default-key-bindings.dpatch. (Upstream formatting changes.)
   * Kill 03_newer_gnutls.dpatch entirely.
     This was fixed upstream.  But this is also a GPL violation as we only ship
     the patch to configure, and not to configure.in, the source file.
   * Kill 04_CVE-2004-1617.dpatch. (Merged into upstream.)
   * Disable 05_FTBFS_on_GNUHurd_and_GNUkBSD (Upstream changes, file new bug if
     we FTBFS again.)
   * Removed configure arguments:
     --enable-8bit-toupper - Removed, no longer exists.
     --enable-persistent-cookies - Enabled by default.
     --enable-prettysrc - Enabled by default.
     --enable-source-cache - Enabled by default.
     --enable-read-eta - Enabled by default.
   * Added configure arguments:
     --enable-nsl-fork - fork NSL requests, allowing them to be aborted
     --enable-justify-elts - use element-justification logic
   * Update the contents and location of lynx.desktop. Closes: 304989.
   * Other things will be handled by later uploads, patches welcome.
Files: 
 5f2a3005f67b144c6093ae875957d5fe 605 web optional lynx_2.8.6-1.dsc
 2158041a3fdb5d094831da2c82cfcaba 3195728 web optional lynx_2.8.6.orig.tar.gz
 24699d4e88618f94d9dd2b3e88ca41ef 15521 web optional lynx_2.8.6-1.diff.gz
 e44c39690127312aa16149da5356ce4b 2010044 web optional lynx_2.8.6-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGNtYKRFMAi+ZaeAERAn6nAJ0SiaGd5zI4mt+sknbcH7M2/GWA1gCg2otr
gDdwPYjAsyQXG/udwapEPGA=
=6Lmp
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.