Don't require email and password in hubic backend except for first time

Bug #1664063 reported by Pablo Castellano
This bug affects 1 person
Affects: Duplicity
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

When you configure Duplicity using the Hubic backend, you are required to create ~/.hubic_credentials with login data (email and password) and API data (client_id, client_secret, redirect_uri).
More info here: http://duplicity.nongnu.org/duplicity.1.html#sect16

The first time you run duplicity, it will generate a ~/.hubic_tokens file with two new values named access_token and refresh_token.

From now on, your email and password are not used anymore, but they are still present in the configuration file. This is insecure because a malicious user could read this file and compromise your whole hubic account.

Proposed workaround:
Once duplicity has obtained the tokens, set email and password to blank or random data
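
The workaround proposed above, sketched as an added example that is not part of the original report or of duplicity's code: it blanks email and password in the credentials file only after both tokens exist, and rewrites the file atomically with owner-only permissions. It assumes both files are INI files with a [hubic] section, which the report does not state; the function names are hypothetical.

```python
import configparser
import os
import tempfile

SECTION = "hubic"  # assumption: section name used in both files

def tokens_present(tokens_path):
    """True only if both tokens named in the report exist and are non-empty."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(tokens_path)  # a missing file simply yields an empty config
    return all(cfg.get(SECTION, key, fallback="").strip()
               for key in ("access_token", "refresh_token"))

def scrub_credentials(cred_path, tokens_path):
    """Blank email/password once tokens exist. Returns True if the file was rewritten."""
    if not tokens_present(tokens_path):
        return False  # first run has not completed; login data is still needed
    cfg = configparser.ConfigParser(interpolation=None)  # '%' in passwords is literal
    if not cfg.read(cred_path) or not cfg.has_section(SECTION):
        return False
    if not (cfg.get(SECTION, "email", fallback="")
            or cfg.get(SECTION, "password", fallback="")):
        return False  # already scrubbed
    cfg.set(SECTION, "email", "")
    cfg.set(SECTION, "password", "")
    # Write a temp file in the same directory, then replace atomically so a
    # crash never leaves a half-written credentials file behind.
    directory = os.path.dirname(os.path.abspath(cred_path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".hubic_credentials.")
    try:
        with os.fdopen(fd, "w") as fh:
            cfg.write(fh)
        os.chmod(tmp, 0o600)  # owner read/write only
        os.replace(tmp, cred_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True

if __name__ == "__main__":
    home = os.path.expanduser("~")
    changed = scrub_credentials(os.path.join(home, ".hubic_credentials"),
                                os.path.join(home, ".hubic_tokens"))
    print("credentials scrubbed" if changed else "nothing changed")
```

The API values (client_id, client_secret, redirect_uri) are left untouched, and the old file contents may still exist in backups or filesystem snapshots.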
