On Tue, Mar 12, 2019 at 09:59:04AM +0100, Martin Steigerwald wrote:
> Didier Kryn - 12.03.19, 09:48:
> > Le 11/03/2019 à 19:33, KatolaZ a écrit :
> > > guys, anything using dbus will most probably (indirectly) access
> > > /var/lib/dbus/machine-id at some point in time, since that file is
> > > read when attempting to send a message via dbus.
> >

> >      It's most certainly as simple as that.

> >

> >      The question is why the hell do a web browser need to attach to
> > Dbus? This question is pure rant because I won't be satisfied by any
> > answer.

>
> For me it would be more important to see what DBUS, aka libdbus, is
> actually doing with the machine id.
>
> Thus I second the recommendation of KatolaZ to look at its source code.
>

Martin, AFAIU it's used just to make sure that a dbus call originates
from a process on the same machine of the receiver. But, please, audit
the code if you have time for that, and report any misbehaving. We
have also implemented a fix in dbus that re-generates
/var/lib/dbus/machine-id at each reboot (despite I think it's not
necessary).

I think that any leak in dbus would have been found by now (dbus has
been around for several years), but I might be proven wrong. The code
is free software, available and distributed under GNU GPL2+ (and also
under Academic Free License 2.1). Literally anybody can read it. But
please, let's stop shooting in the dark.

My2Cents

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab  ]  
[     "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[       @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[     @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]