Skip to content

Don't leak hostname through debusine-setup

Describe the bug

debusine setup send the machine local hostname to the debusine server.

There's no need to leak the machine name to a third-party.

In some situations, e.g. corporate environment, the machine hostname may not be controlled by the end-user and/or may carry sensitive information.

How to reproduce the bug

  • Following https://wiki.debian.org/DebusineDebianNet
  • Run debusine --server=debian setup
  • This points to a page saying The request was made at 2025-07-02 08:31 (0 minutes ago) from HOSTNAME for scope debian.
  • This then creates a token with default description obtained via 'debusine setup' on HOSTNAME

Runtime environment

Operating system

Debian 12.

Versions of debusine and its dependencies

debusine-client 0.11.1~bpo12+1

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information