potiuk commented on PR #53888: URL: https://github.com/apache/airflow/pull/53888#issuecomment-3141429529
> Showing passwords makes us look like clowns, I'm amazed you think that is okay behaviour for a webapp that cares at all about security @potiuk.

This means that we were clowns for a long time and we never raised the issue despite it being discussed several times. It's a strange thing to see it raised now. I think it was a choice made a long time ago (not by me) and I would be rather careful with pejorative words like "clowns". It's a choice. We all agreed to it. We agreed to the model. We discussed it several times in the past and nobody ever raised concern for it (including you, who insisted on being in all security discussions).

Yes. I agree that "write only" is better for security - and I even proposed it in the past discussions for it. I was not even a proponent of it - if you look at past discussions, I always said it's a better solution. I merely explained what choice we (all of us - including you, if you did not oppose those choices) made, where you were part of those discussions in the security team and had a chance to state the "clown" argument before.

Many apps (for example password managers - including Google Password Manager, for example) make the choice that they expose passwords (which are stored for manipulation and editing in a CRUD form). Is that web app a "clown" app? I am not sure I would use that word. Security is never 0/1 and "obvious". Security is a set of choices to make. And so far we (yes, including you - all the important decisions we made here are "us") made a choice that we include passwords in API responses. We are now changing that choice - and I am super happy about it - but I would never say "clowns" - for a choice you also were part of. I find it surprising to use such a pejorative statement in a professional context.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
