(No need to CC on replies: I read the list.)

On Thursday 05 August 2010, Thibaut Girka wrote:
> If you're talking about user-setup, they are cleared; that's the first
> thing I've checked (better done than checking network-console, it seems)
> before sending this mail.

With user-setup the passwords are asked by a different (much earlier [1]) 
script than the one that creates the accounts and sets the passwords. So 
they *must* be in the debconf database for at least the time in between.

The fact that they are cleared afterwards - only at the very, very end of 
the installation: just before the reboot - seems to me like a mostly empty 
gesture. At least for the attack vector you were concerned about.

[1] The asking of the passwords was recently moved forward quite a bit for 
Squeeze.

