Package: obs-api
Severity: important
Tags: upstream
Control: block 926198 by -1

Installing obs-api currently creates an "Admin" user with the well-known password "opensuse", which the user is expected to change before doing anything else.

I think the Admin user's password should either be set to something securely random, for example the result of reading /proc/sys/kernel/random/uuid, and made available to the sysadmin somehow (for example written to a file only readable by root); or prompted for by a debconf question (maybe as part of #926200), with the default being either a securely random string or something that makes it impossible to log in until the password is changed by manipulating the database.

I'm marking this as blocking #926198, because it would certainly be a security vulnerability if the maintainer scripts brought up the system automatically but didn't change Admin's password.

    smcv
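A sketch of the first option in the report above: a random value read from /proc/sys/kernel/random/uuid and written to a file only its owner can read. This is an added example, not part of the original report or of obs-api's maintainer scripts; the function names and the destination path are hypothetical. Applying the value to the Admin account is left out, since the report does not say how that would be done.

```shell
#!/bin/sh
# Added example: generate an initial admin password and store it so that
# only the owner (root, when run from a maintainer script) can read it.
# Function names and paths are hypothetical, not taken from obs-api.

# Print one random credential on stdout. Uses the kernel UUID source named
# in the report (a random version 4 UUID) and falls back to /dev/urandom
# where /proc is not mounted.
gen_admin_password() {
    if [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
    else
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
        echo
    fi
}

# Write a fresh password to the file named by $1.
# - umask 077 makes the file mode 0600 from the moment it is created, so
#   there is no window in which other users can read it (unlike creating
#   the file first and running chmod afterwards).
# - set -C (noclobber) makes the redirection fail if the path already
#   exists, so a re-run never replaces a password the sysadmin has seen.
# Returns 0 on success, 1 if the file exists or cannot be created.
store_admin_password() {
    dest=$1
    (
        umask 077
        set -C
        gen_admin_password > "$dest"
    ) 2>/dev/null || return 1
}

# Example call from a postinst-style script (hypothetical path):
#   store_admin_password /etc/obs-api/initial-admin-password \
#       || echo "initial password file already present, leaving it alone"
```
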