Someone fixed the security issue with --debug?

[Curtis Hovey-Canonical]

I am comparing the use of streams during the bootstrap of 1.20 and
1.21. I noticed that 1.21 no longer dumps the content of the
cloud-init script, which has user credentials and machine keys,
implicitly fixing this bug
--debug dumps sensitive information to terminal
https://bugs.launchpad.net/juju-core/+bug/1289038

If we can guarantee that --debug will never dump the content of the
script, agent config, and jenv files, we can mark this bug fixed. Juju
CI and also enable --debug for better logs too.
-- 
Curtis Hovey
Canonical Cloud Development and Operations
http://launchpad.net/~sinzui

-- 
Juju-dev mailing list
Juju-dev@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/juju-dev

Re: Someone fixed the security issue with --debug?

[Andrew Wilkins]

On Sat, Nov 8, 2014 at 3:16 AM, Curtis Hovey-Canonical  wrote:

> I am comparing the use of streams during the bootstrap of 1.20 and
> 1.21. I noticed that 1.21 no longer dumps the content of the
> cloud-init script, which has user credentials and machine keys,
> implicitly fixing this bug
> --debug dumps sensitive information to terminal
> https://bugs.launchpad.net/juju-core/+bug/1289038
>
> If we can guarantee that --debug will never dump the content of the
> script, agent config, and jenv files, we can mark this bug fixed. Juju
> CI and also enable --debug for better logs too.
>

Yes, sorry I forgot to inform you (again). The change I made was to not log
cloud-config at debug level; it's logged at trace level now. AFAICT, there
are no secrets leaked anymore.

I'll close the bug.

Cheers,
Andrew
-- 
Juju-dev mailing list
Juju-dev@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/juju-dev