On 2020-02-06 19:46, Josef Reidinger wrote:
Also we should maybe somehow mention that when Y2DEBUG is set to 1, then it logs everything including passwords as it logs also on UI layer ( by default not enabled ).
Is this true and tested and confirmed, or is this an urban legend in the making? Careful what information we are spreading; some people might mistake such a wild guess for serious information. I am pretty sure that the UI does NOT log any passwords. Never ever. The code doesn't any CONTAIN any yuiDebug() call, let alone leaking any confidential information, much less passwords or even single keystrokes. https://github.com/libyui/libyui/blob/master/src/YInputField.cc https://github.com/libyui/libyui-qt/blob/master/src/YQInputField.cc https://github.com/libyui/libyui-ncurses/blob/master/src/NCInputField.cc I also took great care to explicitly NOT log any passwords in the macro that we write during installation. So, where did you see any password information leaked by the UI? I am very sure that this does not happen. If any other YaST component logs large hashes that may also contain passwords, that's another matter; but in that case, this is where we need to fix things. Kind regards -- Stefan Hundhammer <shundhammer@suse.de> YaST Developer SUSE Linux GmbH GF: Felix Imendörffer, Jane Smithard, Graham Norton; HRB 21284 (AG Nürnberg) -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org To contact the owner, e-mail: yast-devel+owner@opensuse.org