Re: Thoughts about network-console
(No need to CC on replies: I read the list.)
On Thursday 05 August 2010, Thibaut Girka wrote:
> If you're talking about user-setup, they are cleared, that's the first
> thing I've checked (better done than checking network-console, it seems)
> before sending this mail.
With user-setup the passwords are asked by a different (much earlier)
script than the one that creates the accounts and sets the passwords. So
they *must* be in the debconf database for at least the time in between.
The fact that they are cleared afterwards - only at the very, very end of
the installation: just before the reboot - seems to me like a mostly empty
gesture. At least for the attack vector you were concerned about.
The asking of the passwords was recently moved forward quite a bit for