Bug#46857: apt: If source URI contains password, the password is printed on the screen during fetches
On 7 Oct 1999, KORN Andras wrote:
> try a URI like <deb ftp://user:password@host/debian unstable local>; the
> password is printed on the screen in plain text. I believe it would be
> better to not display the user:password bit at all, or at least mask the
> password.
>
> (I agree that it is not generally a good idea to put password-protected URIs
> into sources.list.)
It is even worse. sources.list has to be world readable, so that normal users
can run apt-get source.
The only solution to this would be to NOT put the password in sources.list,
and have both the http and ftp modules prompt. I know the api supports this
feature, but I have never seen it done in actual use.
Adam
Reply to: