On Wed, 2007-04-25 at 19:40 +1100, Russell Coker wrote:
> On Wednesday 25 April 2007 16:36, sean finney <[EMAIL PROTECTED]> wrote:
> > On Wed, 2007-04-25 at 13:22 +1100, Russell Coker wrote:
> > > I just did a fresh install of mysql-server-5.0 on an AMD64 system which
> > > had never been used to run any version of MySQL before. It has root
> > > accounts with no passwords.
> >
> > i believe the bug in question was about an existing installation with a
> > password being upgraded in such a way that root could log in afterwards
> > without a password.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418955
>
> My above bug report was closed as a duplicate of this.

ah, okay. i think some wires must have gotten crossed then.

> > empty passwords are actually the *default* with mysql databases, though
> > in debian we've value-added some debconf-based password setting. still,
> > if you don't see the questions or otherwise decline these questions the
> > default remains.
>
> Empty passwords by default might be OK for a source based install of MySQL,
> but they are not OK for a Debian install. Debian packages should be expected
> to be secure by default!

i think it's fairly common knowledge that this is to be expected when
installing mysql, as you will find this to be the case for every other
distribution of unix/linux that includes mysql. however, in principle i
agree with you--hence we went out of our way to do the password prompt
stuff in the first place. perhaps we should consider raising the priority
of the question (currently i believe it's medium, which is why you didn't
see it maybe?).

sean