Github user jburwell commented on the pull request: https://github.com/apache/cloudstack/pull/1152#issuecomment-168570237

@DaanHoogland I completely agree with you regarding exposing credential information. The best practice when credentials are lost is to require that they be changed. This approach makes the access to the sensitive information obvious to all users -- making it impossible for an attacker to hide such a breach.

In the past, we have removed sensitive data from existing API responses. For example, for CVE-2015-3251, we removed exposure of KVM credentials from the [listHosts call](https://github.com/apache/cloudstack/pull/682). Therefore, as a project, we have previously determined that security should trump API backwards compatibility. It should most certainly be prioritized over making the task of integration testing easier.