On Thu, 24 Nov 2016 08:46:29 Patrick Ohly wrote:
> On Thu, 2016-11-24 at 11:38 +0800, Robert Yang wrote:
> > Currently, debug-tweaks is in EXTRA_IMAGE_FEATURES by default for poky, and
> > there is no passwd, so that user can login easily without a passwd, I think
> > that current status is more unsafe ?
>
> Both well-known password and no password are unsafe. User "root" with
> password "root" is not even "more" safe already now, because tools that
> brute-force logins try that. Choosing something else would be a bit
> safer for a short while until the tools add it to their dictionary.
>
> Poky is also targeting a different audience than OE-core. Poky can
> assume to be used in a secure environment, OE-core can't (because it
> might be used for all kinds of devices).

I don't think that's part of the design goals on either side, it's simply about
making development easier. The feature is clearly labelled "debug-tweaks" because
it's for debugging not for production. It could be that we should make it do
other things like append a notice to /etc/issue to avoid people leaving it on
for production, if that is a concern.

Cheers,
Paul

--
Paul Eggleton
Intel Open Source Technology Centre
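
A release-gate check for the concern raised in this thread (debug-tweaks left enabled in a production image), as an added example that is not part of the original messages or of OpenEmbedded. The function names and sample inputs are constructed; the conf matching is a text heuristic, and the passwd/shadow check on the built rootfs is the authoritative one.

```python
import re

# Text heuristic for image-feature assignments in a BitBake conf file.
# Assumption: it does not evaluate overrides or includes as BitBake would.
_ASSIGN = re.compile(
    r'^\s*((?:EXTRA_)?IMAGE_FEATURES\S*)\s*'
    r'(?:\?\?=|\?=|:=|\+=|=\+|\.=|=\.|=)\s*"([^"]*)"'
)

def conf_enables_debug_tweaks(conf_text):
    """Return the variable names whose assigned value lists debug-tweaks."""
    hits = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out assignments do not count
        m = _ASSIGN.match(line)
        if m and "debug-tweaks" in m.group(2).split():
            hits.append(m.group(1))
    return hits

def empty_password_accounts(passwd_text, shadow_text=""):
    """Return accounts whose password field is empty in passwd or shadow."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a well-formed passwd entry
        name, pw = fields[0], fields[1]
        # "x" defers to shadow; an empty field in either file means no password
        if pw == "" or (pw == "x" and shadow.get(name) == ""):
            found.append(name)
    return found

# Constructed sample inputs (not taken from a real build)
SAMPLE_CONF = '''
# EXTRA_IMAGE_FEATURES = "debug-tweaks"
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
IMAGE_FEATURES += "ssh-server-openssh"
'''
SAMPLE_PASSWD_DEBUG = "root::0:0:root:/home/root:/bin/sh\ndaemon:*:1:1:daemon:/usr/sbin:/bin/sh"
SAMPLE_PASSWD_SHADOWED = "root:x:0:0:root:/home/root:/bin/sh"
SAMPLE_SHADOW_EMPTY = "root::17000:0:99999:7:::"
```

Run both functions against the build configuration and the generated rootfs's etc/passwd and etc/shadow, and fail the release job if either returns a non-empty list.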