On Monday, 19 June 2017 5:31:10 PM CEST Sean Hudson wrote:
> On 2017-06-19 09:05 AM, Mark Hatle wrote:
> > It would be reasonable to write up a 'best practices' type document.
> > Explaining that simply due to the nature of building many of these things
> > will be 'leaked' and where some of them are leaked through. (Package
> > generation, compilation, etc for instance.)
>
> That sounds reasonable, although, TBH, if someone is adding credentials
> to their SRC_URIs, I would expect that a best practice would be ignored.
> Perhaps adding a detection routine that emitted a warning during
> parsing for credentials in the SRC_URI might be warranted? Thoughts?
This might be useful, yes. I think the stumbling block is that at the moment we would have to have it off by default and then the user is almost certainly not going to know to turn it on. Perhaps this is another thing that we might check in a "production" vs. "development" mode where the user can easily switch to the former to enable a set of more stringent checks.

FWIW it's not quite the same thing but some of what you might want to do when moving to production is described in this section of the manual (which, full disclosure, I had a hand in writing):

http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure

Cheers,
Paul

--
Paul Eggleton
Intel Open Source Technology Centre

_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
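As an added illustration of the detection routine Sean proposes and the production/development severity split Paul describes (example code written for this thread, not BitBake's or OE-core's own implementation), the helper below scans a SRC_URI string for entries whose URL authority carries user:password@ credentials. The function names, the sample SRC_URI and the "production" flag are assumptions; in a real class the string would come from d.getVar('SRC_URI') and the messages would go through bb.warn()/bb.fatal().

```python
"""Flag SRC_URI entries that embed credentials in the URL authority.

Hypothetical stand-alone helper, not BitBake's own code. It only inspects
the user[:password]@host part of each URL; the password is never returned,
so the warning itself does not leak the secret into build logs.
"""
from urllib.parse import urlsplit


def find_credentialed_uris(src_uri):
    """Return (entry, username, redacted_entry) for each entry with userinfo.

    SRC_URI is whitespace-separated; each entry is url[;key=value...].
    """
    findings = []
    for entry in src_uri.split():
        url, _, params = entry.partition(";")
        parts = urlsplit(url)
        if parts.username is None and parts.password is None:
            continue
        # Rebuild the entry without the userinfo for use in the message.
        host = parts.hostname or ""
        if parts.port:
            host += ":%d" % parts.port
        redacted = parts._replace(netloc=host).geturl()
        if params:
            redacted += ";" + params
        findings.append((entry, parts.username or "", redacted))
    return findings


def check_src_uri(src_uri, production=False):
    """Return one message per offending entry.

    In development mode the caller would emit these as warnings; in the
    stricter production mode it would treat a non-empty list as fatal.
    """
    level = "ERROR" if production else "WARNING"
    return ["%s: SRC_URI entry embeds credentials for user %r; use %s and "
            "a ~/.netrc or credential helper instead" % (level, user, redacted)
            for _entry, user, redacted in find_credentialed_uris(src_uri)]


# Constructed sample recipe value, not taken from any real layer.
SAMPLE_SRC_URI = """\
git://git.example.com/foo.git;protocol=https;branch=main
https://alice:s3cret@builds.example.com/foo-1.0.tar.gz;name=foo
ftp://ftp.example.com/pub/bar.tar.gz
"""

if __name__ == "__main__":
    for msg in check_src_uri(SAMPLE_SRC_URI):
        print(msg)
```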