On 2017-06-20 04:30 AM, Paul Eggleton wrote:
> On Monday, 19 June 2017 5:31:10 PM CEST Sean Hudson wrote:
>> On 2017-06-19 09:05 AM, Mark Hatle wrote:
>>> It would be reasonable to write up a 'best practices' type document.
>>> Explaining that simply due to the nature of building many of these things
>>> will be 'leaked' and where some of them are leaked through. (Package
>>> generation, compilation, etc for instance.)
>>
>> That sounds reasonable, although, TBH, if someone is adding credentials
>> to their SRC_URIs, I would expect that a best practice would be ignored.
>> Perhaps adding a detection routine that emitted a warning during
>> parsing for credentials in the SRC_URI might be warranted? Thoughts?
>
> This might be useful yes. I think the stumbling block is that at the moment we
> would have to have it off by default and then the user is almost certainly not
> going to know to turn it on. Perhaps this is another thing that we might check
> in a "production" vs. "development" mode where the user can easily switch to
> the former to enable a set of more stringent checks.

I'm not sure I follow. What would prevent us from turning on a warning that detected credentials in a SRC_URI by default? Even with Richard's change to prevent the information from propagating into the .ipk, it seems useful to notify the user. Personally, I'd like to know if one of the recipes I'm using has such information in it regardless of whether I'm generating a development or a production image.

--
Sean
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
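
One way the detection routine discussed in this thread could look, as an added example (not code from the thread's participants or from BitBake): it scans a SRC_URI value for a password in the URL userinfo or in a `pswd` parameter, and redacts the secret so the warning does not leak it into build logs. The function name, the `SECRET_PARAMS` set and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: fetcher parameter names that carry a secret; extend for your fetchers.
SECRET_PARAMS = {"pswd"}

# Constructed sample SRC_URI value (hosts and credentials are made up).
SAMPLE_SRC_URI = """
    git://git.example.com/project.git;protocol=https;branch=master
    https://builder:s3cr3t@downloads.example.com/release-1.0.tar.gz
    svn://svn.example.com/repo;module=trunk;user=ci;pswd=hunter2
    git://git@git.example.com/other.git;protocol=ssh
    file://fix-build.patch
"""

def find_src_uri_credentials(src_uri):
    """Return [(redacted_entry, [reasons])] for SRC_URI entries embedding secrets.

    A bare username (git@host) is not flagged: it is common and not a secret.
    """
    findings = []
    for entry in src_uri.split():
        # Entries have the form URL;key=value;key=value
        url, *params = entry.split(";")
        parts = urlsplit(url)
        reasons = []
        if parts.password is not None:
            reasons.append("password in URL userinfo")
            host = parts.netloc.rpartition("@")[2]
            url = parts._replace(netloc=f"{parts.username}:***@{host}").geturl()
        redacted_params = []
        for param in params:
            key, _, value = param.partition("=")
            if key in SECRET_PARAMS and value:
                reasons.append(f"{key}= parameter")
                param = f"{key}=***"
            redacted_params.append(param)
        if reasons:
            findings.append((";".join([url, *redacted_params]), reasons))
    return findings

if __name__ == "__main__":
    for redacted, reasons in find_src_uri_credentials(SAMPLE_SRC_URI):
        print(f"WARNING: credentials in SRC_URI ({', '.join(reasons)}): {redacted}")
```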