Again reply to the list too :)
GUIs which change buttons etc. depending on whatever they like are bad...
On 07/08/14 08:02, Martin Furter wrote:
> On 07/08/14 03:33, Ben Reser wrote:
>> On 7/6/14 5:16 AM, Martin Furter wrote:
>>> Attached is a log message and a patch which adds the new options
>>> '--password-file' and '--password-envvar'. It also adds Julian's
>>> warning to the '--password' help text.
>>
>> I veto (-1) --password-envvar (and Peter's follow-up suggestion of a
>> hard-coded environment variable). As several other people have shown,
>> the environment of a running program is often just as available as the
>> command line arguments. The whole point of this exercise is to improve
>> the security of the manner in which we allow passwords to be provided,
>> in order to guide users to make good choices. We're not achieving
>> anything if we only provide them with new insecure choices.
>
> On Linux I see only the environment of my own processes. On OpenBSD I
> see only HOME and PATH for other users. So envvar seems to not be less
> secure than a password file.
>
> If you really want to improve security the only option is using stdin.
>
> I had a patch for that ready. But then people started wishing other
> things so I just implemented without thinking too much :)
>
> - Martin
Received on 2014-07-08 04:39:22 CEST
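The disagreement above (whether a password in the environment is any better hidden than one on the command line) can be checked directly on Linux by looking at what procfs exposes. The script below is an added example, not code from this thread or from Subversion: it probes `/proc/<pid>/cmdline` and `/proc/<pid>/environ` for every process, records their permission bits and whether the calling user can read them, and includes the stdin-based reader Martin says would actually improve matters. It assumes a Linux system with a default procfs mount (no `hidepid=`); the sample password fed to the stdin demo is constructed.

```python
"""Compare what /proc exposes about a process's argv vs. its environment.

Added example for the svn-dev discussion of --password vs. --password-envvar;
not Subversion code.  Assumes Linux with a default /proc mount.
"""
import io
import os
import stat
from dataclasses import dataclass
from typing import Dict, Optional

PROC = "/proc"


@dataclass
class ProcExposure:
    pid: int
    cmdline_readable: bool   # True for every process on a default mount
    environ_readable: bool   # True only for your own processes (or as root)
    cmdline_mode: str        # permission bits, e.g. "0444"
    environ_mode: str        # permission bits, e.g. "0400"


def _mode(path: str) -> str:
    return format(stat.S_IMODE(os.stat(path).st_mode), "04o")


def _readable(path: str) -> bool:
    """Try to read one byte; EACCES is the only 'not visible to me' signal."""
    try:
        with open(path, "rb") as fh:
            fh.read(1)
        return True
    except PermissionError:
        return False


def probe(pid: int) -> Optional[ProcExposure]:
    """What the calling user can see of `pid`; None if the process is gone
    (or became a zombie) or /proc is not mounted."""
    base = os.path.join(PROC, str(pid))
    try:
        return ProcExposure(
            pid=pid,
            cmdline_readable=_readable(os.path.join(base, "cmdline")),
            environ_readable=_readable(os.path.join(base, "environ")),
            cmdline_mode=_mode(os.path.join(base, "cmdline")),
            environ_mode=_mode(os.path.join(base, "environ")),
        )
    except (FileNotFoundError, ProcessLookupError):
        return None


def self_exposure() -> Optional[ProcExposure]:
    return probe(os.getpid())


def scan() -> Dict[int, ProcExposure]:
    """Probe every numeric /proc entry.  On a default mount you can read every
    process's cmdline but only your own processes' environ."""
    if not os.path.isdir(PROC):
        return {}
    result: Dict[int, ProcExposure] = {}
    for entry in os.listdir(PROC):
        if entry.isdigit():
            exposure = probe(int(entry))
            if exposure is not None:
                result[exposure.pid] = exposure
    return result


def read_password_line(stream) -> str:
    """Read one password line from a stream (intended for stdin), stripping
    only the line terminator: a password may legitimately end in spaces."""
    line = stream.readline()
    if not line:
        raise ValueError("no password on stdin")
    return line.rstrip("\r\n")


def demo_stdin_read() -> str:
    # Constructed stand-in for a piped stdin; the value is made up.
    return read_password_line(io.StringIO("hunter2 \n"))


if __name__ == "__main__":
    exposures = scan()
    cmd_ok = sum(1 for e in exposures.values() if e.cmdline_readable)
    env_ok = sum(1 for e in exposures.values() if e.environ_readable)
    print(f"{len(exposures)} processes: cmdline readable for {cmd_ok}, "
          f"environ readable for {env_ok}")
    mine = self_exposure()
    if mine:
        print(f"my own process: cmdline mode {mine.cmdline_mode}, "
              f"environ mode {mine.environ_mode}")
    print("password read from (constructed) stdin:", repr(demo_stdin_read()))
```

Run as an unprivileged user with other users' processes on the box and the two counts diverge: `cmdline` is 0444 so every argv is readable, `environ` is 0400 so only your own processes' environments are. That is the fact both sides of the thread are arguing from; the environment is hidden from other unprivileged users, but not from root, from anything else running as you, or from a child process that inherits it, which is why the stdin route avoids all of those.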