These two patches introduce a fix for a low-impact CVE where both user &
admin passwords would be passed to the osinfo-install-script via command
line.

In order to avoid doing so, let's introduce a --config-file and warn out
whenever a password is passed via --config.

Changes since v1:
https://www.redhat.com/archives/libosinfo/2019-July/msg00026.html
- Added a note that --config-file is strongly recommended if the user or
  admin passwords need to be set;
- Added a note in the manpage that --config is deprecated and
  --config-file should be used instead;
- Changed the error to warning when --config is used to set user or admin
  passwords;

Changes not done after v1 review:
- Add a new API to OsinfoInstallConfig:
  Adding a new API would force us to, instead of easily backporting the
  change, force distros to use a new release of libosinfo;
- Fix Daniel's name:
  Better be consistent all over the place. :-)
  (Jokes apart, I can just fix this before pushing)

Fabiano Fidêncio (2):
  tools,install-script: Add --config-file (-f) option
  tools,install-script: Deprecate --config

 tools/osinfo-install-script.c | 110 +++++++++++++++++++++++++++++++++-
 1 file changed, 109 insertions(+), 1 deletion(-)

-- 
2.21.0