Someone fixed the security issue with --debug?
Andrew Wilkins
andrew.wilkins at canonical.com
Mon Nov 10 01:57:57 UTC 2014
On Sat, Nov 8, 2014 at 3:16 AM, Curtis Hovey-Canonical <curtis at canonical.com
> wrote:
> I am comparing the use of streams during the bootstrap of 1.20 and
> 1.21. I noticed that 1.21 no longer dumps the content of the
> cloud-init script, which has user credentials and machine keys,
> implicitly fixing this bug
> --debug dumps sensitive information to terminal
> https://bugs.launchpad.net/juju-core/+bug/1289038
>
> If we can guarantee that --debug will never dump the content of the
> script, agent config, and jenv files, we can mark this bug fixed. Juju
> CI and also enable --debug for better logs too.
>
Yes, sorry I forgot to inform you (again). The change I made was to not log
cloud-config at debug level; it's logged at trace level now. AFAICT, there
are no secrets leaked anymore.
I'll close the bug.
Cheers,
Andrew
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/juju-dev/attachments/20141110/d7744c1c/attachment.html>
More information about the Juju-dev
mailing list