Tuesday Bug Triage Report (2022-09-27)
Robie Basak
robie.basak at ubuntu.com
Wed Sep 28 13:05:24 UTC 2022
Well done on your first triage, and good job with writing up the report.
It's particularly valuable as it enables wider feedback on this list.
On Wed, Sep 28, 2022 at 10:08:58AM +0200, Michał Małoszewski wrote:
> *https://pad.lv/1980466 - (Confirmed)
> [mysql-8.0] - mysql_secure_installation can not set root
> password and end…*
> Here I was very careful when I noticed that it's a mysql issue. I have
> added a workaround for it in the comment sections.
> @Robie Basak <robie.basak at canonical.com>, @Lena Voytek
> <lena.voytek at canonical.com> could you take a look at this bug and maybe
> suggest or prompt if there is a way to improve the workaround or the
> solution in general?
I don't think running mysql_secure_installation makes sense on Ubuntu
(or Debian) - certainly not straight after installation - because
package maintainer scripts arrange to set secure defaults themselves.
Setting a root password reduces security because by default only Unix
socket authentication is permitted, which is guaranteed, rather than
relying on a secret that could be guessed or brute forced.

However I can understand how a user, guided by upstream or external
docs, would think that's an appropriate step that should be followed,
then see it fail, and then think that there's a bug. That's a poor UX,
and a poor UX is a valid bug.

I wonder if we should perhaps stop shipping mysql_secure_installation
entirely? Or, if it does something useful that someone might want to
run, then what can be adjusted to make this a better UX for users who
fall into this trap? This might be worth discussing with upstream.
> *https://pad.lv/1990863 - (New)
> [openssh] - conversion from sshd service to socket is too
> bumpy*
> Here I didn't comment that one because I was unsure about it. I mean: I
> think that this person should list the steps to reproduce it easily apart
> from writing the scope of the problem.
> Honestly, in my opinion that description is a bit overwhelming.
> Lucas asked for more information, specifically their changes in the config
> file so we can better investigate the upgrade path they are going through.
I'm familiar with this. Steve is working on the move to socket
activation, so I commented and also subscribed Steve.
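
A way to check the packaged default discussed above (root limited to Unix socket authentication), given as an added example that is not part of the original message. The function names and sample rows are constructed for illustration; `auth_socket` and `caching_sha2_password` are MySQL 8.0 plugin names.

```shell
#!/bin/sh
# Added example: report which auth plugin each MySQL root account uses.
# Reads tab-separated "user<TAB>host<TAB>plugin" rows on stdin, e.g. from:
#   sudo mysql -N -B -e "SELECT user, host, plugin FROM mysql.user"
# Exit status: 0 = every root account uses auth_socket,
#              1 = at least one root account uses another plugin,
#              2 = no root account found in the input.
audit_root_auth() {
    awk -F '\t' '
        $1 == "root" {
            seen = 1
            if ($3 == "auth_socket") {
                printf "OK    root@%s uses auth_socket\n", $2
            } else {
                printf "WARN  root@%s uses %s, not auth_socket\n", $2, $3
                bad = 1
            }
        }
        END {
            if (!seen) { print "WARN  no root account in input"; exit 2 }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample rows (not captured from a real server).
sample_socket_root() {
    printf 'mysql.sys\tlocalhost\tcaching_sha2_password\n'
    printf 'root\tlocalhost\tauth_socket\n'
}

sample_password_root() {
    printf 'mysql.sys\tlocalhost\tcaching_sha2_password\n'
    printf 'root\tlocalhost\tcaching_sha2_password\n'
}

# Demo on the constructed samples; pipe the mysql command above in instead.
sample_socket_root | audit_root_auth || true
sample_password_root | audit_root_auth || true
```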