Abhishekmishra2808 commented on issue #16822: URL: https://github.com/apache/nuttx/issues/16822#issuecomment-3999716213
The intention of this change is not to solve the broader problem of device provisioning or preventing password hashes from appearing in firmware images. As @cederom mentioned, if the same firmware is flashed to multiple devices, the hash will still be identical, so that aspect remains unchanged.

The main goal here is narrower: to avoid shipping firmware with a **known or implicit default password**.

With this change:

• If authentication is disabled, behavior remains unchanged.
• If authentication is enabled, the developer must explicitly set a password.
• The build fails if `CONFIG_ETC_ROMFS_GENPASSWD` is enabled but no password is provided.

So the patch ensures that credentials are **explicitly configured by the developer at build time**, instead of relying on a default value in the tree.

More advanced approaches like per-device passwords, random generation, or encrypted firmware would indeed improve security further, but they likely require a broader design discussion beyond the scope of this change.

-- 
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
