Package: obs-api
Severity: important
Tags: upstream
Control: block 926198 by -1
Installing obs-api currently creates an "Admin" user with the well-known
password "opensuse", which the user is expected to change before doing
anything else.
I think the Admin user's password should either be set to something
securely random, for example the result of reading
/proc/sys/kernel/random/uuid, and made available to the sysadmin somehow
(for example written to a file only readable by root); or prompted for by
a debconf question (maybe as part of #926200), with the default being
either a securely random string or something that makes it impossible to
log in until the password is changed by manipulating the database.
I'm marking this as blocking #926198, because it would certainly be a
security vulnerability if the maintainer scripts brought up the system
automatically but didn't change Admin's password.
smcv
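The random-password-plus-root-only-file approach the report proposes, written out as an added example; this is not code from the report or from the obs-api package, and the obs_api_* function names, the openssl fallback and the destination path are assumptions:

```shell
#!/bin/sh
# Added example (not from the bug report or the obs-api maintainer scripts).
# Sketch of a maintainer-script fragment that avoids shipping the well-known
# "opensuse" password: generate a random one and store it so only root can
# read it. Function names and paths are assumptions.
set -eu

# Generate a random password. /proc/sys/kernel/random/uuid is the source the
# report suggests; openssl is an assumed fallback for when /proc is absent.
obs_api_random_password() {
    if [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
    else
        openssl rand -hex 16
    fi
}

# Store the password in a file readable only by root. The file is created
# under umask 077 *before* the secret is written, so there is never a window
# in which a world-readable file holds the password. Prints the resulting
# permission string (e.g. "-rw-------") so callers can verify it.
obs_api_store_password() {
    pw="$1"
    dest="$2"
    (umask 077 && : > "$dest")   # create (or truncate) with mode 0600
    chmod 0600 "$dest"           # also fixes a pre-existing, looser file
    printf '%s\n' "$pw" > "$dest"
    ls -ld "$dest" | cut -c1-10
}

# Example usage (assumed location for the generated credential):
#   pw=$(obs_api_random_password)
#   obs_api_store_password "$pw" /root/obs-api-admin-password
```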