Alexander Kanavin <[email protected]> writes:

>> Else, there are sometimes not many ways to work without them.
>> E.g. SSTATE_MIRRORS has to contain the secret token because it is
>> used directly by bitbake; perhaps I could use a wget wrapper and
>> write a custom curl python class...
>
> Yes, the secret needs to be in a file (or other access-controlled
> facility), and read from it by the process that needs it, and only
> directly prior to using it. Having it in a bitbake variable which gets
> passed through a million tasks and components
Where is the problem? I know only one component (rootfs-postcommands.bbclass) which dumps the whole environment and leaks it.

Otherwise, when there is a malicious component that wants to steal secrets from a bitbake variable, what would stop it from reading the secret from a file? Your suggestion (writing secrets to files instead of bitbake variables) does not improve security but only causes extra work.

Enrico
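The two patterns argued over in this exchange, modelled as an added example that is not code from the thread, from bitbake or from OpenEmbedded: a tiny stand-in for the bitbake datastore, a task that dumps every variable (the behaviour the reply attributes to rootfs-postcommands.bbclass), and a check for which variables carry secret material. The DataStore class, the dump task, the mirror URL, the token value and the SSTATE_TOKEN_FILE variable name are all constructed for the illustration.

```python
"""
Constructed illustration of secret-in-variable versus secret-in-file
when some task writes the whole variable environment to a file.
Nothing here is bitbake's real API; it only mimics getVar/setVar.
"""
import os
import tempfile

# Constructed sample token; a real token would be an opaque random string.
SAMPLE_TOKEN = "tok_EXAMPLE_0123456789"


class DataStore:
    """Minimal stand-in for bitbake's variable datastore."""

    def __init__(self):
        self._vars = {}

    def setVar(self, name, value):
        self._vars[name] = value

    def getVar(self, name):
        return self._vars.get(name)

    def keys(self):
        return sorted(self._vars)


def dump_environment(d):
    """Model of a task that writes every variable into a log or image file.
    Anything stored in a variable at this point ends up in the artifact."""
    return "\n".join(f"{k}={d.getVar(k)}" for k in d.keys())


def fetch_with_variable_secret(d):
    """Pattern 1: the token is embedded in SSTATE_MIRRORS itself, so it lives
    in the datastore for the whole build and travels into every dump."""
    d.setVar("SSTATE_MIRRORS",
             f"file://.* https://user:{SAMPLE_TOKEN}@sstate.example/PATH")
    # Stands in for bitbake consuming the mirror URL directly.
    return d.getVar("SSTATE_MIRRORS")


def fetch_with_file_secret(d, token_path):
    """Pattern 2: only the *path* is a variable (hypothetical name
    SSTATE_TOKEN_FILE); the fetch step reads the token right before use
    and never writes it back into the datastore."""
    d.setVar("SSTATE_MIRRORS", "file://.* https://sstate.example/PATH")
    d.setVar("SSTATE_TOKEN_FILE", token_path)
    with open(d.getVar("SSTATE_TOKEN_FILE")) as fh:
        token = fh.read().strip()
    # Build the authenticated URL in a local variable only.
    return d.getVar("SSTATE_MIRRORS").replace("https://", f"https://user:{token}@", 1)


def find_leaked(d, secrets):
    """Detection check: which variables would carry secret material into a dump."""
    return [k for k in d.keys()
            if any(s in (d.getVar(k) or "") for s in secrets)]


def demo():
    """Run both patterns against an environment dump and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        token_path = os.path.join(tmp, "sstate-token")
        with open(token_path, "w") as fh:
            fh.write(SAMPLE_TOKEN + "\n")
        os.chmod(token_path, 0o600)  # access control lives on the file, not in bitbake

        d1 = DataStore()
        fetch_with_variable_secret(d1)
        dump1 = dump_environment(d1)

        d2 = DataStore()
        fetch_with_file_secret(d2, token_path)
        dump2 = dump_environment(d2)

        return {
            "variable_pattern_leaks": SAMPLE_TOKEN in dump1,
            "file_pattern_leaks": SAMPLE_TOKEN in dump2,
            "leaked_vars": find_leaked(d1, [SAMPLE_TOKEN]),
        }


if __name__ == "__main__":
    print(demo())
```

The model makes both sides of the argument concrete: the file pattern keeps the token out of any environment dump, which is the accidental-leak path the reply points at, but a task running with the same user and the same datastore can still open the path in SSTATE_TOKEN_FILE, so the file only narrows exposure from "every artifact that records variables" to "code that deliberately reads the file"; it is not a defence against a malicious task in the same build.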
View/Reply Online (#184881): https://lists.openembedded.org/g/openembedded-core/message/184881
