[debian-mysql] Bug#418672: 5.0.32-7etch1 has this bug

sean finney seanius at debian.org
Wed Apr 25 16:31:14 UTC 2007


On Wed, 2007-04-25 at 19:40 +1100, Russell Coker wrote:
> On Wednesday 25 April 2007 16:36, sean finney <seanius at debian.org> wrote:
> > On Wed, 2007-04-25 at 13:22 +1100, Russell Coker wrote:
> > > I just did a fresh install of mysql-server-5.0 on an AMD64 system which
> > > had never been used to run any version of MySQL before.  It has root
> > > accounts with no passwords.
> >
> > i believe the bug in question was about an existing installation with a
> > password being upgraded in such a way that root could log in afterwards
> > without a password.
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418955
> 
> My above bug report was closed as a duplicate of this.

ah, okay.  i think some wires must have gotten crossed then.

> > empty passwords are actually the *default* with mysql databases, though
> > in debian we've value-added some debconf-based password setting.  still,
> > if you don't see the questions or otherwise decline these questions the
> > default remains.
> 
> Empty passwords by default might be OK for a source based install of MySQL, 
> but they are not OK for a Debian install.  Debian packages should be expected 
> to be secure by default!

i think it's fairly common knowledge that this is to be expected when
installing mysql, as you will find this to be the case for every other
distribution of unix/linux that includes mysql.

however, in principle i agree with you--hence we went out of our way to
do the password prompt stuff in the first place.  perhaps we should
consider raising the priority of the question (currently i believe it's
medium, which is why you didn't see it maybe?).


	sean