[request-tracker-maintainers] Bug#475730: request-tracker3.6: should prompt for initial root password

Niko Tyni ntyni at debian.org
Sat Apr 12 15:26:34 UTC 2008


Package: request-tracker3.6
Version: 3.6.6-2
Severity: normal

The initial password for the RT superuser 'root' (separate from the
local root account, of course) is currently set to 'password' on new
installs. 

As the database is now created automatically since 3.6.6-2, this would be
a gaping security hole if the system was reachable on the web after the
default install. As things are, the web server must first be configured
manually, so things are not quite that bad.

The right thing to do would be to prompt for the initial password via
debconf. This requires changes to rt-setup-database, and I'm not sure
yet if I'll implement this for Lenny, but I'm filing this as a reminder
in any case.

Cheers,
-- 
Niko Tyni   ntyni at debian.org




