[request-tracker-maintainers] Bug#475730: Bug#475730: request-tracker3.6: should prompt for initial root password

Dominic Hargreaves dom at earth.li
Mon Aug 2 12:58:44 UTC 2010


On Sun, Jul 25, 2010 at 04:43:58PM +0100, Dominic Hargreaves wrote:

> We would patch initialdata to remove the default password on the root
> account, and patch rt-setup-database to separately set the password on
> the root account (perhaps within action_insert, perhaps with a separate
> action). It should be possible to use standard RT API methods (i.e.
> RT::User->SetPassword) to do this.

Note that it wasn't necessary to patch initialdata. The password in
there can simply be overridden if appropriate.

> One complication here is finding a secure channel for communication
> between the postinst and rt-setup-database. We could make rt-setup-database
> prompt for the password and then use expect or similar, but this is
> hacky. We could use a command line option or environment variable, but 
> these are not necessarily secure.
> 
> We could use a temporary file containing a password, which would be okay,
> or we could use a direct call to debconf via perl APIs. The latter would
> be the most elegant but would make the patch completely Debian-specific,
> whereas a separate file-based approach would make it suitable for inclusion
> upstream. Being able to set a safe password should benefit non-Debian
> users, so we should aim to do this.

I've now implemented most of this in SVN. There are a couple of edge
cases to work through, but it's basically done. The patch against
upstream portion of the work has been forwarded upstream as

<http://issues.bestpractical.com/Ticket/Display.html?id=15376>

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
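
The file-based hand-off discussed in the quoted text, sketched as an added example; it is not part of the original message and not the code that was committed or forwarded upstream. It assumes GNU coreutils as found on Debian, and the function names, the `rt-root-pw` file prefix and the sample value are hypothetical.

```shell
#!/bin/sh
# Added example; assumes GNU coreutils (mktemp, stat -c) as on Debian.
# Function names, the file name prefix and the sample value are hypothetical.

# Writer (the postinst role): put the secret in a private temporary file and
# print only the file's path. The secret is a shell function argument and is
# written by the printf builtin, so it never appears in any process's argv
# or environment.
write_secret_file() {
    secret=$1
    # mktemp creates the file atomically with mode 0600 and an unpredictable name.
    path=$(mktemp "${TMPDIR:-/tmp}/rt-root-pw.XXXXXX") || return 1
    printf '%s\n' "$secret" > "$path" || { rm -f "$path"; return 1; }
    printf '%s\n' "$path"
}

# Reader (the setup-script role): accept the file only if it is a regular
# file, owned by the current user, with no group/other permission bits.
# The file is removed after a successful read.
read_secret_file() {
    path=$1
    [ -f "$path" ] && [ ! -L "$path" ] || return 2
    info=$(stat -c '%a %u' "$path") || return 2
    mode=${info% *}
    owner=${info#* }
    [ "$owner" = "$(id -u)" ] || return 3
    case $mode in
        600|400) ;;
        *) return 3 ;;
    esac
    IFS= read -r secret < "$path" || return 4
    rm -f "$path"
    printf '%s\n' "$secret"
}

# Round trip with a constructed value; only the path would cross the
# process boundary (for example as a command line argument).
demo_path=$(write_secret_file 'constructed-example-pw') &&
    read_secret_file "$demo_path" > /dev/null
```

A file whose mode has been widened (for example to 644) is rejected with status 3 and left in place for inspection.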