solita / kansalaisaloite

Kansalaisaloite.fi / Medborgarinitiativ.fi
https://www.kansalaisaloite.fi
Apache License 2.0

Default passwords in shell scripts #1

Closed miohtama closed 10 years ago

miohtama commented 10 years ago

This is nitpicking, but it is generally not recommended to have default passwords in shell scripts, especially if the project has a public codebase:

https://github.com/solita/kansalaisaloite/blob/master/initdb-mac.sh

Having a known default password for the development environment itself does not hurt, but if the same password is recycled for one reason or another it might weaken the security.

This is what some other GitHub-hosted open source projects are doing

Just my two cents as this project might get some high profile visibility in Finland.

bafeus commented 10 years ago

You're correct, this is kinda bad practice. However, the initdb-scripts are only used locally by the developers to easily set up the development environment for their own computer. The password in the script matches the db-pw in default.properties, which is used when running the software locally. These properties are overwritten in all the other environments.

For example, the release script, which is used by CI, takes all its attributes via environment variables: https://github.com/solita/kansalaisaloite/blob/master/etc/release.sh

In any case, you're right. Thanks for the comment!

miohtama commented 10 years ago

Cool :) Closing this issue as there is probably no point in looking into this further, just letting you know.
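The split described in the thread (a committed development default, with every other environment supplying its own value through environment variables) can be enforced with a guard that rejects the development default outside development. This is an added example, not part of the thread or the project's scripts; the `DB_PASSWORD` variable, the `db.password` key, the `dev` environment name and the sample file contents are assumptions.

```bash
#!/usr/bin/env bash
# Added example. DB_PASSWORD, the db.password key and the "dev" environment
# name are assumptions, not names taken from the project.

# Print the value of KEY ($2) from a Java-style .properties FILE ($1).
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                 # skip comment lines
        {
            pos = index($0, "="); if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) found = v            # last assignment wins
        }
        END { print found }' "$1"
}

# Print the password to use for ENV_NAME ($1), given the defaults file ($2).
# Exit codes: 2 = nothing supplied outside dev, 3 = dev default reused.
resolve_db_password() {
    local env_name="$1" dev_default
    dev_default=$(prop_value "$2" "db.password")
    if [ "$env_name" = "dev" ]; then
        # Local development may fall back to the committed default.
        printf '%s\n' "${DB_PASSWORD:-$dev_default}"
        return 0
    fi
    if [ -z "${DB_PASSWORD:-}" ]; then
        echo "DB_PASSWORD must be set for environment '$env_name'" >&2
        return 2
    fi
    if [ -n "$dev_default" ] && [ "$DB_PASSWORD" = "$dev_default" ]; then
        echo "DB_PASSWORD matches the committed development default" >&2
        return 3
    fi
    printf '%s\n' "$DB_PASSWORD"
}

# Write a constructed defaults file (not the project's real one); print its path.
make_sample_defaults() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample
db.user = initiative_dev
db.password = dev-only-example
EOF
    printf '%s\n' "$f"
}
```

A deploy script would source this and call `resolve_db_password "$ENV_NAME" default.properties`, aborting on a non-zero exit code.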