Message ID | 20241105194857.3351281-4-ross.burton@arm.com |
---|---|
State | Accepted, archived |
Commit | 760734ccb4fd77dfea8f76aed9af043d213c2ed9 |
Series | [1/4] selftest/container: fix IMAGE_FEATURES assignment |
While we’re at it, should we also remove the dangerous items from debug-tweaks and require them to be enabled explicitly? Alex On Tue 5. Nov 2024 at 20.49, Ross Burton via lists.openembedded.org <ross.burton=arm.com@lists.openembedded.org> wrote: > debug-tweaks is vague and doesn't give any indication that the root user > can login over SSH without a password. This behaviour is incredibly > dangerous if used unwittingly, so discourage it by using the underlying > features explicitly to spell out exactly what is being done. > > This is not the complete set of features that debug-tweaks enables, > but I don't think we need to enable serial-autologin-root or > post-install-logging by default. > > Signed-off-by: Ross Burton <ross.burton@arm.com> > --- > meta-poky/conf/templates/default/local.conf.sample | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/meta-poky/conf/templates/default/local.conf.sample > b/meta-poky/conf/templates/default/local.conf.sample > index 72d35662940..cfa77106ab3 100644 > --- a/meta-poky/conf/templates/default/local.conf.sample > +++ b/meta-poky/conf/templates/default/local.conf.sample 
> @@ -145,8 +145,8 @@ DISTRO ?= "poky" > # There are other application targets that can be used here too, see > # meta/classes-recipe/image.bbclass and > # meta/classes-recipe/core-image.bbclass for more details. > -# We default to enabling the debugging tweaks. > -EXTRA_IMAGE_FEATURES ?= "debug-tweaks" > +# We default to allowing root login without a password for convenience. > +EXTRA_IMAGE_FEATURES ?= "allow-empty-password empty-root-password > allow-root-login" > > # > # Additional image features > -- > 2.34.1
On 5 Nov 2024, at 20:07, Alexander Kanavin <alex.kanavin@gmail.com> wrote:
> While we’re at it, should we also remove the dangerous items from debug-tweaks and require them to be enabled explicitly?

You’re apparently under the misapprehension that debug-tweaks is going to survive the week… :)

Ross
> -----Original Message----- > From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Ross Burton > Sent: den 5 november 2024 20:49 > To: openembedded-core@lists.openembedded.org > Subject: [OE-core] [PATCH 4/4] local.conf.sample: use explicit IMAGE_FEATURES instead of debug-tweaks > > debug-tweaks is vague and doesn't give any indication that the root user > can login over SSH without a password. This behaviour is incredibly > dangerous if used unwittingly, so discourage it by using the underlying > features explicitly to spell out exactly what is being done. > > This is not the complete set of features that debug-tweaks enables, > but I don't think we need to enable serial-autologin-root or > post-install-logging by default. > > Signed-off-by: Ross Burton <ross.burton@arm.com> > --- > meta-poky/conf/templates/default/local.conf.sample | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/meta-poky/conf/templates/default/local.conf.sample b/meta-poky/conf/templates/default/local.conf.sample > index 72d35662940..cfa77106ab3 100644 > --- a/meta-poky/conf/templates/default/local.conf.sample > +++ b/meta-poky/conf/templates/default/local.conf.sample > @@ -145,8 +145,8 @@ DISTRO ?= "poky" A few lines above, suitable features to use in EXTRA_IMAGE_FEATURES are listed. This list includes debug-tweaks, but none of the features that you now set as default below... > # There are other application targets that can be used here too, see > # meta/classes-recipe/image.bbclass and > # meta/classes-recipe/core-image.bbclass for more details. > -# We default to enabling the debugging tweaks. > -EXTRA_IMAGE_FEATURES ?= "debug-tweaks" > +# We default to allowing root login without a password for convenience. > +EXTRA_IMAGE_FEATURES ?= "allow-empty-password empty-root-password allow-root-login" > > # > # Additional image features > -- > 2.34.1 //Peter
On 6 Nov 2024, at 22:07, Peter Kjellerstedt <peter.kjellerstedt@axis.com> wrote:
> A few lines above, suitable features to use in EXTRA_IMAGE_FEATURES are
> listed. This list includes debug-tweaks, but none of the features that
> you now set as default below…

The comment is improved in the follow-up patch I just posted.

Ross
diff --git a/meta-poky/conf/templates/default/local.conf.sample b/meta-poky/conf/templates/default/local.conf.sample index 72d35662940..cfa77106ab3 100644 --- a/meta-poky/conf/templates/default/local.conf.sample +++ b/meta-poky/conf/templates/default/local.conf.sample @@ -145,8 +145,8 @@ DISTRO ?= "poky" # There are other application targets that can be used here too, see # meta/classes-recipe/image.bbclass and # meta/classes-recipe/core-image.bbclass for more details. -# We default to enabling the debugging tweaks. -EXTRA_IMAGE_FEATURES ?= "debug-tweaks" +# We default to allowing root login without a password for convenience. +EXTRA_IMAGE_FEATURES ?= "allow-empty-password empty-root-password allow-root-login" # # Additional image features
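Review bot: The replacement comment on the `+# We default to allowing root login without a password for convenience.` line says less than the commit message does. The commit message gives passwordless root login over SSH as the reason for spelling the features out, but the sample comment mentions neither SSH nor the danger of leaving the setting in place unwittingly. Suggest extending the comment to state that root can log in with an empty password, including over the network, and that the line should be removed or overridden for any image that is deployed. The assignment keeps `?=`, so these three features remain the default for anyone who starts from this template, and the comment is the only warning they will see.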
debug-tweaks is vague and doesn't give any indication that the root user can login over SSH without a password. This behaviour is incredibly dangerous if used unwittingly, so discourage it by using the underlying features explicitly to spell out exactly what is being done.

This is not the complete set of features that debug-tweaks enables, but I don't think we need to enable serial-autologin-root or post-install-logging by default.

Signed-off-by: Ross Burton <ross.burton@arm.com>

---
 meta-poky/conf/templates/default/local.conf.sample | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
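A check that follows from the commit message above, as an added example that is not part of the patch or of OE-core: a line-based scan of a `local.conf` for the image features named in this thread. The `audit` function, the sample text and the reason strings are assumptions made for illustration; the scan reads literal assignments only and does not evaluate BitBake includes or overrides.

```python
import re

# Feature names taken from the patch and its commit message. The commit message
# says debug-tweaks enables all of these, so the umbrella name is flagged too.
PASSWORDLESS_ROOT = {"allow-empty-password", "empty-root-password", "allow-root-login"}
OTHER_DEBUG = {"serial-autologin-root", "post-install-logging"}
UMBRELLA = "debug-tweaks"

# Assignments to IMAGE_FEATURES / EXTRA_IMAGE_FEATURES, with optional override
# suffixes such as :append, using any BitBake assignment operator.
ASSIGN = re.compile(
    r'^\s*((?:EXTRA_)?IMAGE_FEATURES(?::[\w-]+)*)\s*'
    r'(\?\?=|\?=|:=|\+=|=\+|\.=|=\.|=)\s*"([^"]*)"'
)


def audit(conf_text):
    """Return (line_no, variable, feature, reason) for each risky feature."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out assignments are not active
        m = ASSIGN.match(line)
        if not m:
            continue
        var, _op, value = m.groups()
        for feat in value.split():
            if feat == UMBRELLA:
                findings.append((no, var, feat, "implies passwordless root login"))
            elif feat in PASSWORDLESS_ROOT:
                findings.append((no, var, feat, "passwordless root login"))
            elif feat in OTHER_DEBUG:
                findings.append((no, var, feat, "debug-only feature"))
    return findings


# Constructed sample: old default commented out, the new default from the
# patch, and an append that brings debug-tweaks back in.
SAMPLE = '''\
DISTRO ?= "poky"
# EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
EXTRA_IMAGE_FEATURES ?= "allow-empty-password empty-root-password allow-root-login"
IMAGE_FEATURES:append = " debug-tweaks ssh-server-openssh"
'''

if __name__ == "__main__":
    for no, var, feat, why in audit(SAMPLE):
        print(f"line {no}: {var} enables {feat} ({why})")
```
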