The -g option causes portage to spit out a useful message detailing which binhost emerge is connecting to; however, the password is also displayed, which has some obvious security concerns. Granted, make.conf is readable, but there is the possibility that people who could not gain access to my system and its make.conf could gain visual access over my shoulder.

Reproducible: Always

Steps to Reproduce:
1. run emerge with the -g flag and a PORTAGE_BINHOST value set in /etc/make.conf
2.
3.

Actual Results:
Calculating dependencies - Fetching bininfo from ftp://username:password@binhost.example.com/All/

Expected Results:
Calculating dependencies - Fetching bininfo from ftp://username:password@binhost.example.com/All/

With my patch the following is output:
Calculating dependencies - Fetching bininfo from ftp://username:*******@binhost.example.com/All/

My patch is as follows, and could likely be cleaned up a bit:

--- ./pym/portage.py 2008-01-15 10:25:37.000000000 -0600 +++ ../portage-2.1.3.16.fuzz/pym/portage.py 2008-01-15 10:25:21.000000000 -0600 @@ -7788,7 +7788,12 @@ chunk_size = 3000 writemsg_stdout("\n") - writemsg_stdout(green("Fetching bininfo from ")+base_url+"\n") + mp_proto = base_url.split(':')[0] + mp_usern = base_url.split(':')[1].split('//')[1] + mp_paswd = base_url.split(':')[2].split('@')[0] + mp_url = base_url.split(':')[2].split('@')[1] + output_url = mp_proto+'://'+mp_usern+':'+('*'*len(mp_paswd))+'@'+mp_url + writemsg_stdout(green("Fetching bininfo from ")+output_url+"\n") self.remotepkgs = getbinpkg.dir_get_metadata( self.settings["PORTAGE_BINHOST"], chunk_size=chunk_size) #writemsg_stdout(green(" -- DONE!\n\n"))
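Review bot: the four added `base_url.split(':')` lines only work for a URL of the exact form proto://user:password@host/path, and nothing checks that before indexing. A PORTAGE_BINHOST without credentials has no third ':'-separated field, so `base_url.split(':')[2]` raises IndexError before `getbinpkg.dir_get_metadata` is reached; a password containing ':' fails the same way at `.split('@')[1]`; and with an explicit port after the host, `mp_url` keeps only the host name, so the message drops the port and path. Separately, `'*'*len(mp_paswd)` prints one star per character, which tells the onlooker the password length; a fixed-width mask avoids that. Suggest parsing the URL with the standard library's URL parser, masking only when a password is actually present, and otherwise printing `base_url` unchanged.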
Created attachment 140983: simple interface enhancement
Thanks, this has been released in 2.1.4.1.
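A more defensive way to mask the binhost password before printing it, as an added example in Python 3 using only the standard library (it is not the patch above and not Portage's own code). `mask_url_password` and `MASK` are hypothetical names, the sample URLs are constructed, and the password is assumed not to contain a raw '/', '?' or '#'.

```python
from urllib.parse import urlsplit, urlunsplit

MASK = "*******"  # fixed width, so the output does not reveal the password length


def mask_url_password(url):
    """Return url with any password in its userinfo part replaced by MASK."""
    parts = urlsplit(url)
    # Userinfo ends at the LAST '@' of the authority; a password may contain '@'.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return url  # no credentials, e.g. http://binhost.example.com/All/
    # The user name ends at the FIRST ':'; a password may itself contain ':'.
    user, colon, _password = userinfo.partition(":")
    if not colon:
        return url  # user name only, nothing to hide
    masked_netloc = user + ":" + MASK + "@" + hostport
    return urlunsplit(parts._replace(netloc=masked_netloc))


if __name__ == "__main__":
    # Constructed sample values for PORTAGE_BINHOST, not taken from a real host.
    samples = [
        "ftp://username:password@binhost.example.com/All/",
        "ftp://username:password@binhost.example.com:2121/All/",
        "ftp://username:pa:ss@wd@binhost.example.com/All/",
        "ftp://username@binhost.example.com/All/",
        "http://binhost.example.com/All/",
    ]
    for sample in samples:
        print("Fetching bininfo from " + mask_url_password(sample))
```

Only the displayed string is masked; the unmodified URL is still what gets passed on for the actual fetch.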