Re: Question about gokey password generation?

Zeng, Tingyu <tingyu.zeng@...>


The link to the issue can be found here:

This issue was triaged at the end of last year by the group and it was decided it is not within the scope of the Geneva release due to the reasons below:

1. The move towards the Redis database and leaving Mongo
2. Prefer to use built-in Vault as database generator for Redis
3. Such an issue needs to be consistent with a broader topic of how to vet/evaluate 3rd party components/plugins on a project level.


From: EdgeX-TSC-Security@... <EdgeX-TSC-Security@...> on behalf of espy <espy@...>
Sent: Tuesday, April 14, 2020 10:04 AM
To: edgex-tsc-security@...
Subject: [Edgex-tsc-security] Question about gokey password generation?


While testing recent changes to the snap packaging over the past week
I've been doing quite a bit of log inspection.

One thing that recently caught my eye was the following WARNING logged
by security-secretstore-setup:

level=WARN ts=2020-04-14T00:21:45.156090587Z
app=edgex-security-secretstore-setup source=init.go:256 msg="WARNING:
The gokey generator is a reference implementation for credential
generation and the underlying libraries not been reviewed for
cryptographic security. The user is encouraged to perform their own
security investigation before deployment."

Have we actually performed a review of the underlying libraries and
approved their usage? If so, perhaps we should suppress this log message
so as not to raise concern by end-users?

