[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 5/5] ui: remove deprecated 'password' option for SPICE
From: |
Daniel P . Berrangé |
Subject: |
[PULL 5/5] ui: remove deprecated 'password' option for SPICE |
Date: |
Wed, 15 Feb 2023 17:47:12 +0000 |
This has been replaced by the 'password-secret' option,
which references a 'secret' object instance.
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
docs/about/deprecated.rst | 8 --------
docs/about/removed-features.rst | 7 +++++++
qemu-options.hx | 9 +--------
ui/spice-core.c | 15 ---------------
4 files changed, 8 insertions(+), 31 deletions(-)
diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
index d31ffa86d4..2827b0c0be 100644
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@@ -66,14 +66,6 @@ and will cause a warning.
The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on``
rather than ``delay=off``.
-``-spice password=string`` (since 6.0)
-''''''''''''''''''''''''''''''''''''''
-
-This option is insecure because the SPICE password remains visible in
-the process listing. This is replaced by the new ``password-secret``
-option which lets the password be securely provided on the command
-line using a ``secret`` object instance.
-
``-smp`` ("parameter=0" SMP configurations) (since 6.2)
'''''''''''''''''''''''''''''''''''''''''''''''''''''''
diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst
index 4a84e6174f..e901637ce5 100644
--- a/docs/about/removed-features.rst
+++ b/docs/about/removed-features.rst
@@ -428,6 +428,13 @@ respectively. The actual backend names should be used
instead.
Use ``-drive if=pflash`` to configure the OTP device of the sifive_u
RISC-V machine instead.
+``-spice password=string`` (removed in 8.0)
+'''''''''''''''''''''''''''''''''''''''''''
+
+This option was insecure because the SPICE password remained visible in
+the process listing. This was replaced by the new ``password-secret``
+option which lets the password be securely provided on the command
+line using a ``secret`` object instance.
QEMU Machine Protocol (QMP) commands
------------------------------------
diff --git a/qemu-options.hx b/qemu-options.hx
index e79ff4d8fb..cafd8be8ed 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2135,7 +2135,7 @@ DEF("spice", HAS_ARG, QEMU_OPTION_spice,
" [,tls-channel=[main|display|cursor|inputs|record|playback]]\n"
"
[,plaintext-channel=[main|display|cursor|inputs|record|playback]]\n"
" [,sasl=on|off][,disable-ticketing=on|off]\n"
- " [,password=<string>][,password-secret=<secret-id>]\n"
+ " [,password-secret=<secret-id>]\n"
" [,image-compression=[auto_glz|auto_lz|quic|glz|lz|off]]\n"
" [,jpeg-wan-compression=[auto|never|always]]\n"
" [,zlib-glz-wan-compression=[auto|never|always]]\n"
@@ -2161,13 +2161,6 @@ SRST
``ipv4=on|off``; \ ``ipv6=on|off``; \ ``unix=on|off``
Force using the specified IP version.
- ``password=<string>``
- Set the password you need to authenticate.
-
- This option is deprecated and insecure because it leaves the
- password visible in the process listing. Use ``password-secret``
- instead.
-
``password-secret=<secret-id>``
Set the ID of the ``secret`` object containing the password
you need to authenticate.
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 72f8f1681c..76f7c2bc3d 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -412,9 +412,6 @@ static QemuOptsList qemu_spice_opts = {
.name = "unix",
.type = QEMU_OPT_BOOL,
#endif
- },{
- .name = "password",
- .type = QEMU_OPT_STRING,
},{
.name = "password-secret",
.type = QEMU_OPT_STRING,
@@ -666,20 +663,8 @@ static void qemu_spice_init(void)
}
passwordSecret = qemu_opt_get(opts, "password-secret");
if (passwordSecret) {
- if (qemu_opt_get(opts, "password")) {
- error_report("'password' option is mutually exclusive with "
- "'password-secret'");
- exit(1);
- }
password = qcrypto_secret_lookup_as_utf8(passwordSecret,
&error_fatal);
- } else {
- str = qemu_opt_get(opts, "password");
- if (str) {
- warn_report("'password' option is deprecated and insecure, "
- "use 'password-secret' instead");
- password = g_strdup(str);
- }
}
if (tls_port) {
--
2.39.1
- [PULL 0/5] Misc next patches, Daniel P . Berrangé, 2023/02/15
- [PULL 1/5] crypto: TLS: introduce `check_pending`, Daniel P . Berrangé, 2023/02/15
- [PULL 2/5] io/channel-tls: fix handling of bigger read buffers, Daniel P . Berrangé, 2023/02/15
- [PULL 3/5] block: mention 'password-secret' option for -iscsi, Daniel P . Berrangé, 2023/02/15
- [PULL 5/5] ui: remove deprecated 'password' option for SPICE,
Daniel P . Berrangé <=
- [PULL 4/5] block: deprecate iSCSI 'password' in favour of 'password-secret', Daniel P . Berrangé, 2023/02/15
- Re: [PULL 0/5] Misc next patches, Peter Maydell, 2023/02/16