When installing MySQL with cinst mysql I'm seeing the install defaulting to --initialize-insecure with empty string as password for the root user. It would be better if we could specify the root user password and if the install would default to --initialize for “secure by default” installation. Where there would be a generation of a random initial root password.
https://dev.mysql.com/doc/refman/5.7/en/data-directory-initialization-mysqld.html
Additionally, it would be nice to pass a secondary user/password parameter set to auto-create an additional MySQL user during the cinst mysql process.
@photodude thank you for raising this issue.
I am curious how you came to this repository though. The MySQL package is not maintained here.
> The MySQL package is not maintained here.
Although, it's planned to be migrated to this repo though.
@AdmiringWorm oh, is it. Sorry, must have missed that one 👍
@gep13 it was just something that @ferventcoder briefly mentioned in a previous PR.
https://github.com/chocolatey/chocolatey-coreteampackages/pull/490#issuecomment-272069830
@photodude we initially went exactly the way you wanted. However nobody knew how to find the password (even though it was logged in the event log).
https://github.com/ferventcoder/chocolatey-packages/commit/6d5a5f8570ad517e2d662bba135234bb31857e1f was the original change over
https://github.com/ferventcoder/chocolatey-packages/issues/128 was the original issue. Please note this is not the only place we heard about this.
I think it would be best if we provide package parameters and pick a sensible default here on how to pass this in. Thoughts?
> I think it would be best if we provide package parameters and pick a sensible default here on how to pass this in. Thoughts?
I agree, that would be best (not entirely sure what the sensible defaults would be though)
I'm not either. Maybe better to be secure by default?
Wouldn't that require a password? (I'm not familiar with MySQL, nor its install arguments)
I'm OK with insecure by default IF there are big warnings and lots of notices saying that it's insecure and recommending to add a password to root, with documentation explaining how to add the password. Additionally, the package page should note that it's insecure by default and should note how to install as secure and where the random generated password for secure install would be after install.
When users might not understand what they are getting, I find it's best to explain in triplicate (3 different methods, documentation, shell output, logs)
It's important to note that secure by default is actually best practices... even for local dev install. I remember XAMPP and WAMP were insecure by default at one time but had notices to inform users that the install was insecure and recommended to add a password as best practices. I think since then they have gone to secure by default (it's been a while since I used XAMPP or WAMP as I had been using Bitnami stacks).
I'm a huge fan of secure by default.
As am I, it is best practices. Unfortunately, we do need to deal with the user level issue of people who misunderstand when it's secure by default and where the random generated password is.
Maybe if the password is output to both the log and to the shell output post install info with details on the package page documentation explaining those two locations to retrieve the password.
I added the pending closure label for now. Nobody planned migration of mysql here, although it's mentioned in passing to be good to do.
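The thread's suggestion of surfacing the generated root password in the shell output as well as the log, sketched as an added example that is not part of the original discussion or of the Chocolatey package. It assumes the install script has captured the text that `mysqld --initialize --console` writes; the function name and the sample log lines are constructed for illustration.

```powershell
# Added example (hypothetical helper, not the package's code).
# Extracts the one-time root password from captured `mysqld --initialize` output.
function Get-MySqlTemporaryRootPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]] $LogLine
    )

    # MySQL 5.7 reports: "[Note] A temporary password is generated for root@localhost: <password>"
    $pattern = 'A temporary password is generated for root@localhost: (?<pw>\S+)\s*$'
    $found = $null
    foreach ($line in $LogLine) {
        if ($line -match $pattern) { $found = $Matches['pw'] }   # keep the most recent match
    }

    if (-not $found) {
        # --initialize-insecure logs a warning about the empty password instead.
        if ($LogLine -match 'root@localhost is created with an empty password') {
            throw 'Data directory was initialized with --initialize-insecure: root has an empty password.'
        }
        throw 'No temporary root password found in the supplied output.'
    }
    return $found
}

# Constructed sample output (timestamps and password are placeholders).
$sample = @(
    '2017-01-12T10:00:01.000000Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated.'
    '2017-01-12T10:00:03.000000Z 1 [Note] A temporary password is generated for root@localhost: Ex4mple-Plac3h0lder'
)

$password = Get-MySqlTemporaryRootPassword -LogLine $sample

# Repeat the location in the shell output so the user does not have to search the log.
Write-Host "MySQL root temporary password: $password"
Write-Host 'This password is marked expired; set a new one at first login.'
```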